BlackBerry researchers see more double-extortion ransomware attacks, attackers demanding ransom from healthcare patients, and rising bitcoin prices driving the growth of ransomware.
Ransomware has become an increasingly virulent threat targeting businesses, government agencies, schools, and even individuals. As ransomware attacks gained greater traction and variety in 2020, so too will they bring about more developments in 2021. A report released Wednesday by BlackBerry highlights several trends to watch for in the year ahead.
SEE: Ransomware: What IT pros need to know (free PDF) (TechRepublic)
For BlackBerry’s “2021 Threat Report,” researchers and security professionals at the company were asked to offer their cybersecurity predictions for the upcoming year. In response, they advice organizations and users to stay vigilant to the following threats as 2021 progresses.
Ransomware attacks will continue to leverage the double-extortion strategy
A growing tactic among cybercriminals is the double-extortion ransomware attack. In these cases, the attackers demand a ransom not just to decrypt the stolen data but to refrain from releasing it publicly. If the ransom is not paid within a certain time, the criminals vow to publish it for all to see or reveal it to a possible competitor.
Even if the victimized organization can restore the data from backups, they may still be forced to pay the ransom to prevent the data from being exposed.
This strategy drove up average ransom payments throughout 2020. But keep in mind that there is never any guarantee that the attackers won’t still publish the data. In several instances, attackers still released the victim’s data even after receiving the ransom payment, proving that the promises of criminals don’t hold much value.
Threat actors contacting patients as part of healthcare extortion strategies
In 2020, healthcare organizations continued to be top targets for cyberattacks. With the coronavirus pandemic, the healthcare industry has become more vital than ever, holding confidential records and patient data valuable to ransomware attackers.
But in a strategy likely to grow this year, cybercriminals not only demand payment from the healthcare organization but the patients as well. In October 2020, a Finnish psychotherapy center was the victim of an attack in which patient data was stolen. The attackers demanded a ransom from the psychotherapy center but also contacted each patient individually seeking a ransom of 200 Euros in bitcoins. In the end, the criminals published the medical records of at least 300 patients on a Tor site.
Such a tactic could become more popular during 2021, especially when paired with traditional ransomware attacks. This trend could also put added pressure on healthcare organizations from patients who are extorted individually, thereby increasing the odds of a ransom payment.
Nation-State actors hiding behind crimeware-as-a-service
The growth of crimeware-as-a-service allows nation states to hide behind third-party contractors to launch ransomware campaigns and other types of attacks. This obscures the identity of the true attacker and gives them a layer of plausible deniability. It also makes it appear as though the attack could have originated from almost anywhere. As a response, organizations should consider adopting Zero Trust networking principles and role-based access controls, not just to users, but to applications and servers.
Crypto prices driving ransomware growth
Researchers and analysts see a strong correlation between the rate of ransomware infections and the fluctuating price of bitcoin. Already on the rise since last year, the value of bitcoin reached all new highs in early 2021. If this correlation continues to prove true, BlackBerry expects a robust ransomware market in the near future.
Recommendations to protect companies
Though attackers have become increasingly skilled at exploiting vulnerable services and unpatched software, most ransomware breaches still require some type of end-user interaction, said Eric Milam, BlackBerry lead threat researcher. In this regard, ransomware typically executes when a user clicks a link or opens a malicious attachment in an email. As such, Milam offers the following recommendations:
- Organizations need to have a strong culture of security to minimize the risk of an attack. Patch efficiency, antivirus software, and simple endpoint administration are no longer enough. You must use security that employs signature-based patterns, behavioral analytics, and machine learning backed by a strong R&D team.
- A data leak prevention (DLP) solution is a must to mitigate the risk of sensitive data being exfiltrated and avoid the scenario of a double extortion. You should also protect sensitive data by restricting its access only to people who need it to do their jobs. Remember that the attackers won’t hesitate to release sensitive data on underground forums and websites whether or not you pay the ransom.
- Ensure that all backups are stored offsite, either physically or in the cloud. Doing so may add an extra layer of security to identify and prevent encryption.
- In the event of a ransomware attack, consider using a decryptor to recover your data. Many decryptors are publicly available, free of charge, and work with some of the ransomware families. In some cases, you may also be able to partially restore the files using file recovery software.
- Consult with experts who are used to dealing with ransomware situations. You don’t want to add insult to injury by paying the ransom and still not getting the data.
And what of the big question: should an organization pay the ransom or not?
“As a matter of principle, the security community doesn’t recommend paying cybercriminals, simply because doing so justifies and propels the ransomware business,” Milam said.
“However, we do understand that in some of the highly targeted and most damaging attacks (for example, on critical infrastructure or healthcare providers) there might be no other way to recover and preserve human life but to meet the ransom demands,” he added. “Since the individual cases and circumstances vary dramatically, there is no golden rule. In any scenario, though, the victims should work closely with law enforcement and do everything possible to help with the investigation.”