5 Ways Ransomware Hackers Can Blindside Your Business

Cyber criminals have gone way beyond phishing explorations. Here’s what to look out for—and how to keep your organization safe.

Ransomware and data extortion attacks are surging, with 2023 on track to become another record year for these attacks—with close to $1 billion in victim payments when the final tally is done.

As companies reassess their cybersecurity programs, it’s important for C-Suite to understand the different tactics many ransomware groups are now using to outsmart the biggest companies in the world.

For the last two decades, the vast majority of successful cyberattacks have typically relied on phishing emails. This has led many companies to focus heavily on this specific threat vector in their cybersecurity programs. However, cybercrime groups are nothing if not creative, and they are constantly evolving their tactics to stay ahead of corporate security teams. We’re seeing many of these cybercrime groups augment their strategies with new tricks that can blindside companies—by hitting them with attacks they didn’t expect.

To avoid becoming the next corporate victim of ransomware groups like LockBit, Cl0p, BlackCat, Royal and more, it’s important for companies to use a multi-layered cyber defense strategy that anticipates multiple pathways hackers could use to sneak inside the company.

Here are the top five to watch out for:

Botnet attacks

Botnets allow ransomware groups and other cybercriminals to automate attacks on company networks—or to buy access to already infected systems.

Instead of having to trick an employee over email, a bot can directly target an application or device in seconds through attacks like credential stuffing (i.e., password cracking) or vulnerability exploits. Once the bot has gained access, it can then be used to install backdoors in the network and deploy other types of malware—such as ransomware.

One of the most popular botnets among ransomware criminals, Qakbot, was disrupted by the FBI last summer. But the hackers behind Qakbot are still active and many expect they will rebuild their botnet. In the meantime, other botnet operators are filling the void. Another growing concern is that artificial intelligence technology could be used to create vastly more powerful botnets, which can launch a wider range of sophisticated attacks.

Many botnet infections can fly under the radar, so it’s critical that companies thoroughly check for any signs of these backdoors in their networks.

Slipping in through remote services

Although many companies are switching away from remote work, remote services remain a key element in most corporate networks. These services, such as remote desktop protocol (RDP), virtual network computing (VNC) and file transfer protocol (FTP), improve efficiency and productivity—but they also pose a major risk to the network.

The U.S. Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency (CISA) recently warned that ransomware gangs are increasingly exploiting remote services to breach business networks and carry out their attacks. These services are most often compromised through stolen or default passwords, which allow the hacker to simply log in and use the program as a legitimate user. Ransomware groups also target virtual private network (VPN) services, using publicly available exploit code, to gain access to victim accounts.

By exploiting these services, a hacker can completely bypass the company’s otherwise robust cybersecurity protections. Since they are logging in through a legitimate user account, these attacks are also difficult to detect early on.
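The botnet and remote-services sections both describe the same observable pattern on the defender's side: an automated source trying many accounts against an exposed service (RDP, VPN, FTP) and then succeeding with a stolen or default password, after which the activity looks like a legitimate user. The following Python script is an added example, not code from the article: it runs a simple credential-stuffing detector over a few constructed authentication log lines and reports any successful logon from the same source within the burst. The log format (timestamp, source IP, service, username, result), the thresholds, and all addresses and usernames are assumptions made for the example.

```python
"""Flag credential-stuffing bursts against remote services and any success that follows.

Added example with constructed data. Assumed log layout per line:
<ISO-8601 timestamp> <source IP> <service> <username> <OK|FAIL>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one bot sprays six accounts at RDP and then succeeds as
# "grace"; a second source retries one VPN account; a third is a normal logon.
SAMPLE_LOG = """\
2023-10-02T08:00:01Z 203.0.113.9 rdp alice FAIL
2023-10-02T08:00:02Z 203.0.113.9 rdp bob FAIL
2023-10-02T08:00:02Z 203.0.113.9 rdp carol FAIL
2023-10-02T08:00:03Z 203.0.113.9 rdp dave FAIL
2023-10-02T08:00:03Z 203.0.113.9 rdp erin FAIL
2023-10-02T08:00:04Z 203.0.113.9 rdp frank FAIL
2023-10-02T08:00:05Z 203.0.113.9 rdp grace OK
2023-10-02T08:00:10Z 198.51.100.7 vpn alice FAIL
2023-10-02T08:00:30Z 198.51.100.7 vpn alice FAIL
2023-10-02T08:01:00Z 198.51.100.7 vpn alice OK
2023-10-02T09:15:00Z 192.0.2.44 rdp heidi OK
"""


def parse(log_text):
    """Turn the assumed log layout into a list of event dicts."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, service, user, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip,
            "service": service,
            "user": user,
            "ok": result == "OK",
        })
    return events


def find_stuffing(events, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.8):
    """Return one alert per source IP that failed against at least `min_users`
    distinct accounts inside a sliding `window`, with failures making up at
    least `min_fail_ratio` of its attempts. Each alert lists every later
    successful logon from that IP, which is the event worth investigating:
    a success after a spray is the "logged in as a legitimate user" case."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the span fits inside `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            fails = [e for e in span if not e["ok"]]
            users = {e["user"] for e in fails}
            if len(users) >= min_users and len(fails) / len(span) >= min_fail_ratio:
                later_successes = [e for e in evs[start:] if e["ok"]]
                alerts[ip] = {
                    "distinct_users": len(users),
                    "failures": len(fails),
                    "services": sorted({e["service"] for e in span}),
                    "followed_by_success": [(e["user"], e["service"]) for e in later_successes],
                }
                break  # one alert per source is enough for triage
    return alerts


def run_detection(log_text=SAMPLE_LOG):
    return find_stuffing(parse(log_text))


if __name__ == "__main__":
    for ip, alert in run_detection().items():
        print(ip, alert)
```

The single-account retries from 198.51.100.7 do not trigger the rule, which keeps ordinary mistyped passwords out of the alert queue; a real deployment would feed this from the VPN concentrator or Windows security log rather than a text file, and would treat the `followed_by_success` entries as accounts to reset and sessions to terminate.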

Attacking the company through a third party

A growing number of ransomware gangs are specifically targeting third-party vendors and trusted technology providers to gain access to company networks and information.

According to a recent insurance report, third-party vendor attacks were responsible for 29 percent of insurance claims in H1 2023, replacing phishing as the top threat. Meanwhile, ransomware hackers also zeroed in on multiple trusted technology tools—like MOVEit Transfer and GoAnywhere—to pull off some of the largest attacks this year. The hack of 3CX, a leading VoIP provider, was another major incident potentially impacting hundreds of thousands of customers. It also exemplifies the growing risk of multiple—or linked—software supply chain attacks.

These attacks are difficult for businesses to prevent or detect, since they start with an outside organization over which the company has little or no control. The attackers then use that organization’s access to the company to sneak into the network or to steal data. These third-party attacks are a growing risk to every industry, from financial services and healthcare to technology, retail and gaming.

Recruiting insiders

One of the more alarming developments in ransomware is a new tactic by some cybercriminals to recruit company employees, executives, contractors and other “insiders” to help them pull off an attack.

LockBit 2.0, one of the most dangerous ransomware groups in existence, is actively using this tactic to target corporate victims. They are willing to pay insiders millions of dollars for providing them with user credentials for RDP, VPN and corporate email accounts that they can then use to gain access to the network.

Insider threats pose a significant challenge to corporate security since employees have extensive access to online systems and accounts as well as direct physical access to company equipment. 

Hacking into vulnerable devices

Although companies spend a lot of money to protect their networks, the growing adoption of Internet of Things technologies is leaving these networks more exposed than ever.

Between their poor security and the fact that many IoT devices can be discovered through the public Internet via websites such as Shodan, they pose one of the most significant long-term threats to company networks. Ransomware groups can use an IoT device to bypass the company’s network security, while also remaining undetected. Once inside the IoT device, the hacker can pivot to the main IT network where they can pull off a larger attack.

Research has shown that IoT ransomware could cause massive disruptions to companies, since it would damage physical systems. Recent data also shows IoT attack cycles are up and IoT malware has more than doubled. Singapore’s Cyber Security Agency warned in a recent report that critical IoT devices could be targeted in ransomware attacks.

How to Diversify Your Security Strategy

Since ransomware attacks can take many forms, it is critical for companies to have a multi-layered defensive approach that is equally focused on proactive prevention and post-breach containment.

When it comes to proactive security, companies should embrace new strategies like threat hunting and digital risk protection to anticipate these threats ahead of time and make sure they are prepared. The threat hunting process checks for weaknesses, misconfigurations and other security blind spots in the corporate infrastructure. It also allows the company to test its security processes against hypothetical threats and to determine where its detection falls short (i.e., which types of attacks may escape notice). Digital risk protection monitors the surface web, deep web, dark web and social media for any signs of emerging threats. 

Companies also need to plan for the worst. Strong access control, network segmentation and data encryption practices will significantly reduce the potential damage from a ransomware or data extortion attack. Data backups are also vital to mitigate the impact from a data encryption ransomware attack.
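Network segmentation is only as good as the firewall rules that implement it, and the IoT section above describes exactly the path a segmentation audit should catch: a device on the IoT segment reaching the main IT network. The following Python script is an added example, not code from the article: it checks a list of allow-rules against a zone-to-zone policy using the standard `ipaddress` module and reports any rule that lets a forbidden flow through, including overly broad "any" sources that implicitly cover the IoT segment. The zone CIDRs, the permitted flows and the rules are constructed assumptions for the example.

```python
"""Audit firewall allow-rules against a segmentation policy.

Added example with constructed data. Any rule whose source falls in a zone
that is not permitted to reach the destination's zone is reported.
"""
import ipaddress

# Constructed zone map (assumption): zone name -> list of CIDRs.
ZONES = {
    "iot":     ["10.50.0.0/16"],
    "user":    ["10.10.0.0/16"],
    "servers": ["10.20.0.0/16", "10.21.0.0/24"],
    "dmz":     ["192.0.2.0/24"],
}

# Permitted zone-to-zone flows; anything else is a policy violation.
# IoT devices may only talk to a broker in the DMZ, never to servers or users.
ALLOWED_FLOWS = {
    ("user", "servers"),
    ("user", "dmz"),
    ("dmz", "servers"),
    ("iot", "dmz"),
}

# Constructed allow-rules: (name, source CIDR, destination CIDR, destination port).
RULES = [
    ("r1", "10.10.0.0/16", "10.20.0.0/16", 443),
    ("r2", "10.50.0.0/16", "192.0.2.10/32", 8883),
    ("r3", "10.50.3.0/24", "10.20.5.0/24", 445),   # IoT subnet straight to servers
    ("r4", "0.0.0.0/0", "10.21.0.0/24", 3389),     # "any" source to server RDP
    ("r5", "10.10.0.0/16", "192.0.2.0/24", 22),
]


def zones_for(cidr):
    """Return every zone a CIDR overlaps. A CIDR not fully contained in any
    single zone (for example 0.0.0.0/0) is additionally tagged 'external'."""
    net = ipaddress.ip_network(cidr, strict=False)
    hits = set()
    contained = False
    for zone, nets in ZONES.items():
        for z in nets:
            zone_net = ipaddress.ip_network(z)
            if net.overlaps(zone_net):
                hits.add(zone)
            if net.subnet_of(zone_net):
                contained = True
    if not contained:
        hits.add("external")
    return hits


def audit(rules, allowed_flows=ALLOWED_FLOWS):
    """Return (rule name, source zone, destination zone, port) for every
    zone pair a rule permits that the policy does not."""
    findings = []
    for name, src, dst, port in rules:
        for s in sorted(zones_for(src)):
            for d in sorted(zones_for(dst)):
                if s != d and (s, d) not in allowed_flows:
                    findings.append((name, s, d, port))
    return findings


if __name__ == "__main__":
    for finding in audit(RULES):
        print("VIOLATION: rule %s allows %s -> %s on port %d" % finding)
```

Rule r3 is the obvious IoT-to-servers hole; r4 is the subtler one, because a source of `0.0.0.0/0` covers the IoT segment (and the Internet) even though the rule never mentions it, so the audit reports it twice, once for each source zone that should have been blocked.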

It is important to note that in many ransomware attacks, there is a time delay between the initial compromise and the actual execution of the damaging phase of the attack (such as data theft or data encryption). This delay can range from several hours to several days or even weeks. If companies act quickly, by mitigating the threat soon after they’ve discovered the initial compromise, they may be able to prevent the worst part of the attack. This is why it is vital to have a Security Operations Center staffed by well-trained and experienced cybersecurity professionals. Companies can establish these SOCs in-house or they can use a third-party cybersecurity service that provides them.
