What Every CEO Should Know About Modern Ransomware Attacks

How To Make Yourself A Tougher Cybersecurity Target
Yaki Faitelson
3 min read
Last updated January 17, 2023

Like most businesses, cybercriminals have adapted and adjusted over the past two years. Modern attackers have learned to launch more destructive ransomware campaigns while becoming more efficient and adept at evading law enforcement.

We now see ransomware gangs quickly rebrand themselves after a disruption, with new names and new infrastructure. DarkSide, the ransomware group behind several prominent attacks, seems to have rebranded as BlackMatter.

With each reinvention, ransomware gangs can come back stronger, learn from their experiences and take advantage of new techniques and vulnerabilities. They have a wealth of evolving tools in their arsenals, many vectors to get to the data they’re after and myriad ways to avoid detection after infiltrating victim organizations. Different names, same potent punch.

The takedown of the REvil ransomware gang and a hacker allegedly behind the Kaseya supply chain attacks, along with the reported shutdown of BlackMatter, are notable and encouraging. 

But there’s no time to relax. Keeping cybercriminals down is like putting out a fire in a dry forest — you can extinguish one, but flare-ups can happen anywhere, at any time.

The Business Of Ransomware

Attackers mean business. There is a lot of money to be made, fueling development and innovation. Regulating cryptocurrency to make them less anonymous is a logical tactic, but cybercriminals are already switching to digital currencies that are harder to track like Monero. Until the incentives change, business leaders should expect that successful ransomware gangs will continue to reinvent themselves, refine their techniques and go after critical data.

No matter what name they go by, these cybercriminal groups typically use an efficient ransomware-as-a-service (RaaS) model that allows independent attackers to get up and running quickly. Attackers can leverage a RaaS platform, along with their own tools and tricks, to target victims and hold their data hostage — twice. Attackers now use a double extortion model, where victims must pay to get their data back and pay again for the promise that the attackers won’t leak stolen data.

Today’s cybercriminal gangs are doing more than stealing and encrypting victims’ data. Attackers have been known to delve through a company’s files to uncover how much their cyber insurance will pay in the event of an attack; they then set the ransom to that amount.

Cybercriminals Sharpen Old Tricks, Surprise with New Ones

BlackMatter tampered with access controls — the security settings that determine who can access what data on your network — and broke them so that every employee could access massive amounts of data. In other words, they’re not just breaking into the vault; they are blasting it open and leaving companies even more vulnerable to future attacks.

Nation-states and cybercriminal groups, like one identified as FIN7, are actively recruiting corporate insiders — employees and others who are already on the company’s network. The FIN7 group also reinvented themselves and sharpened old tricks. Other attackers, like the OnePercent Group, leak small amounts of stolen data to pressure organizations to pay. Attackers are also getting personal by threatening to release mental health records if clients don’t pay up. 

How to Make Yourself a Tougher Cybersecurity Target

With so much money to be made, attackers are not going to quit. Your mission is to make your cyber defenses just as resilient as the ransomware gangs. Here are four ways to make your organization more resilient to data-related threats:
  1. Check for weak and reused passwords and enable multi-factor authentication (MFA). This critical step is one of the simplest steps you can take to protect your company. The BlackMatter gang (and other groups) are known to grab user names and passwords found in data breach dumps on the dark web. They try out every credential in an attempt to brute-force internet-facing systems and gain access.
  2. Be on alert for unusual activity. If your company is like most, your employees and contractors stick to daily work schedules, access the same files and use the same devices from known locations. Unusual activity — like logging in from a new location and accessing files that are not needed for work — can indicate compromised accounts or devices. Unusual activity, especially if it is associated with administrative and service accounts, should be investigated with high priority.
  3. Watch your data for signs of ransomware attacks. Ransomware doesn’t behave like your HR specialist or your accounting team. When ransomware is deployed, it will rapidly begin to encrypt files it can touch. The account activity may be associated with an employee, but it could be a compromised user account. An automated ransomware program will usually touch and change files sequentially and quickly, behaving differently than a human user.
  4. Take a data-first approach. Even with the explosion of endpoints, most data now syncs with and “lives in” large, centralized repositories on-prem and in the cloud. Since there are so many vectors to get to your data, even if you could anticipate and monitor them all, you’d drown in security alerts. Instead of starting from the outside in with all the endpoints and vectors, it’s much more practical to start by protecting your large, centralized repositories — and work from the inside out.
Most organizations don’t realize how much data is overly accessible and unwatched. One compromised user has the potential to access and put so much sensitive data at risk — an unacceptably large blast radius.

If you want your business to become as resilient as ransomware groups, you need to start with your biggest advantage. You know what attackers want — your data. By systematically making data harder to get to and watching it more closely, you make the attacker’s job far trickier.

This article first appeared on Forbes.

What should I do now?

Below are three ways you can continue your journey to reduce data risk at your company:

1

Schedule a demo with us to see Varonis in action. We'll personalize the session to your org's data security needs and answer any questions.

2

See a sample of our Data Risk Assessment and learn the risks that could be lingering in your environment. Varonis' DRA is completely free and offers a clear path to automated remediation.

3

Follow us on LinkedIn, YouTube, and X (Twitter) for bite-sized insights on all things data security, including DSPM, threat detection, AI security, and more.

Try Varonis free.

Get a detailed data risk report based on your company’s data.
Deploys in minutes.

Keep reading

Varonis tackles hundreds of use cases, making it the ultimate platform to stop data breaches and ensure compliance.

the-dawn-of-the-four-minute-cyberattack:-four-steps-to-protect-your-company
The Dawn Of The Four-Minute Cyberattack: Four Steps To Protect Your Company
Attack chains that were once only theoretical are now a reality. SolarWinds was the Roger Bannister of cyberattacks — now that we’ve had one breakthrough, we will have others.
what-automation-means-for-cybersecurity—and-your-business
What Automation Means For Cybersecurity—And Your Business
This article explains how automation can help turn the right information into action, helping to defend against cyberattacks, mitigate risk, shore up compliance and improve productivity.
your-sales-data-is-mission-critical:-are-you-protecting-it?
Your Sales Data Is Mission-Critical: Are You Protecting It?
If you’re like many executives, you might assume your data is secure within those cloud applications. That’s a dangerous assumption, though. Cloud providers are responsible for everything that delivers their application (e.g., their data center); it’s your responsibility to protect the data inside it.
why-every-cybersecurity-leader-should-‘assume-breach’
Why Every Cybersecurity Leader Should ‘Assume Breach’
Any system, account or person at any time can be a potential attack vector. With such a vast attack surface, you need to assume attackers will breach at least one vector.