The world of ransomware is a never-ending arms race, with criminals and defenders continuously trying to outsmart each other.
The general trend in ransomware over the past year has been a shift towards more targeted, high-profile attacks, often opened with spear phishing. These attacks usually come with high ransom demands and involve weeks or months of hands-on work by the operators, who oversee every step of the intrusion. But older, less selective methods are still finding a niche.
Avaddon, for example, is one ransomware variant that has returned to the classic tactic of mass spam emails carrying malicious links. To make this volume approach pay, its operators have added techniques that let them extort a large number of victims with little manual effort per victim.
Automating Extortion
Since Avaddon casts a wide net and tries to infect as many victims as possible, its operators have built a scheme for automated extortion. Their dark web site carries a public list of the companies they have compromised, each with a countdown until that company's private data will be published. If the ransom isn't paid, the data is released automatically when the countdown expires.
The website contains the following message:
Encrypted files are not the main problem. Companies cannot understand the risk of information leakage, especially private information. Such leaks of information lead to losses for the company, fines and lawsuits. And don’t forget that information can fall into the hands of competitors! As we know from the reports, the cost of company recovery services can be ten times more than our amount for the ransom.
To make the threat concrete, the data of companies that refused to pay is free to download from the same site.
Ransomware Gangs Adapting
Generally speaking, robust backup procedures dramatically reduce the damage a ransomware attack can do. In the past, ransomware attacks relied mainly on locking organizations out of their own data, leaving them unable to work and facing the loss of irreplaceable records. For this reason, many ransomware operators go to great lengths to find and encrypt (or delete) backups before issuing a ransom demand.
As ransomware attacks get more frequent and more severe, many organizations are improving their backup procedures. That blunts the traditional attack: a victim can restore from offline or air-gapped secondary backups even if the attackers reached the primary backup, so the encryption alone no longer forces payment, although a restore still costs downtime.
In response, groups like Avaddon place more emphasis on stealing data before encrypting it and threatening to leak it. Restoring from backups brings systems back online, but leaked data causes damage that a restore cannot undo: reputational harm, regulatory fines and lawsuits, and an advantage for competitors. Those costs can easily be large enough to make paying the ransom look worthwhile.
What to Do About It
The first line of defense against ransomware is to keep attackers from gaining a foothold at all. The most common initial access vectors are phishing emails and exposed Remote Desktop Protocol (RDP) services. Run regular phishing awareness campaigns with employees and keep them current on the latest lures, because attackers continuously refine their methods to slip past filters and suspicious users.
RDP is the other frequent entry point. Many of these intrusions begin with brute-force or credential-stuffing attacks against RDP servers reachable from the internet, and an account that can log in over RDP often already has enough privilege to move laterally or is a short step from domain admin. So make sure every employee uses strong, unique passwords, especially on accounts with RDP access, require multi-factor authentication for remote access, keep RDP off the public internet (behind a VPN or gateway), and alert on bursts of failed logons, which is what a brute-force or password-spraying attempt looks like in the logs.
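To make the RDP brute-force warning concrete, here is an added example (not from the original article and not any vendor's code) of the detection a SOC would run over Windows Security logs: it counts event 4625 (failed logon) entries with LogonType 10 (RemoteInteractive, i.e. RDP) per source IP inside a sliding time window and reports IPs that cross a threshold. The flat one-line-per-event format and the sample lines are constructed for this illustration; real 4625 events are XML in the Security log and would be exported to this form first.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// FailedLogon is Windows Security event 4625 (failed logon) reduced to the
// fields a brute-force rule needs; LogonType 10 (RemoteInteractive) is RDP.
type FailedLogon struct {
	When      time.Time
	LogonType string
	User      string
	SourceIP  string
}

// ParseFailedLogon reads one line of the constructed flat format used below
// (a hypothetical export of the 4625 fields; the real event is XML), e.g.
//   2024-03-02T10:00:01Z 4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
func ParseFailedLogon(line string) (FailedLogon, bool) {
	f := strings.Fields(line)
	if len(f) < 3 || f[1] != "4625" {
		return FailedLogon{}, false
	}
	when, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return FailedLogon{}, false
	}
	ev := FailedLogon{When: when}
	for _, kv := range f[2:] {
		if p := strings.SplitN(kv, "=", 2); len(p) == 2 {
			switch p[0] {
			case "LogonType":
				ev.LogonType = p[1]
			case "TargetUser":
				ev.User = p[1]
			case "SourceIP":
				ev.SourceIP = p[1]
			}
		}
	}
	return ev, ev.SourceIP != ""
}

// DetectRDPBruteForce returns, per source IP, the total number of RDP logon
// failures, for every IP that had at least threshold failures inside some
// span of length window (sliding window). Successes and non-RDP are ignored.
func DetectRDPBruteForce(lines []string, threshold int, window time.Duration) map[string]int {
	byIP := map[string][]FailedLogon{}
	for _, line := range lines {
		if ev, ok := ParseFailedLogon(line); ok && ev.LogonType == "10" {
			byIP[ev.SourceIP] = append(byIP[ev.SourceIP], ev)
		}
	}
	alerts := map[string]int{}
	for ip, evs := range byIP {
		sort.Slice(evs, func(i, j int) bool { return evs[i].When.Before(evs[j].When) })
		for start, end := 0, 0; end < len(evs); end++ {
			for evs[end].When.Sub(evs[start].When) > window {
				start++
			}
			if end-start+1 >= threshold {
				alerts[ip] = len(evs)
				break
			}
		}
	}
	return alerts
}

// SampleLog is constructed data: a spraying source (203.0.113.7) trying several
// accounts, a user who mistyped twice (198.51.100.4), a success (4624) and a
// non-RDP failure (LogonType 3) that the rule must ignore.
var SampleLog = []string{
	"2024-03-02T10:00:01Z 4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7",
	"2024-03-02T10:00:02Z 4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.7",
	"2024-03-02T10:00:02Z 4625 LogonType=10 TargetUser=backup SourceIP=203.0.113.7",
	"2024-03-02T10:00:03Z 4625 LogonType=10 TargetUser=svc_sql SourceIP=203.0.113.7",
	"2024-03-02T10:00:04Z 4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7",
	"2024-03-02T10:00:05Z 4625 LogonType=3 TargetUser=administrator SourceIP=203.0.113.7",
	"2024-03-02T10:01:00Z 4625 LogonType=10 TargetUser=jsmith SourceIP=198.51.100.4",
	"2024-03-02T10:01:30Z 4625 LogonType=10 TargetUser=jsmith SourceIP=198.51.100.4",
	"2024-03-02T10:02:00Z 4624 LogonType=10 TargetUser=jsmith SourceIP=198.51.100.4",
}

func main() {
	for ip, n := range DetectRDPBruteForce(SampleLog, 4, time.Minute) {
		fmt.Printf("ALERT %s: %d RDP logon failures, brute force or password spraying\n", ip, n)
	}
}
```

The threshold and window are the tuning knobs: four failures in a minute from one address is far above what a fumbling user produces, and the same rule with a lower threshold over a longer window catches slow password spraying that tries one guess per account. Pair the alert with an automatic block at the firewall or RDP gateway.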
When it comes to the growing trend of data-leak extortion, one useful measure is encrypting data at rest on backups and servers.
Encrypting backups makes life much harder for ransomware operators. They may still be able to take your network down, but with a solid backup strategy they won't be able to encrypt every copy of your backups, and any backup archive they exfiltrate is useless for blackmail without the decryption key. The caveat is key management: the keys must be kept somewhere the attackers cannot reach from the compromised network (a key management service or hardware token, not a file beside the backups), and encryption at rest does nothing against data that attackers read from live servers through a compromised user account. Data-at-rest encryption complements access controls and monitoring for unusual outbound transfers; it does not replace them.
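As an added example (not code from the article or from any backup product), the following Go program shows what encrypting backups means in practice and why it defeats leak-based extortion: the archive is sealed with AES-256-GCM, the backup's name is bound as associated data so one blob cannot be passed off as another, and the key is generated separately from the blob (in a real deployment it would come from a key management service or hardware token, never a file beside the backups). The archive contents and backup names are constructed for the illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewBackupKey returns a fresh random 256-bit key. In practice the key lives
// in a key management service or hardware token the backup job can call but
// not export; it is never written next to the backups it protects.
func NewBackupKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("backup key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptBackup seals an archive with AES-256-GCM. The backup name is bound as
// associated data so one backup's blob cannot be passed off as another's.
// Blob layout: 12-byte nonce || ciphertext || 16-byte GCM tag.
func EncryptBackup(key, archive []byte, name string) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	// A random nonce per backup is fine at backup volumes; a key that will seal
	// billions of blobs should be rotated rather than pushed past its nonce budget.
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, archive, []byte(name)), nil
}

// DecryptBackup opens a blob from EncryptBackup. Any change to nonce, data,
// tag or name fails authentication; no partial plaintext is ever returned.
func DecryptBackup(key, blob []byte, name string) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("blob too short to be a sealed backup")
	}
	return aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], []byte(name))
}

// SelfCheck seals a constructed sample archive and confirms that the stolen
// blob is useless without the right key and name, and that tampering is caught.
func SelfCheck() error {
	const name = "customers-2024-03-02.tar"
	archive := []byte("constructed sample: customer table export, 3 rows")
	key, err := NewBackupKey()
	if err != nil {
		return err
	}
	blob, err := EncryptBackup(key, archive, name)
	if err != nil {
		return err
	}
	if got, err := DecryptBackup(key, blob, name); err != nil || !bytes.Equal(got, archive) {
		return errors.New("correct key and name failed to recover the archive")
	}
	wrongKey, _ := NewBackupKey()
	if _, err := DecryptBackup(wrongKey, blob, name); err == nil {
		return errors.New("wrong key was accepted")
	}
	if _, err := DecryptBackup(key, blob, "payroll-2024-03-02.tar"); err == nil {
		return errors.New("blob was accepted under another backup's name")
	}
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)/2] ^= 0x01
	if _, err := DecryptBackup(key, tampered, name); err == nil {
		return errors.New("tampered blob was accepted")
	}
	return nil
}

func main() {
	fmt.Println("backup encryption self-check:", SelfCheck())
}
```

Only the sealed blob is written to backup storage. An attacker who copies the whole backup share gets nonces, ciphertext and tags, none of which helps with extortion, and because GCM authenticates the data they also cannot quietly corrupt a backup you later restore from. The part the code cannot show is the operational rule that makes it work: the key must be retrievable by the backup and restore jobs but not readable from the compromised network, so test a restore from an offline copy with the key fetched from its real home, not from a local cache.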