Original Release Date: 10/8/2020
The NJCCIC continues to receive reports of ransomware incidents impacting NJ businesses, organizations, and private citizens, resulting in operational disruptions, financial loss, and/or data exfiltration.
The US remains the most targeted country for ransomware. Ransomware commonly gains initial access and spreads through phishing emails, exploitation of internet-facing vulnerabilities and misconfigurations, compromised third parties and managed service providers, and previously unresolved network compromises. Recent trends indicate that threat actors are now targeting victims with a low tolerance for downtime, such as manufacturing, professional services, and government. Education is also a target, as schools face the possibility of data exfiltration and extortion on top of the challenges of remote learning and keeping up with the security of their systems and networks. Organizations requiring high uptime may incur great financial loss when operations are disrupted and may therefore be more inclined to pay the ransom demand. Ransom demands continue to increase rapidly, as some threat actors consider a victim organization’s annual revenue when calculating the ransom request. Additionally, the US Treasury Department published an advisory highlighting the sanctions risks associated with ransomware payments related to malicious cyber-enabled activities; organizations should be aware that a payment to a sanctioned party may itself carry legal consequences.
Beginning in November 2019, Maze ransomware operators started stealing sensitive information before encrypting it, threatening to expose the stolen data if payment was not made. Other groups continue to use this tactic, meaning a ransomware incident also becomes a data breach, which may result in additional costs from regulators, notification obligations, and reputational harm.
Last week, we reported on the increase in distributed denial-of-service (DDoS) attacks. In the case of ransomware attacks, threat actors are adding DDoS attacks as a new tactic to increase pressure on the victim to pay the ransom. SunCrypt ransomware operators were responsible for DDoS attacks against a victim’s website in order to force negotiations, which ultimately resulted in the victim paying the ransom.
Threat actors using one or a combination of these tactics—denying access to encrypted files, stealing data, threatening a data breach, and taking further action with DDoS attacks—can increase the overall costs associated with ransomware attacks.
The NJCCIC recommends reducing the likelihood and impact of a ransomware incident by implementing a defense-in-depth cybersecurity strategy that includes applying the principle of least privilege, keeping operating systems and applications up to date, and enabling multi-factor authentication wherever it is available. We also advise establishing a cyber incident response plan and a comprehensive data backup plan that keeps multiple copies stored off the network in a separate and secure location, and that tests restoration regularly, since a backup that has never been restored provides no assurance that it will work when needed. We highly encourage the encryption of sensitive data at rest and in transit to reduce the value of any data threat actors manage to steal and the likelihood of its public exposure.
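The "tested regularly" part of the backup recommendation above is the one most often skipped. As an added example, not part of the NJCCIC advisory or any of the linked resources, the following Python script shows one way to make that test concrete: record a SHA-256 manifest of the protected data at backup time, then compare a restored copy against it and report files that are missing, altered, or unexpected (an encrypted or renamed file after a ransomware incident would show up as modified or extra). The directory layout, file names, and the damage applied to the restored copy are all constructed inside the script for demonstration.

```python
"""Backup restore verification: build a SHA-256 manifest of a source tree,
then check a restored copy against it.

Added example, not NJCCIC code.  All directory and file names below are
constructed for the demonstration and created in a temporary directory.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map each regular file (path relative to root, POSIX form) to its digest.

    Run this against the live data when the backup is taken and store the
    result with the off-network copy; it is the reference for every later test.
    """
    manifest: Dict[str, str] = {}
    for entry in sorted(root.rglob("*")):
        if entry.is_file():
            manifest[entry.relative_to(root).as_posix()] = sha256_file(entry)
    return manifest


def verify_restore(manifest: Dict[str, str], restored: Path) -> Dict[str, List[str]]:
    """Compare a restored tree against the manifest recorded at backup time.

    Returns three sorted lists: files in the manifest that are absent from the
    restore, files whose digest differs, and files present in the restore that
    the manifest never listed.
    """
    current = build_manifest(restored)
    missing = sorted(name for name in manifest if name not in current)
    modified = sorted(name for name in manifest
                      if name in current and current[name] != manifest[name])
    extra = sorted(name for name in current if name not in manifest)
    return {"missing": missing, "modified": modified, "extra": extra}


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: take a manifest, restore a copy, damage the copy,
    and return the verification report so the failures are visible."""
    work = Path(tempfile.mkdtemp(prefix="backup-demo-"))
    try:
        source = work / "source"
        (source / "finance").mkdir(parents=True)
        (source / "finance" / "ledger.csv").write_bytes(b"date,amount\n2020-10-01,100\n")
        (source / "readme.txt").write_bytes(b"company records\n")
        manifest = build_manifest(source)  # recorded at backup time

        # Simulated restore: a full copy, then three kinds of damage.
        restored = work / "restored"
        shutil.copytree(source, restored)
        (restored / "readme.txt").unlink()                                   # lost file
        (restored / "finance" / "ledger.csv").write_bytes(b"date,amount\n")  # truncated file
        (restored / "finance" / "ledger.csv.locked").write_bytes(b"\x00")    # unexpected file

        return verify_restore(manifest, restored)
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

In practice the manifest should be generated before the backup leaves the network and stored alongside the off-network copy, and the restore test should be run on an isolated host on a schedule; an empty report is the result worth recording, and a non-empty one is a finding to act on before an incident forces the question.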
The following resources can assist New Jersey businesses, organizations, and private citizens in safeguarding their networks and data:
NJCCIC Resources
Ransomware: Risk Mitigation Strategies
Ransomware Threat Profile
Mitigating the Risk of Malware Infections
Cybersecurity Best Practices
NJ Statewide Information Security Manual (SISM)
Other Resources
CISA & MS-ISAC Ransomware Guide
CIS Security Primer - Ransomware
CIS Security Primer – General Security Recommendations
CIS Want to Keep Your Data? Back It Up!
US-CERT Data Backup Options