Ransomware Attacks in RI

Ransomware Prevention Best Practices

Maintain Critical Data and System Backups. IT administrators should maintain offline encrypted backups of data, operating system image, and software applications. The best type of backup to have in case of a ransomware attack is a "gold image" of critical systems so they can be rebuilt. A backup of the configured operating system (OS) and all associated software applications that can be deployed to rebuild the system will expedite ransomware recovery. In addition to system images, any applicable source code or executables should be readily available and stored offline with backups. The best cyber-resilient solutions combine information security with system redundancy.

Utilize Application Allowlisting. Application control, whitelisting or allow-listing is one of the most important prevention tools IT administrators can use to prevent ransomware. Use application directory allowlisting, also known as application allowlisting, on all IT assets including endpoint devices, IoT devices, servers and networks to ensure that only already authorized software can run, and all unknown or unauthorized software is blocked from executing. Automated Application Allowlisting from PC Matic makes keeping whitelists up-to-date effective and easy to do.

Ensure Antivirus Software and Anti-Malware Solutions are up to date. Turn on automatic updates for both antivirus and malware solutions. Software and hardware updates including security patch updates are another essential layer of protection against cyber-threats.

Create a Ransomware Response Checklist. Organizations should create a cyber incident response plan with specific steps to take including communications plan that include specific procedures and notifications in case of a ransomware cyber incident. IT professionals in charge of business continuity, cyber incident response, and disaster recovery plans should keep in mind that many ransomware scripts are written to seek out and delete any accessible backups. In some cases, backup files may have already been infected with malware scripts (precursor malware infections). For this reason, application allowlisting which prevents unknown or non-approved program files is an essential part of a cybersecurity plan for any organization.

Vulnerability Scanning. In addition to whitelisting application software and blacklisting antivirus endpoint security, conducting regular vulnerability scans and keeping software up to date is an important part of cyber-incident prevention.

Secure RDP and Device Authentication. Many ransomware incidents occur due to insecure or compromised remote desktop sessions. Using a secure RDP software program with device authentication allows IT administrators to know exactly who is on the network.

Main Ransomware Attack Vectors. Email Phishing, Vishing and Spear-Phishing, Internet Vulnerabilities, Zero-Day and Fileless Infections, Existing Malware Infections (Precursor), third-party MSP (Managed Service Providers), Pass-the-Hash (PTH) Attacks, Advanced Persistent Threats (APTs), and Server Misconfigurations are the principal attack paths cybercriminals use to propagate malware and ransomware in order to launch their attacks.

Implement an intrusion detection system (IDS). With an IDS, IT professionals can more easily detect "command and control" activity irregularities, and other potential malicious network activity that normally occurs prior to ransomware attacks. An effective IDS solution monitors the network, systems and endpoint devices for malicious activity or policy violations. Any intrusion activity or policy violation is reported enabling staff to take appropriate, protective action. PC Matic's System Performance Software is a Unified Performance Management solution helping monitor and maintain systems for optimal cyber-protection.

Use MFA, Multi-Factor Authentication. Institute a policy of using multi-factor authentication for users and apply the principle of "Least Privilege" and "Zero Trust Access" to all systems in the organization.

Employ Network Segmentation and Restrict PowerShell Use. Using Group Policy restrict the use of PowerShell only to specific users on a case-by-case basis. Use network segmentation to silo or insulate critical assets to minimize the impact of any cyber-intrusion, and to frustrate lateral movement by malicious threat actors on the network.

The Latest Ransomware Attacks

Recent Ransomware Attacks.
Twitch, Amazon's video streaming service, suffered a massive data breach of its internal code base which was exposed to the internet. The hackers accessed Twitch servers due to a server misconfiguration and leaked confidential company information and user data including payouts, IT security methods, SDKs, and its entire source code. The massive size of the breach comprising 125 GB of sensitive company data has the potential to affect most if not all of Twitch's user base. This incident demonstrates how important server security is to combat cyber threats. Learn more about server ransomware protection.

Accenture was one of the latest victims of a ransomware attack - hit by Lockbit with a ransom of $50 million. LockBit is a ransomware gang that leases its malicious software to cybercriminals who receive a portion of the ransom paid in exchange for compromising ransomware victim networks. Lockbit is increasingly soliciting disgruntled employees to entice them to download malware in exchange for a piece of the ransom.

T-Mobile. A data breach affecting more than 50 million T-Mobile customers has resulted in a class action lawsuit. The data hack was massive, exposing sensitive customer personal data including Social Security numbers, dates of birth, and driver's licenses.

Renner Brazil. Lojas Renner, Brazil's largest clothing chain store was the target of the first $1 billion ransom, the largest ransomware demand so far. The cyber-attack was conducted by the RansomExx gang, which gained unauthorized access to Renner's servers by way of a Brazilian IT managed services provider.

Memorial Health System. A Hive ransomware attack on Memorial Healthcare System's network allowed access to sensitive patient data and forced the hospital chain to postpone all urgent surgeries. Memorial Health's patients needed to be diverted to other healthcare facilities to receive care. Learn more about ransomware protection for hospitals.

Newest Ransomware Threats

Trickbot, Dridex, Qbot (QuakBot), IcedID, FiveHands, Maze, Egregor, Conti, REvil Sodinokibi, DoppelPaymer, Avo, Pysa, Snatch and NetWalker - are among the most recent ransom variants to be gaining in popularity. Emerging new threat actors include AvosLocker, Hive Ransomware, Karakurt and HelloKitty. Cybersecurity firms suggest these are the most dangerous emerging ransomware threat gangs to watch. Ransomware attacks have increased 65% Year-Over-Year from August 2020 to August 2021 with ransomware gangs Revil and Darkside having been particularly active launching almost 1/3 of the attacks.

Cybercriminals are increasingly exploiting application vulnerabilities to gain access and control of a network's application infrastructure to encrypt sensitive, valuable data.

Ransomware Group Threat Schemes continue to entice disenfranchised employees to deploy malicious scripts. In addition to Lockbit 2.0, Black Kingdom Ransomware is offering one million dollars, or 40% of a $2.5 million ransom as an enticement to employees who help deploy the ransomware known as DemonWare, either remotely or on premises. Insider cyber-threat schemes against corporations and their networks are expected to increase.

Microsoft Windows Tech Support Scam. Using email messages, hackers trick end-users into calling a fraudulent call center or downloading a malicious PDF file with the moniker BazaLoader which installs a backdoor on their computer for hacking into network systems. The malware gives a hacker hands-on-keyboard control of the victim computer leading to the installation of ransomware.

LockFile Windows Exchange Ransomware. LockFile encrypts Windows domains using the recently disclosed ProxyShell and PetitPotam vulnerabilities using unauthenticated, remote code execution to hack into and encrypt devices. (LockFile exploit by the Conti ransomware operation.)

Karma Ransomware Data Leak Cyber Threat. Karma ransomware data breach threatens to release exfiltrated, encrypted data to journalists and publish the data to their website if the ransom isn't paid.

Conti Ransomware is back on the rise again with a renewed FBI/CISA warning alert. Conti's latest victim includes a farm feed cooperative in Iowa that could adversely impact food prices in the near future. The Conti ransomware threat is usually effected through spearphishing or stolen RDP credentials. Read more ransomware alerts.

Ranzy Locker Ransomware FBI Warning Ranzy Locker is a RAAS (Ransomware As A Service) group that uses double extortion against its victims. Ranzy both exfiltrates critical data for extortion before encrypting it for ransom. API calls, system vulnerabilities, and other common ransomware gang TTPs (Tactics, Techniques, Procedures) are used to discover, exfiltrate, and encrypt the target's critical data files.

Sugar Ransomware as a Service. Sugar is a new ransomware variant available to hackers as an RaaS (Ransomware-as-a-Service). This new ransomware family targets personal computers rather than business networks but is just as dangerous as it can encrypt a machine's data and hold it for ransom.

Best Ransomware Protection for 2022

Under Ransom Attack? Get help from PC Matic Anti-Ransomware Solutions. PC Matic is the pioneer in implementing Whitelisting Technologies in small business and enterprise organizations, local and federal government agencies, K-12 schools districts, colleges, universities and educational institutions, hospitals and healthcare facilities, financial institutions, non-profits, critical infrastructure, and industry of all sizes. PC Matic has the best cybersecurity solution for combating ransomware with Application Allowlisting in dynamic and hybrid computing environments. Learn more about how to prevent ransomware attacks.