In the second quarter of 2022, ransomware remained one of the top threats to information security, and the META region (Middle East, Türkiye and Africa) received its share of it. One of the most notable examples was the attack on Shoprite, Africa’s largest retail chain. Other notable examples in the region include LockBit attacks in sub-Saharan Africa and Cl0p attacks targeting assets in the UAE.
Kaspersky experts are also seeing ransomware groups become increasingly industrialized in their internal structure, their advertising and the inventive techniques they use during attacks, a trend Kaspersky noted in the ransomware trends it published earlier this year.
Kaspersky Senior Security Researcher Maher Yamout says: “We see a clear trend in ransomware development to become more sophisticated and targeted, while also exposing victims to more threats. In recent years, ransomware groups have come a long way from swarming gangs to businesses with the hallmarks of a full-fledged industry. We are seeing more and more situations where ransomware attacks are performed manually in a time-consuming but highly efficient manner that we have not seen before from small-scale attackers.”
The Kaspersky Threat Intelligence team has prepared a comprehensive study of modern ransomware to better understand and analyze the most common tactics, techniques and procedures (TTPs). The analyses focus on the activities of Conti/Ryuk, Pysa, Clop (TA505), Hive, LockBit 2.0, RagnarLocker, BlackByte and BlackCat. Between March 2021 and March 2022 these groups, active in the United States, the United Kingdom, Germany and other countries, hit more than 500 organizations in sectors such as manufacturing and software development, as well as small businesses.
Kaspersky experts analyzed how these ransomware groups used the techniques and tactics described in the MITRE ATT&CK knowledge base and found many similarities in TTPs across the whole attack chain. Ransomware attacks follow a very similar and easily predictable pattern: gaining access to the victim’s corporate network or computer, delivering malware, reconnaissance, credential access, deleting shadow copies, eliminating backups, and finally achieving the main goal, encrypting the data.
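The "deleting shadow copies, eliminating backups" stage of that chain is the one defenders can most reliably catch before encryption starts, because it is carried out with a handful of built-in Windows administration tools. The following is an added example, not code from the Kaspersky report or from Securelist: a small detector that runs the usual recovery-inhibition patterns (vssadmin, wmic shadowcopy, wbadmin, bcdedit, mapped to MITRE ATT&CK T1490) over process-creation events and escalates when several distinct commands fire on one host inside a short window. The regexes, the window size and the sample events are this example's own assumptions; the events are constructed, not real telemetry.

```python
import re
from collections import defaultdict

# Detection rules for the "delete shadow copies, eliminate backups" stage.
# Each entry: (rule name, MITRE ATT&CK technique, regex over the command line).
# T1490 (Inhibit System Recovery) is the technique these commands map to; the
# patterns themselves are this example's assumption, not rules from the report.
RULES = [
    ("vssadmin shadow deletion", "T1490",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("vssadmin shadowstorage resize (purges old copies)", "T1490",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I)),
    ("wmic shadowcopy deletion", "T1490",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("wbadmin backup catalog deletion", "T1490",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\b(catalog|systemstatebackup|backup)\b", re.I)),
    ("bcdedit recovery disabled", "T1490",
     re.compile(r"\bbcdedit(\.exe)?\b.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
]

# Constructed process-creation events (Sysmon Event ID 1 / Security 4688 style),
# reduced to the fields the rules need. Not real telemetry.
SAMPLE_EVENTS = [
    {"ts": 1000, "host": "FS01", "user": "CORP\\svc_backup",
     "cmd": "C:\\Windows\\System32\\wbengine.exe"},               # benign backup engine
    {"ts": 1100, "host": "WS-042", "user": "CORP\\jdoe",
     "cmd": "powershell.exe -NoProfile -Command Get-Service"},    # benign
    {"ts": 2000, "host": "DC01", "user": "CORP\\admin",
     "cmd": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"ts": 2003, "host": "DC01", "user": "CORP\\admin",
     "cmd": "wmic.exe shadowcopy delete"},
    {"ts": 2005, "host": "DC01", "user": "CORP\\admin",
     "cmd": "wbadmin.exe delete catalog -quiet"},
    {"ts": 2010, "host": "DC01", "user": "CORP\\admin",
     "cmd": "bcdedit.exe /set {default} recoveryenabled No"},
    {"ts": 9000, "host": "BK01", "user": "CORP\\backupadmin",
     "cmd": "vssadmin.exe resize shadowstorage /for=D: /on=D: /maxsize=10GB"},  # plausibly legitimate
]


def match_rules(cmdline):
    """Return the names of every rule whose pattern matches one command line."""
    return [name for name, _tid, rx in RULES if rx.search(cmdline)]


def detect(events, window=300, burst_threshold=2):
    """Group rule hits per host into windows of `window` seconds.

    A single vssadmin call can be an administrator's doing, so one hit only
    yields a "medium" alert; `burst_threshold` or more *distinct* recovery-
    inhibiting commands inside one window is the pre-encryption cleanup that
    ransomware performs and is rated "high". Returns a list of alert dicts
    in the order the first hit on each host was seen.
    """
    hits_by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        names = match_rules(ev["cmd"])
        if names:
            hits_by_host[ev["host"]].append((ev["ts"], ev["user"], names))

    alerts = []
    for host, hits in hits_by_host.items():
        i = 0
        while i < len(hits):
            start = hits[i][0]
            j = i
            while j < len(hits) and hits[j][0] - start <= window:
                j += 1
            group = hits[i:j]
            distinct = sorted({n for _, _, names in group for n in names})
            alerts.append({
                "host": host,
                "users": sorted({u for _, u, _ in group}),
                "first_seen": group[0][0],
                "rules": distinct,
                "severity": "high" if len(distinct) >= burst_threshold else "medium",
            })
            i = j
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["host"], alert["users"], alert["rules"])
```

In the constructed sample, DC01 produces a "high" alert (four distinct T1490 commands within ten seconds) while BK01's lone shadowstorage resize stays at "medium", which is the distinction an analyst needs: the burst, not any single command, is what separates a ransomware operator's cleanup from routine administration. In production the same logic would consume Sysmon or 4688 events from the SIEM, and the "high" path is the one to wire to an automatic host isolation.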
Here’s how the researchers explain where the similarity between the attacks comes from:
- A phenomenon called “Ransomware as a Service” (RaaS) is spreading: the ransomware groups do not distribute the malware themselves but provide the encryption payload as a service. The operators who deliver the malicious files (the affiliates) also want an easier job, so they use templated delivery methods or automation-based tools when gaining access.
- Reusing known and similar tools makes life easier for attackers and shortens attack preparation time.
- Reusing widely used TTPs makes intrusions easier. Such techniques can be detected, but taking preventive action against every possible threat vector is extremely difficult.
- Victims are slow to install updates and patches, and it is usually the unpatched who are attacked.
You can download the ransomware TTP report from Securelist.
To protect yourself and your business from ransomware attacks, Kaspersky recommends following these guidelines:
- Do not expose remote desktop/management services (RDP, MSSQL, etc.) to public networks unless absolutely necessary, and always use strong passwords, two-factor authentication, and firewall rules.
- Promptly install available patches for commercial VPN solutions that give remote workers access and act as gateways into your network.
- Always keep your software up to date on all the devices you use to prevent ransomware from exploiting security vulnerabilities.
- Focus your defensive strategy on detecting lateral movement and data exfiltration to the Internet. Pay special attention to outgoing traffic to spot the attackers’ connections.
- Pay special attention to offline backup strategies and back up your data regularly. In an emergency, make sure you have quick access to the data you backed up.
- Avoid downloading software from unknown sources and downloading and installing pirated software.
- Assess and control the access your supply chain and managed service providers have to your environment.
- Develop a plan of action for the reputational risk associated with exposing your data in the event of data theft.
- Use solutions such as Kaspersky Endpoint Detection and Response Expert and Kaspersky Managed Detection and Response services, which help identify and stop an attack early, before the attackers reach their final objective.
- Train your employees to protect your business environment. The dedicated training courses on the Kaspersky Automated Security Awareness Platform can help with this.
- Get a reliable endpoint security solution like Kaspersky Endpoint Security for Business, backed by an exploit prevention, behavior detection, and remediation engine that can undo malicious actions. KESB also has protection mechanisms that can prevent removal by cyber criminals.
- Use the latest threat intelligence to stay informed about the actual TTPs used by threat actors. The Kaspersky Threat Intelligence Portal is a single access point to Kaspersky’s TI, providing cyberattack data and insights collected by its team for nearly 25 years. To help companies defend themselves more effectively in these difficult times, Kaspersky has announced free access to independent, constantly updated and globally available information about ongoing cyberattacks and threats. Access to the offer can be requested at this address.
Source: (BYZHA) – Beyaz News Agency