There is no question that ransomware is here to stay. Thirty-seven percent of the matters we handled last year involved ransomware, compared to 27 percent of matters in 2020. In 2019, there were approximately 15 active ransomware threat actor groups. In 2021, we handled matters involving more than 80 different ransomware variants. Government entities and regulators have taken notice, spurred on by media attention to high-profile incidents. Threat actors are evolving, finding additional ways to put pressure on victims to pay. This means that organizations must also evolve to stay ahead of them. This has become even more apparent in recent months, with threat actor groups dissolving, reforming under new names, and even making public statements about current world affairs, including the war in Ukraine. 

One issue that is still at the forefront is that, in some cases, a ransomware investigation may identify a potential nexus between the threat actor group involved and an entity on the Office of Foreign Assets Control (OFAC) Specially Designated Nationals and Blocked Persons List (SDN List). Because it is illegal to pay an entity on the SDN List, the victim would not be able to pay the ransom even if it wanted or needed to do so.

A trend making this issue more complicated is the rise in Ransomware-as-a-Service (RaaS). Certain threat actor groups – for a fee or a cut of proceeds – share their tools and encryption programs with other threat actor groups. As a result, it can be difficult to determine from the ransomware variant alone which threat actor you are dealing with. It is now more important than ever to work with experienced legal counsel, forensic firms, and ransomware negotiators to obtain additional intelligence about the threat actor and analyze the forensic data to identify other indicators of compromise that might help to identify the threat actor.

Of course, the most effective way for victim organizations to avoid this issue is to make sure they have endpoint detection and response (EDR) tools to identify and stop suspicious activity earlier in an attempted attack (prior to the encryption of data) and robust backup capabilities to reduce the likelihood of needing to pay for a decryptor. That said, as threat actors evolve, they may find ways around these protections. Continuing to monitor the threat landscape is a key component of an effective ransomware defense strategy.

Another trend we are seeing is that data exfiltration is not only the “new normal,” it is also increasingly becoming the only method of extortion used by certain threat actors. Last year, we reported on the growing trend of threat actors stealing data from victims prior to encrypting data as an additional leverage point to induce the victims to pay. In 2020, 70 percent of the ransomware matters we handled included a claim from the threat actor that they had stolen data. This percentage jumped to 82 percent of the ransomware matters we handled in 2021. Now we are beginning to see a rise in matters where the threat actor skips the encryption step altogether but still steals data and demands payment to prevent disclosure of that data. As a result, it is even more critical to practice good data hygiene: the less sensitive data there is in a victim’s network, the less data the threat actor may be able to steal and the less leverage they will have.

Steps Organizations Should Take Right Now to Prevent or Limit the Severity of a Ransomware Attack:

  • Widely deploy EDR tools and set them to enforcement mode to identify and stop suspicious activity earlier in an attempted attack.
  • Enforce multi-factor authentication (MFA) for remote connections to keep threat actors out, especially with so many employees working from home.
  • Invest in robust, air-gapped, immutable backup capabilities to reduce the likelihood of needing to pay for a decryptor.
  • Establish and follow patch management protocols to prevent the attacker from exploiting vulnerabilities to gain access to unpatched systems. 
  • Implement – and test – a business continuity plan to identify temporary workarounds for critical business processes.
  • Consider implementing a zero-trust framework to limit a threat actor’s ability to move laterally in your environment if they do gain access.
  • Employ a defense-in-depth strategy, layering safeguards on top of each other to harden your network, as there is no single way to prevent a ransomware attack.
  • Practice good data hygiene and follow data retention policies, making it less likely a threat actor will be able to steal sensitive data.