Who Are Ransomware Attackers and What Are They After?

Don’t let ransomware attackers take you by surprise. Understand who makes the ideal target and why, and what you can do to avoid becoming the next statistic.


If the last year taught us anything new about ransomware attackers, it was the extent of their resilience, adaptability, and willingness to capitalize on hard times—particularly geopolitical shifts. Even as larger organizations are prosecuted, splinter groups regroup and relaunch. It’s clear: we need to be more diligent than ever.

Know Your Enemy: A Look at Today’s Ransomware Hackers 

Today’s ransomware attackers are criminals, but they’re also savvy business people who have built multibillion-dollar businesses out of stealing and holding companies’ data hostage. They do their research, they know what data you have (and what data you want to protect), they know who your customers are, and they even know where you purchase your security insurance. Some are even backed by nation states and the intel they possess.

They also aren’t afraid to negotiate.

If modern ransomware is a business, sophisticated attack software is their operating model, and ransoms are their revenue. In fact, ransomware attack platforms can even be purchased as a service, which is putting these powerful capabilities into the hands of would-be attackers around the globe. (REvil is a private ransomware-as-a-service [RaaS] operation.) This means it’s not just the big crime syndicates pulling off highly effective attacks. It could be a lone hacker in another country who purchased the software or subscribed to the platform and makes you his or her next target.

Today’s cybercriminals also move fast, compared with yesterday’s hackers who often sat dormant on your network for months, watching and waiting. These attacks are swift and strategic. Even worse, these hackers understand the PR angle of an attack, and they know how to use it. They won’t just take out your systems and steal your data—they’ll exfiltrate sensitive data and threaten to offer it up to news outlets and chat with reporters about the hack unless you pay up.

How Are Ransomware Attacks Being Carried Out? 

The threat of automated ransomware attacks seemed more sinister than the idea of a hacker alone in a basement typing away. However, recent trends show that savvy attackers are moving away from the mass, automated attacks to more nuanced, complex, and targeted attacks. This allows them to be more hands-on, and more precise.

But RaaS is still a growing threat. Even as giant syndicates were shut down over the last few years, RaaS made advanced ransomware software available to smaller affiliates worldwide.

What Data or Systems Are Most Valuable to Cybercriminals? 

Cybercriminals know exactly what data will sell for the highest price on the dark web or cause the most chaos if released or even deleted. Today, it’s a lot more complex than just stealing a credit card number, which may sell for as little as a dollar. A patient record is much more valuable in identity theft and can sell for $55 to $85. Cybercriminals are also going after intellectual property (IP)—especially where science and technology are involved, like sensitive product schematics.¹

State and local governments, police departments, and companies that deal in healthcare, education, and manufacturing have some of the most high-value data. But beyond the monetary value, certain data can be valuable in its ability to be disruptive. This includes information that disrupts investigations into open criminal cases, causes reputational damage, or leads to massive regulatory or compliance fines.

Are You a Ransomware Target? 

Every company is a viable ransomware target, but some make better—and more lucrative—targets than others.

First, savvy attackers often know better than to go after whales. Carrying out high-profile attacks can put them in the crosshairs of investigators, prosecutors, and news outlets. Once they’ve made the headlines, it’s pretty much over. To stay in the game, many of these groups target mid-sized organizations (1,000-5,000 employees) that are less likely to make the front page.²

Second is a disturbing trend of late: targeting managed service providers and essential service providers, which leads to massive outages and widespread disruptions. This is precisely what the REvil hack did, targeting software company Kaseya, which has thousands of customers who were affected.

How Can You Avoid Being a Ransomware Victim?

If you have an airtight, holistic prevention, backup, and recovery plan in place, you’re less likely to be a victim of a devastating ransomware attack. However, for companies without the right backup and recovery solutions, paying the ransom may seem faster and easier. Only, paying the ransom comes with zero guarantees. As demonstrated in recent attacks, the bad guys don’t always test their recovery tools thoroughly. The tools can be very slow to restore encrypted data or, even worse, they may not work at all.

Protecting your organization from the effects and costs of a ransomware attack means being prepared at every point along the ransomware lifecycle. That includes having plans for before an attack, during an attack, and after an attack. Pure Storage® has solutions to help at every point.

  • Before an attack: Pure can serve as a very fast platform to ingest logs and provide scale-out performance and data tiering for high-speed processing by security analytics tools used by cyber threat hunters. Plus, the data protection assessment in Pure1 offers leading practices to compare your configuration against and identifies areas where your data may be vulnerable across your fleet, while anomaly detection lets you know if sudden changes in DRR are discovered. Don’t forget to prepare for an attack by working with a technical service professional to document your storage recovery plan in the ransomware recovery SLA in Evergreen//One.
  • During an attack: Pure’s unique and highly differentiated SafeMode™ snapshots provide immutability, so they can’t be changed once written. SafeMode also provides an additional layer of snapshot protection: the snapshots can’t be deleted from an array, even by a person or process with administrative credentials. In addition, Pure arrays come with AES-256 encryption that can’t be turned off or disabled and has no performance implication on the array.
  • After an attack: Pure’s RapidRestore capability can help recover your data at speeds greater than 270TB/hour. This is hugely important because what matters most after an attack is speed. Another big part of recovering quickly is having clean arrays shipped next business day to store data and an onsite professional services engineer augmenting your staff so you can quickly get back to a normal operational level.

Learn about the Evergreen//One ransomware recovery SLA that guarantees shipping of clean arrays next business day and onsite staff.

¹ www.forbes.com/sites/daveywinder/2021/04/23/ransomware-gang-demands-50-million-for-apple-watch-and-macbook-pro-blueprints/?sh=4401e30e5839
² https://secure2.sophos.com/en-us/content/state-of-ransomware.aspx