Cyber Defense Advisors

A glimmer of good news on the ransomware front, as encryption rates plummet

No-one would be bold enough to say that the ransomware problem is receding, but a newly published report by Microsoft does deliver a sliver of encouraging news amongst the gloom.

And boy do we need some good news – amid reports that 389 US-based healthcare institutions were hit by ransomware last year – more than one every single day. 

The 114-page Microsoft Digital Defense Report (MDDR) looks at multiple aspects of the cybersecurity landscape, including AI security, denial-of-service attacks, phishing, social engineering, and nation-state threats.

But for me one of the most positive findings in the report is that the share of ransomware attacks that reach the encryption stage has fallen roughly threefold (a drop of about two-thirds) in the past two years.

According to Microsoft’s research team, this dramatic drop can be attributed to advancements in attack disruption technologies, which can neutralise the impact of a ransomware attack before it can inflict maximum damage. 

Of course, if a ransomware attack which attempts to encrypt a company’s data is more likely to trigger security measures, there’s an obvious step that cybercriminals can take: stop encrypting data. 

With encryption payloads becoming less reliable and more counter-productive, ransomware gangs are increasingly focusing their efforts on data theft and extortion. 

As many businesses have discovered, such a tactic can be just as costly as having encrypted servers: it harms a company's brand and reputation, and brings financial losses through lost business and regulatory penalties.

As a consequence, companies would be wise to continue to ask themselves how they might be hacked by a ransomware group. 

According to the report, in 92% of ransomware incidents where a ransom was successfully extorted from a corporate victim, the attackers had exploited unmanaged devices within the victim’s network to gain access. 

Clearly, organisations would be sensible to either exclude unmanaged devices from their network, or enroll them into management. 
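Before either excluding or enrolling unmanaged devices, you need to know which ones are in use. The script below is an added example, not code from Microsoft's report or from the article: it reconciles a sign-in export against an MDM inventory and lists every device that successfully authenticated without being under management. The CSV layout, the field names, the device IDs and the sample records are all constructed assumptions; swap in your own identity-provider export and MDM device list.

```python
"""Reconcile sign-in records against an MDM inventory to find unmanaged devices.

Added example (not from Microsoft's report or the article). The input formats
and field names are assumptions; the sample records below are constructed.
"""
import csv
import io
from collections import defaultdict

# Constructed MDM inventory: device IDs the management platform knows about.
MANAGED_DEVICE_IDS = {
    "d-1001",  # alice-laptop
    "d-1002",  # bob-laptop
    "d-1003",  # finance-wks-07
}

# Constructed sign-in export. An empty device_id means the session presented
# no registered device identity (e.g. a personal browser session).
SIGNIN_CSV = """timestamp,user,device_id,hostname,result
2024-10-01T08:02:11Z,alice,d-1001,ALICE-LAPTOP,success
2024-10-01T08:05:43Z,bob,d-1002,bob-laptop,success
2024-10-01T09:17:02Z,carol,,,success
2024-10-01T09:20:55Z,dave,d-2001,DAVES-HOME-PC,success
2024-10-01T09:21:30Z,dave,d-2001,daves-home-pc,success
2024-10-01T10:44:09Z,erin,d-3001,contractor-vm,failure
2024-10-01T11:03:27Z,frank,d-1003,FINANCE-WKS-07,success
"""


def parse_signins(text):
    """Parse the CSV export into a list of dicts with normalised fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "timestamp": row["timestamp"],
            "user": row["user"],
            "device_id": row["device_id"].strip(),
            "hostname": row["hostname"].strip().lower(),
            "result": row["result"].strip().lower(),
        })
    return rows


def find_unmanaged_signins(rows, managed_ids):
    """Return successful sign-ins whose device is not in the MDM inventory.

    Results are grouped per device so each unmanaged device appears once with
    the users seen on it and a hit count. Sessions with no device_id are
    grouped under the key 'unregistered' rather than silently skipped: an
    unregistered session is by definition unmanaged.
    """
    hits = defaultdict(lambda: {"users": set(), "hostnames": set(), "count": 0})
    for r in rows:
        if r["result"] != "success":
            continue  # failed attempts never reached a resource
        if r["device_id"] in managed_ids:
            continue  # managed device, nothing to report
        key = r["device_id"] or "unregistered"
        entry = hits[key]
        entry["users"].add(r["user"])
        if r["hostname"]:
            entry["hostnames"].add(r["hostname"])
        entry["count"] += 1
    # Freeze sets into sorted lists so the output is deterministic.
    return {
        k: {"users": sorted(v["users"]), "hostnames": sorted(v["hostnames"]), "count": v["count"]}
        for k, v in hits.items()
    }


def report(hits):
    """Render one line per unmanaged device, sorted by device key."""
    lines = []
    for key in sorted(hits):
        v = hits[key]
        hosts = ",".join(v["hostnames"]) or "-"
        lines.append(f"{key}: {v['count']} sign-in(s), users={','.join(v['users'])}, hosts={hosts}")
    return lines


if __name__ == "__main__":
    for line in report(find_unmanaged_signins(parse_signins(SIGNIN_CSV), MANAGED_DEVICE_IDS)):
        print(line)
```

On the constructed data this flags two things: Dave's home PC (a registered device ID that the MDM has never seen) and Carol's session with no device identity at all. The second case is the one such reconciliations most often miss, and it is exactly the kind of access a device-compliance requirement at the identity provider would block outright.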

“The most prevalent initial access techniques continue to be social engineering – specifically email phishing, SMS phishing, and voice phishing – but also identity compromise and exploiting vulnerabilities in public-facing applications or unpatched operating systems,” said Microsoft corporate vice president of customer security & trust, Tom Burt. 

Worryingly, the research claims that nation-states such as Russia, Iran, and North Korea are working more closely with hacking gangs than ever before, whether to gather intelligence, cause political disruption, or secure funds to support the country's economic or military ambitions. 

Examples cited include an Israeli dating site hacked by an Iranian-linked group that threatened to release personal information, Russian criminals breaching devices used by Ukraine's military, Iran's apparent hack of Donald Trump's presidential campaign, and a Chinese-backed disinformation campaign designed to meddle with US congressional races. 

According to Burt, some countries have turned a blind eye to cybercriminal gangs operating within their borders as long as attacks are focused on victims based in foreign states – exacerbating the problem for all internet users. 

According to Microsoft, the key ransomware gangs are names very familiar to readers of Tripwire’s State of Security blog:  

Akira (responsible for 17% of attacks)
LockBit (15% of attacks)
Play, BlackCat/ALPHV, Black Basta (each responsible for 6-7% of attacks)

Here are 30 ransomware prevention tips that can help prevent a ransomware infection from succeeding in your organisation.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of Tripwire.