Top 5 recommendations for preventing ransomware for 2022

Cybersecurity is quickly becoming one of the largest areas of business risk for many organizations. It is no surprise that executives and board members are paying more attention to security risks with ransomware attacks on the rise and ever-larger ransoms being demanded. With ever-evolving Tactics, Techniques, and Procedures (TTPs) being utilized, Group-IB has put together our top recommendations to help you protect your organization from the ransomware threats you may encounter this year.
Which organizations are most at risk from ransomware?
Threat actors typically select their targets based on the organization's industry, region and size. This pattern has also been noticed in many of the modern Ransomware-as-a-Service (RaaS) programs that we monitor; here are the top trends we have observed recently:

Industry: Analysis of Data Leak Sites (DLS) reveals that the most targeted sectors – manufacturing, real estate and transportation – faced roughly 2/3 of all ransomware attacks last year. However, nearly every industry was impacted and experienced an increase in the number of attacks. Group-IB's cyber threat intelligence shows that the financial sector is increasingly being targeted by ransomware operators utilizing DLS, with the number of ransomware attacks growing +146% over 12 months.

Region: DLS analysis also shows that the most targeted country by ransomware in 2021 was the US, experiencing nearly half of all known attacks. However, every other region is experiencing fast growth in the number of attacks, particularly APAC and LATAM, which saw an increase in the number of attacks by 143% and 127%, respectively.

Size: Over their history ransomware gangs have targeted organizations of all sizes, but since 2018 large enterprises have been increasingly targeted. However, in 2021 activity by initial access brokers, which sell access to organizations' networks to ransomware gangs, grew 204%. These initial access brokers launch widespread attacks, often targeting any organization with vulnerable systems.

The full details of ransomware trends can be found in Group-IB's recently released report here.
Top recommendations for preventing a ransomware attack
With ransomware attacks on the rise for industries and regions around the world, organizations need to take a proactive approach to security. Group-IB's analysts have observed some consistent trends in attacker behaviors and have created the checklist below. These immediately actionable tips will help you prevent, mitigate and remediate the ransomware attacks you may encounter in 2022.
  1. Protect home users. Due to COVID, many employees are working remotely and are heavily targeted by spear-phishing emails and malvertising. Group-IB analysis shows that the number of phishing resources has nearly doubled since the end of 2019. A successful attack allows botnet operators to infect end-user devices and give ransomware affiliates access to enterprise environments.

  2. Protect public-facing applications. Research by Group-IB found that in 2021, 47% of ransomware attacks started with the successful exploitation of public-facing applications. This trend is expected to continue in 2022. Organizations should not only implement a vulnerability patching program that prioritizes actively exploited applications but also ensure that they have not been compromised by a historical attack.

  3. Take care of legitimate software. In 2021, ransomware affiliates made use of legitimate tools at almost every stage of the attack lifecycle. Make sure you are able to detect and prevent legitimate software misuse. This may include remote access software and common utilities used by system and network administrators. For example, Group-IB has identified the use of ProcDump, for dumping lsass.exe, in 31% of all ransomware incidents.

  4. Take care of penetration testing tools. Ransomware affiliates commonly rely on various penetration tools and frameworks. In some cases, they can blend with legitimate penetration testing engagements and red teaming exercises. One of the most popular commercially available tools is Cobalt Strike Beacon, a penetration testing tool used in 57% of all the attacks investigated by Group-IB.

  5. Secure backups properly. In 89% of incidents, attackers breached system recovery tools by damaging Windows backup shadow copies. Make sure backups are safe even if the whole environment is compromised. This will enable you to recover even if various stages of the attack lifecycle are not detected by your tools or team.
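As an illustration of recommendation 3, the following added example (not Group-IB's code) flags ProcDump launches aimed at lsass.exe in process-creation telemetry, including a renamed binary and a target given by PID. The events are constructed, use Sysmon Event ID 1 field names, and assume ProcDump's OriginalFileName value is `procdump`.

```python
import re

PROCDUMP_NAMES = {"procdump", "procdump.exe", "procdump64.exe"}

# Constructed events using Sysmon Event ID 1 (process creation) field names.
SAMPLE_EVENTS = [
    {"Computer": "WS01", "ProcessId": 624, "User": "NT AUTHORITY\\SYSTEM",
     "Image": r"C:\Windows\System32\lsass.exe", "OriginalFileName": "lsass.exe",
     "CommandLine": r"C:\Windows\system32\lsass.exe"},
    {"Computer": "WS01", "ProcessId": 4100, "User": "CORP\\svc-backup",
     "Image": r"C:\Tools\procdump64.exe", "OriginalFileName": "procdump",
     "CommandLine": "procdump64.exe -ma lsass.exe out.dmp"},
    # Renamed copy addressing lsass by PID: only OriginalFileName identifies it.
    {"Computer": "WS01", "ProcessId": 4212, "User": "CORP\\jdoe",
     "Image": r"C:\Users\Public\upd.exe", "OriginalFileName": "procdump",
     "CommandLine": "upd.exe -ma 624 o.dmp"},
    # Routine admin use against another process: must not alert.
    {"Computer": "WS01", "ProcessId": 4300, "User": "CORP\\admin",
     "Image": r"C:\Tools\procdump.exe", "OriginalFileName": "procdump",
     "CommandLine": "procdump.exe -ma w3wp.exe crash.dmp"},
]

def file_name(path):
    """Lower-cased last path component, accepting either slash style."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def find_lsass_dumps(events):
    """Flag ProcDump launches that target lsass by name or by PID."""
    lsass_pids, alerts = {}, []  # lsass_pids: host -> PIDs seen for lsass.exe
    for ev in events:
        host, name = ev.get("Computer", ""), file_name(ev.get("Image", ""))
        if name == "lsass.exe":
            lsass_pids.setdefault(host, set()).add(str(ev.get("ProcessId")))
            continue
        if not {name, ev.get("OriginalFileName", "").lower()} & PROCDUMP_NAMES:
            continue
        args = ev.get("CommandLine", "").lower().split()
        if any(re.fullmatch(r'"?lsass(\.exe)?"?', a) for a in args):
            reason = "name"
        elif any(a in lsass_pids.get(host, set()) for a in args):
            reason = "pid"  # any argument equal to a known lsass PID on this host
        else:
            continue
        alerts.append({"host": host, "user": ev.get("User"), "image": ev.get("Image"),
                       "reason": reason, "renamed": name not in PROCDUMP_NAMES})
    return alerts

if __name__ == "__main__":
    for alert in find_lsass_dumps(SAMPLE_EVENTS):
        print(alert)
```

The PID match depends on having seen the lsass.exe process-creation event for that host, so feed events in time order from boot or seed the PID map from an inventory source.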

The complete list of technical recommendations for preventing and hunting ransomware can be found in Group-IB's "Hi-Tech Crime Trends 2021/2022. Part II. Corporansom".
If you or your company have fallen victim to a ransomware attack, contact us to get a rapid and complete response from the Group-IB Incident Response team.

Contact our 24/7 incident response hotline:
— Call us at +31 20 226-90-90
— Email us at response@cert-gib.com
— Fill out our incident response form