Blog · 28 May 2021

The evolution of ransomware attacks

Ransomware is hitting the headlines with increasing regularity and it’s evolving. Know your enemy so you can protect your organisation effectively.

Michala Hart
VP, Security UK and Enterprise

Recent ransomware attacks have underlined the fact that any organisation can be vulnerable, and that attacks can have far-reaching consequences, even affecting critical national infrastructure.

And cybercriminals are continually evolving their attack methods.

The Colonial Pipeline ransomware attack in the US in May 2021 caused a shutdown of fuel supplies that allegedly led to widespread disruption of fuel distribution across the country, price hikes and even panic buying. Cyber attackers encrypted the organisation’s IT systems and exfiltrated data to encourage payment of the ransom, which reports suggest was paid to the criminal gang. The criminals may not have intended to cause such wide-ranging effects on the country, but the attack is a serious reminder of how production systems and safety-critical services can be affected as Operational Technology (OT) integrates into a connected environment.

Also in May 2021, a large insurance company saw its Asian operations attacked, and cybercriminals stole sensitive data. What is notable about this attack is that the data theft was accompanied by Distributed Denial of Service (DDoS) attacks that took down the company’s network, applying extra leverage designed to push the victim into opening negotiations and paying the ransom.

It’s an indication of how ransomware attacks are evolving, and it’s important that organisations are aware of what could be coming their way.

The 4 main techniques used by ransomware today

There are four key types of ransomware that you should look out for.

1) Encryption
A ‘straightforward’ ransom transaction: cybercriminals encrypt your data so that your applications and systems become unavailable, then offer to unlock the affected systems with a decryption key once you have paid. We have seen these attacks target individuals’ personal information as well as organisations. Some infections are random and accidental, but others deliberately target specific employees as a gateway into an organisation.

2) Exfiltration
As organisations strengthen their defences against encryption attacks with better backups, cybercriminals have raised the stakes by exfiltrating critical data before the encryption stage. This requires a greater degree of sophistication: the attackers must get inside the organisation and remove data undetected through backdoors, remote shells or compromised remote terminal services. Exfiltration and encryption combined give cybercriminals greater leverage to coerce the organisation into paying.

3) Extortion DDoS
The huge shift to internet access we saw during the pandemic has re-sparked criminals’ interest in Denial of Service attacks. These range from a standalone DDoS attack to a DDoS attack combined with other forms of hostility, as we saw in AXA’s case. It can form part of a triple threat: exfiltration, encryption and DDoS.

4) Harassment
Cybercriminals know that putting victims under pressure makes a pay-out more likely. Recent reports highlight a trend of using the stolen data to harass customers and employees of the affected organisation. Criminals are unafraid to take their activities into the public realm and damage the brand if doing so furthers their aims.

An evolving form of attack

Ransomware attacks are growing ever more sophisticated, with cybercriminals continually refining their methods. As organisations develop new countermeasures, the bad actors adopt the latest innovations to give organisations more compelling reasons to pay. For example, recent reports describe technical developments that allow malware to infiltrate virtualisation deployments and encrypt virtual servers at scale, or to block organisations’ attempts to recover by rapidly spinning up virtual copies of their services.

But you’re not alone in this era of ransomware. Our team of 3,000 security experts and 16 global security operations centres are here to help you keep watch and act decisively at all times.

To find out more about how to protect your organisation from DDoS attacks visit our website or watch the replay of our recent webinar on ‘When two worlds collide: How to define your IT/OT Security strategy’. Or contact your account manager to get further support from our security advisory team.