Number of attacks increasing
VPN software provider Atlas VPN has released a report on the most significant ransomware statistics from the past year.
The report showed more evidence confirming two trends we have been reporting on. Ransomware attacks are increasing; the number of attacks has doubled since 2021 to almost 600 million. The second trend is that exfiltration, the theft of data, has become as important as the attack itself, or perhaps more important. Over 30 terabytes of data were stolen by ransomware cybercriminals.
This is consistent with other data that we have reported on in past installments of This Week In Ransomware. We have previously reported stats from HPE’s Unit 42 showing the average ransomware demand increased by 144 per cent, and that there had been an 85 per cent increase in the number of victims that had data posted on so-called “leak sites.”
The Atlas VPN report also confirmed a chilling stat, that “over 70 per cent of organizations had suffered two or more attacks in the past 12 months.”
This number raises some important questions. We’d like to see how many of those who experienced more than one attack had actually paid the ransom. Does paying a ransom encourage attackers? Is it that attackers leave “back doors” or other remnants that make a second attack possible? Or does the publication of an attack make the company a target for other groups? The answers to these questions will affect strategies for dealing with, and hopefully preventing, attacks.
The number of ransomware variants is increasing
FortiGuard Labs, part of security company Fortinet, has released its semi-annual Global Threat Landscape Report.
The report noted that there has been a stunning increase in the number of ransomware variants. It reported that FortiGuard Labs had seen 10,666 ransomware variants, compared with 5,400 in the previous six-month period – almost 100 per cent growth in six months.
One example noted was the growth in the number of wiper malware variants, with at least seven new variants appearing in the first half of 2022. Wiper malware is a disk-erasure threat, often used against government, military, and private organizations in the war on Ukraine. But as with other types of malware, it inevitably spreads, and according to FortiGuard, it has been detected in 24 countries besides Ukraine.
The attack surface grows
The same FortiGuard report noted that Work from Anywhere (WFA) employees and Operational Technology (OT) both represent attractive targets and are part of a growing attack surface.
TWIR has reported earlier on the surprising lack of regard that many employees are showing for appropriate caution, with a majority regarding security as an impediment, and almost one third admitting that they had attempted to bypass security at one point or another.
OT adds more to the attack surface, once again not necessarily from technical aspects, but rather from the human factor. The report notes that “while OT security has the attention of organizational leaders, it continues to be owned by relatively low-ranking professionals.”
The report claims that only 15 per cent of those surveyed said that the chief information security officer (CISO) is responsible for OT security in their company. OT is more often dealt with by manager- and director-level employees in plant operations and other roles. Given the way in which ransomware groups are attacking infrastructure and other OT-related targets, the need for security expertise and attention is critical.
Mistaken identity avoids disaster in OT attack?
As if to highlight the point on the vulnerability of OT systems, the Clop ransomware gang reported on their dark web site that they had compromised a U.K. water supplier.
The gang claimed that they had attacked the Thames Water system, the United Kingdom’s largest water supplier, which serves over 15 million customers in Greater London and the surrounding area. They had actually attacked South Staffs Water and Cambridge Water, which provide water to about 1.6 million consumers daily.
South Staffs confirmed that it was the victim of a cyberattack, but fortunately the attack did not affect the water supply due to what the company says was a quick reaction by its staff.
But was ‘shut down’ the aim of the ransomware attackers? South Staffs acknowledged that the attackers stole customer data and other key information, which was published when ransom negotiations broke down. That data not only included identity-related items such as names, passwords and emails, but even extended to driver’s licences and passport information. It also, according to reports on Threat Post, included screenshots from water-treatment SCADA systems, data which might very well aid those who are seeking to attack these systems.
TWIR was alerted to this by a publicist for Sectigo, an SSL certificate provider. Its CSO and CISO advisor, David Mahdi, in a recent article in Cyber Defence Magazine, noted how important data has become in ransomware attacks, stating that “ransomware is a data-centric threat; that is, ransomware preys on corporate data. Cunning and successful ransomware attacks hijack user access with an aim to encrypt sensitive files, and steal data. So, if ransomware is all about the data and the hijacking of user access to get to the data, then the more data a user can access, the more attractive target the user is for the attacker.”