
The Rise of Ransomware in 2023: A Surge in Cyber Extortion

Mikhail, Hacker Ops

Ransomware attacks have witnessed a significant increase in recent months. After a decrease in 2022, the first six months of 2023 saw victims globally pay ransomware groups $449.1 million, according to data from the cryptocurrency tracing firm Chainalysis. 

Mikhail joined Hadrian as a HackOps Engineer in February 2022. Day-to-day, he deploys the modules and writes code for the hacking team, and he enjoys collaborating with them because of his interest in digital security. His work is fueled by the hacker's perspective: he examines how threat actors might try to break his own code. Mikhail is also part of the internal security group, which works to ensure that Hadrian itself does not introduce security vulnerabilities.

There has been an increase in ransomware victims due to the use of zero-day and one-day vulnerabilities. Can you explain what these vulnerabilities are and how they contribute to the rise in ransomware attacks?

"Yes, the zero and one-day vulnerabilities are areas of concern. These are issues that the developers of mostly open-source software, or software in general, do not yet know about and have not yet had time to mitigate. These are fresh vulnerabilities that are not yet patched, and no one is really protected. While there are some solutions that attempt to protect against zero and one-day vulnerabilities, they rarely work, as the threats are usually completely new and unknown."

"The reason for the prevalence of ransomware in general is quite simple. In the past, we've seen that hackers would steal data or infiltrate systems, adding them to botnets. While these practices still occur, they were not as profitable." 

"Ransomware has become one of the more effective ways of extracting money from organizations if you manage to hack them. Data is valuable, and many companies lack proper backup solutions. Even if they have them, they are often incomplete or untested."

"The ransom is usually demanded in cryptocurrency or other means of payment, and the attackers often actually unlock the computer if the ransom is paid. They want to maintain the reputation that if people pay, they will unlock the computers. This encourages victims to comply with their demands."

Can you elaborate on the factors that make companies more susceptible to ransomware attacks?

"Those targeted or attacked by ransomware, particularly those with zero or one-day exploits in their systems, tend to use the same suite of software. This is commonly observed in mature companies that offer a particular stack in their backend. And zero and one-day exploits are frequently found multiple times in the same software. If a piece of software has had a zero-day exploit in the past, people may become more interested in reviewing the software. For example, with the well-known case of Log4j, the initial patches introduced to fix the injection were incomplete and bypassable. If someone thought that updating to a newer version would solve the issue, they might find themselves vulnerable again weeks later due to the incomplete fix for the zero-day exploit."

As ransomware attacks increase in popularity, do you think there has been a shift away from phishing attacks?

"The amount of phishing is still considerable, but phishing always requires interaction from someone. In contrast, zero or one-day exploits usually don't require interaction. If you see a server running certain vulnerable software, you can simply exploit it yourself without waiting for an employee to click on a link or engage in a phishing campaign. And with phishing, you can educate your employees to a certain degree, warning them not to click on random links in emails or give away passwords for example."

Ransomware groups are increasingly targeting the exfiltration of files. Why do you think this is? How does this change the dynamics of ransomware attacks?

"With ransomware, the main purpose is to hold the system or data ransom by exfiltrating it. By possessing the data, you can better hold it ransom instead of merely locking it so no one can access it. This is called double extortion. The threat can extend beyond simply locking the data, to actually threatening to sell it to third parties or the dark web. In my opinion, it's the next level, probably due to people refusing to pay the demand." 

"Quite often, companies are overseen by legal bodies that strongly discourage paying ransomware and have established legal frameworks against it. In the US, the Department of Treasury's Office of Foreign Assets Control (OFAC) and Financial Crimes Enforcement Network (FinCEN) ruled that most ransom payments are illegal. The EU also restricts ransom payments under the Security of Network and Information Systems Directive (NIS Directive)."

The manufacturing sector is identified as being the most affected by ransomware attacks. Can you share your insights on why ransomware attackers are finding success in targeting this particular industry?

"Manufacturers can hardly afford any downtime, as their contracts may impose substantial fines for not reaching certain production deadlines. This can be worse than the ransom itself. If just one machine is down for a day, it's almost like a death blow to the operation."

"Hackers target manufacturers because the cost of having a machine down is usually much greater than paying the ransom."

"Protections like having backups are essential, but ransomware groups still find ways to extort companies. If a machine is held ransom, or if there's a situation like in the medical sector where lives are on the line, companies may be more likely to pay the ransom."

"The question is, how to make the organization most likely to pay the ransom? It's all about money. Follow the money, and if it leads to hospitals or a factory, that's where you go."

From your perspective, what are the key strategies and approaches that organizations should adopt to effectively prevent and mitigate ransomware attacks?

"In general, it's essential to know your infrastructure and have good backups that ransomware can't reach. If you can restore your system quickly, ransomware has no effect. It's also wise not to put all your eggs in one basket; different systems that don't interact much are less likely to be cross-infected." 

"Redundancy is the key, though it's expensive. It means having extra machines on standby that aren't connected to the main network, ready to take over if needed. This kind of redundancy can mean zero downtime to a business but doubles the cost."

"One approach is to become aware of where they might be present and disconnect the affected systems from the Internet. Another method is quickly patching the systems from the known one-day exploits. Hadrian can assist in this by mapping where certain software is running, helping identify vulnerable systems. Ransomware requires an entry point, such as an outdated server or publicly accessible infrastructure." 

"Attackers target forgotten servers running old software, and once breached, encrypt or exfiltrate data as they see fit. That's where Hadrian shines in the context of ransomware. Hadrian can help discover vulnerable servers or infrastructure that might be overlooked by security teams but targeted by attackers."
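The two points Mikhail makes above, that the first patch for a widely used component is not always the complete one, and that knowing where a piece of software runs is what lets you patch the right hosts quickly, can be turned into a simple inventory triage. The Python below is an added illustration and is not Hadrian's code or tooling. It assumes a constructed inventory of `host product version` lines; the thresholds for `log4j-core` follow that project's actual release history (the 2.15.0 and 2.16.0 fixes were each followed by further advisories, and the 2.3 and 2.12 branches for older Java got their own fixed releases), while `examplehttpd` is a hypothetical product used only to show a second rule set.

```python
"""Flag inventory entries running a version below the fully fixed release.

Added example, not Hadrian's code. The inventory lines are constructed.
The log4j-core thresholds reflect that project's release history; the
examplehttpd entry is a hypothetical product with an illustrative threshold.
"""
import re
from typing import Optional

# Minimum safe version per (product, release-branch prefix). Using only the
# first patch release as the threshold would repeat the Log4j mistake from
# the interview: 2.15.0 and 2.16.0 were each followed by further fixes, and
# each maintained branch (2.3.x, 2.12.x, 2.17.x) has its own fixed release.
MIN_SAFE = {
    "log4j-core": [
        ("2.3.", "2.3.2"),
        ("2.12.", "2.12.4"),
        ("", "2.17.1"),          # every other branch
    ],
    "examplehttpd": [            # hypothetical product, illustrative threshold
        ("", "4.2.7"),
    ],
}


def parse_version(v: str) -> tuple:
    """'2.17.1' -> (2, 17, 1, 1). A pre-release suffix ('2.17.1-rc1') sorts
    below the final release, because an rc is not the fixed build."""
    core, _, suffix = v.partition("-")
    nums = tuple(int(p) for p in core.split(".") if p.isdigit())
    return nums + ((0,) if suffix else (1,))


def min_safe_for(product: str, version: str) -> Optional[str]:
    """Pick the branch-specific minimum; the longest matching prefix wins."""
    rules = MIN_SAFE.get(product)
    if rules is None:
        return None
    best = max((r for r in rules if version.startswith(r[0])),
               key=lambda r: len(r[0]))
    return best[1]


def is_vulnerable(product: str, version: str) -> Optional[bool]:
    """True if below the fixed release for its branch, None if the product
    is not in the rule table (unknown software is a finding of its own)."""
    floor = min_safe_for(product, version)
    if floor is None:
        return None
    return parse_version(version) < parse_version(floor)


def triage(inventory: str) -> list:
    """Parse 'host product version' lines; return hosts that need patching."""
    findings = []
    for line in inventory.strip().splitlines():
        host, product, version = line.split()
        if is_vulnerable(product, version):
            findings.append((host, product, version, min_safe_for(product, version)))
    return findings


# Constructed sample inventory (not real hosts or findings).
SAMPLE_INVENTORY = """
app-01.example.internal     log4j-core    2.14.1
app-02.example.internal     log4j-core    2.15.0
app-03.example.internal     log4j-core    2.17.1
legacy-01.example.internal  log4j-core    2.12.4
legacy-02.example.internal  log4j-core    2.12.2
edge-01.example.internal    examplehttpd  4.2.7-rc2
edge-02.example.internal    unknownd      9.9
"""

if __name__ == "__main__":
    for host, product, version, floor in triage(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is below fixed release {floor}")
```

Note what the branch rules buy you: `legacy-01` on 2.12.4 is correctly left alone, whereas a naive "anything below 2.17.1" rule would flag it and send the team chasing a host that is already fixed, while `app-02` on 2.15.0, which did install the first patch, is still reported.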
