Power Rankings: Halcyon Ransomware Malicious Quartile Q2-2024

Research
Written by
Anthony M. Freed
Published on
Aug 1, 2024

Ransomware attacks continue to plague nearly every major business sector as well as state and local governments. The relentless pace of attacks brings into question whether organizations fully understand the threat and what steps need to be taken to reduce the risk of costly disruptions.  

The Halcyon team of ransomware experts put together this RaaS and extortion group guide as a quick reference resource based on data from throughout Q2-2024. Download the full report here: Power Rankings: Ransomware Malicious Quartile.

Halcyon also recently published a new study, based on a survey, detailing the significant impact on businesses from ransomware and data extortion attacks over the past 24 months. According to the Ransomware and Data Extortion Business Risk Report (PDF), there is a strong disconnect between perception and reality when it comes to prevention and resilience against ransomware and data extortion attacks.  

While most respondents feel confident their current security deployments are adequate for both prevention and recovery, the data shows that the majority of attacks are nonetheless successful and that victim organizations struggle to get operations back up and running, which is what drives up post-attack recovery costs.

Fully 88% of respondents indicated they were somewhat or very confident their organizations’ current security deployments could disrupt an attack before a ransomware payload is delivered. As well, 85% were somewhat or very confident their organizations could quickly resume regular operations following a successful attack. Yet 36% indicated their organizations were infected 5 times or more over the two-year period.

Furthermore, 62% of organizations hit by ransomware reported a major disruption in operations, with 38% saying operations were disrupted for at least two months, and in some cases more than six. These findings clearly show that organizations are overly confident in their ability to defend against and quickly recover from ransomware attacks.

Given this disconnect, it’s not surprising that the number of ransomware attack victims increased by 71% in 2023 over 2022 levels. The increase was driven by things like increased automation, more vulnerability exploits, and a 30% increase in the number of identified ransomware operators.  

Data exfiltration occurs in nearly every major ransomware attack today, and nearly two-thirds of respondents said that sensitive or regulated data was exfiltrated from their organization, with more than half reporting the attackers issued an additional ransom demand to protect the exfiltrated data. Additionally, 58% of victims reported that the loss of sensitive data put their organizations at additional risk of regulatory action and lawsuits.

The disconnect between perception and reality with regard to the actual ransomware threat and perceived risk was underscored by the fact that the Cybersecurity and Infrastructure Security Agency (CISA) alerted nearly 2,000 organizations about known vulnerabilities being exploited by ransomware operators, yet the agency said that only about half took any action on the vulnerabilities despite the warnings.

The fact that hospitals across the nation must cancel medical procedures and divert ambulances to other facilities, and that our schools are now just as likely to close due to ransomware as for inclement weather, is further evidence that our collective response to ransomware attacks has been completely inadequate.

Now we must contend with the fact that state and local governments are seeing critical services disrupted more and more frequently, to the point where officials are forced to declare a state of emergency, something typically reserved for the direst of circumstances.

What is not being talked about enough is the potential dual nature of many of today's ransomware attacks: they are very lucrative for the attackers, but they may also be furthering geopolitical interests.

Ransomware operators try to elicit as much pain, frustration, and publicity as possible because it translates into revenue. But we cannot discount that the same attackers, while serving themselves financially, may also be furthering a larger geopolitical strategy of an adversarial nation.

This is especially concerning as we move into an already contentious election season. As we approach the fall, we need to prepare for the potential that even a handful of isolated disruptions could cause unwarranted fear, uncertainty, and doubt amongst the public.

There need to be real consequences – not just for those who are orchestrating the attacks and benefitting financially, but also for the nation-states who are benefitting geopolitically from these attacks. Until there are real consequences on the table, we will see these attackers continue to brazenly act with impunity.

Q2-2024 Trends

Some interesting trends emerged in the second quarter of 2024:

Legal and Regulatory Liability

  • Vendors Sued: A recently filed lawsuit by law firm Mastagni Holstedt against managed service provider (MSP) LanTech LLC and data backup provider Acronis seeks more than $1 million in damages, alleging the companies failed to protect the firm from a disruptive ransomware attack: MSSP Alert
  • Victims Sued: US Fertility (USF), which provides IT services to more than 200 physicians at multiple fertility clinics, has settled a class action lawsuit for $5.75 million following a 2020 ransomware attack that included the exfiltration of sensitive data for nearly 900,000 people: Health IT Security
  • Revictimized: The US Department of Health & Human Services (HHS) Office for Civil Rights (OCR) recently opened an investigation into medical payments giant Change Healthcare to enforce rules designed to safeguard the Protected Health Information (PHI) of patients: Infosecurity Magazine
  • C-Level Liability: Nearly two dozen state Attorneys General have petitioned the CEO of UnitedHealth Group over concerns following the devastating ransomware attack on subsidiary Change Healthcare that occurred in February: PDF

Data Exfiltration

  • Data Extortion: Group Health Cooperative of South-Central Wisconsin (GHC-SCW), a non-profit healthcare service provider, disclosed that documents containing the protected health information (PHI) of over 500,000 individuals were exfiltrated in a January ransomware attack: Bleeping Computer
  • Risk of Exposure: A threat group known as ShinyHunters apparently published a 1.3TB database of compromised Ticketmaster customer data on the relaunched BreachForums criminal forum and is asking for a $500,000 ransom: Tech Radar

Dual Nature of Ransomware

  • Plausible Deniability: FBI says ongoing Chinese campaign known as Volt Typhoon has successfully gained access to numerous American companies in telecommunications, energy, water and other critical sectors, with 23 pipeline operators targeted – China says it’s ransomware gangs: Reuters
  • Voting Systems at Risk: Georgia’s Coffee County was forced to sever its connection to the state’s voter registration system as a precaution following a ransomware attack, after CISA (Cybersecurity and Infrastructure Security Agency) notified the county of the attack in mid-April: CNN

Healthcare Getting Hammered

  • In Crisis: An attack on the Ascension hospital system has forced staff to depend on manual paper-and-pen systems in the treatment of patients in an environment described by one nurse as “pure and utter chaos from the second you walk into the door”: WKRN
  • Lives at Risk: Medical procedures have been canceled at multiple London hospitals and a critical emergency declared in the aftermath of a ransomware attack against pathology services provider Synnovis: Reuters
  • Increasing Attacks: At least 44 ransomware attacks targeted healthcare organizations in April, following disclosure of a $22M payout in the Change Healthcare attack, more victims from that sector than the researchers tracking the data had ever recorded in a single month: Wired

Takeaway

Ransomware attacks pose a significant threat to organizations of all sizes and industries. By fostering a culture of cybersecurity, investing in the right technologies and personnel, and developing comprehensive incident response and business continuity plans, organizations can minimize the impact of ransomware attacks and maintain a strong security posture.  

As well, in understanding and addressing the unique challenges that ransomware presents, stakeholders can work together to protect their organizations and maintain the trust of their customers and employees.  

Financial losses, operational disruptions, data exfiltration, reputational damage, legal consequences, and the evolving threat landscape are all factors that demand attention.  

To protect your business, invest in robust cybersecurity measures, engage in ongoing employee training, and cultivate a culture of cybersecurity awareness. Collaborate with legal counsel to navigate the legal and regulatory landscape and develop a crisis communication plan to address reputational damage.  

Achieving cyber resilience requires more than just robust cybersecurity measures; it demands a comprehensive understanding of an organization's preparedness to withstand and rebound from cyber incidents. Central to this endeavor is the strategic selection and diligent monitoring of key performance indicators (KPIs) and metrics tailored to assess cyber resilience effectively.  

Here are some of the essential metrics that can assist in bolstering cyber resilience:

Mean Time to Detect (MTTD): This measures how long it takes for an organization to detect a cyber threat or incident. A lower MTTD indicates better detection capabilities. MTTD is a key indicator of whether an organization is properly prepared to respond to threats in a timely manner. Lowering the MTTD helps contain lateral movement within the environment and is an effective way to limit how far a breach spreads.  

Mean Time to Respond (MTTR): This measures how long it takes for an organization to respond to a cyber threat or incident once it has been detected. A lower MTTR indicates faster response capabilities. To lower this metric, draw on the outcomes of tabletop exercises and on the lessons learned during real incidents; both should point to the areas of the response that need improvement.  

Incident Response Plan Effectiveness: Assess the effectiveness of the incident response plan by measuring how well it is followed during a cyber incident, including factors like containment time, communication effectiveness, and coordination among response teams. An effective cyber resilience strategy depends on response plans that are both effective and actually followed; when the plan is not followed, the time required to respond and mitigate the issue grows. Evaluate whether the plan needs to change to address shifts in the threat landscape, in the risks themselves, or in how the organization responds.  

Cybersecurity Training and Awareness: Measure the effectiveness of cybersecurity training programs by tracking metrics such as employee awareness levels, completion rates of training modules, and performance in simulated phishing exercises. Cyber incidents almost always have at least some human component, and often a major one. Evaluate the effectiveness of the training you provide and of the way it is delivered. Organizations often take a “one size fits all” approach to training and awareness; this misses the mark, because the approach that works for a developer will not address the needs of the CFO.  

Cybersecurity Hygiene: Track metrics related to cybersecurity hygiene practices, such as the frequency of system patching, vulnerability scanning results, and compliance with security policies and standards. Hygiene should be table stakes for any organization trying to increase its cyber resilience, yet this is often not the case. Create a prioritized approach to addressing hygiene gaps, and avoid the pitfall of chasing the next new cyber solution until you have a working approach to your organization's basic hygiene.  

Cyber Risk Exposure: Quantify cyber risk exposure by assessing the organization's risk posture based on factors such as asset criticality, vulnerability severity, and threat likelihood. If you don’t have a valid way to measure your exposure, then you have little ability to identify where to prioritize your resources and increase your resilience.  

Third-Party Risk Management: Track metrics related to third-party cyber risk, including the number of third-party assessments conducted, the level of compliance with security requirements, and any incidents or breaches involving third-party vendors. In today's interconnected world it is impossible to have any perspective on the resilience of your organization if you cannot understand the risk that your third-party relationships and connections introduce into the ecosystem you operate in.  

Security Controls Effectiveness: Assess the effectiveness of security controls by monitoring metrics such as intrusion detection/prevention system (IDS/IPS) alerts, firewall rule effectiveness, and malware detection rates. Are your controls effective? Should you be investing in other areas with potentially better ROI? Measuring whether you have implemented the right controls and are delivering the right results is important to consider.  

Backup and Recovery Metrics: Measure the effectiveness of backup and recovery processes by assessing metrics such as backup success rates, recovery time objectives (RTO), and recovery point objectives (RPO). In an incident, can you get the data back? How long will recovery take? Does it match the desired recovery window? Test this and confirm that expectations match real-world results.  

Business Continuity and Disaster Recovery (BCDR) Metrics: Measure the organization's ability to maintain operations during and after a cyber incident by tracking metrics such as recovery time objectives (RTOs), recovery point objectives (RPOs), and the success rate of BCDR exercises.  
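The MTTD/MTTR and backup/BCDR metrics above are easy to state and easy to get wrong in practice: the mean hides the worst case, and a backup that "succeeded" is not a recovery point until a restore of it has been verified. The following is an added example (not code from the Halcyon report or product) that computes these figures from constructed incident and backup records; all timestamps, incident IDs, restore-drill durations and RPO/RTO targets are hypothetical.

```python
"""Compute cyber-resilience metrics (MTTD, MTTR, RPO/RTO attainment) from
incident and backup records.  Added example with constructed data; the
records and targets below are hypothetical, not figures from the report."""
from datetime import datetime
from statistics import mean
from typing import Dict, List, Optional

ISO = "%Y-%m-%dT%H:%M:%SZ"


def hours_between(start: str, end: str) -> float:
    """Elapsed hours between two ISO-8601 UTC timestamps."""
    delta = datetime.strptime(end, ISO) - datetime.strptime(start, ISO)
    return delta.total_seconds() / 3600


# Constructed incident records.  "onset" is the earliest attacker activity
# established by forensics, not the time the first alert fired; measuring
# from the alert would make MTTD look far better than it is.
INCIDENTS = [
    {"id": "INC-1", "onset": "2024-04-02T01:00:00Z",
     "detected": "2024-04-02T03:00:00Z", "resolved": "2024-04-02T09:00:00Z"},
    {"id": "INC-2", "onset": "2024-05-11T22:00:00Z",
     "detected": "2024-05-13T22:00:00Z", "resolved": "2024-05-15T10:00:00Z"},
    {"id": "INC-3", "onset": "2024-06-20T14:30:00Z",
     "detected": "2024-06-20T15:30:00Z", "resolved": "2024-06-20T18:30:00Z"},
]

# Constructed backup catalogue for the system hit in INC-2.  "verified" means
# a test restore of that backup succeeded, not merely that the job finished.
BACKUPS = [
    {"completed": "2024-05-11T00:00:00Z", "verified": True},
    {"completed": "2024-05-11T12:00:00Z", "verified": False},
    {"completed": "2024-05-12T00:00:00Z", "verified": True},
]


def detection_response_metrics(incidents: List[Dict[str, str]]) -> Dict[str, float]:
    """MTTD and MTTR in hours, plus the worst case that the mean hides."""
    ttd = [hours_between(i["onset"], i["detected"]) for i in incidents]
    ttr = [hours_between(i["detected"], i["resolved"]) for i in incidents]
    return {
        "mttd_hours": mean(ttd),
        "mttr_hours": mean(ttr),
        "worst_ttd_hours": max(ttd),
        "worst_ttr_hours": max(ttr),
    }


def achieved_rpo_hours(backups: List[Dict], onset: str) -> Optional[float]:
    """Data-loss window: hours from the last verified-good backup taken before
    the attacker's first activity up to that onset.  Backups taken after onset
    are excluded because they may already contain encrypted or tampered data;
    unverified backups are excluded because a job that finished may still not
    restore.  Returns None when no usable restore point exists."""
    usable = [b["completed"] for b in backups
              if b["verified"] and b["completed"] < onset]  # same-format ISO strings sort lexically
    if not usable:
        return None
    return hours_between(max(usable), onset)


def recovery_objectives_met(backups: List[Dict], onset: str, restore_hours: List[float],
                            rpo_target: float, rto_target: float) -> Dict[str, object]:
    """Compare the measured recovery figures against the stated RPO/RTO.
    restore_hours are durations observed in restore drills; the worst drill,
    not the best, is what gets compared to the RTO."""
    rpo = achieved_rpo_hours(backups, onset)
    worst_restore = max(restore_hours)
    return {
        "achieved_rpo_hours": rpo,
        "rpo_met": rpo is not None and rpo <= rpo_target,
        "achieved_rto_hours": worst_restore,
        "rto_met": worst_restore <= rto_target,
    }


if __name__ == "__main__":
    print(detection_response_metrics(INCIDENTS))
    # Hypothetical restore-drill durations for the INC-2 system, against a
    # 24-hour RPO and an 8-hour RTO.
    print(recovery_objectives_met(BACKUPS, INCIDENTS[1]["onset"], [5.5, 7.0, 9.5],
                                  rpo_target=24, rto_target=8))
```

With the constructed data the mean time to detect is 17 hours, but the worst case is 48 hours; reporting only the mean would hide the incident that sat undetected for two days. For INC-2 the achieved RPO is 22 hours: the unverified 12:00 backup is not counted (it would have flattered the figure to 10 hours), nor is the backup taken after onset. The drill durations show the 8-hour RTO is not actually met, which is exactly the gap the text says should be tested rather than assumed.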

Effective cyber resilience requires a holistic approach that incorporates proactive measures, rapid detection, efficient response, and robust recovery mechanisms. By monitoring and optimizing these key metrics, organizations can enhance their ability to withstand and recover from cyber threats, safeguarding their operations and maintaining business continuity.

Lastly, consider how often the plan is tested, and confirm the disaster recovery planning. This is sometimes owned outside the security team, but it's important to confirm that your plans can be executed in a true DR scenario and that services remain available.

Halcyon.ai is the leading anti-ransomware company. Global 2000 companies rely on the Halcyon platform to fill endpoint protection gaps and defeat ransomware with minimal business disruption through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration and extortion prevention – talk to a Halcyon expert today to find out more, and check out the Recent Ransomware Attacks resource site.
