X-Labs
January 18, 2023

The Persistent Threat of Ransomware

A quick analysis of recent ransomware threats
Aaron Mulgrew
Joanna Crossley

Ransomware is one cyber threat that consistently dominates industry news. It's one of those threats that keeps security teams, professionals and CISOs awake at night. The recent Royal Mail attack is one of the latest examples. Here are some things to note:


In their recent Global Attacks in 2022 Report, Check Point Research noted that there was a “38% increase in ransomware attacks in 2022 compared to 2021.”

The increasing agility of criminal groups suggests that organizations should consider a necessary shift in defenses toward prevention rather than detection, with a large focus on email, to minimize potential exposure to ransomware.

Why are ransomware attacks increasing?

The biggest reason for the rise in ransomware attacks in recent years is the massive increase in digital sharing. More and more people are using online portals to upload files, and a growing number of people are working from home on unsecured workstations.

The rise of digital currencies, such as Bitcoin, has also provided cyber-criminals with a relatively safe and risk-free mechanism for obtaining payment and remaining anonymous.

It’s becoming harder for organisations to keep on top of the increasing number of software updates, resulting in out-of-date software and devices that are particularly vulnerable to attacks.

In addition to the above, cyber-criminals are homing in on specific organisations, using highly sophisticated, advanced attacks that easily beat traditional detection methods.

How can your business be infected by ransomware?

Cybercriminals can access your network through various methods, such as:

  • Phishing or malicious emails, where they impersonate legitimate organizations to trick you into opening an attachment or clicking a link that may install malware on your device. With “over 90% of cyberattacks starting with an email”, this is the most used method to infiltrate organizations.
  • Using infected websites, downloads, and links in conjunction with phishing emails or on their own to attack a company's network.
  • Developing fake or unprotected apps infected with malware to gain access to your smartphone.


What Can We Learn from Recent Ransomware Threats?

REvil: REvil, also known as Sodinokibi, is a ransomware family that emerged in 2019. It is known for targeting large organizations and encrypting not only the victim's own data, but also any backups they have stored. REvil also includes a feature that allows the attackers to remotely access the victim's network after the encryption process is complete.

TrickBot: TrickBot is a banking trojan and malware downloader that is used to steal sensitive information and deliver other malware, including ransomware. It's been active since 2016 and is known for its widespread distribution and advanced evasive techniques.

Maze: Maze is a ransomware family that emerged in 2019. It is known for stealing data from the infected systems before encrypting them and demanding a ransom payment. The group behind Maze has been known to publicly release stolen data as a form of pressure on victims who refuse to pay the ransom.

LockBit: LockBit is a ransomware family that emerged in 2020. It is known for its ability to encrypt not only the victim's own files, but also any backups they have stored. It is also known for its use of a unique encryption method that makes it difficult to decrypt the encrypted files without paying the ransom.

LockBit is typically delivered via malicious email attachments or through vulnerabilities in unpatched software. The attackers behind LockBit have been known to target small and medium-sized businesses, with a focus on companies in the United States and Europe. LockBit is also known for its use of the double extortion tactic, which involves stealing sensitive data from the victim before encrypting their files and demanding a ransom payment.

As mentioned, the recent cyber incident involving the British postal service, Royal Mail, is the latest example shining a media light on the threat of ransomware. Reports indicate that the incident involved the use of a specific strain of malware, known as LockBit. It is important to note that the incident has not yet been officially confirmed to be related to LockBit and the investigation is ongoing. Although Royal Mail has said that no personal data has been compromised, they are still experiencing disruptions to services almost one week on from the attack. It's another example that highlights that the true cost of a ransomware attack spreads wider than just the demanded ransom.

Don’t Let Ransomware Devastate Your Business

Whatever the size of your business, it’s vital to protect it against ransomware attacks. This is one situation where prevention is better than cure.

Join us on February 8 for our “Defending your Business from Ransomware Attacks” webinar.

Aaron Mulgrew

Aaron works with central government departments in the UK and abroad to secure their systems, as well as working alongside critical national infrastructure providers to make sure they aren’t an easy route to compromise. With a specialism in cryptocurrency...


Joanna Crossley

Joanna Crossley joined Forcepoint as a part of the Deep Secure acquisition in 2021. Joanna works with the Global Governments team, specialising in demand generation and social strategy.

Joanna is based in the United Kingdom.
