Increasingly, ransomware threat actors are moving from the ‘traditional’ tactic of only encrypting data for ransom to stealing files before encrypting them. They will then use these files as leverage, threatening to publish data or documents online. If victims refuse to pay during the initial negotiations, the threat actor may publish a small slice of the stolen data on a leak site before threatening to leak the full files if the victim still refuses to pay by the deadline. The ransomware threat actors may also threaten to raise the ransom amount over time, to put pressure on victims to make payment.
Ransomware threat actors’ choice of targets has changed as well. Previously, their approach was broad and volume-driven, where anyone could be a target. It has evolved into a more selective approach in which large targets such as private businesses, hospitals or government agencies are singled out.
Ransomware attacks are also becoming increasingly common through operators who offer Ransomware-as-a-Service to affiliates. This model provides tools that enable the affiliates to distribute the ransomware through an array of methods, such as brute force attacks, exploiting insecure Remote Desktop Protocol (RDP) services or unpatched Virtual Private Networks (VPNs), and spam campaigns. Increasingly sophisticated obfuscation techniques also mean that the malware is better able to evade detection by anti-virus solutions.
What Organisations Should Do
Prevention is key to avoiding falling victim to ransomware. Organisations need to take appropriate measures to secure their infrastructure and systems, as well as be vigilant and look out for any unusual or suspicious activities such as unsolicited emails, suspicious scanning activities and unauthorised login attempts. These will go a long way towards preventing your organisation from falling victim to a ransomware attack, and from having to deal with the disruption to operations in the aftermath of a data leak or attack.
While the decision to make a ransom payment is ultimately a business decision, victims of ransomware attacks should note that paying the ransom does not guarantee that the threat actors will not publish your data online, or that they will release the decryption key to decrypt your files. Threat actors may also see your organisation as a soft target and may strike again in the future. Besides restoring data and business operations, victim organisations also need to ensure that they do the necessary clean-up, ridding their networks of all ransomware traces to prevent a repeat attack.
Secure Your Infrastructure and Systems
Victim organisations commonly get infected with ransomware when their users open malicious attachments or links in phishing emails, which typically download the ransomware from an external server and execute it. Threat actors also exploit software vulnerabilities or unsecured networks to gain unauthorised access to the victim organisation’s network. The ransomware malware will then look for privileged credentials to gain access to the critical areas of the network, in order to obtain valuable data or control over the entire IT infrastructure.
To avoid falling victim to ransomware attacks, organisations are recommended to adopt the following cyber hygiene practices to secure their infrastructure and systems, as well as to protect their data.
Limit Privileged Access to Authorised Personnel
Users with administrative privileges have the rights to execute a wide range of actions on the system, including installing software or accessing sensitive data. If privileged credentials are well-protected and inaccessible from most users’ machines, a ransomware infection will likely be more contained and less able to propagate throughout the network. Organisations should:
• Control and limit privileged access to only authorised individuals who require full access to carry out their work
• Give users, other than the administrator, the lowest user privileges necessary for work
• Review and manage the use of all user accounts and disable inactive accounts when they are no longer in use
• Implement multi-factor authentication for such administrative privileges
Use Anti-Virus; Update your Systems, Software and Applications Promptly
Threat actors commonly exploit unpatched vulnerabilities to gain unauthorised access into systems and networks to carry out other malicious activities, such as ransomware attacks. Organisations should:
• Use anti-virus solutions from reputable providers, and use the latest version of the anti-virus and anti-malware definitions and signature files
• Update all Internet facing systems, applications and software to the latest version
Review Port Settings
Some ransomware variants may take advantage of exposed services and open ports such as the Remote Desktop Protocol (RDP) port 3389 and SMB port 445 to spread malware. Organisations should review if there is a need to leave them exposed and restrict connections to only trusted hosts.
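The port review described above can be turned into a repeatable check. The following is an added example (not part of the advisory): it audits a constructed set of firewall allow-rules for the two ports the advisory names, RDP 3389 and SMB 445, and flags any rule that permits them from a source outside an assumed list of trusted hosts. The rule format, the trusted networks and the sample rules are all assumptions constructed for the example.

```python
# Added example, not from the advisory: flag firewall allow-rules that expose
# RDP (3389) or SMB (445) to sources outside the trusted hosts.
import ipaddress

# Ports the advisory singles out as commonly abused to spread ransomware.
REVIEW_PORTS = {3389: "RDP", 445: "SMB"}

# Assumption: trusted sources are an admin jump host and an internal server VLAN.
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.10.0.0/24", "192.168.50.10/32")]

# Constructed sample rule set, one rule per line: action proto dport source
SAMPLE_RULES = """\
allow tcp 3389 0.0.0.0/0
allow tcp 3389 192.168.50.10/32
allow tcp 445 10.10.0.0/24
allow tcp 445 203.0.113.0/24
allow tcp 443 0.0.0.0/0
deny tcp 3389 0.0.0.0/0
"""


def parse_rules(text):
    """Parse the simple rule format into (action, proto, port, source network) tuples."""
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        action, proto, port, src = line.split()
        rules.append((action, proto, int(port), ipaddress.ip_network(src)))
    return rules


def is_trusted(src_net):
    """A source is trusted only if every address in it lies inside one trusted network."""
    return any(src_net.subnet_of(t) for t in TRUSTED_NETWORKS if src_net.version == t.version)


def find_exposed(rules):
    """Return a description of each allow-rule that opens a reviewed port to an untrusted source."""
    findings = []
    for action, proto, port, src in rules:
        if action != "allow" or port not in REVIEW_PORTS:
            continue
        if not is_trusted(src):
            findings.append(f"{REVIEW_PORTS[port]}/{port} ({proto}) allowed from {src}")
    return findings


if __name__ == "__main__":
    for finding in find_exposed(parse_rules(SAMPLE_RULES)):
        print("EXPOSED:", finding)
```

A deny rule or a rule for a port not under review is ignored; only an allow-rule whose source is not fully contained in a trusted network is reported.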
Security Awareness Training
Security awareness is key to preventing ransomware attacks. Organisations should conduct regular security awareness training for employees to learn good cyber hygiene practices, such as identifying suspicious emails and not clicking on links or opening attachments found in emails from unknown or untrusted senders.
Protect Your Data
Encrypt Important or Sensitive Data
It is recommended to encrypt all the important or sensitive data, so even if the data was maliciously accessed or stolen, the damage will be limited.
Maintain an Updated Backup, and Keep it Offline
Depending on their business needs, organisations should maintain regular backup copies of databases and files to facilitate restoration and data recovery. It is important that the backup data is stored offline and not connected to your network.
For more ransomware-related information, preventive measures, and what you should do if you encounter a ransomware attack, refer to https://www.csa.gov.sg/singcert/advisories/updated-advisory-on-ransomware
For information on good cyber hygiene practices, visit CSA’s Gosafeonline website at