For more than two months, a new set of vulnerabilities in on-premises versions of Microsoft Exchange Servers and other applications has been extensively exploited. Some of the critical vulnerabilities were initially linked to a Chinese state-sponsored actor, has now been adapted for a variety of criminal.
Key Takeaway 1: Ransomware gangs are not only developing new variants of ransomware, but they are also selling Ransomware as a service (RaaS).
New variants of ransomware can encrypt critical and essential workloads but at the same time those are advanced enough to
- Identify other Data backups
- Evade from End Point Security solutions
- Conduct Data Exfiltration
- Evade from Sandboxing tools
- Delete the backups
Distribution
Ransomware gangs are experimental in terms of using novel “hybrid” methods for encryption, additionally capable to create an encrypted copy of the targeted file with the help of a technique known as ‘copy’ encryption, later it overwrites the original file to prevent recovery, a technique is known as ‘in-place encryption‘, in which recovery using undelete tools is nearly impossible.
Key Takeaway 2: Techniques such as ‘copy encryption’ and ‘in-place encryption’ are being used by various threat groups that enable the encrypted file to be stored on the same logical sectors as the original document, making recovery nearly impossible.
Most ransomware attacks are motivated by financial gain and mainly human-operated. Ransomware gangs are largely making business data and services unavailable in corporate environments such as businesses, government institutions, the critical information sector, healthcare, and small-medium enterprise. The creators of ransomware are putting in the time and effort to create a targeted spear-phishing bait and expect a large payment. In some situations, even paying the ransom is insufficient to re-establish a company’s access to sensitive or important data and services.
Key Takeaway 3: Paying the ransom seems like the quickest and easiest way to mitigate the problem, especially if there are no other means of recovery but it is not the solution. Sometimes, organizations do not get their critical data/files back even after paying the ransom. “Prevention, Prevention, and Prevention” is the best solution.
Ransomware gangs are mainly trying to follow delivery methods to target victims such as:
Attackers can exploit known vulnerabilities to gain access and deliver payloads for infection. It can deliver the malware via Social Engineering, Free / Cracked /Pirated software, Phishing emails, and other sources like malicious web links & documents, fake applications & plugins. Ransomware is often spread through drive-by downloading, which occurs when a user unknowingly visits an infected website, and then malware is downloaded and installed without the user’s knowledge.
Impact Map
Attackers are regularly identifying zero-day vulnerabilities to infiltrate Exchange Mail Servers. Talking about impact; Ransomware assaults have affected over 230,000 systems worldwide, resulting in a significant financial effect. It is believed that this cybercrime cost the world $4 billion. Ransomware campaigns are getting successful as victims may consider a ransom of a few hundred dollars to be a reasonable amount to pay to recover access to data, particularly those of sentimental significance.
Ryuk
DearCry
However, threat actors are increasingly targeting companies with ransomware to extract higher costs from victims. The threat of ransomware is growing in every industry, government, CII- critical information infrastructure and healthcare. It is not just potentially a life-or-death situation if their networks are down, but they also tend to run on older operating systems/ services that are highly vulnerable to other malicious attacks which could cause even more severe disruptions and financial loss.