Ransomware Deemed ‘National Security Threat’


Feds are taking aggressive action to curb record levels of extortion malware.

With ransomware attacks reaching record levels, the White House has officially classified the extortion malware as a national security threat — a move designed to unlock “all elements of national power” to disrupt malicious cyber activity. The official designation will allow increased collaboration between public- and private-sector organizations, including providing law enforcement officials with access to some of the military and intelligence community’s most powerful cyber tools.

In a 38-page document announcing the new strategy, White House officials said the administration is “committed to mounting disruption campaigns and other efforts that are so sustained, coordinated and targeted that they render ransomware no longer profitable.”

The more aggressive policy is meant to counter record numbers of attacks featuring much larger ransom demands and frequent use of double- and triple-extortion tactics. The NCC Group’s Global Threat Intelligence team reports that ransomware attacks reached an all-time monthly high in March of this year with 459 attacks — the most recorded in a single month since analysts began keeping records in 1989.

Average ransom demands are also rising, increasing 144 percent to $2.2 million. Threat actors are also changing their tactics. Instead of just encrypting data, they often exfiltrate data and threaten to release or sell the stolen information. In some cases, they also threaten to launch distributed denial-of-service (DDoS) attacks if the ransom isn’t paid.

A Cyber War
The increase in ransomware is likely linked to Russia’s ongoing war with Ukraine. The U.S. has provided nearly $80 billion in humanitarian and military aid to Ukraine since the war began. Intelligence analysts believe Russian hackers are using ransomware to retaliate.

The Russia-backed Clop ransomware gang has attacked approximately 200 public- and private-sector targets in the U.S. since the beginning of the year, including the Department of Energy, the Department of Agriculture, the Office of Personnel Management and the Department of Health and Human Services. Clop is considered among the most dangerous ransomware variants because it can disable Windows’ built-in security safeguards such as Windows Defender and Microsoft Security Essentials.

That activity seems modest compared to another group of Russian hackers, however. The LockBit ransomware-as-a-service (RaaS) gang is widely considered the world’s most active ransomware group. It is believed to have successfully extorted more than $90 million from roughly 1,700 attacks against U.S. organizations since 2020. In one recent attack, the gang published the data of about 9 million patients of Atlanta-based Managed Care of North America Dental after the company refused to pay a $10 million ransom demand.

Hive, another Russian RaaS group, was also very active before being taken down by the FBI in January. Authorities say the group attacked more than 1,400 organizations since 2021, raking in as much as $120 million in ransom payments. The group commonly targeted healthcare organizations, compromising patient safety and forcing hospitals to divert ambulances, cancel surgeries, postpone appointments and close urgent care units.

Preventive Measures
While an aggressive government campaign against ransomware is a welcomed development, it doesn’t relieve organizations and their users of the responsibility to implement strong security practices. The following preventive measures can help protect systems from crippling ransomware infections:

  • Implement an awareness and training program to ensure everyone in the organization understands the ransomware threat and how it is delivered.
  • Require multifactor authentication, which requires additional verification steps in addition to a password. This can prevent unauthorized access, even if malicious actors have a valid password.
  • Configure access controls for files, directories and network shares for least-privilege access. Users who don’t need write access to files should be granted read-only access.
  • Use spam filters to keep phishing emails out of users’ inboxes. It’s also a good idea to authenticate inbound email to detect email spoofing.
  • Scan emails to detect and block threats and malicious attachments.
  • Configure firewalls with strict outbound rules to prevent malware from contacting command-and-control servers.
  • Back up data regularly and verify the integrity of the backup data. Restoration processes should also be tested to ensure they work.
  • Isolate backup storage from production networks with segmentation to limit the lateral movement of ransomware within the network, reducing the risk of backups being compromised.
  • Patch applications, operating systems and device firmware. A centralized patch management system can help ensure that patches are applied promptly.
  • Set antivirus and anti-malware programs to scan regularly.
  • Disable the execution of macro scripts from Microsoft Office files sent via email. Office Viewer can be used to view files within email safely.
  • Disable Remote Desktop Protocol if it’s not being used.
  • Use application whitelisting and only allow permitted programs to execute.
  • Conduct annual penetration tests and vulnerability assessments.
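The backup items above (back up regularly, verify the integrity of the backup data, test restoration) are the ones most often done by hand, so here is an added example of how to automate them; it is not code from the original article. It builds a SHA-256 manifest of a backup set, checks a restored copy against that manifest, and flags backed-up files whose byte entropy is near the 8 bits/byte of encrypted data, which catches the case where ransomware-encrypted documents were themselves swept into the backup. The sample files and the 7.5 bits/byte cut-off are assumptions chosen for the demonstration.

```python
"""Backup integrity check: manifest, restore verification, and an encrypted-file heuristic.

Added example (not part of the original article). All file contents below are
constructed test data; the entropy cut-off is an assumed tuning value.
"""
import hashlib
import json
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

# Assumed cut-off: plain documents usually sit well below this; encrypted or
# compressed data approaches the 8.0 bits/byte maximum.
ENTROPY_THRESHOLD = 7.5


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty or single-valued input, 8.0 maximum)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_manifest(root: Path) -> dict:
    """Map each file (path relative to root, POSIX separators) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare a restored tree against the manifest; report changed and missing files."""
    mismatched, missing = [], []
    for rel, digest in manifest.items():
        p = restored_root / rel
        if not p.exists():
            missing.append(rel)
        elif sha256_file(p) != digest:
            mismatched.append(rel)
    return {"mismatched": mismatched, "missing": missing}


def suspicious_files(root: Path, threshold: float = ENTROPY_THRESHOLD) -> list:
    """Flag files whose leading bytes look encrypted (entropy above threshold).

    Files shorter than 256 bytes are skipped because the entropy estimate is too noisy.
    """
    flagged = []
    for p in sorted(root.rglob("*")):
        if p.is_file():
            sample = p.read_bytes()[:65536]
            if len(sample) >= 256 and shannon_entropy(sample) > threshold:
                flagged.append(p.relative_to(root).as_posix())
    return flagged


def demo() -> dict:
    """Constructed scenario: a backup set with one encrypted-looking file, and a restore
    in which one file was altered and one is missing."""
    with tempfile.TemporaryDirectory() as tmp:
        src, restore = Path(tmp) / "backup", Path(tmp) / "restored"
        (src / "docs").mkdir(parents=True)
        (src / "docs" / "report.txt").write_bytes(b"Quarterly report: revenue up 12%.\n" * 40)
        (src / "docs" / "notes.txt").write_bytes(b"meeting notes " * 50)
        # Constructed stand-in for a document encrypted before the backup ran:
        # deterministic pseudo-random bytes, so the demo is reproducible.
        (src / "docs" / "budget.xlsx.locked").write_bytes(random.Random(1).randbytes(4096))
        manifest = build_manifest(src)

        (restore / "docs").mkdir(parents=True)
        (restore / "docs" / "report.txt").write_bytes(b"Quarterly report: revenue up 12%.\n" * 40)
        (restore / "docs" / "notes.txt").write_bytes(b"meeting notes " * 49 + b"TAMPERED")
        result = verify_restore(manifest, restore)
        result["suspicious"] = suspicious_files(src)
        return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the manifest should be written alongside the backup and kept on the isolated backup network described in the segmentation item, so that an attacker who reaches production cannot rewrite both the data and the digests that vouch for it.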
