The number of ransomware attacks has gone down in recent months because sanctions against Russia are making it harder for cyber criminals to organize attacks and receive ransom payments, Rob Joyce, director of cybersecurity at the National Security Agency (NSA), has revealed. Ransomware attacks have long been a major cybersecurity issue for organizations around the world, affecting computer networks running critical infrastructure, hospitals, businesses and more. Some of the most significant ransomware events of the past year have hit targets in the United States, including the Colonial Pipeline ransomware attack, which restricted gas supplies for large parts of the country – and resulted in a ransom payment of millions of dollars being paid to cyber criminals.
“Ransomware is a huge aspect of where we learned cybersecurity is national security. And we’re seeing the criminal element push through and impacting not only the businesses, but all the way into governments and society at large,” said Joyce, speaking at the National Cyber Security Centre’s (NCSC) Cyber UK event in Newport, Wales.
Many of the most notorious ransomware gangs are suspected to run out of Russia – and Joyce suggested that sanctions against Russia because of the invasion of Ukraine are making life difficult for cyber criminals based in the country, which has led to a reduction in attacks, at least for now.
“One interesting trend we see is, in the last month or two, ransomware is actually down. There’s probably a lot of different reasons why that is, but I think one impact is the fallout of Russia-Ukraine,” said Joyce. “As we do sanctions and it’s harder to move money and it’s harder to buy infrastructure on the web, we’re seeing them be less effective – and ransomware is a big part of that,” he added.
Even with ransomware incidents on the decline, ransomware remains one of the major cybersecurity threats to businesses. Ransomware threat actors have begun using double extortion schemes, where in addition to encrypting files, they threaten to leak private data on their website if the ransom is not paid. Because of this, it is always best to prevent these incidents from happening in the first place. Phishing emails with malicious attachments is the most common way for threat actors to gain an initial foothold on a network, so train employees to spot and report suspicious emails and to never enable Microsoft Office document macros unless they are absolutely certain that there is a business need. Have a good endpoint monitoring solution in place with the alerts triaged either by an internal SOC or a service like Binary Defense. Set up mandatory multifactor authentication with any RDP and VPN connections, as brute forcing the passwords of services like these is another common way that ransomware threat actors establish an initial foothold. Organizations should have multiple backups, including offline backups, and an incident response plan to get back up and running fast in the case of a ransomware incident.