Companies that produce manufactured goods were the biggest targets of ransomware attacks in the first half of the year, according to a new report from a Canadian-based international managed services provider.
In the report issued this week, the Herjavec Group said 39 per cent of the victims listed on data-leak websites of ransomware groups in the first two quarters of the year broadly fell into the manufactured goods category.
That was double the number of technology firms and technology service providers (18 per cent) that were listed. The third biggest were public sector and legal services organizations (16 per cent), followed by firms in finance (11 per cent), healthcare (six per cent) and education (four per cent).
The bulk of the report deals with short profiles of the most common ransomware variants: Conti, REvil, Avaddon, Cl0P, Darkside, Doppelpaymer, Babuk and Netwalker.
In an interview, Adam Crawford, Herjavec’s senior vice-president for managed services, said CISOs should be aware that attacks from two of the most common ransomware groups, Conti and REvil (also called Sodinokibi by some researchers), are now run by someone at a keyboard rather than by automation. That makes them a bigger challenge for defenders.
Many of the ransomware variants share code similarities and tactics, techniques, and procedures (TTPs) related to older variants observed in 2020 and earlier, the report notes.
For example, Wizard Spider’s Conti contains many code similarities to its predecessor, Ryuk. However, criminal developers continue to innovate, including encrypting on multiple threads to achieve a faster target takedown time.
Another recently observed trend is the use of domain generation algorithms for command and control communications and common cloud platforms such as Rclone for data exfiltration.
Ways to reduce risk
The report also includes a list of ways CISOs can lower the risk of their organizations being victimized by ransomware.
One is to deploy a Microsoft Group Policy to restrict software’s ability to run from Windows %appdata% and temp folders. These are generally used by malware because all users have the ability to write to these locations predictably, the report says, and permission cannot be restricted without affecting system function. However, it adds, there are few reasons why software should install or have to run from these directories.
“If the malware can’t run,” the report reads, “it can’t do any harm.”
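As an added illustration (not code from the Herjavec report), one way to implement that recommendation locally is with Software Restriction Policy path rules; Group Policy writes the same registry keys under HKLM when the policy is deployed centrally. It assumes an elevated PowerShell session on a machine whose SRP is not already managed by a domain GPO.

```powershell
# Added example (not from the Herjavec report): create local Software Restriction Policy
# path rules that disallow executables launched from %APPDATA%, %LOCALAPPDATA% and temp
# folders. Assumption: run elevated, and no domain GPO already owns these keys.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$disallowed = "$base\0\Paths"   # level 0 = Disallowed; 262144 (0x40000) is Unrestricted

# Core SRP settings: default level Unrestricted, apply to all users, skip DLLs (TransparentEnabled=1)
New-Item -Path $base -Force | Out-Null
New-ItemProperty -Path $base -Name DefaultLevel -Value 0x40000 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path $base -Name TransparentEnabled -Value 1 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path $base -Name PolicyScope -Value 0 -PropertyType DWord -Force | Out-Null

# User-writable staging directories named in the report; '*\*.exe' also covers one level of subfolder
$rules = @(
    '%APPDATA%\*.exe',        '%APPDATA%\*\*.exe',
    '%LOCALAPPDATA%\*.exe',   '%LOCALAPPDATA%\*\*.exe',
    '%TEMP%\*.exe',           '%TEMP%\*\*.exe',
    '%WINDIR%\Temp\*.exe'
)

foreach ($pattern in $rules) {
    # Each rule lives in its own GUID-named subkey with the path in ItemData and SaferFlags = 0
    $key = Join-Path $disallowed ('{' + [guid]::NewGuid().ToString().ToUpper() + '}')
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name ItemData -Value $pattern -PropertyType ExpandString -Force | Out-Null
    New-ItemProperty -Path $key -Name SaferFlags -Value 0 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $key -Name Description -Value 'Block execution from user-writable staging dirs' -PropertyType String -Force | Out-Null
    New-ItemProperty -Path $key -Name LastModified -Value ([DateTime]::UtcNow.ToFileTimeUtc()) -PropertyType QWord -Force | Out-Null
}

# Verify what is now on disk: one line per disallowed path pattern
Get-ChildItem $disallowed | ForEach-Object { (Get-ItemProperty $_.PSPath).ItemData }
```

The rules take effect after `gpupdate /force` or the next logon; any legitimate updater that lives under %APPDATA% (several browsers and chat clients do) needs a matching rule under the Unrestricted level (`262144\Paths`) or it will be blocked too.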
Another recommendation is to restrict web browsing and email use by privileged users such as administrators, who are the main targets of attackers. These staff should have separate accounts for administration and day-to-day computing.
Asked what organizations could be doing better to reduce the risk of being victimized by ransomware, Crawford listed three things:
- Understand what their critical data assets are and protect them. Not every asset can be treated the same way.
- Ensure backups are and can’t be encrypted by an attacker.
- Have a good business continuity plan that can be implemented quickly.