Ransomware attackers aren’t always after the biggest fish. In fact, so-called “mid game hunting” — as opposed to “big game” hunting — where attackers identify smaller targets that are less likely to trigger a legal or governmental response, appears to be on the rise.
Who is Being Targeted by Mid Game Ransomware Hunters… and Why?
The high-profile 2021 ransomware attack on Colonial Pipeline drew a great deal of attention, including political responses from the U.S. administration and the governments of other countries. In response to this attack and other high-volume, widely publicized attacks, governments have begun taking measures to make it more challenging for ransomware attackers to target large-scale entities, especially those related to public services. Law enforcement efforts have been beefed up, measures to disrupt the flow of cryptocurrency have been put in place, and government investment in cybersecurity has increased.
These tactics seem to be driving at least some ransomware attackers away from high-profile targets. As this Data Breach Today article emphasizes, many have shifted from fishing for the biggest fish in the sea to a strategy that favors a decentralized approach, conducting multiple attacks on small and medium businesses.
According to the article, small and midsize professional services firms — especially law firms and financial service firms — are at significant risk from ransomware attacks primarily because they are less prepared.
A 2020 Datto survey revealed that more than 85% of managed service providers (MSPs) report attacks against SMBs, but only 28% indicate they are concerned about ransomware.
Not long ago, small and medium businesses (SMBs) often felt safe in the knowledge that they weren’t generally on the radar of ransomware attackers.
Today, however, these same companies sit directly in the crosshairs of an increasing number of ransomware actors looking for targets that typically have ineffective security measures in place. SMBs tend to invest a smaller portion of their budgets in cybersecurity than large-scale enterprises. They are also less likely to provide cybersecurity training for their employees, making it less likely that an alert employee will recognize and stop a phishing or fraud attempt.
What are Some Prominent Tactics and Threat Types Bad Actors are Using?
The global shift to remote work during the COVID-19 pandemic opened up millions of new endpoints for ransomware attackers to exploit. Internet-accessible remote desktop protocol (RDP) was a favorite attack vector in 2020.
Industry watchers note that the ransomware being used today is much more advanced than it was even a few years ago. Not only is the malware more capable and more difficult to detect, phishing methods have improved, too. Emails and links often look quite authentic, making it easier to trick unsuspecting employees.
While ransomware itself has become more sophisticated, those who deploy ransomware attacks need not be top tier hackers and programmers to succeed. Ransomware attackers with limited technical expertise are buying deployable malware packages online from ransomware providers and using them against companies within minutes of purchase.
Ransomware groups are infiltrating systems to uncover sensitive data and study financial information before launching malware. This allows them to set a ransom amount that the company can actually pay and to threaten companies with going public about what they found on the company servers. In fact, ransomware actors are generally demanding lower ransoms.
While the average ransomware payment has remained high — according to an IDC survey, the average in 2020 was nearly $250,000 — that average is propped up by a small number of very large payments. Colonial Pipeline, for example, paid a $4.4 million ransom. The median ransomware payout, however, is only $75,000: a figure that could significantly damage many SMBs, but also one realistic enough to entice some to just pay up and put the attack behind them. Unfortunately, 17% of those who paid the ransom still didn’t get their stolen data back, according to a Webroot survey.
How Can MixMode Safeguard Your Network From Ransomware?
The legacy cybersecurity systems many SMBs have in place are no match for today’s sophisticated ransomware. MixMode’s predictive, third-wave AI goes far beyond the capabilities of basic machine learning platforms centered on labeling, which have no visibility into network activity that has emerged since their latest update.
MixMode responds to real-time behavior, identifying potential threats based on a constantly evolving baseline of expected behavior. Organizations get immediate insights that can identify attacks before they cause damage — including ransomware. Hackers are detected the moment they enter the network, before they can install malware.
Legacy AI solutions lag behind when it comes to identifying the vast majority of ransomware attacks. Because these systems depend on the labeling process, brand new attacks can slip right by. It would be impossible for these systems to learn enough labels to stave off the effectively unlimited number of methods attackers can use to access endpoints.