CXOToday has engaged in an exclusive interview with Mr. Raj Sivaraju, President, APAC, Arete
- What are the key takeaways from Arete’s Crimeware report on ransomware incidents?
Arete’s Crimeware report sheds light on the ever-changing world of cyber events, particularly ransomware incidents. The report reveals significant trends and shifts in this digital landscape. These insights emphasize the need to remain vigilant and adapt to the evolving nature of these events.
The report uncovers intriguing patterns in the realm of ransomware variants. Arete gathers data from each incident response engagement to understand how different ransomware strains rise and fall, providing a comprehensive view of the changing landscape of ransomware incidents. The report also delves into significant trends, such as the amounts of ransom demanded and paid, the industries most targeted by ransomware, and potential future developments.
The report reveals a cycle of action and reaction in cybersecurity in the last few years. After high-profile cyber incidents, many organizations invested in security tools and training to reduce risks. However, cybercriminals adapted by targeting different operating systems with more complex tactics. The report also discusses the influence of factors like AI tools, the accessibility of cybercrime, newly discovered vulnerabilities, and the Russia-Ukraine conflict. This evolving landscape has led ransomware operations to become more innovative, continuously refining their tactics.
Threat actor groups have also undergone changes, making it harder to attribute incidents to specific actors. But just as the threat actors evolve, so do the organizations tracking them. In the first half of 2023, law enforcement agencies worldwide collaborated more closely, resulting in impactful arrests and the dismantling of cybercriminal groups. This collaboration has led to a wealth of information sharing about tactics and indicators of these events, aiding in better attribution and prevention.
Ultimately, Arete’s Crimeware report underscores its commitment to shedding light on the complex world of cyber events. Through comprehensive data and analysis, the information acts as a guide for organizations dealing with cyber events. As we navigate this changing landscape, the report highlights the need to adapt, stay vigilant, and work together to make cyberspace safer.
- Can you highlight some of the most prevalent ransomware strains mentioned in the report, their distinct characteristics, and preferred incident methods?
The first half of 2023 has brought significant changes to the world of ransomware. LockBit, a leading strain, has dominated with 30.3% of observed cases by Arete. Alongside, new versions like Akira and Luna Moth have emerged. Despite these newcomers, well-established actors maintain their influence.
LockBit and ALPHV/BlackCat have consistently ranked in the top three for four quarters, demonstrating their strong presence. LockBit has evolved, refining its tactics, providing new tools to affiliates, and targeting different operating systems. It can even impact Linux systems, and a new LockBit version for macOS has been spotted.
LockBit’s versatility is evident in variations like LockBit Green and LockBit Black. ALPHV/BlackCat, on the other hand, employs a unique approach by requiring specific command-line arguments for encrypting files on victim systems. They use stolen admin credentials and tools like PsExec for propagation, making manual efforts unnecessary.
Another player is Royal ransomware, which, like BlackCat, requires command-line arguments for execution. It appeared in Arete’s scope in Q4 2022, and Q1 2023 saw a spike in cases, followed by a drop in Q2. In this same period, the newcomer Akira rose quickly to become the second most observed variant. Interestingly, a cybersecurity entity released a decryptor for Akira, requiring both encrypted and unencrypted file pairs for proper decryption. However, an improved Akira version might soon render the free decryptor ineffective. It’s possible Akira could shift toward a more extortion-focused approach, similar to other ransomware groups.
- According to the report, which industries appear to be the most vulnerable to ransomware incidents, and what factors contribute to their susceptibility?
Understanding which industries are most at risk of ransomware incidents is critical in today’s cyber threat landscape. With its leading expertise in cybersecurity, Arete offers deep insights into industry-specific vulnerabilities using comprehensive data-driven methods.
In the first half of 2023, there has been a significant uptick in ransomware incidents in the professional services sector, with a notable increase of almost 12% compared to the latter half of 2022. This surge is largely due to escalated activities by the Luna Moth extortion group, which has particularly targeted law firms. Interestingly, there has been a slowdown in Luna Moth’s operations in the latter part of Q2, hinting at a potential decline in incidents in the professional services sector in Q3.
Analyzing the industries most prone to ransomware incidents reveals a stable picture. The top five affected industries have stayed the same from the second half of 2022 to the first half of 2023. This consistency underscores the persisting threat landscape within these sectors, which has been ongoing since 2019. The reasoning behind these industries being frequent targets lies in the valuable data they hold. These sectors store crucial data like customer information, intellectual property, financial records, and sensitive operational details, all of which cybercriminals can exploit for financial gain or a competitive edge.
The vulnerability of these industries is magnified by their critical operational infrastructure, including manufacturing plants, hospitals, and transportation networks. This setup makes them more inclined to pay ransoms to avoid operational disruptions. The financial incentives that these sectors provide make them attractive targets for cybercriminals.
While ransom demands from cybercriminals are on the rise, interestingly, Arete’s analysis shows that ransom payments occurred in only 19% of cases in the first half of 2023. This can partly be attributed to increased incidents focused on stealing data without encrypting it. Meanwhile, Arete actively focuses on helping clients recover without resorting to paying ransoms. Using advanced data-driven techniques, Arete’s restoration experts create personalized recovery plans. These plans include evaluating the impact of the incident, assessing the effectiveness of backups, finding alternative data recovery paths, and creating a timeline for restoration.
These analyses aim to find the best way forward, often eliminating the need for ransom payments. Making ransom payments is always the last option for Arete, as we continually seek ways to uphold client security and resilience. Our track record, with over 80% of cases this year avoiding ransom payments, demonstrates our dedication to being a strong defense against ransomware incidents.
- In the context of ransom negotiations, could you explain the dynamics and outline potential outcomes for the targeted organizations and the threat actors?
In ransom negotiations, there’s a growing trend of higher ransom demands from threat actors, with only 19% resulting in payments. A key factor contributing to this low payment rate is the prevalence of exfiltration-only attacks, where data is stolen without encryption. Threat actors use this stolen information as leverage, pressuring victims to pay to prevent sensitive data leaks. Organizations like Arete are working to reduce reliance on ransom payments by enhancing restoration capabilities. They assess the attack’s impact, validate backups, identify recoverable data through alternative methods, and establish restoration timelines, offering a viable alternative to giving in to extortion demands.
