NSA, FBI, and CISA Issue Global Ransomware Threat Advisory

FEBRUARY 17TH, 2022

In a joint advisory, cybersecurity authorities in the US, Australia, and the UK alerted organizations worldwide that 2021 trends point to a growing ransomware threat. Those agencies see the same numbers everyone in IT sees, and a lot more. For starters, SonicWall’s 2021 Cyber Threat Report counted 304.7 million ransomware attacks globally in just the first half of last year. Meanwhile, the advisory notes that the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA) observed ransomware incidents against 14 of the 16 U.S. critical infrastructure sectors, including healthcare, financial services, and manufacturing. At the same time, the European Union Agency for Cybersecurity (ENISA) noted a 150 percent rise in ransomware attacks in 2021 and expects that trend to continue.

Ransomware Keeps Evolving

Ransomware threat actors continue to develop more sophisticated methods; the recent spate of White Rabbit ransomware attacks is just one example. And as the advisory notes, ransomware-as-a-service (RaaS), in which developers lease their malware and infrastructure to affiliates, has spread the threat by lowering the technical bar for mounting an attack.

The bottom line is that your people are your front-line defense against data breaches and ransomware. Verizon’s 2021 Data Breach Investigations Report (DBIR) drives that point home, finding that the human element was involved in 85 percent of breaches. The DBIR also found that 36 percent of data breaches involved phishing. And the cybersecurity advisory points out that phishing, stolen Remote Desktop Protocol (RDP) credentials or brute-force attacks on RDP, and exploitation of software vulnerabilities remained the top initial access vectors for ransomware in 2021, so they are still critical concerns for any organization.

Ransomware is Shifting from Big Game Hunting in the US

While highlighting headline-making attacks like Colonial Pipeline and Kaseya, the advisory also points out regional differences in targeting. In the first half of 2021, cybersecurity authorities in the US and Australia observed ransomware attacks concentrated on “big game” organizations, such as those in critical infrastructure sectors. But in mid-2021, as US authorities disrupted some ransomware operations, the FBI saw some threat actors shift toward mid-sized victims in order to stay under the radar longer. In contrast, the Australian Cyber Security Centre saw no change in attackers’ focus. In the UK, the National Cyber Security Centre saw ransomware attacks on organizations of all sizes throughout the year, including some “big game” targets.

“Triple Extortion” and Broader Targeting Ups the Stakes

One change the advisory highlights is “triple extortion,” in which threat actors pile on pressure when demanding payment by 1) threatening to publicly release stolen sensitive information, 2) disrupting the victim’s internet access, and 3) informing the victim’s partners, shareholders, and suppliers about the incident. Ransomware groups are also exploiting known vulnerabilities in cloud applications, virtual machine (VM) software, and VM orchestration software, and they are targeting cloud accounts, cloud application programming interfaces (APIs), and data backup and storage systems. Notably, the advisory says the FBI and CISA have observed cybercriminals attacking US entities on holidays and weekends, when offices are usually closed and fewer IT staff are on hand to respond.

Tighten Your Cybersecurity Tactics

There are some basic actions every IT team should put into place to protect against cybersecurity threats and ransomware attacks. The advisory shares this list of mitigations:

  • Keep your operating systems and software up to date
  • Secure and closely monitor Remote Desktop Protocol (RDP) deployments or other potentially risky services
  • Train your people and conduct phishing exercises so everyone knows how to spot and avoid suspicious emails, links, attachments, and websites
  • Require multi-factor authentication (MFA) for as many services as possible
  • Require strong, unique passwords for every account that uses a password login
  • If using Linux, use a Linux security module such as SELinux, AppArmor, or seccomp for defense in depth
  • Segment networks to prevent the spread of ransomware
  • Deploy end-to-end encryption
  • Use a network-monitoring tool to identify, detect, and investigate abnormal activity
  • Document external remote connections
  • Implement time-based access for privileged accounts
  • Enforce the principle of least privilege in your authorization policies
  • Reduce credential exposure
  • Disable unneeded command-line utilities; constrain scripting activities and permissions, and monitor their use
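
As an added example (not from the advisory and not Arcserve code), here is what “closely monitor RDP” and “detect abnormal activity” can look like in practice: a small Python detector run over a constructed export of Windows Security logon events (4625 = failed logon, 4624 = successful logon, logon type 10 = RDP). It flags brute-force bursts from one source, successful RDP logons on weekends or outside business hours (the holiday-and-weekend pattern the advisory describes), and the case that matters most, a success from a source that was just brute forcing. The export layout, the thresholds, and the business-hours window are assumptions for the example.

```python
"""Flag RDP brute-force bursts and off-hours remote logons.

Added example for this article. Input is a constructed, simplified export of
Windows Security events: 4625 = failed logon, 4624 = successful logon, and
LogonType 10 = RemoteInteractive (RDP). Thresholds and the business-hours
window are assumptions, not values taken from the advisory.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export: "ISO timestamp,event_id,logon_type,account,source_ip"
# (2022-02-12 is a Saturday, 2022-02-14 a Monday).
SAMPLE_EVENTS = """\
2022-02-12T02:14:05,4625,10,administrator,203.0.113.45
2022-02-12T02:14:07,4625,10,admin,203.0.113.45
2022-02-12T02:14:09,4625,10,backup,203.0.113.45
2022-02-12T02:14:11,4625,10,svc_sql,203.0.113.45
2022-02-12T02:14:13,4625,10,jsmith,203.0.113.45
2022-02-12T02:14:15,4625,10,jsmith,203.0.113.45
2022-02-12T02:14:40,4624,10,jsmith,203.0.113.45
2022-02-14T09:03:12,4624,10,jsmith,10.0.20.14
2022-02-14T09:05:44,4625,10,mlee,10.0.20.31
2022-02-14T09:06:01,4624,10,mlee,10.0.20.31
"""

FAIL_THRESHOLD = 5             # failed RDP logons from one source IP ...
WINDOW = timedelta(minutes=5)  # ... inside this sliding window = brute force (assumed)
BUSINESS_HOURS = range(8, 19)  # 08:00-18:59 local, Monday to Friday (assumed)
RDP_LOGON_TYPE = "10"


def parse_events(text):
    events = []
    for line in text.strip().splitlines():
        ts, event_id, logon_type, account, source_ip = line.split(",")
        events.append({"time": datetime.fromisoformat(ts), "event_id": event_id,
                       "logon_type": logon_type, "account": account, "source_ip": source_ip})
    return events


def is_rdp(ev, event_id):
    return ev["event_id"] == event_id and ev["logon_type"] == RDP_LOGON_TYPE


def find_brute_force(events):
    """Return {source_ip: time of first alert} for sources exceeding the failure threshold."""
    recent_failures = defaultdict(list)
    alerts = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if not is_rdp(ev, "4625"):
            continue
        window = recent_failures[ev["source_ip"]]
        window.append(ev["time"])
        while window and ev["time"] - window[0] > WINDOW:   # expire old failures
            window.pop(0)
        if len(window) >= FAIL_THRESHOLD and ev["source_ip"] not in alerts:
            alerts[ev["source_ip"]] = ev["time"]
    return alerts


def find_off_hours_logons(events):
    """Successful RDP logons on a weekend or outside business hours."""
    return [(ev["account"], ev["source_ip"], ev["time"]) for ev in events
            if is_rdp(ev, "4624")
            and (ev["time"].weekday() >= 5 or ev["time"].hour not in BUSINESS_HOURS)]


def success_after_brute_force(events, brute_alerts):
    """Successful RDP logons from a source that had already tripped the brute-force alert."""
    return [(ev["account"], ev["source_ip"], ev["time"]) for ev in events
            if is_rdp(ev, "4624")
            and ev["source_ip"] in brute_alerts
            and ev["time"] >= brute_alerts[ev["source_ip"]]]


def analyze(text=SAMPLE_EVENTS):
    events = parse_events(text)
    brute = find_brute_force(events)
    return {"brute_force_sources": brute,
            "off_hours_logons": find_off_hours_logons(events),
            "compromised_logons": success_after_brute_force(events, brute)}


if __name__ == "__main__":
    for finding, hits in analyze().items():
        print(finding, hits)
```

On the constructed sample the detector reports 203.0.113.45 as a brute-force source (five failures in eight seconds), one off-hours logon (jsmith at 02:14 on a Saturday), and that same logon as a success following the brute force; the single mlee failure on Monday morning trips nothing. In production the same logic would run against a SIEM export, and the alert for a success following a brute-force burst is the one that should page someone even on a weekend.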


Your Last Line of Defense: Backup and Disaster Recovery

In addition to this long list of mitigations, the advisory also points out two crucial areas you need to focus on:

  • Protect cloud storage by backing up to multiple locations, requiring MFA for access, and encrypting data in the cloud
  • Regularly test your backup and restore capabilities
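
As an added example (not from the advisory and not a description of any Arcserve feature), here is a restore test of the kind the second bullet calls for, written in Python. It creates a backup archive of constructed sample files, records a keyed manifest of file hashes, restores the archive into a scratch directory, and verifies every restored file against the manifest. It then runs the two failure modes a practitioner wants the test to catch: an archive whose contents were altered, and a manifest that was forged to match. The manifest format and the key handling are assumptions; the point of the key is that it lives outside the backup system, so whoever can rewrite the backups cannot also rewrite the manifest.

```python
"""Restore-test a backup archive and verify every restored file against a keyed manifest.

Added example for this article, not an Arcserve feature and not from the advisory.
The manifest format, the HMAC key handling and the sample files are assumptions.
"""
import hashlib
import hmac
import io
import json
import os
import tarfile
import tempfile

# Constructed sample data standing in for a small file share.
SAMPLE_FILES = {
    "finance/ledger.csv": b"date,amount\n2022-02-01,1200\n",
    "hr/handbook.txt": b"Welcome to the company.\n",
    "it/README.md": b"# Ops notes\nRotate keys quarterly.\n",
}

# Assumed: kept outside the backup system, so an attacker who can rewrite
# the backups cannot also rewrite the manifest to match.
MANIFEST_KEY = b"example-manifest-key-stored-elsewhere"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def manifest_mac(digests):
    body = json.dumps(digests, sort_keys=True).encode()
    return hmac.new(MANIFEST_KEY, body, "sha256").hexdigest()


def create_backup(files):
    """Return (gzipped tar bytes, manifest JSON bytes) for an in-memory set of files."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in sorted(files.items()):
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    digests = {path: sha256_hex(data) for path, data in files.items()}
    return buf.getvalue(), json.dumps({"files": digests, "mac": manifest_mac(digests)}).encode()


def _safe_extract(tar, member, dest):
    """Refuse absolute paths and '..' so a crafted archive cannot write outside dest."""
    if member.name.startswith("/") or ".." in member.name.split("/"):
        return False
    if hasattr(tarfile, "data_filter"):   # Python 3.12+ (and backports): stdlib data filter too
        tar.extract(member, path=dest, filter="data")
    else:
        tar.extract(member, path=dest)
    return True


def restore_and_verify(tar_bytes, manifest_bytes):
    """Restore into a scratch directory and compare every file with the manifest.

    Returns {path or 'manifest': problem}; an empty dict means the restore test passed."""
    manifest = json.loads(manifest_bytes)
    if not hmac.compare_digest(manifest_mac(manifest["files"]), manifest["mac"]):
        return {"manifest": "MAC mismatch: manifest altered or wrong key"}
    problems, restored = {}, {}
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
            for member in tar.getmembers():
                if not _safe_extract(tar, member, scratch):
                    problems[member.name] = "unsafe path in archive"
        for root, _, names in os.walk(scratch):
            for name in names:
                full = os.path.join(root, name)
                rel = os.path.relpath(full, scratch).replace(os.sep, "/")
                with open(full, "rb") as fh:
                    restored[rel] = sha256_hex(fh.read())
    for path, digest in manifest["files"].items():
        if path not in restored:
            problems[path] = "missing after restore"
        elif restored[path] != digest:
            problems[path] = "content differs from manifest"
    for path in restored:
        if path not in manifest["files"]:
            problems[path] = "unexpected file in restore"
    return problems


def run_restore_test():
    """Clean restore, then two failure modes: a corrupted archive and a forged manifest."""
    tar_bytes, manifest = create_backup(SAMPLE_FILES)
    clean = restore_and_verify(tar_bytes, manifest)
    tampered_files = dict(SAMPLE_FILES)
    tampered_files["finance/ledger.csv"] = b"date,amount\n2022-02-01,0\n"
    tampered_tar, _ = create_backup(tampered_files)
    corrupted = restore_and_verify(tampered_tar, manifest)
    forged = json.loads(manifest)   # attacker edits the hash but cannot recompute the MAC
    forged["files"]["finance/ledger.csv"] = sha256_hex(tampered_files["finance/ledger.csv"])
    forged_result = restore_and_verify(tampered_tar, json.dumps(forged).encode())
    return clean, corrupted, forged_result


if __name__ == "__main__":
    for label, result in zip(("clean", "corrupted archive", "forged manifest"), run_restore_test()):
        print(label, "PASS" if not result else result)
```

The clean run returns no problems, the corrupted archive is reported as “content differs from manifest” for the ledger, and the forged manifest is rejected outright on its MAC before anything is restored. A scheduled job that runs this against a real backup, restoring into scratch storage rather than over production, is what “regularly test your backup and restore capabilities” means in practice; a backup that has never been restored is an assumption, not a recovery plan.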

With Arcserve Cloud Services disaster recovery as a service (DRaaS), you can count on complete, reliable business continuity using a highly distributed and fault-tolerant disaster recovery cloud with 99.999+ percent uptime. That takes care of bullet #1 above. Arcserve cloud services also feature the optional patented ability to pre-stage site-wide failover processes so you can test or execute a failover with the click of a single button. Check off bullet #2.

With Arcserve OneXafe, you also have the option of immutable storage for ransomware protection. OneXafe’s file system is built on an immutable object store: every object is written once and never modified in place, so your backups cannot be changed or deleted. OneXafe continuous data protection takes low-overhead snapshots, a view of the file system at the instant the snapshot is taken, every 90 seconds. That means you can roll back to a snapshot from a specific point in time and recover entire file systems in minutes.

Fight Back

If you want answers to your questions about data protection, backup, and disaster recovery, contact us, or find an authorized Arcserve technology partner to help you put the right solutions in place to meet your needs.
