Ransomware Attack 2020

Mounika Raghavarapu   

Throughout 2020, the world has witnessed innumerable uncertainties in economies, people, and livelihoods. Though cybersecurity hygiene is a common practice, the pandemic has brought in a new set of threats that are associated with employees working from home. With almost 90% of the employees working from home, there is a need for altering the common cybersecurity hygiene checklist amid new kinds of ransomware, phishing, and malware incidents during the pandemic.

The year 2020 has opened a new gateway for attackers to intrude into business systems through employees’ computers. During the first quarter of the year, hardly any company was ready to set up a secure Work From Home environment, which resulted in the highest number of attacks, reportedly through employees' accounts and systems.

Also, many ransomware operators have sharpened their skills at stealing sensitive data from sectors such as government services, financial services, banking, insurance, and manufacturing. Regardless of size or sector, every organization worldwide faces a serious risk of ransomware attacks.

Ransomware Attacks in 2020-2021

Top ransomware attacks that threatened organizations in 2020 and 2021

REvil Ransomware: is the topmost ransomware of 2020-21. It is a file-encrypting virus that infiltrates the system, encrypts all the files and demands money from the victim, who is forced to pay in bitcoin. The attackers double the ransom if the victim does not meet the payment deadline.

Sodinokibi Ransomware: also known as Sodin, is a type of REvil ransomware. It first spread in 2019, using a zero-day vulnerability in Oracle Weblogic servers. This vulnerability was later fixed, but the attackers then used software installers to spread Sodin. Sodinokibi ransomware has a configurable structure, which lets it do the following when activated:

Exploiting the CVE-2018-8453 vulnerability to escalate its privileges.

Encrypting removable or network drives that are not on its whitelist.

Avoiding resource conflicts by terminating blacklisted processes.

Deleting files that are on the blacklist.

Transferring the target's system data to the attacker.

Nemty Ransomware: is different from other ransomware in that it operates as a ransomware service. It was a version of RaaS (Ransomware as a Service), where clients were able to spread these versions in their preferred way. Phishing emails were widely used to spread this malware. When a victim was infected with Nemty, they had to pay 30% of the ransom to the Nemty developers and the remainder to the clients.

Nephilim Ransomware: According to cybersecurity researchers, Nephilim ransomware is much like Nemty, as the two share similar source code, design and behaviour. Both threaten victims with publishing their sensitive data if the ransom is not paid. This type of ransomware was largely found in large-scale industries; the attackers managed to encrypt victims’ data by exploiting vulnerabilities in remote desktop networks and VPNs.

NetWalker Ransomware: is one of the modern variations of ransomware, also known as Mailto. Attackers using NetWalker mainly targeted remote-working employees, government agencies, corporations and healthcare organisations. In the list of 2020-2021 ransomware attacks, NetWalker is one of the most destructive pieces of malicious software. NetWalker encrypts all Windows devices. It uses a configuration that includes the ransom note and file names. Cybersecurity researchers have identified that NetWalker follows two different ways to attack: one through phishing mails about Coronavirus and the other through executable files that spread through networks.
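The families above share a behavioural pattern that endpoint telemetry can surface: a single process terminates backup or database processes, renames many files to a new extension within seconds, and drops a ransom note. The following Python script is an added example, not code from the original post or from Cymune; it runs a heuristic detector over a constructed telemetry log whose field layout, file extensions, thresholds and protected-process list are all assumptions made for this illustration.

```python
import ntpath
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry for this example (not real logs).
# Fields: timestamp|host|pid|image|action|target
# For file_rename, target is "old_path -> new_path".
SAMPLE_LOG = r"""
2020-09-14T08:00:01|ws07|4120|C:\Users\mr\AppData\Local\Temp\invoice.exe|proc_terminate|sqlservr.exe
2020-09-14T08:00:01|ws07|4120|C:\Users\mr\AppData\Local\Temp\invoice.exe|proc_terminate|veeam.backup.exe
2020-09-14T08:00:02|ws07|4120|C:\Users\mr\AppData\Local\Temp\invoice.exe|file_rename|D:\share\q3\budget.xlsx -> D:\share\q3\budget.xlsx.k7x2p
2020-09-14T08:00:02|ws07|4120|C:\Users\mr\AppData\Local\Temp\invoice.exe|file_rename|D:\share\q3\plan.docx -> D:\share\q3\plan.docx.k7x2p
2020-09-14T08:00:03|ws07|4120|C:\Users\mr\AppData\Local\Temp\invoice.exe|file_rename|D:\share\q3\staff.csv -> D:\share\q3\staff.csv.k7x2p
2020-09-14T08:00:03|ws07|4120|C:\Users\mr\AppData\Local\Temp\invoice.exe|file_rename|D:\share\q3\deck.pptx -> D:\share\q3\deck.pptx.k7x2p
2020-09-14T08:00:04|ws07|4120|C:\Users\mr\AppData\Local\Temp\invoice.exe|file_rename|D:\share\q3\ledger.xlsx -> D:\share\q3\ledger.xlsx.k7x2p
2020-09-14T08:00:05|ws07|4120|C:\Users\mr\AppData\Local\Temp\invoice.exe|file_create|D:\share\q3\k7x2p-readme.txt
2020-09-14T08:05:00|ws07|2210|C:\Windows\explorer.exe|file_rename|C:\Users\mr\Desktop\notes.txt -> C:\Users\mr\Desktop\notes-old.txt
2020-09-14T08:30:00|srv02|880|C:\Program Files\Backup\agent.exe|file_create|E:\backups\daily-2020-09-14.bak
"""

# Detection thresholds (assumed values; tune to the environment's baseline).
WINDOW = timedelta(seconds=60)   # look-back window for a rename burst
MIN_RENAMES = 5                  # extension-changing renames inside WINDOW
NOTE_PATTERN = re.compile(r"(readme|decrypt|restore|recover|how[_-]?to)", re.I)
# Processes that ransomware configurations commonly terminate so files are not locked (assumed list).
PROTECTED_PROCESSES = {"sqlservr.exe", "veeam.backup.exe", "vssvc.exe", "outlook.exe"}


def parse_log(text):
    """Parse the pipe-delimited telemetry format into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, host, pid, image, action, target = line.split("|", 5)
        events.append({"ts": datetime.fromisoformat(ts), "host": host, "pid": int(pid),
                       "image": image, "action": action, "target": target})
    return events


def _extension_changed(target):
    """True when a rename gives the file a different extension (e.g. budget.xlsx -> budget.xlsx.k7x2p)."""
    old, sep, new = target.partition(" -> ")
    if not sep:
        return False
    return ntpath.splitext(old)[1].lower() != ntpath.splitext(new)[1].lower()


def _max_in_window(times, window):
    """Largest number of timestamps that fall inside any single window of the given length."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_mass_encryption(events):
    """Group events per process and report those showing ransomware-like behaviour."""
    by_proc = defaultdict(list)
    for e in events:
        by_proc[(e["host"], e["pid"], e["image"])].append(e)

    findings = []
    for (host, pid, image), evs in by_proc.items():
        rename_times = [e["ts"] for e in evs
                        if e["action"] == "file_rename" and _extension_changed(e["target"])]
        burst = _max_in_window(rename_times, WINDOW)
        notes = [ntpath.basename(e["target"]) for e in evs
                 if e["action"] == "file_create" and NOTE_PATTERN.search(ntpath.basename(e["target"]))]
        killed = sorted({e["target"].lower() for e in evs
                         if e["action"] == "proc_terminate" and e["target"].lower() in PROTECTED_PROCESSES})

        indicators = []
        if burst >= MIN_RENAMES:
            indicators.append(f"mass_rename:{burst}")
        if notes:
            indicators.append("ransom_note:" + ",".join(notes))
        if killed:
            indicators.append("killed_protected:" + ",".join(killed))
        if not indicators:
            continue
        # A rename burst alone is medium; corroborated by a note or process kills it is high.
        if burst >= MIN_RENAMES:
            severity = "high" if len(indicators) > 1 else "medium"
        else:
            severity = "low"
        findings.append({"host": host, "pid": pid, "image": image,
                         "severity": severity, "indicators": indicators})
    return findings


if __name__ == "__main__":
    for f in detect_mass_encryption(parse_log(SAMPLE_LOG)):
        print(f"{f['severity'].upper()} {f['host']} pid={f['pid']} {f['image']}: {'; '.join(f['indicators'])}")
```

On the constructed log only the invoice.exe process on ws07 is reported (at high severity, with all three indicators); the ordinary rename by explorer.exe keeps its extension and the backup agent's file name matches no ransom-note pattern, so neither produces a finding. In production the same logic would read Sysmon or EDR file and process events, and the thresholds would be set from a baseline of normal file activity.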

Checklist of effective security measures to keep ransomware at bay:

Check out our blog to understand how the pandemic has brought in new security challenges and how to design a security plan amid the newer risks.

Policies/procedures: pandemic-centric cybersecurity policies may remain the same or may need to be updated according to the new set of cyber-attacks and their consequences. Documentation of cybersecurity operating procedures must be kept current.

Cross-training and backup plan: organizations need to create a skills matrix of key cybersecurity personnel and their roles, and cross-train them to handle events in an emergency.

IDS and IPS management: make Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) part of the organization's network infrastructure. IDS/IPS can be configured to help enforce internal security policies at the network level.

Coordinate with network vendors, including local access, internet access, and WAN services, to make sure the ongoing outbreak does not disrupt network services.

Cybersecurity plans: ensure the cybersecurity or information security plan is up to date and documented with all the data necessary to respond to a cyberattack.

Integrate a Zero Trust Architecture, which helps prevent unauthorized access and reduces the risk of an attacker moving within your network.

Security posture assessment: frequent security posture assessments help cybersecurity personnel identify the organization's cybersecurity strength and resilience against cyber-threats.

Incident Response Plan: to identify, analyse and mitigate a potential cyberattack. An incident response plan helps IT staff detect, respond to, and recover from network security incidents such as cybercrime, data loss, and service outages.

Cymune Ransomware Capabilities

Cymune’s Threat Detection, Response & Remediation and Threat Hunting are delivered by a skilled and experienced team as a fully managed, continuous 24x7 service.

Our intuitive team employs manual and orchestrated methods, using threat intelligence and enhanced telemetry across your endpoints and network, for a full picture of adversary activity. It proactively improves your security posture and hardens your cyber defenses with prescriptive guidance for addressing the configuration and architecture weaknesses that diminish your overall security capabilities.

And in the event of an incident being confirmed, a dedicated threat response lead is provided to directly collaborate with your on-prem team until the active threat is neutralized.