The Chertoff Group

While Hive ransomware disruption is a win, many organizations remain unprepared

On January 26, the U.S. Department of Justice (DOJ) announced the disruption of the Hive ransomware group. This is a significant development in the ongoing battle against cyber extortion and highlights the value of international coordination to dismantle criminal cyber enterprises. The takedown featured strong coordination with federal police in Germany and the Netherlands High Tech Crime Unit.

DOJ’s press release details how it penetrated Hive’s computer networks in July 2022, captured the group’s decryption keys, and offered them to victims worldwide, sparing those victims from paying $130 million in demanded ransoms. Hive has targeted more than 1,500 victims in 80 countries, including hospitals, school districts, financial institutions, and other critical infrastructure.

Hive was the most active ransomware group observed in Q4 2022, accounting for 13.8% of the ransomware attacks observed that quarter. The takedown adds to other indicators that the volume of ransomware attacks declined noticeably in 2022. That said, the global ransomware threat is far from over and is expected to remain pervasive.

Persistent impacts of a successful ransomware attack

Ransomware is designed to paralyze an organization by locking systems and files, rendering crucial data inaccessible. A successful ransomware attack causes an average of three weeks of downtime. Increasingly, double-extortion attacks steal victims’ sensitive data before the encryption event, increasing the attackers’ leverage. When a ransomware attack becomes public, reputational damage follows and severe financial impacts can ensue: Tenet Healthcare reported that it expected an April 2022 double-extortion attack to have a pre-tax impact of $100MM.

Ransomware threat actors are also increasingly well-resourced: the U.S. Financial Crimes Enforcement Network (FinCEN) reported that in 2021 it received 1,489 ransomware-related filings worth nearly $1.2 billion, a 188 percent increase over the $416 million total for 2020.

Vigilance is needed and stricter regulations are coming

Organizations cannot let down their guard. Despite the dismantling of Hive, new and emerging actors will continue to pose an urgent threat. According to the Cybersecurity and Infrastructure Security Agency (CISA), 14 of the 16 U.S. critical infrastructure sectors have already been ransomware targets.

As threat activity persists, recent regulatory and legislative developments are raising cyber risk management expectations. The Cyber Incident Reporting for Critical Infrastructure Act of 2022 will require covered entities to report covered cyber incidents within 72 hours, and ransomware payments within 24 hours, with updates if substantial new or different information becomes available. Likewise, the U.S. Securities and Exchange Commission (SEC) is expected to finalize a proposed cybersecurity disclosure rule that would require disclosure of material cybersecurity incidents within four business days of a materiality determination.

Many organizations are not prepared

According to the 2022 State of Ransomware Preparedness report by Axio, only 30% of surveyed organizations had a ransomware-specific playbook. Active phishing training has improved but is still not practiced by 40% of organizations, according to the survey. Technical debt and network misconfiguration, both on-premises and in the cloud, will continue to provide windows for exploitation.

Small and medium-sized enterprises are disproportionately impacted by ransomware because they have not hardened their security to the extent that larger organizations have, partly for budget reasons. So how can organizations of all sizes protect against the ongoing threat of ransomware attacks?

Common weaknesses are easily exploited
 
In the case of Hive, CISA details how the group gained access to victims’ networks through a variety of methods: single-factor logins via Remote Desktop Protocol (RDP), virtual private networks (VPNs) and other remote network connection protocols; exploitation of vulnerabilities in Fortinet’s mobile software token application; and phishing emails with malicious attachments.

Shore up Cyber Hygiene

Immediate actions to protect against a ransomware attack include:

For comprehensive ransomware mitigation guidance, see CISA’s Ransomware Guide.

Strengthen Threat-informed Defense and Resilience

Implement a threat-informed defense, for example using the MITRE ATT&CK framework: identify the tactics, techniques and procedures (TTPs) that likely adversaries use, then map them to threat-specific mitigations and to the detection data sources that would reveal them. A corollary step is response-oriented engineering, whereby logging and correlation are designed in advance so that incidents can be understood quickly, and therefore contained, when they do occur.
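The access vectors CISA attributes to Hive (single-factor RDP and VPN logins, phishing attachments) and the ATT&CK mapping and log correlation described here can be shown together in working code. What follows is an added example, not code from The Chertoff Group, CISA or DOJ. It assumes a simple key=value gateway log format, constructed sample log lines, a five-minute window between a successful MFA challenge and the remote login it authorizes, and a small set of high-risk attachment types; the ATT&CK technique and mitigation IDs are real.

```python
"""Threat-informed detection for the Hive initial-access vectors described above.

Added example, not code from The Chertoff Group, CISA or DOJ. The ATT&CK
technique and mitigation IDs are real; the log line format, host names, user
names, IP addresses and the 5-minute MFA window are assumptions for this example.
"""
import re
from datetime import datetime, timedelta

# Assumption: a successful MFA challenge must precede a remote login within this window.
MFA_WINDOW = timedelta(minutes=5)

# Assumption: attachment types treated as high-risk when delivered by mail.
RISKY_EXT = {"iso", "img", "lnk", "js", "vbs", "hta", "docm", "xlsm"}

# TTPs from the CISA description of Hive initial access, mapped to ATT&CK
# techniques, mitigations and the data source each rule below consumes.
TTP_MAP = {
    "remote_login_no_mfa": {
        "technique": "T1133 External Remote Services / T1078 Valid Accounts",
        "mitigation": "M1032 Multi-factor Authentication",
        "data_source": "Logon Session (VPN and RDP gateway logs)",
    },
    "phishing_attachment": {
        "technique": "T1566.001 Phishing: Spearphishing Attachment",
        "mitigation": "M1049 Antivirus/Antimalware; M1017 User Training",
        "data_source": "Application Log (mail gateway)",
    },
}

# Assumed line format: "<ISO-8601 timestamp> <host> <event> k=v k=v ..."
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+) ?(?P<kv>.*)$")


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    return {
        "ts": datetime.fromisoformat(m.group("ts").replace("Z", "+00:00")),
        "host": m.group("host"),
        "event": m.group("event"),
        **fields,
    }


def detect(lines):
    """Run the two Hive-relevant rules over log lines; return alerts in time order."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    last_mfa = {}  # user -> timestamp of the most recent successful MFA challenge
    alerts = []
    for e in events:
        user = e.get("user")
        if e["event"] == "mfa_challenge" and e.get("result") == "success":
            last_mfa[user] = e["ts"]
        elif e["event"] == "remote_login" and e.get("result") == "success":
            # Correlation: a remote login with no recent MFA success is single-factor
            # (or MFA was bypassed); either way it matches Hive's observed access path.
            mfa_at = last_mfa.get(user)
            if mfa_at is None or e["ts"] - mfa_at > MFA_WINDOW:
                alerts.append({"rule": "remote_login_no_mfa", "user": user,
                               "proto": e.get("proto"), "src_ip": e.get("src_ip"),
                               **TTP_MAP["remote_login_no_mfa"]})
        elif e["event"] == "mail_delivered":
            name = e.get("attachment", "")
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if ext in RISKY_EXT:
                alerts.append({"rule": "phishing_attachment", "user": user,
                               "attachment": name, **TTP_MAP["phishing_attachment"]})
    return alerts


# Constructed sample log lines (not real data).
SAMPLE_LOGS = """\
2023-01-26T08:00:02Z mfa-svc mfa_challenge user=alice result=success
2023-01-26T08:00:09Z vpn-gw remote_login user=alice proto=vpn src_ip=198.51.100.7 result=success
2023-01-26T08:14:31Z rdp-gw remote_login user=svc_backup proto=rdp src_ip=203.0.113.45 result=success
2023-01-26T08:20:00Z mail-gw mail_delivered user=bob attachment=invoice_Q4.iso
2023-01-26T08:21:15Z mail-gw mail_delivered user=carol attachment=agenda.pdf
2023-01-26T09:05:00Z mfa-svc mfa_challenge user=dave result=success
2023-01-26T09:30:00Z rdp-gw remote_login user=dave proto=rdp src_ip=192.0.2.10 result=success
""".splitlines()

if __name__ == "__main__":
    for a in detect(SAMPLE_LOGS):
        print(f"{a['rule']:22} user={a['user']:10} {a['technique']} -> {a['mitigation']}")
```

On the constructed lines, alice’s VPN login follows her MFA challenge by seconds and is not flagged; the svc_backup RDP login has no challenge at all, dave’s challenge is 25 minutes stale, and bob’s .iso attachment matches the phishing rule. A login that reaches the gateway with no preceding challenge looks the same whether MFA was never enforced or was bypassed through a flaw in the authentication path, so the correlation covers both; it is a detection, not a substitute for enforcing MFA and patching the gateway. Each alert carries the ATT&CK technique, mitigation and data source so that a responder sees what to fix alongside what fired.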

Companies must also exercise their incident response processes to build muscle memory, stress-test decision making and validate recovery capabilities. Cyber preparedness also means building relationships before a severe event. In DOJ’s Hive announcement, FBI Director Christopher Wray stressed the importance of meeting officials at the local FBI field office before an attack occurs, or at the very least calling them as soon as an intrusion is discovered. He stated that only 20% of Hive’s victims had reported their attacks to law enforcement.
