
Increased monetization means more ransomware attacks: Why paying ransoms leads to more incidents



Cybercriminals will monetize access to your network however they can, depending on their skills and resources. Among the techniques for turning your network into illicit gains, the easiest is to deploy a cryptomining botnet. But as the cybercriminal digs deeper into your network, they will try to develop an attack that can be more lucrative for them and more damaging for the victim, such as a ransomware attack. If they are not able to develop such an attack themselves, then the access can be sold to another APT group that does have the skills and resources to do so.




Increased monetization means more ransomware attacks



Consultants attribute this trend to organizations improving their detection programs, as well as changes in attacker behaviors such as the continued rise in disruptive attacks (e.g. ransomware and cryptocurrency miners) which often have shorter dwell times than other attack types.


The successful monetization of ransomware attacks and the availability of ransomware as a service have contributed to an increase in overall ransomware cases. Established cybercrime groups that historically targeted personal and credit card information have also been increasingly turning to ransomware as a secondary means of generating revenue.


Given the ease with which ransomware attacks can be carried out and their continued financial success for attackers, it is expected that ransomware will continue to be used as a secondary means for monetizing access to victim environments.


Lesson 3: The CrowdStrike eCrime Index (ECX) helps track eCrime monetization. The ECX is based on a range of cybercrime data such as ransomware victims, big game hunting data leaks, attack activities and cryptocurrency rates, all weighted by impact. The ECX is useful to better understand the broader trends of the eCrime ecosystem, and these can be a factor in determining threat activity.


Ransomware continues to garner headlines. However, this particular blight appears to be abating. Since 2015, the number of ransomware families and variants has decreased by about 50 percent. For organizations fighting this threat, this means that ransomware is no longer the in-vogue malware.


At the height of ransomware attacks in 2015, anyone who was in the business of creating malware seemed to be creating their own ransomware strain. Ransomware was seemingly easy money for cybercriminals, and everyone was jumping on the bandwagon. However, a groundswell response from the security community stemmed the flow of payouts. Ransomware that was either poorly coded or had a flaw in the encryption implementation was quickly defeated with free utilities that either stopped the initial attack or allowed affected users to retrieve their files without paying the ransom. This created a wholesale market shift in the cybercriminal underground that has largely wiped out ransomware as the top threat for monetization.


These complex, low-and-slow attacks, which seek to infiltrate as much of the targeted network as possible before detonating the ransomware payload, mean the task of successfully defending against a RansomOps attack has never been more challenging, and the stakes for organizations are high...


Not only has the frequency of ransomware attacks nearly doubled (93 percent) during 2021 compared to the year prior, according to a cybersecurity report published by Check Point, but the dollar amount that cybercriminals are extorting is also on the rise.


To fight back against the growing threat of ransomware, BitSight suggests incorporating leading indicators of ransomware into your vendor risk management workflows via integrators, taking a prioritized view to help your team focus on and mitigate the highest cyber risks, and working with your vendors to create mutual accountability, which can translate into a more holistic resilience against risks such as ransomware.


Ransomware actors have been a persistent threat for years, but they are still evolving. The wide adoption of advanced cybersecurity technologies and improved ransomware response processes has limited the success of traditional ransomware attacks. Upgraded security has forced these cybercriminals to evolve their strategies, and has paved the way for what we now call modern ransomware attacks.


When ransomware actors used automated tools, the ransom amount was either fixed or set by the attacker during negotiation with the victim. In more modern attacks, the actor has a substantial amount of information about the victim, allowing for more tailored ransom pricing.


The whole attack chain often involves two or more groups who are responsible for the different attack stages. The attack typically involves the actor who owns the ransomware, and another actor who controls the compromised infrastructure and distributes malware over a network. Since it is normal for this market to have a ransom for big organizations in the seven-digit range, attackers may be able to afford more expensive tools like zero-day local privilege escalation (LPE) and remote code execution (RCE) exploits.


This shift means deep victim profiling has been performed before an attack is initiated, followed by a collaboration among multiple groups who are sharing accesses and using optimized monetization strategies.


As the resurgence of COVID-19 cases stretches hospital capacity to the limit, it provides a fresh reminder of just how critical it is for our healthcare infrastructure to be resilient in times of crisis. With the sharp uptick in ransomware attacks on healthcare organizations during the pandemic, and the first death attributed to a ransomware attack in 2020, it is clear that malicious actors are capable of compromising mission-critical healthcare infrastructure, from the automated refrigerators that store blood products for surgeries to the CT scans that are vital for triaging trauma patients.


Although we know attackers that leverage ransomware are motivated by profit, the underlying reasons they have attacked specific organizations or industries are not as straightforward. Some attackers might very well be targeting specific industries with ransomware attacks. Other attackers might simply be leveraging their capabilities; i.e., they have developed the capability to exploit specific vulnerabilities in specific platforms or specific line-of-business applications that happen to be primarily used in, or get heavy use by, specific industries.


The infection rate is typically a fraction of the encounter rate (ER) because systems have to encounter malware before they can get infected. Data in several volumes of the Security Intelligence Report suggests that 70 percent to 80 percent of systems that run the MSRT also run up-to-date real-time antivirus. This means most systems will be able to block the installation of known commodity ransomware before they can become infected. Thus ER is typically much greater than the actual infection rate.


The ER data I outlined above suggests that ransomware represents a risk that has been lower probability relative to other types of malware in most parts of the world. But the rapid evolution of ransomware suggests that these numbers could rise in the future. Email (spam, spear-phishing, etc.), social engineering using Word and Excel macros, drive-by download attacks, and removable storage devices (USB drives) are among the most common ways attackers have distributed ransomware. This has been evolving rapidly.


When comparing these figures, notice how the ER for ransomware increased between the first and second halves of 2015, surpassing the ER of Password Stealers & Monitoring Tools. Also notice that the ER for ransomware on domain-joined systems surpassed that of non-domain-joined systems.


Once attackers have access to data (.pdf, .xlsx, .docx, etc.) they believe is valuable to the victim organization, they encrypt it. As ransomware has been evolving, more of this malware has been employing correctly implemented strong encryption algorithms (the Advanced Encryption Standard (AES), for example) that prevent recovery without a valid decryption key or restoring the original files from backup. Without backups, the impact of this type of attack on a business could be severe; the loss of intellectual property, customer data, and financial records could have irreversible consequences for a business.


Detection for Samas was added to the MSRT in April 2016. The infection rate (CCM) for Samas is virtually zero, as it has only been seen in targeted attacks rather than in broad attacks as commodity ransomware.


The year-over-year change could stem from a perception in the traditional sports world that esports assets and their marketplace are more complex, technical, and nuanced than previously assumed. While pathways to monetization and a large, dedicated user base exist for esports, perhaps traditional sports leagues expected more commonalities with their business models leading to a quick and lucrative turnaround on investments. And, in many cases, such turnarounds have not happened.


In regard to potential challenges facing the franchise league model, friction remains as to how the industry should be structured. The ubiquity of the franchising model in the more established and stable (in the sense of longevity and in that no one company owns the intellectual property of the game itself) traditional sporting world makes highly structured leagues and teams a familiar and attractive option for prospective owners and advertisers, as does the opportunity for more effective monetization via sponsorship and media coverage. But some respondents may expect pushback from competing frameworks and models, including revenue-share. Moreover, many teams will not want to geolocate within a specific city, especially if their audience is primarily global.

