Ransomware attacks can impact any type of organization in virtually any sector, but some industries have proven to be more tempting targets for cyber criminals. In a report released Wednesday, August 24, security provider Barracuda discusses which types of companies have been in the crosshairs of ransomware and offers advice on how to combat these attacks.
The number of ransomware threats detected by Barracuda jumped between January and June of 2022 to more than 1.2 million per month. The volume of actual ransomware attacks increased in January but then began to slow down in May.
Zeroing in on 106 highly publicized attacks, Barracuda researchers discovered five industries as the main victims: education targeted in 15% of the attacks, municipalities in 12%, healthcare in 12%, infrastructure in 8% and financial in 6%.
Targeted industries face rises in ransomware incidents
During the past 12 months, attacks against municipalities rose slightly, but those against educational institutions more than doubled, while attacks against healthcare and financial companies tripled. Over the same time, attacks against critical infrastructure have quadrupled, a sign that cyber criminal gangs and hostile nation-states are looking to cause as much collateral damage as possible beyond the impact to the initial victim.
In addition to the five most targeted industries, other sectors have borne their share of ransomware attacks. Service providers accounted for 14% of the attacks analyzed by Barracuda. Offering IT assistance and other kinds of business services, these organizations are targets because of the access they hold to customers and clients, all of whom can be impacted in a ransomware attack.
Ransomware incidents against automobile companies, hospitality firms, media firms, retail companies, software providers and technology organizations also increased over the past 12 months.
Ransomware in action
To illustrate how ransomware often works, Barracuda’s report highlighted attacks against three different companies.
In an incident from August 2021, attackers from the BlackMatter ransomware group sent an organization a phishing email designed to compromise employee accounts. Gaining network access, the criminals were able to scan and move laterally within the network, installing hacking tools and stealing sensitive data.
Upon receiving a ransom demand in September 2021, the company contacted its managed service provider, which reached out to Barracuda for help. After the infected systems were isolated and passwords reset, the encrypted systems were reimaged from backup. The business was able to negotiate the ransom down to half the original demand, but the attackers still leaked the stolen data.
In an incident from October 2021, the Karakurt Data Extortion Group launched a brute force attack on the VPN login page of an organization. The attack helped the cyber criminals compromise several domain controllers and use RDP to access the compromised systems. The following month, the attackers started to modify the firewall rules.
After the ransom demand arrived in January of 2022, Barracuda found and blocked the indicators of compromise (IOCs), reset the victimized account, and created dedicated security information and event management (SIEM) rules. Still, the stolen data was leaked online in February.
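An added example, not code from Barracuda's report, of the kind of detection rule the brute-force stage of this incident calls for: a Python check that flags a source address with a burst of failed VPN logins inside a sliding window, and any successful login from that source afterwards, which is the sign a guessed password landed. The log format, usernames and addresses are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed sample log in a simplified VPN portal format (not a real vendor format).
SAMPLE_LOG = """\
2021-10-03T02:14:01Z vpn-portal auth=FAILED user=jsmith src=203.0.113.7
2021-10-03T02:14:03Z vpn-portal auth=FAILED user=jsmith src=203.0.113.7
2021-10-03T02:14:05Z vpn-portal auth=FAILED user=mlee src=203.0.113.7
2021-10-03T02:14:08Z vpn-portal auth=FAILED user=admin src=203.0.113.7
2021-10-03T02:14:11Z vpn-portal auth=FAILED user=svc-backup src=203.0.113.7
2021-10-03T02:14:20Z vpn-portal auth=SUCCESS user=svc-backup src=203.0.113.7
2021-10-03T02:30:00Z vpn-portal auth=FAILED user=kchen src=198.51.100.24
2021-10-03T02:31:00Z vpn-portal auth=SUCCESS user=kchen src=198.51.100.24
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn-portal auth=(?P<result>FAILED|SUCCESS) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None  # unrelated log line, skip it
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["result"], m["user"], m["src"]

def detect_vpn_bruteforce(log_text, threshold=5, window_seconds=60):
    """Flag a source with >= threshold failures inside a sliding window, and any
    SUCCESS from that source afterwards (the sign a password guess landed)."""
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(deque)  # src -> timestamps of failures still in window
    bursting, alerts = set(), []   # sources already flagged, and the findings
    for line in log_text.splitlines():
        parsed = parse(line)
        if parsed is None:
            continue
        ts, result, user, src = parsed
        q = failures[src]
        while q and ts - q[0] > window:  # expire failures older than the window
            q.popleft()
        if result == "FAILED":
            q.append(ts)
            if len(q) >= threshold and src not in bursting:
                bursting.add(src)
                alerts.append(("brute_force", src, None))
        elif src in bursting:
            alerts.append(("success_after_burst", src, user))
    return alerts
```

The second alert type is the one worth paging on: a password-spray source that suddenly authenticates is a live account compromise, not just noise.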
And in another incident, attackers from the LockBit cybercrime group were able to use stolen credentials to sign into the VPN login page of a company that did not have MFA in place. Using malicious PowerShell scripts and installing system-level DLLs (dynamic link libraries), the cyber criminals stole more credentials and accessed key passwords.
The attackers also compromised a PC running Windows 7, which Microsoft no longer supports with security updates. After receiving the ransom demand, the company reached out for help, leading to the quarantine of suspicious files and a rebuild of Active Directory.
Barracuda offers tips to combat ransomware attacks
The three incidents cited in the report shared certain commonalities. The attacks were carried out over the course of several months rather than just a week or a single day. VPNs are always a popular target, as they can easily lead attackers to critical network assets, and credentials were stolen through phishing attacks or purchased on the dark web.
Email account credentials that link with Microsoft 365 for a single sign-on are convenient, but if compromised, they can open the floodgates to a corporate network.
To help organizations combat these types of ransomware attacks, Barracuda offers several tips.
- Disable Macros: To prevent certain types of malware, disable macro scripts from Microsoft Office files sent by email.
- Segment Your Network: Ensuring your network is segmented will lessen the spread of ransomware and prevent attacks from moving laterally.
- Get Rid of Unused or Unauthorized Applications: Review and remove any unauthorized software that could be used for compromise, paying special attention to remote desktop and remote monitoring programs.
- Enhance Web Application and API Protection Services: To defend your web applications from hackers and malicious bots, make sure to enable the right protection services, including those that guard against distributed denial-of-service (DDoS) attacks.
- Review Credentials and Access Control Used for Backups: The account credentials for offline and cloud-based backups should be different from those for normal systems.
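An added example of how the first tip can be enforced at an email gateway, not code from Barracuda: a Python classifier that flags Office attachments carrying a VBA project, either by the presence of a vbaProject.bin part or by a macro-enabled content type, and separately flags legacy binary (OLE) documents, which need a dedicated VBA parser. The sample documents are constructed in memory and are not complete Office files.

```python
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls/.ppt container

def classify_office_attachment(data):
    """Return 'ooxml_macro', 'ooxml_clean', 'legacy_ole' or 'not_office'."""
    if data.startswith(OLE_MAGIC):
        return "legacy_ole"  # binary formats can embed VBA; hand to a VBA parser
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "not_office"
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        if "[Content_Types].xml" not in names:
            return "not_office"  # a zip, but not an Open XML package
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return "ooxml_macro"  # word/, xl/ or ppt/ VBA project part present
        if b"macroenabled" in z.read("[Content_Types].xml").lower():
            return "ooxml_macro"  # .docm/.xlsm/.pptm content type declared
    return "ooxml_clean"

def build_sample(macro):
    """Construct a minimal Open XML-style package (not a full valid document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   '<Types><Default Extension="xml" ContentType="application/xml"/></Types>')
        z.writestr("word/document.xml", "<w:document/>")
        if macro:
            z.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()
```

A gateway would quarantine or strip anything classified as ooxml_macro or legacy_ole rather than relying on the recipient's Office settings alone.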