After a bit of a respite early last year due in large part to criminal elements being tasked with other objectives following Russia’s assault on Ukraine (yes, we said it – Russia directly influences or controls the activity of the most nefarious ransomware gangs), ransomware attacks are likely to increase over the course of 2023, with several factors driving the surge.
One significant motivator for ransomware gangs to get more aggressive is the fact that they lost a lot of their ill-gotten wealth when cryptocurrency markets crashed last year. Many of these criminal syndicates are run like legitimate businesses, with attention paid to operational costs and anticipated return on investment (ROI).
These more sophisticated ransomware operations, or RansomOps, often involve multiple threat actors with differing objectives that can include activity like system resource abuse for cryptocurrency mining or the selling of access to the compromised networks to other would-be attackers on the dark web.
In part one we took a look at some of the most significant ransomware attacks from last year and what lessons organizations should be gleaning in order to better prepare themselves to address this unique threat.
Here’s five more impactful ransomware attacks from last year and few more insights into the impact to the business:
In early 2022, a number of Toyota suppliers were targeted with ransomware attacks that impacted the operations at plants in Central America, North America and Japan. The attacks resulted in a staggering 5% decrease in productivity.
Two ransomware gangs – Pandora and LockBit – took credit for the attacks and (predictably) threatened to leak sensitive data if the ransom demand was not met. Incident responders found that the attackers had gained access to some customer data including banking data and social security numbers.
“Russia especially has been at the forefront of using advanced threat tactics and both internal and external threat actors to further its political objectives. However, the reality that organizations face is that Russian interests extend to foreign businesses and they must take steps to improve their threat detection and response programs,” reported CPO Magazine.
Takeaway: we are continuing to see a trend where the TTPs and objectives of nation-state operators like Russia are increasingly overlapping with those of the cybercriminal elements, often with the same threat actors operating in both capacities.
U.K. car seller Pendragon Group, which operates more than 200 car dealerships, fell victim to a ransomware attack attributed to the prolific LockBit ransomware gang, who reportedly hit Pendragon with a whopping $60 million ransom demand, one of the single largest ransom demands to date..
“We have identified suspicious activity on part of our IT systems and have confirmed we experienced an IT security incident. This has not affected our ability to operate, and we continue to service our customers and communities as normal,” a spokesperson for Pendragon said.
“We took immediate steps to contain the incident. Our security specialists launched an extensive investigation to assess fully what has happened and we’ll be keeping our customers and partners updated.”
Details of the incident are few, but the company did acknowledge that they decided to not pay the ransom demand and that swift detention of the attack and effective incident response limited the impact of the attack on operations.
The takeaway here is that it pays to be prepared for a ransomware attack. Keep in mind that ransomware is a different animal than other forms of malware – it behaves differently, and this many AAV/NGAV solutions are simply not as effective in combating a ransomware attack.
Be sure to deploy endpoint protection solutions that are proven effective against multi-stage ransomware operations, or RansomOps. Ensure you have robust network segmentation and isolation capabilities in place to limit the extent of an attack.
Takeaway: hold regular tabletop exercises to test the workflows for ransomware incident response and assure key players can be reached immediately and understand their role in defending against a ransomware attack.
In October of 2002, the Hive ransomware group took credit for a ransomware attack against critical infrastructure giant Tata Power, India's largest power provider. The Hive gang leaked sensitive data stolen from the company, likely the result of a refusal to pay the ransom demand.
The leaked data included the personally identifiable information (PII) of Tata employees, National ID card info, tax account numbers, as well as valuable intellectual property and trade secrets like engineering schematics, financial records and client data.
"The Company has taken steps to retrieve and restore the systems. All critical operational systems are functioning; however, as a measure of abundant precaution, restricted access and preventive checks have been put in place for employee and customer facing portals and touch points," a Tata spokesperson said, according to BleepingComputer.
Takeaway: ransomware attacks can threaten more than just short term operations at victim organizations, they can also result in the loss of proprietary information that is vital to remaining competitive in the market. In the long run, the loss of intellectual property could dwarf the more immediate costs associated with remediating the attack.
UK NHS via Advanced MSP
Advanced, a Managed Service Provider (MSP), suffered a ransomware attack that disrupted emergency services (111) for the U.K.'s National Health Service (NHS), and full recovery is anticipated to take at least a full month.
“Customers of seven solutions from the British MSP have been impacted either directly or indirectly… An investigation is ongoing, still in an early stage. Advanced has yet to determine how the hackers gained access to the network and if data was stolen,” BleepingComputer reported.
“The ransomware attack started to disrupt Advanced systems on Thursday, August 4 and was identified around 7 AM. It caused a major outage to NHS emergency services across the U.K.
Advanced did not disclose the ransomware group behind the attack but said that it took immediate action to mitigate the risk and isolated Health and Care environments where the incident was detected.”
Takeaway: Managed Services providers are increasingly being attacked with the intent of extending the attack to their customer bases in an “attack one, compromise all” strategy. The takeaway here is that organizations who enlist the services of MSPs must also take into consideration the additional risk that third-parties can introduce and plan accordingly for the case where your security provider is the attack vector.
Major U.K. media outlet the Guardian was impacted by a ransomware attack in December that is believed to have compromised the personal data of Guardian staff employees.
Guardian Media Group’s chief executive Anna Bateson and editor-in-chief Katharine Viner described the attack as a “highly sophisticated cyber-attack involving unauthorized third-party access to parts of our network” that employed phishing as the initial attack vector.
“We believe this was a criminal ransomware attack, and not the specific targeting of the Guardian as a media organization. These attacks have become more frequent and sophisticated in the past three years, against organizations of all sizes, and kinds, in all countries,” said Bateson and Viner.
“We have seen no evidence that any data has been exposed online thus far and we continue to monitor this very closely.”
Takeaway: phishing works. Phishing is successful because it takes advantage of human nature. Some of the most “sophisticated attacks” we see in headlines all started with a simple spam phishing email. Assure your employees understand the risks from phishing and the simple things they can do to prevent phishing attacks from being successful.
Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – Halcyon Endpoint Resilience expert to find out more. And check out the Recent Ransomware Attacks resource site to get near real-time ransomware tracking of attacks, threat actor groups and their victims.