Why ransomware might be the biggest cyber threat of 2020

Anu Asokan, ManageEngine
Jul 23, 2020

The attack on the law firm Grubman Shire Meiselas & Sacks in May and the Travelex ransomware attack earlier this year point to a worrying trend.

Among cyberattacks, ransomware has dominated the headlines for much of the year. The attack on the New York law firm, whose clients include Lady Gaga, Robert De Niro, and Jennifer Lopez, is no exception. The attackers set up an auction site for the 750 GB of stolen data and threatened to sell it to the highest bidder if the ransom was not paid. The attack, reminiscent of the infamous WannaCry and Petya outbreaks, has been in the spotlight because of the clients' celebrity status and the sensitive nature of the data involved. Since the data likely contains contracts, non-disclosure agreements, and personal information, the financial ramifications of a leak would be substantial.

The attackers have also released a screenshot of the files with sensitive data in an attempt to coerce the law firm into paying the ransom. Source: BBC News

To pay or not to pay?

On May 11, 2020, the law firm confirmed that it had been a victim of the attack, but did not disclose what action it intended to take. The decision to pay or not to pay a ransom is not an easy one; even if the ransom is paid, there is no guarantee that the attackers will honor the agreement. The FBI advises victims of ransomware against paying, since payment encourages the attackers to carry out similar attacks, and nothing stops them from taking the money and releasing the data regardless. In this case specifically, the temptation to monetize the stolen data could prove too strong to resist. Only time will tell how the law firm will navigate this crisis and get back on its feet.

Who is behind the attack?

No one can say for certain who is behind this, but security researchers strongly suspect the operators of REvil (also known as Sodinokibi), a virulent strain of ransomware that crippled the British foreign exchange company Travelex in early January of this year. In that attack, the intruders exploited a vulnerability in Pulse Secure's virtual private network (VPN) appliance which, according to the US Department of Homeland Security, allows a remote attacker to take control of the affected system and has been exploited by advanced persistent threat (APT) actors.

REvil is also known to gain access by brute-forcing credentials on exposed Remote Desktop Protocol (RDP) services and by exploiting weaknesses in RDP. According to the Microsoft Threat Protection Intelligence Team, multiple organizations that use managed service providers (MSPs), or that manage their systems through a remote desktop tool, have fallen victim to REvil.

What should you do to protect your organization with ransomware attacks on the rise?

In light of the COVID-19 pandemic, the use of VPNs has increased sharply. Because attackers actively exploit weaknesses in VPN appliances and remote desktop tools, networks that depend on these tools are more exposed than ever. There are, however, measures you can adopt to protect your systems from ransomware, including:

  • Patch your systems regularly. The Travelex and WannaCry ransomware attacks exploited vulnerabilities for which patches had already been released.
  • Monitor VPN logins. Configure alerts for logins from unusual locations or addresses and for bursts of failed logins.
  • Many attacks gain their initial foothold through phishing campaigns, so instruct your users to be vigilant and to look out for the telltale signs of a phishing email.
  • Configure automated responses, such as a script that isolates or shuts down a host, that run when suspicious activity is detected.
  • Monitor the creation of privileged accounts and any escalation of privileges. Once a system is compromised, attackers use these accounts to deploy ransomware or steal data.
  • Monitor logs from your servers and endpoints, not just the VPN, for other signs of suspicious activity such as repeated logon failures on internal hosts, and configure alerts for these scenarios.
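The three monitoring bullets above (VPN login anomalies, privileged account creation and privilege escalation, and logon failures) can be turned into a small detection pass over logs. The following script is an added example, not code from the article or from ManageEngine. It runs over constructed, simplified log lines in a made-up `timestamp source event key=value` format; the `vpn` lines stand in for a VPN appliance's authentication log, and the `win` lines carry real Windows Security event IDs (4720 user account created, 4728 and 4732 member added to a security-enabled group). The failure threshold, the time window, the privileged group names and the baseline of known source addresses per user are assumptions to be tuned for your environment.

```python
"""Detect ransomware precursors in constructed VPN and Windows security logs (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed tuning values: alert on this many failed logins from one source inside the window.
FAILURE_THRESHOLD = 5
FAILURE_WINDOW = timedelta(minutes=5)
# Assumed set of groups whose membership counts as privilege escalation.
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}
# Constructed baseline: source addresses each VPN user has been seen from before.
KNOWN_SOURCES = {
    "jsmith": {"198.51.100.7"},
    "asmith": {"198.51.100.7"},
}

# Constructed sample log (documentation-range addresses); not real traffic.
SAMPLE_LOG = """\
2020-05-10T00:50:00 vpn LOGIN_FAILED user=jsmith src=203.0.113.5
2020-05-10T00:58:00 vpn LOGIN_FAILED user=bjones src=192.0.2.9
2020-05-10T00:58:30 vpn LOGIN_FAILED user=bjones src=192.0.2.9
2020-05-10T01:00:01 vpn LOGIN_FAILED user=jsmith src=203.0.113.5
2020-05-10T01:00:03 vpn LOGIN_FAILED user=jsmith src=203.0.113.5
2020-05-10T01:00:05 vpn LOGIN_FAILED user=jsmith src=203.0.113.5
2020-05-10T01:00:07 vpn LOGIN_FAILED user=jsmith src=203.0.113.5
2020-05-10T01:00:09 vpn LOGIN_FAILED user=jsmith src=203.0.113.5
2020-05-10T01:00:20 vpn LOGIN_OK user=jsmith src=203.0.113.5
2020-05-10T01:05:00 win 4720 user=svc_backup2 actor=jsmith host=DC01
2020-05-10T01:05:10 win 4732 user=svc_backup2 group=Administrators actor=jsmith host=DC01
2020-05-10T09:00:00 vpn LOGIN_OK user=asmith src=198.51.100.7
"""


def parse_line(line):
    """Split 'timestamp source event k=v ...' into a dict; the format is an assumption."""
    ts, source, event, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return {"ts": datetime.fromisoformat(ts), "source": source, "event": event, **fields}


def detect(lines):
    """Return a list of (alert_kind, detail) tuples in the order they fire."""
    alerts = []
    failures = defaultdict(deque)  # src address -> timestamps of recent failures
    bursting = set()               # sources that have crossed FAILURE_THRESHOLD
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        ts, src = ev["ts"], ev.get("src")
        if ev["source"] == "vpn":
            if ev["event"] == "LOGIN_FAILED":
                window = failures[src]
                window.append(ts)
                # Drop failures older than the sliding window before counting.
                while window and ts - window[0] > FAILURE_WINDOW:
                    window.popleft()
                if len(window) >= FAILURE_THRESHOLD and src not in bursting:
                    bursting.add(src)
                    alerts.append(("vpn_bruteforce",
                                   f"{len(window)} failed logins from {src} within {FAILURE_WINDOW}"))
            elif ev["event"] == "LOGIN_OK":
                user = ev["user"]
                # A success right after a failure burst is the signal that matters most.
                if src in bursting:
                    alerts.append(("vpn_bruteforce_success",
                                   f"{user} logged in from {src} after a failure burst"))
                # Login from an address this user has never used before.
                if src not in KNOWN_SOURCES.get(user, set()):
                    alerts.append(("vpn_unusual_source", f"{user} logged in from unseen address {src}"))
        elif ev["source"] == "win":
            if ev["event"] == "4720":
                alerts.append(("account_created",
                               f"{ev['actor']} created account {ev['user']} on {ev['host']}"))
            elif ev["event"] in {"4728", "4732"} and ev.get("group") in PRIVILEGED_GROUPS:
                alerts.append(("privilege_escalation",
                               f"{ev['actor']} added {ev['user']} to {ev['group']} on {ev['host']}"))
    return alerts


if __name__ == "__main__":
    for kind, detail in detect(SAMPLE_LOG.splitlines()):
        print(f"[{kind}] {detail}")
```

On the sample data the script raises five alerts in sequence: the brute-force burst from 203.0.113.5 (the 00:50 failure falls outside the window and does not count, and the two failures from 192.0.2.9 stay below the threshold), the successful login from that same address, the login from an address never seen for that user, the new account, and its addition to Administrators. A real deployment would feed the same logic from the SIEM or log collector rather than a string, and would tie the `privilege_escalation` and `vpn_bruteforce_success` alerts to the automated-response step above.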

It is crucial that organizations adopt security measures to close the gaps that allow attackers to gain a foothold. It is equally crucial to educate users to recognize social engineering and phishing attacks, since every user is a potential target. One way to achieve this is to promote a dialogue within the organization on safe online practices, possible security loose ends, and more. Organizations with a proactive stance towards security will have an edge over the rest, since the threat of ransomware is only expected to get worse in the days to come.
