Vectra disclosed that cybercriminals’ most effective weapon in a ransomware attack is the network itself, which enables the malicious encryption of shared files on network servers, especially files stored in infrastructure-as-a-service (IaaS) cloud providers.
Attackers today can easily evade network perimeter security and perform internal reconnaissance to locate and encrypt shared network files. By encrypting files that are accessed by many business applications across the network, attackers achieve an economy of scale faster and far more damaging than encrypting files on individual devices.
According to the Vectra 2019 Spotlight Report on Ransomware, recent ransomware attacks cast a wider net to ensnare cloud, data center and enterprise infrastructures. Cybercriminals target organizations that are most likely to pay larger ransoms to regain access to files encrypted by ransomware. The cost of downtime due to operational paralysis, the inability to recover backed-up data, and reputational damage are particularly catastrophic for organizations that store their data in the cloud.
“The fallout from ransomware attacks against cloud service providers is far more devastating when the business systems of every cloud-hosted customer are encrypted,” said Chris Morales, head of security analytics at Vectra. “Today’s targeted ransomware attacks are an efficient, premeditated criminal threat with a rapid close and no middleman.”
Ransomware is a fast and easy attack with a bigger payout than stealing and selling credit cards or personally identifiable information (PII), both of which have perishable values as time passes after their theft. Factor-in cryptocurrency as the ransom payment – an anonymous, hard-to-trace currency – and it’s easy to see why cybercriminals like ransomware’s clean, no-fuss business model.
“Our research indicates that 53% of organizations say they have a ‘problematic shortage’ of cybersecurity skills today and the ramifications of it are very evident with fast-moving ransomware attacks,” said Jon Oltsik, senior principal analyst at the Enterprise Strategy Group. “The industry simply doesn’t have enough trained security folks scanning systems, threat hunting or responding to incidents. This Spotlight Report offers important insights into the weaponization, the shift from opportunistic to targeted attacks, and the industries targeted by ransomware that can help organizations be better prepared.”
Artificial intelligence can detect subtle indicators of ransomware behaviors and enable organizations to prevent widespread damage. When organizations recognize these malicious behaviors early in the attack lifecycle, they can limit the number of files encrypted by ransomware, stop the attack from propagating, and prevent a disastrous business outage.
The 2019 Spotlight Report on Ransomware is based on observations and data from the 2019 Black Hat Edition of the Attacker Behavior Industry Report, which reveals behaviors and trends in networks from a sample of over 350 opt-in Vectra customers. The Attacker Behavior Industry Report provides statistical data on the behaviors motivated attackers use to blend in with existing network traffic behaviors and mask their malicious actions.
From January – June 2019, the Vectra Cognito threat-detection and response platform monitored enriched metadata collected from network traffic between more than four million workloads and devices in customer clouds, data centers and enterprise environments. The analysis of this metadata provides a better understanding about attacker behaviors and trends as well as business risks, enabling Vectra customers to avoid disastrous data breaches.
The Cognito platform accelerates network detection and response using sophisticated AI to collect, enrich and store network metadata with the right context to detect, hunt and investigate hidden threats in real time. The Cognito platform scales efficiently to the largest organizations’ networks with a distributed architecture using a mix of cloud, virtual and physical sensors that provide 360-degree visibility across cloud, data center, and user and IoT networks, leaving attackers with nowhere to hide.