New Zscaler report finds ransomware continues to run amok

This syndicated post originally appeared at Zeus Kerravala – SiliconANGLE.

Ransomware attacks have grown by 80% year-over-year, as they continue to evolve in tactics and scope.

The findings come from Zscaler Inc.’s newly released ThreatLabz 2022 Ransomware Report, which uncovered a record number of attacks that have increased both in volume and the cost of damages.

This data certainly jibes with my own research, which has found that 68% of companies claim to have been hit with a ransomware attack in the past two years. An additional 20% were not sure, leaving very few companies that can definitively say they haven’t fallen prey to ransomware.

In the report, ThreatLabz analyzed more than a year’s worth of data from the Zscaler Zero Trust Exchange, a security cloud processing more than 200 billion daily transactions and 150 million blocked attacks. The data — which also include intelligence from external sources — were collected between February 2021 and March 2022 to identify key trends, industries, geographies at risk and emerging ransomware tactics.

The biggest threats identified in the report during that time period were double-extortion, supply chain attacks, ransomware rebranding, geopolitically incited ransomware attacks and ransomware-as-a-service. Ransomware-as-a-service, in which ransomware groups sell their tools on the dark web, is growing in popularity. Although the tactics and scope of ransomware attacks have evolved, they continue targeting organizations with the purpose of stealing sensitive information to collect money.

The most alarming ransomware trend involves supply chain attacks, which allow attackers to bypass traditional security controls. Oftentimes such attacks use established connections and shared files, networks, or solutions for second-stage attacks that target a company’s customers. Additionally, the report found a huge increase in double-extortion ransomware, which has surged by 117%.

Manufacturing was the most targeted industry for the second year in a row. Nearly one in five ransomware attacks targeted manufacturing companies. When compared with 2021, healthcare saw the biggest increase (643%) in ransomware, followed by restaurant and food service (460%). Several other industries also experienced triple-digit growth in attacks, including education (225%), manufacturing (190%), construction (161%), and financial services (130%).

Last year’s leading ransomware families — especially those targeting critical services — have caught the attention of law enforcement agencies. Despite the crackdown on ransomware families, however, many have been able to sidestep law enforcement by rebranding. Ransomware groups are now operating under new banners, using similar tactics. For example, DarkSide rebranded as BlackMatter, while sanctioned group Evil Corp continuously rebrands its ransomware operations.

One event in particular, the Russia-Ukraine war, is threatening an increase in ransomware this year, according to the report. There already have been several attacks related to the war, including wipers such as HermeticWiper and PartyTicket. Although most of the attacks targeted Ukraine so far, government agencies are warning of potential widespread attacks.

A key defense mechanism against ransomware is zero-trust security, which involves understanding the dependency between applications and workloads, then applying policies to control access. Organizations can reduce their attack surface by enforcing least-privilege access control and continuously monitoring data across all environments.

The report also recommends using zero-trust architecture to secure internal apps. Zero trust helps to redefine security as it makes corporate resources invisible to attackers. Traditional networks were designed on the principle that everything can talk to every other connected node, which is why the internet works as well as it does. The downside is that, once the environment is breached, the bad guys have unfettered access to everything. Zero trust works on the concept of least privilege, where nothing can access any other resource without being explicitly permitted.

On top of that, organizations should keep their software up to date by applying patches, maintain a data backup plan, and have a response plan as part of their security strategy. The backup plan should be multitiered and include a ring-fenced copy that is not accessible from any part of the network.

A word of caution to security professionals looking to implement zero trust: Although I am in violent agreement that zero trust is one of the best protection mechanisms against ransomware, not all zero-trust solutions are created equal, since zero trust has become the latest buzzword that vendors attach to their products. Zero trust is not an upgraded VPN, nor is it network segmentation rebranded.

The problem with many zero-trust solutions is that they operate at the network layer. That can work if the network uses static IP addresses, but almost all applications use dynamic addressing, so the policies need to cover a wide range of addresses, which defeats the purpose of least privilege.

For zero trust to be effective, it should function at the application or user identity layer, making it transparent to the network. Security professionals need to do their homework around zero trust and ensure the attack surface is kept as small as possible, which minimizes the blast radius of a breach.
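To make the network-layer versus identity-layer argument above concrete, here is an added example (it is not code from the post or from Zscaler) that evaluates the same "least privilege" intent two ways over a small fleet of workloads. Every workload name, SPIFFE-style identity string and IP address in it is constructed. A CIDR rule sized to cover the dynamically assigned addresses of one service ends up admitting unrelated workloads on the same subnet, while an identity rule with default deny admits only the intended service and survives a readdress:

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Workload:
    name: str
    identity: str  # verifiable workload identity (constructed SPIFFE-style IDs)
    ip: str        # current, dynamically assigned address (constructed)


# Constructed fleet: the "orders" service has three replicas whose addresses
# come from the same pool as unrelated services on the subnet.
FLEET = [
    Workload("orders-1", "spiffe://corp/orders", "10.1.4.17"),
    Workload("orders-2", "spiffe://corp/orders", "10.1.4.52"),
    Workload("orders-3", "spiffe://corp/orders", "10.1.4.201"),
    Workload("billing-1", "spiffe://corp/billing", "10.1.4.33"),
    Workload("jumpbox", "spiffe://corp/jumpbox", "10.1.4.99"),
    Workload("hr-app", "spiffe://corp/hr", "10.1.4.150"),
]


def smallest_covering_network(ips):
    """Smallest single CIDR containing every address in ips.

    This is what a network-layer rule drifts toward once the addresses it
    must cover are not fixed: widen the prefix until everything fits.
    """
    net = ip_network(ips[0] + "/32")
    addrs = [ip_address(ip) for ip in ips]
    while not all(a in net for a in addrs):
        net = net.supernet()
    return net


def allowed_by_network_rule(fleet, cidrs):
    """Names of workloads whose current address falls inside any listed CIDR."""
    nets = [ip_network(c) for c in cidrs]
    return sorted(w.name for w in fleet if any(ip_address(w.ip) in n for n in nets))


def allowed_by_identity_rule(fleet, identities):
    """Default deny: a workload is admitted only if its identity is explicitly listed."""
    return sorted(w.name for w in fleet if w.identity in identities)


def excess_grants(fleet, target_identity):
    """CIDR needed to cover target_identity's replicas, and the extra workloads it admits."""
    intended = [w for w in fleet if w.identity == target_identity]
    cidr = smallest_covering_network([w.ip for w in intended])
    by_net = set(allowed_by_network_rule(fleet, [str(cidr)]))
    by_id = set(allowed_by_identity_rule(fleet, {target_identity}))
    return str(cidr), sorted(by_net - by_id)


def after_readdress(fleet, name, new_ip):
    """Simulate one workload receiving a new dynamic address."""
    return [replace(w, ip=new_ip) if w.name == name else w for w in fleet]


if __name__ == "__main__":
    cidr, extra = excess_grants(FLEET, "spiffe://corp/orders")
    print(f"network rule must widen to {cidr}; unintended grants: {extra}")

    # A tight per-address rule is least-privilege today but breaks on readdress.
    narrow = ["10.1.4.17/32", "10.1.4.52/32", "10.1.4.201/32"]
    moved = after_readdress(FLEET, "orders-2", "10.1.4.77")
    print("narrow CIDR rule after readdress:", allowed_by_network_rule(moved, narrow))
    print("identity rule after readdress:   ", allowed_by_identity_rule(moved, {"spiffe://corp/orders"}))
```

The two failure modes are the ones the post describes: the narrow rule is correct only until an address changes, and the fix operators reach for (a wider prefix) quietly grows the blast radius to every workload sharing the subnet. The identity rule is unaffected by addressing, which is what "transparent to the network" buys you.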

Author: Zeus Kerravala

Zeus Kerravala is the founder and principal analyst with ZK Research. Kerravala provides a mix of tactical advice to help his clients in the current business climate and long term strategic advice.