Qbot Banking Trojan Now Deploying Egregor Ransomware
Affiliate Model
With ransomware developers increasingly offering their malicious tools through renting or service models, criminal groups are hiring more affiliates to help distribute the malware and carry out attacks, which increases profit margins for the operators who control the larger operations (see: More Ransomware-as-a-Service Operations Seek Affiliates).
“We have seen the creation of multiple ransomware variants and data leak sites every month, and this trend is likely to continue due to the high popularity of ransomware and ransomware-as-a-service (RaaS) variants,” Ivan Righi, cyber threat intelligence analyst at security firm Digital Shadows, tells Information Security Media Group.
Because a common tactic for many ransomware groups is to target vulnerabilities in Remote Desktop Protocol connections used in Windows devices, Righi says organizations should restrict RDP access behind a gateway to help prevent attacks.
Since these groups are prolifically advertising their services and toolkits, the number of attacks is likely to surge in the coming months, says Daniel Norman, senior analyst at the London-based Information Security Forum.
“Organizations should have an incident response or crisis management plan for ransomware events, knowing who to contact and what to do,” Norman says. “This should be regularly rehearsed so that if ransomware hits, the organization can recover swiftly. Payment of a ransom is also a contentious discussion – in many cases, the ransom may be cheaper than replacing a suite of locked devices. Therefore, it becomes a cost decision. However, you can never trust that the attacker will unlock the devices, making it a gray area.”