Ransomware in 2022: Review
At the end of 2022, the Cybersecurity company Emsisoft released a report revealing the high number of Government bodies, Universities, Hospitals and Healthcare Providers targeted by Ransomware Groups in the United States. Emsisoft’s year-on-year comparisons of Ransomware incidents highlight a surprising level of consistency since 2019. Emsisoft reported that over 100 counties in the US were affected by Ransomware in 2022, with over 100 local governments, over 80 Education Sector Organisations and over 20 Healthcare providers hit.
Supply Chain Incidents
The total number of healthcare providers registering an incident is only an estimate, because disclosures are often unclear. The number of hospitals affected by Ransomware in some manner is believed to be closer to 280, but this could not be accurately confirmed. Though efforts are being made by governing bodies in the US and globally, the level of Ransomware activity has not been reduced. Instead, it appears to have plateaued.
The beginning of 2023 has already demonstrated how relentless Ransomware Groups can be. At the very end of 2022, the Ransomware Group LockBit claimed responsibility for an attack on the SickKids Children’s Hospital. However, the attack was swiftly identified as having been carried out by a rogue affiliate who acted in breach of LockBit’s internal policies. This resulted in an apology being issued by the Ransomware Group, and the hospital was given a free decryptor at the beginning of this year.
Within the first two weeks of 2023, the Royal Mail Group Ltd in the UK halted its international operations due to a Cyberattack. The Royal Mail reported that domestic operations were not affected; however, customers were unable to arrange and pay for international export services. Royal Mail posted an apology to Twitter, asking customers not to post any export items in the meantime, until the issue had been resolved. The National Cyber Security Centre (NCSC) were alerted, and external Cyber experts were called in to help identify the Ransomware and to advise on how to remediate effectively.
It was later revealed that the LockBit Ransomware Group were responsible for the Cyberattack. Royal Mail entered discussions with the attackers over a Ransom for the data and the decryptor. The discussions ran for 4 weeks before the Royal Mail Group decided not to pay the Ransom. This resulted in their data being leaked and the decryptor being deleted. This alone should demonstrate how ruthless Ransomware Groups will be in pressuring companies into paying obscene Ransoms.
In mid-January, around 1,000 vessels running bespoke marine fleet management software were affected by a Cyberattack, seemingly traced to a single vendor. Det Norske Veritas (DNV) are an accredited Norwegian-based registrar and classification society who provide an array of services, including the fleet management software ShipManagement. DNV said in a statement that their ShipManagement software was targeted by Ransomware, affecting 70 customers in total; however, the vessels were still able to operate.
Though this did not impact the performance of the vessels this time, that is not to say they are impervious to future attacks. DNV were very quick to alert authorities of the incident, and worked closely with the affected customers, updating them as soon as they could. DNV demonstrated a very clear and correct attitude to the Cyberattack, informing affected customers and calling for help from authorities.
Ransomware-as-a-Service (RaaS) is becoming ever more popular and threatening, allowing attackers to purchase Ransomware software as they please. The model works by an affiliate of the Ransomware Group requesting the software to use against a target; a successful “Pay-Day” follows, from which the Operators then take a cut. Different revenue models exist, on either a Subscription basis or a One-Time Purchase basis. Ransomware Groups such as LockBit, Hive and REvil are considered to be RaaS Groups.
Other groups, such as the Royal Ransomware Group, a.k.a. Dev-0569, are not. These groups are dedicated and vetted teams of individuals who employ different infiltration techniques to gain access to a network and unleash their Ransomware. The group has been known to purchase access from Initial Access Brokers (IABs) and to use phishing techniques to gain access to the network, before looking to establish a foothold in the organisation. From there, they perform internal reconnaissance and plot their next moves.
Ransomware is an ever-present and very real threat to everyone, with Phishing being one of the biggest methods of initial access. Once infected, it can be extremely difficult to recover from, both physically and financially. PCs could potentially be rendered useless after a Ransomware attack, or the company could end up losing an unknown number of trading days due to a Cyberattack, potentially resulting in financial turmoil.
Having suitable Cyberdefences on Network Devices, Mailboxes and Endpoints will not promise to eradicate the potential for attack, but it will vastly decrease the attack surface that a Small-Medium Business presents. Incident Response, Business Continuity and Disaster Recovery plans are an absolute must, as one serious breach could result in fines from the ICO, financial difficulty replacing equipment, and ultimately a loss of trust from clients.
At Texaport, we understand the importance of these advancements and work with our clients to put a reliable system in place to improve their business efficiency. Our team has a wide range of IT knowledge and remains acquainted with the movements in the IT industry. Find out more here.