What cyber attackers are actually targeting
Ransomware is very profitable for cybercriminals, especially during the current pandemic with the increase in remote work and learning.
The Acronis Cyber Protection Operation Centre (CPOC) noticed a recent spike in globally blocked ransomware attacks: 20% in the second half of May.
20% spike in globally blocked ransomware attacks
Simple tools such as FTP scripts are used to ex-filtrate the data
Additional security measures outside backup and a DRP are needed in order to be fully protected
The activity has since dropped, however in June, this remains elevated.
But what exactly are cyber attackers looking for? What makes your MSP business a target?
The methods of these criminals have changed slightly over the years, since defence methods have adapted however, targeted ransomware is still primarily distributed through spear-phishing emails.
With the increase of working from home, there has been a growing interest in scanning for exposed and poorly secured services such as RDP and VPN servers.
Recent years have seen many attacks directed towards services providers (SP) as a supply chain attack.
Having access to cloud infrastructure, or at least the consoles or a SP, can multiply the reach for the attacker.
Having access to web consoles, including the ones from security and backup services can make this a target.
Misusing that access, they can try to disable security tools, delete backups and even deploy their malware into the organisation.
Companies may already have a working disaster recovery plan without the worry about losing their encrypted data, which is why attackers are increasingly shifting their focus towards stealing data.
The attackers sometimes ex-filtrate tens of terabytes of data, which could be identified by the network monitoring team, if they’re looking.
Often simple tools such as FTP scripts are used to ex-filtrate the data.
In order to bypass DLP or network monitoring, encryption might be applied, like compressing the data in a password-protected archive before transferring.
The attackers search for sensitive data and aren’t really interested in holiday photos, but rather go for financial documents, contracts, customer records and legal documents.
Anything that could inflict damage to the victim and would motivate them to pay the ransom demand.
When cybercriminals gain a foothold inside an organisation they’ll often manually expand their influence with common tactics.
The attackers adapt to whatever situation and resistance they encounter.
Some groups attempt to attack password managers.
The lateral spreading still mostly relies on privilege escalation or stolen passwords.
The actual ransomware payload is often deployed very late in the process.
How to protect your MSP business
No matter what motive the attackers have, it’s clear that the era where backup alone was enough protection against ransomware attacks is long gone.
Of course, you should still have a working backup and a tested disaster recovery plan – just like you wouldn’t remove the seat belts in your car either – but you need additional security measures in order to be fully protected.
That said, each ransomware attack should be treated as a data breach investigation at the start.