Barracuda analyzed more than 100 prominent ransomware incidents and found that education, municipalities, healthcare, infrastructure and finance were the most targeted sectors.
Ransomware attacks can affect any type of organization in virtually any industry, but some sectors have proven to be more attractive targets for cybercriminals. In a report released Wednesday, August 24, security provider Barracuda discusses the types of companies that have been targeted by ransomware and offers advice on how to combat these attacks.
The number of ransomware threats detected by Barracuda increased to more than 1.2 million per month between January and June 2022. The number of actual ransomware attacks increased in January, but started to decline in May.
Focusing on 106 highly publicized attacks, Barracuda researchers identified five sectors as the top victims: education, targeted in 15% of the attacks, municipalities in 12%, health care in 12%, infrastructure in 8% and financial in 6%.
Targeted industries face an increase in ransomware incidents
In the past 12 months, attacks on municipalities have increased slightly, but those on educational institutions have more than doubled, while attacks on healthcare and financial companies have tripled. At the same time, the number of attacks on critical infrastructure has quadrupled, a sign that cybercriminals and hostile nation states want to cause as much collateral damage as possible beyond the impact on the first victim.
In addition to the five most targeted sectors, other sectors have also suffered from ransomware attacks. Service providers accounted for 14% of the attacks analyzed by Barracuda. These organizations provide IT assistance and other types of business services and are targeted because of the access they have to customers, all of whom could be affected by a ransomware attack.
The number of ransomware incidents against car companies, hospitality companies, media companies, retail companies, software suppliers and technology organizations has also increased in the past 12 months.
Ransomware in action
To illustrate how ransomware often works, Barracuda’s report highlighted attacks on three different companies.
In an incident from August 2021, attackers from the BlackMatter ransomware group sent an organization a phishing email to compromise employee accounts. By gaining access to the network, the criminals were able to scan and move laterally within the network, installing hacking tools and stealing sensitive data.
After receiving a ransom request in September 2021, the company reached out to their managed service provider, who reached out to Barracuda for assistance. After the infected systems were isolated and passwords were reset, the encrypted systems were re-imaged from a backup. The company was able to negotiate the ransom to half the original demand, but the attackers still leaked the stolen data.
In an incident from October 2021, the Karakurt Data Extortion Group launched a brute force attack on an organization’s VPN login page. The attack helped the cyber criminals compromise several domain controllers and use RDP to access the compromised systems. The following month, the attackers began modifying the firewall rules.
After ransom calls came in during January 2022, Barracuda found and blocked the Indicators of Compromise (IOCs), reset the victim’s account and created security information and event management (SIEM) rules. Still, the stolen data leaked online in February.
And in another incident, attackers from the LockBit cybercrime group were able to use stolen credentials to log into the VPN login page of a company that did not have MFA. By using malicious PowerShell scripts and installing system-level DLLs (dynamic link libraries), the cybercriminals stole more credentials and gained access to key passwords.
The attackers also compromised a PC running Windows 7, which Microsoft no longer supports with security updates. After receiving the ransom, the company sought help, which led to the quarantine of suspicious files and the rebuild of Active Directory.
Barracuda offers tips to fight ransomware attacks
The three incidents mentioned in the report had certain similarities. The attacks were carried out over the course of several months rather than just a week or a single day. VPNs are always a popular target, as they can easily lead attackers to critical network assets. Credentials were stolen via phishing attacks or bought on the dark web.
Login credentials for email accounts associated with Microsoft 365 for single sign-on are useful, but if compromised, they can open the floodgates to a corporate network.
To help organizations fight these types of ransomware attacks, Barracuda offers several tips.
- Disable macros: To prevent certain types of malware, disable macro scripts on Microsoft Office files sent by email.
- Segment your network: Ensuring that your network is segmented will reduce the spread of ransomware and prevent attacks from moving laterally.
- Get rid of unused or unauthorized applications: View and remove any unauthorized software that can be used for compromise, with a special focus on remote desktop and remote monitoring programs.
- Enhance web application and API security services: To protect your web applications from hackers and malicious bots, make sure you enable the right security services, including those that protect against distributed denial-of-service (DDoS) attacks.
- Verify credentials and access controls used for backups: The account credentials for offline and cloud-based backups should be different from those for normal systems.