+44 (0)203 88 020 88

Menu

Search

Cyber Security News & Articles

 

Cyber Security
News & Articles

Trusted Cyber Security Experts
25+ Years Industry Experience
Ethical, Professional & Pragmatic

The evolving risks from Ransomware

This week the NCSC issued a warning of the evolving risks posed by Ransomware, with increasingly sophisticated techniques being used to extort money from businesses around the world.

The National Cyber Security Centre (NCSC) along with the USA’s CISA and Australia’s ACSC have produced a joint cyber security advisory on the increased globalised threat of ransomware.

What is Ransomware?

Ransomware is a type of malware which uses extortion to obtain money from its victims. Ransomware locks the files and data on a computer system, usually by encrypting the files, and the criminals behind the attack demand a payment in return for unlocking the files.

How Ransomware is evolving

According to the advisory, ransomware threat actors demonstrated increasing technological sophistication through 2021.

The top three initial infection vectors used for ransomware in 2021 were:

  • Phishing emails
  • Remote Desktop Protocol (RDP) abuse through stolen or brute forcing credentials
  • Exploiting software vulnerabilities

There was a move to a more organised ransomware marketplace last year in what the report calls the ‘professionalisation’ of ransomware with the increased use of Ransomware-as-a-Service (RaaS).  The RaaS services evolved to be more than simply providing ready to use software tools, the NCSC reports that RaaS services now include ‘independent services’ to assist with the negotiation of payments, help for victims to make payments and even dispute arbitration and the provision of 24*7 helpdesks to expedite payment and system recovery once decryption keys have been provided.

After encrypting their victim’s network, threat actors are more often using ‘triple extortion’ threats in order to motivate their victims to pay: threatening to publicly release stolen information, disrupt the victim’s internet access and inform the victims shareholders and partners about the attack.

The increased adoption of cloud infrastructures has resulted in ransomware developers creating tools designed to attack cloud service providers, API platforms and cloud storage.  Attack vectors include exploiting vulnerabilities in cloud platforms and compromising on-premise networks and then using their trusted connections to access cloud infrastructures.

Managed Service Providers (MSP) are being increasingly targeted because the threat actors know that compromising one MSP will yield trusted access into the heart of all their client’s networks (think Kaseya for one example).  Similarly the software supply chain came under increasing attack, again because threat actors understand that compromising one supplier can result in their code being transported into the networks of all of that supplier’s customers. (Think Solarwinds for example).

Finally, ransomware actors are more frequently launching their attacks on weekends and public holidays in order to exploit lower staffing levels in the victim’s IT teams during these times.

 

How to defend your network against Ransomware

Strengthen your network protections to defend against the tactics and techniques used by ransomware operators:

Keep all operating systems and software up to date

Ransomware authors use known software vulnerabilities to gain access to their victims networks and to enable lateral movement within the network.  Establish a regular monthly patching cycle to ensure systems are kept up to date.  Do not forget to patch virtual machines and cloud systems as this is usually the customer’s responsibility.  The CISA maintains a useful list of known exploited software vulnerabilities which will help you to prioritise patching if you know your systems are not up to date.

Automated vulnerability scanning is recommended to identify systems that need patching, especially on larger networks with many devices.

Secure and monitor RDP and risky connections

Remote Desktop access and other similarly risky remote access services need particular attention both to keep them secure and to monitor them for abuse.

Prevent credential theft and re-use by requiring multi-factor authentication for RDP connections.

Ensure systems are securely configured, applying proven security baselines where they are available.  If RDP is not used then block it at the firewall to prevent ingress (on port 3389).

SMB file sharing (Server Message Block and Samba) is often used to propagate malware across a network – if you do not need it in your network, disable it on your servers.

Review the security posture of external networks you connect to – supplier and client systems for example. Ensure those network interconnects are placed on isolated LAN segments to protect your network from a breach in a connected network.

Raise Awareness through training

Technical controls will never successfully block all incoming phishing emails and spam, so use Security Awareness Training to help you staff spot fraudulent emails and phishing attempts.

Require MFA for all external services

Require multi-factor authentication for all services published to the internet. This includes webmail, VPNs and Office 365 environments (Sharepoint and Outlook webmail).

Set unique passwords

Ensure all accounts on your network have unique and strong passwords set.  The same password should not be reused across multiple accounts and passwords used by system admins should not be stored on the network where an attacker could find them – use a password manager that employs strong encryption to protect login information.

Protect your backups

Protect cloud storage by backing up to multiple locations that are protected by MFA for access and ensure the backups are encrypted.

Segment your network

Network segmentation can help prevent the spread of ransomware across your network.  This is especially important where your organisation has international operations and VPN links or interconnections with the networks of suppliers or customers.  Internal and external penetration tests are essential to ensure your network segmentation is actually working.

Use Intrusion Detection Systems

Automated tools that monitor network activity for indicators of ransomware activity can help detect a network breach quickly.

 

The full security advisory contains more details and advice that security managers can use to protect their networks from the evolving risks posed by ransomware.

Further information for UK organisations can be found on the NCSC Ransomware hub.

 

 

Subscribe to our monthly newsletter today

If you’d like to stay up-to-date with the latest cyber security news and articles from our technical team, you can sign up to our monthly newsletter. 

We hate spam as much as you do, so we promise not to bombard you with emails. We’ll send you a single, curated email each month that contains all of our cyber security news and articles for that month.

Why Choose SecureTeam?

Customer Testimonials

“We were very impressed with the service, I will say, the vulnerability found was one our previous organisation had not picked up, which does make you wonder if anything else was missed.”

Aim Ltd Chief Technology Officer (CTO)

"Within a very tight timescale, SecureTeam managed to deliver a highly professional service efficiently. The team helped the process with regular updates and escalation where necessary. Would highly recommend"

IoT Solutions Group Limited Chief Technology Officer (CTO) & Founder

“First class service as ever. We learn something new each year! Thank you to all your team.”

Royal Haskoning DHV Service Delivery Manager

“We’ve worked with SecureTeam for a few years to conduct our testing. The team make it easy to deal with them; they are attentive and explain detailed reports in a jargon-free way that allows the less technical people to understand. I wouldn’t work with anyone else for our cyber security.”

Capital Asset Management Head of Operations

“SecureTeam provided Derbyshire's Education Data Hub with an approachable and professional service to ensure our schools were able to successfully certify for Cyber Essentials. The team provided a smooth end-to-end service and were always on hand to offer advice when necessary.”

Derbyshire County Council Team Manager Education Data Hub

“A very efficient, professional, and friendly delivery of our testing and the results. You delivered exactly what we asked for in the timeframe we needed it, while maintaining quality and integrity. A great job, done well.”

AMX Solutions IT Project Officer

“We were very pleased with the work and report provided. It was easy to translate the provided details into some actionable tasks on our end so that was great. We always appreciate the ongoing support.”

Innovez Ltd Support Officer

Get in touch today

If you’d like to see how SecureTeam can take your cybersecurity posture to the next level, we’d love to hear from you, learn about your requirements and then send you a free quotation for our services.

Our customers love our fast-turnaround, “no-nonsense” quotations – not to mention that we hate high-pressure sales tactics as much as you do.

We know that every organisation is unique, so our detailed scoping process ensures that we provide you with an accurate quotation for our services, which we trust you’ll find highly competitive.

Get in touch with us today and a member of our team will be in touch to provide you with a quotation. 

0

No products in the basket.

No products in the basket.