The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has updated its “StopRansomware Guide” to reflect the changing threat landscape. Ransomware groups have shifted away from double-extortion tactics, in which threat actors both encrypt victims’ systems and exfiltrate data that they threaten to leak, toward choosing new targets and relying solely on data theft and leaks to pressure victims into paying. According to vendor reports and government advisories, ransomware groups are now using this single-extortion approach, exploiting vulnerabilities to carry out broad attacks and going after new targets such as VMware ESXi hypervisor servers. Ransomware-as-a-service groups actively target hypervisor servers because compromising the hypervisor lets them encrypt the infrastructure quickly and at scale.
These trends have prompted CISA, along with the FBI and National Security Agency, to update the guide for the first time since its publication in 2020. The new recommendations include warnings about third parties and managed service providers, best response practices for ransomware and data extortion attacks, and the importance of maintaining offline and encrypted backups of critical data.
CISA’s security recommendations are changing to keep pace with the evolution of ransomware. While maintaining sufficient backups is still critical to the recovery process, there are new caveats when it comes to securing data in the cloud. It is important to maintain offline, encrypted backups of critical data, because ransomware variants will encrypt any backups they can reach in order to increase the pressure to pay. Automated cloud backups may not be sufficient on their own: if local files are encrypted by an attacker, the encrypted versions will be synced to the cloud and may overwrite the clean copies. CISA recommends using infrastructure as code to deploy and update cloud resources and keeping backups of the template files offline.
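The following Python snippet is an added illustration of the cloud-sync caveat described above; it is not code from CISA or the guide. It simulates the two backup strategies on constructed sample data: a naive mirror sync, where the cloud copy is simply overwritten, and a versioned, append-only store that keeps every prior version and flags a change when a previously low-entropy file suddenly becomes high-entropy, which is what a bulk-encrypted file looks like. The file path, the "encryption" routine (a deterministic XOR keystream used only to produce ciphertext-like bytes) and the entropy threshold are all assumptions for the demo.

```python
import hashlib
import math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ~4 for English text, close to 8 for encrypted or compressed data."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())

def fake_encrypt(data: bytes, key: bytes) -> bytes:
    """Constructed stand-in for ransomware output: XOR with a SHA-256 counter keystream.
    Deterministic so the demo is reproducible; it is NOT a real cipher."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        keystream = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], keystream))
    return bytes(out)

def mirror_sync(local: dict, cloud: dict) -> dict:
    """Naive one-way sync: whatever is on disk replaces the cloud copy, clean or not."""
    merged = dict(cloud)
    merged.update(local)
    return merged

class VersionedBackup:
    """Append-only store: a new version is added, earlier versions are never overwritten."""

    def __init__(self, entropy_threshold: float = 7.2):
        self.versions = {}          # path -> list of (sha256 hex, bytes)
        self.threshold = entropy_threshold
        self.alerts = []            # paths whose latest change looks like bulk encryption

    def ingest(self, local: dict) -> None:
        for path, data in local.items():
            digest = hashlib.sha256(data).hexdigest()
            history = self.versions.setdefault(path, [])
            if history and history[-1][0] == digest:
                continue            # unchanged since last run
            if history:
                before = shannon_entropy(history[-1][1])
                after = shannon_entropy(data)
                if before < self.threshold <= after:
                    self.alerts.append(path)
            history.append((digest, data))

    def latest_clean(self, path: str):
        """Most recent version that does not look encrypted, or None."""
        for _digest, data in reversed(self.versions.get(path, [])):
            if shannon_entropy(data) < self.threshold:
                return data
        return None

def run_scenario() -> dict:
    """Constructed scenario: a clean sync, then a sync after local files were encrypted."""
    key = b"constructed-demo-key"
    plain = b"Quarterly recovery plan, revision 3.\n" * 120
    clean_local = {"docs/plan.txt": plain}
    ransomed_local = {"docs/plan.txt": fake_encrypt(plain, key)}

    # Mirror sync: the second run replaces the only cloud copy with ciphertext.
    cloud = mirror_sync(clean_local, {})
    cloud = mirror_sync(ransomed_local, cloud)

    # Versioned store: the ciphertext is appended and flagged; the clean copy survives.
    store = VersionedBackup()
    store.ingest(clean_local)
    store.ingest(ransomed_local)
    return {
        "mirror_lost_clean": cloud["docs/plan.txt"] != plain,
        "versioned_alerts": list(store.alerts),
        "versioned_recovered": store.latest_clean("docs/plan.txt") == plain,
    }

if __name__ == "__main__":
    print(run_scenario())
```

The entropy check is a heuristic: legitimately compressed or already-encrypted files also score near 8 bits per byte, so in practice it is a trigger for review rather than proof of compromise. The property that actually preserves recoverability is the append-only history (the real-world equivalents are object versioning, immutable or write-once storage, and an offline copy that the synced account cannot modify), which is why the guide pairs cloud backups with offline, encrypted ones.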
Jen Miller-Osborn, director of threat intelligence at Palo Alto Networks’ Unit 42, observed a significant increase in extensive harassment employed by ransomware groups. She also noted that ransomware groups are starting to look more like nation-state attackers, particularly when it comes to exploiting software vulnerabilities, and some groups even had their own zero-days. Ryan Kovar, distinguished security strategist at Splunk, said ransomware operators are adapting to improved defenses and national policy updates, and he has observed the LockBit ransomware gang trying new methods to get around defenses. Ian McShane, vice president of strategy at Arctic Wolf, said ransomware groups will use data exfiltration as a bluff, and it can be difficult for organizations that don’t have systems or incident response plans in place to verify if sensitive data was indeed exfiltrated.
While many vendors, including Arctic Wolf, observed a decrease in ransomware attacks over the past year, some of that decline can be attributed to a lack of reporting. McShane said, “We saw 26% less ransomware attacks over the past year. In the grand scheme of things, so few organizations actually put their hands up and say, ‘We’ve had a ransomware attack,’ so it’s probably growing now.” Ransomware is also not necessarily catastrophic, because an attack is not always something that happens overnight. Organizations that are prepared and have defenses they can put to use have a window in which to limit the damage.
The ransomware threat landscape is constantly changing, and organizations should adapt their security practices accordingly. CISA’s updated “StopRansomware Guide” provides crucial recommendations for organizations of all sizes to protect against ransomware. Protecting sensitive data with offline, encrypted backups and keeping VMs and hypervisors patched can help mitigate the damage. Organizations should also recognize the importance of response times and incident response plans in keeping their systems secure against ransomware attacks.