As of Q2 2022, ransomware remains one of the main threats to information security, and the META region is no exception. One of the most notable cases is the attack on Shoprite, the largest retail chain in Africa. Other examples of the worsening ransomware situation in the region include attacks carried out by the LockBit group in sub-Saharan Africa and reported Cl0p attacks on entities in the UAE.
Moreover, Kaspersky experts have been witnessing a growing industrialisation of ransomware groups in terms of their internal structure, their advertising, and the inventive techniques they use during attacks. This trend was already noted in the ransomware trends report Kaspersky published earlier this year.
“We can clearly see a distinctive trend in the development of ransomware towards getting more sophisticated and targeted, exposing victims to more threats”, comments Maher Yamout, Senior Security Researcher at Kaspersky. “In recent years, ransomware groups have come a long way from being scattered gangs to businesses with the distinctive traits of a full-fledged industry. We are seeing more and more cases where ransomware attacks are performed manually, in a time-consuming, yet efficient manner that was not very typical for small-scale attackers previously”.
In order to better understand and analyse the most common tactics, techniques, and procedures (TTPs), Kaspersky’s Threat Intelligence team prepared an extensive study of modern ransomware, which serves as an aid in understanding how ransomware groups operate and how to defend against their attacks.
The analysis within the guide focuses on the activity of Conti/Ryuk, Pysa, Clop (TA505), Hive, LockBit 2.0, RagnarLocker, BlackByte and BlackCat. These groups have been active in the United States, Great Britain, Germany and other countries, and targeted over 500 organisations in industries such as manufacturing, software development and small business between March 2021 and March 2022.
Kaspersky experts analysed how these ransomware groups employed the techniques and tactics described in the MITRE ATT&CK knowledge base and found many similarities among their TTPs throughout the cyber kill chain. The groups’ attack methods proved to be quite predictable, with ransomware attacks following a pattern that includes gaining access to the corporate network or a victim’s computer, delivering malware, further discovery, credential access, deleting shadow copies, removing backups and, finally, achieving their objectives.
The researchers also explain where the similarity between attacks comes from:
- The emergence of a phenomenon called ‘Ransomware-as-a-Service’ (RaaS), where the ransomware operators do not deliver the malware themselves but only provide the encryption tooling. Since the affiliates who deliver the malicious files also want to simplify their work, they use templated delivery methods or automation tools to gain access.
- Reusing old and similar tools makes life easier for attackers and reduces the time it takes to prepare an attack.
- Reusing common TTPs makes hacking easier. Although it is possible to detect such techniques, it’s much harder to do preventively across all possible threat vectors.
- Slow installation of updates and patches among victims. It is often the case that those who are vulnerable are attacked.
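The “deleting shadow copies, removing backups” step in the pattern above is one of the most predictable and therefore most detectable points of the chain (MITRE ATT&CK T1490, Inhibit System Recovery). The following script is an added example, not part of the Kaspersky report: it runs a small set of command-line signatures over process-creation events. The events are constructed for the example and only borrow their field names (Computer, User, ParentImage, Image, CommandLine) from the Sysmon Event ID 1 schema; hosts, users and paths are invented.

```python
"""Flag process-creation events whose command line matches the
shadow-copy deletion / backup removal step (ATT&CK T1490).

Added example; the log lines are constructed, not real telemetry.
"""
import json
import re
from dataclasses import dataclass

# Patterns are matched against a lower-cased, whitespace-collapsed,
# quote-stripped command line. Requiring the verb after the binary name
# keeps legitimate queries such as "vssadmin list shadows" from firing.
INHIBIT_RECOVERY_PATTERNS = {
    "vssadmin delete shadows": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows"),
    "vssadmin resize shadowstorage": re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage"),
    "wmic shadowcopy delete": re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete"),
    "bcdedit disable recovery": re.compile(
        r"bcdedit(\.exe)?\s+/set\s+\{?default\}?\s+"
        r"(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)"),
    "wbadmin delete catalog": re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)"),
    "powershell delete shadowcopy via WMI": re.compile(r"win32_shadowcopy.*(delete|remove-wmiobject)"),
}


@dataclass
class Alert:
    technique: str
    host: str
    user: str
    parent: str
    command_line: str


def normalise(cmd: str) -> str:
    # Collapse whitespace runs and drop quotes so that
    # cmd.exe /c "wmic   shadowcopy delete" still matches.
    return " ".join(cmd.replace('"', "").replace("'", "").split()).lower()


def scan_events(lines):
    """Return one Alert per event whose command line matches a signature."""
    alerts = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than stop the pipeline
        cmd = normalise(ev.get("CommandLine", ""))
        for technique, pattern in INHIBIT_RECOVERY_PATTERNS.items():
            if pattern.search(cmd):
                alerts.append(Alert(
                    technique=technique,
                    host=ev.get("Computer", "?"),
                    user=ev.get("User", "?"),
                    parent=ev.get("ParentImage", "?"),
                    command_line=ev["CommandLine"],
                ))
                break  # one alert per event is enough
    return alerts


# Constructed sample telemetry (hypothetical hosts, users and paths).
SAMPLE_EVENTS = r'''
{"Computer": "WS-0142", "User": "CORP\\jdoe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "Image": "C:\\Windows\\System32\\vssadmin.exe", "CommandLine": "vssadmin list shadows"}
{"Computer": "WS-0142", "User": "CORP\\jdoe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "Image": "C:\\Windows\\System32\\vssadmin.exe", "CommandLine": "C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet"}
{"Computer": "SRV-FILE01", "User": "NT AUTHORITY\\SYSTEM", "ParentImage": "C:\\Users\\Public\\update.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c \"wmic   shadowcopy delete\""}
{"Computer": "SRV-FILE01", "User": "NT AUTHORITY\\SYSTEM", "ParentImage": "C:\\Users\\Public\\update.exe", "Image": "C:\\Windows\\System32\\bcdedit.exe", "CommandLine": "bcdedit /set {default} recoveryenabled No"}
{"Computer": "WS-0077", "User": "CORP\\asmith", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell -c \"Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete()}\""}
{"Computer": "WS-0077", "User": "CORP\\asmith", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe C:\\Users\\asmith\\notes.txt"}
this line is not JSON and must not crash the scanner
'''


def demo():
    return scan_events(SAMPLE_EVENTS.splitlines())


if __name__ == "__main__":
    for a in demo():
        print(f"[{a.technique}] {a.host} {a.user} parent={a.parent} :: {a.command_line}")
```

Four of the six events fire; the benign `vssadmin list shadows` and the notepad launch do not, and the non-JSON line is skipped. In production the parent image matters as much as the command: a shadow-copy deletion spawned from an Office process or from a binary in a user-writable directory, as in two of the constructed events, deserves a higher severity than the same command run from a scheduled backup job.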
The public version of the ransomware TTPs’ report is available for download on Securelist.com.
To protect yourself and your business from ransomware attacks, consider following the rules proposed by Kaspersky:
- Do not expose remote desktop/management services (such as RDP, MSSQL, etc.) to public networks unless absolutely necessary and always use strong passwords, two-factor authentication and firewall rules for them.
- Promptly install available patches for commercial VPN solutions providing access for remote employees and acting as gateways in your network.
- Always keep software updated on all the devices you use to prevent ransomware from exploiting vulnerabilities.
- Focus your defense strategy on detecting lateral movement and data exfiltration to the Internet. Pay special attention to outgoing traffic to detect cybercriminals’ connections.
- Back up data regularly with special attention to offline backup strategies. Make sure you can quickly access it in an emergency when needed.
- Avoid downloading and installing pirated software or software from unknown sources.
- Assess and audit your supply chain and managed services’ access to your environment.
- Prepare an action plan for the reputational risk of data exposure in the unfortunate event of data theft.
- Use solutions like Kaspersky Endpoint Detection and Response Expert and the Kaspersky Managed Detection and Response service, which help to identify and stop an attack at an early stage, before attackers reach their final goals.
- To protect the corporate environment, educate your employees. Dedicated training courses can help, such as the ones provided in the Kaspersky Automated Security Awareness Platform.
- Use a reliable endpoint security solution, such as Kaspersky Endpoint Security for Business that is powered by exploit prevention, behaviour detection and a remediation engine that is able to roll back malicious actions. KESB also has self-defense mechanisms which can prevent its removal by cybercriminals.
- Use the latest Threat Intelligence information to stay aware of the current TTPs used by threat actors. The Kaspersky Threat Intelligence Portal is a single point of access for Kaspersky’s TI, providing cyberattack data and insights gathered by our team for almost 25 years. To help businesses enable effective defenses in these turbulent times, Kaspersky has announced access to independent, continuously updated and globally sourced information on ongoing cyberattacks and threats, at no charge. Request access to this offer here.