19, Oct 2023
Newest Ransomware Trend: Attackers Move Faster with Partial Encryption
On Wednesday morning, May 3, 2023, security personnel with the City of Dallas were horrified when their security software alerted them that they had likely become the target of a ransomware attack. Multiple servers across a range of departments were affected: 911 dispatchers, courts, and police services couldn’t use their computers for days.
It later emerged that sensitive data had been stolen—800,000 files containing full names, home addresses, Social Security numbers, dates of birth, and the health and insurance data of at least 30,000 city employees and other individuals. Two weeks later, the Royal ransomware group, which took responsibility for the attack, threatened to release the information. In particular, police officers and others whose data had been stolen feared the data could fall into the hands of violent offenders who might try to retaliate.
The City of Dallas wasn’t the first government to be hit by ransomware—or the first ransomware attack where lives could have been lost. The Royal ransomware group was originally part of the Conti group, which previously took credit for bringing the entire Irish healthcare system to a halt in 2021.
One of the reasons Royal was able to strike so quickly and effectively in Dallas is that they took advantage of today’s fastest-growing ransomware trend: partial encryption.
The term “partial encryption” may sound more benign at first than traditional attack strategies, since theoretically less damage is being done. However, in fact, it’s no less devastating to organizations that find themselves under attack.
In this post, we’ll explore the emergence of partial encryption as a strategy to make cybercrime even more profitable, which industries are at risk, and finally, a few key steps to help you protect your business.
Why Do Attackers Choose Partial Encryption for Ransomware Attacks?
Encryption is a tried and true strategy for malware actors. Malware within the victims’ systems leaves their data in place but completely inaccessible. Attackers then demand a price to unlock the data so victims can resume business as usual. In a second-tier strategy, in the event that victims refuse to pay, attackers can still make money by selling the compromised data.
Based on this model, ransomware has become big business over the last decades. And like all big businesses, attackers are always seeking to optimize their operations and find more efficient, cost-effective ways to achieve the same or better results.
Encryption in particular can be very time-consuming, especially for large amounts of data. This has led attackers to seek more efficient, effective ways to render victims’ data inaccessible unless they pay the ransom.
Partial encryption, also known as intermittent encryption, has emerged as just one example of increasingly sophisticated attack tactics, often in readily available off-the-shelf ransomware products that are openly sold on the darkweb much like traditional software.
Rather than encrypt the entire compromised system, partial encryption does just that: It encrypts a portion of the victim’s files either at random, encrypting a predetermined percentage of the data, as Royal ransomware does, or encrypting only the most important files, as determined by fingerprinting: financial documents, photos, and personal information. Ransomware can also selectively encrypt files related to a particular project or task, bringing it to its knees until payment is made.
For attackers, the advantages of partial encryption over complete encryption are clear:
- Speed– Faster and less resource-intensive than traditional encryption, attackers can finish partial encryption before victims even notice the intrusion.
- Complexity– Because only some data is encrypted, it’s harder for victims to restore data from backups, increasing the odds that they will simply pay the ransom.
- Less detectable- Automated scanners might not notice the smaller-scale modifications made by partial encryption while compromised systems may not behave as erratically as completely encrypted systems, triggering fewer alerts. Royal ransomware is particularly insidious because it not only uses partial encryption but also a multithreaded model, another increasingly popular strategy. In a single attack, there is only one ransomware process; a multithreaded attack uses multiple CPU cores to encrypt files simultaneously. This can quickly overwhelm the available processing power and make the attack more difficult to stop; even if one or two child processes can be stopped, the others will continue to encrypt files. This means that multithreaded ransomware attacks can be very destructive.
Even more frightening, today’s attackers have begun using a “triple extortion” strategy. With a double extortion strategy, as previously described, attackers not only hold the encrypted drives for ransom, they threaten to release or sell encrypted data if the organization does not pay. For the victim, this means that even if files can be restored from a backup, they must still pay to avoid data leakage.
However, a triple extortion strategy unfolds, as the name suggests, over three stages:
- Infiltrate and encrypt. Attacker profits when the initial victim pays the ransom.
- Exfiltrate and threaten to sell. Attacker can profit from the sale of data.
- Ransom third parties. Attacker demands ransom from third parties whose data has been stolen, such as patients or employees; they may also threaten the organization or its partners with distributed denial-of-service (DDoS) attacks.
However, whether ransomware attackers use one of these new strategies or a more traditional approach, the goal is always the same: to extort money. And the truth is that even after paying up, few organizations can reconstruct 100% of their compromised data.
Therefore, the best defense against today’s ransomware is thwarting attacks altogether.
Who Are the Attackers?
When combating ransomware, it’s important to understand who you’re up against. Today’s ransomware attackers are far from the stereotypical hooded criminal-in-a-basement, although that may have been who was behind very early ransomware, 10 to 15 years ago. Attackers back then would use broad-scale, fairly obvious, and generally imprecise attacks that succeeded in bringing in small amounts of money.
Today, like all technology industries, ransomware has matured beyond these modest origins. Ransomware gangs have formed larger-scale enterprises and brought talented developers on board to research and implement increasingly sophisticated techniques, methods deployed against wealthier targets to reap the highest rewards.
And these illicit enterprises have found safe havens in places like Russia, Asia, and Eastern Europe. Today, in addition to these large and highly professional enterprises, hostile governments and other nation-state entities are using ransomware for nation-level intelligence-gathering operations. And beyond literal warfare, ransomware has become a powerful digital weapon in corporate warfare as well.
There are numerous hacking groups out there, but a few leading ones deserve a mention.
- Chernovite – A likely nation-state group and the developer of Pipedream, U.S. law enforcement has called this modular industrial control system (ICS) toolset a “Swiss army knife” for attacking utility companies (electricity, water, natural gas) in the U.S. and Europe.
- Bentonite – An opportunistic group affiliated with Iranian hacking groups Phosphorus and Nemesis Kitten, Bentonite leverages known vulnerabilities in maritime oil and gas, government, and manufacturing infrastructure.
- ALPHV/BlackCat– BlackCat is a relatively new ransomware group that popped up in late 2022. It is known for its sophisticated encryption and ability to target a wide range of organizations. It is believed BlackCat is operated by a group of Russian-speaking cybercriminals and is known to use intermittent encryption via customizable byte-skipping patterns.
- Hive– Before being brought down by the U.S. FBI, German law enforcement, and the Dutch National High-Tech Crime Unit, this ransomware group had extorted over $100M by terrorizing healthcare organizations, schools, and public infrastructure worldwide. While the investigation is ongoing, Hive is believed to have ties to the Kremlin.
In just the first half of 2023, 48 ransomware groups including these and others—such as Ryuk, Medusa, Play, LockBit3, and many more—have breached over 2,200 victims, 45% of whom are in the U.S.
These groups use two main vectors to introduce ransomware: through software vulnerabilities, which are unintentional weaknesses or flaws in applications or code libraries that can go unpatched for years, and social engineering techniques, such as phishing. Attacks often combine these two strategies, or use variations such as callback phishing attacks, which are commonly used by the Royal ransomware group, the group behind the Dallas attack.
Regardless of how individual groups operate, and which encryption technologies they’re using, the consequences can be dire, as in an August 2023 ransomware attack on two Danish cloud hosting companies that resulted in the total loss (to encryption) of all customer data. An unidentified attack group demanded 6 bitcoins in ransom (approx $155,000 as of this writing), an amount CloudNordic was unable to pay; the company has since shut down its operations.
What Industries Are Most at Risk?
There are several sectors that find themselves frequently targeted by ransomware attacks.
Healthcare– Medical IT departments are both the most obvious and the most sensitive target since lives are most clearly on the line. When the Rhysida ransomware group, which had gained notoriety for its attack on the Chilean army, attacked Prospect Medical in August of 2023, the company—which operates 16 hospitals and numerous clinics all over the U.S.—was forced to use paper charts until systems could be restored. Healthcare data is both sensitive and valuable; it also features a large threat surface and a wide range of device types, including a mix of old and new technologies. This type of environment is hard to securely administer and update. This is especially true of medical IoT devices, which are often not built securely by design. Finally, healthcare organizations are historically more likely to pay ransoms compared with other industries, specifically so that life-saving operations will not be interrupted. The year 2022 brought an average of 1,426 attempted breaches per week per organization in the healthcare industry, a 78% year-over-year increase. There was also a distinct uptick in mortality following a cyber attack, although attributing deaths directly to ransomware is almost impossible due to the complexity of the events involved. Deaths connected with ransomware attacks can come about due to slowdowns, meaning delays in important surgeries and other care, as well as a lack of electronic health records, leading to a higher chance that patients will be given the wrong medication or an incorrect dose. In a recent Ponemon study of healthcare IT professionals, almost half (45%) said ransomware led to increased complications from medical procedures, up from 36% just a year earlier.
Higher Education– Just as school was starting back in September of 2021, Howard University, one of the U.S.’s five largest historically black colleges and universities, was forced to cancel classes due to a ransomware attack. Attacks against higher education institutions are on the rise, with at least eight reporting ransomware attacks since December 2022. Why are attackers targeting these schools? Colleges and universities are seen as attractive targets because they hold valuable data and their IT departments are often understaffed and outdated, with limited security resources. Educational institutions are also considered slower to recover than other sectors. Despite the fact that 64% of higher education institutions experienced attacks in the past year, many are still unwilling to discuss these incidents due to the negative influence they may have on a school’s reputation. Unfortunately, because of this silence, others in the sector may not realize that they are at risk—further perpetuating the cycle.
Manufacturing– In February of 2023, MKS Instruments, a little-known U.S.-based supplier to major players in the semiconductor industry, woke up to every manufacturer’s worst nightmare: a ransomware attack. Hackers compromised production and business systems, leading to predictions of $200M in losses from the attack. But the worst may be yet to come: Employees have filed a class action suit, claiming that the company did not adequately protect their sensitive personal data. Attacks on semiconductor companies have continued: Taiwan Semiconductor Manufacturing Company (TSMC) itself, the world’s largest chip manufacturer, was hit by the LockBit ransomware group in June 2023. The group demanded $70M, adding: “In the case of payment refusal, also will be published points of entry into the network and passwords and logins company.” But the semiconductor sector is not alone; almost every major field of manufacturing is being targeted. In fact, the manufacturing sector has been the industry most heavily hit by ransomware. The primary vector is unpatched vulnerabilities, particularly in industrial control systems. Manufacturers may also be more likely to pay ransoms to avoid production disruptions and financial losses, as well as devastating repercussions up and down the supply chain.
Tips to Protect Your Business From Today’s Sophisticated Ransomware
Although these three industries are among the most frequently targeted, attacks like the one in Dallas, the cloud providers in Denmark, and other victims profiled above reveal the broader truth that any organization storing sensitive data is at risk today, from financial services and insurance to retail and logistics.
That’s especially true now, with partial encryption likely to increase in popularity as ransomware gangs study one another’s techniques. As more and more adopt this hyperefficient technique, they will find it easier and more effective than ever to steal your assets and avoid interception. So regardless of your industry, now is the time to take a few important steps to protect your organization from ransomware.
Inventory Assets– All comprehensive security strategies begin with a comprehensive assessment of what you need to protect, including OT assets that may be the weakest link in your organization.
Stay on Guard 24/7– When it comes to ransomware attacks, hackers usually take advantage of times when people are not as vigilant. In the past year, most breaches have occurred on weekends and holidays.
Patch, Patch, Patch– Keep up to date with a rigorous patching regimen, since known vulnerabilities are a popular attack vector. Also, automate patching wherever possible.
Watch for Pre-Ransomware– Trojan malware infections like Trickbot, Emotet, Dridex, and Cobalt Strike should be dealt with immediately, as these can all be used to let ransomware in the door; similarly, taking steps to prevent phishing and train users can help foster a culture of security.
Get Backed Up– Store multiple copies of data in different locations (cloud, on-premises, and physical locations), and establish a backup testing regimen. Remember, never attach an uninfected backup to an infected computer. This could spread the ransomware to the backup and make it impossible to recover your data.
Minimize the Blast Zone – Reduce the impact of a potential attack with security measures such as strong user authentication and network segmentation to limit the radius of an attack’s spread.
It is important to note that none of these measures can provide complete protection. And particularly in light of the fact that partial encryption is notoriously difficult to detect, your best bet is a comprehensive anti-ransomware solution.
Check Point Harmony: The Industry’s Best Prevention
The best way to keep your organization safe is effective threat prevention with an organization-wide anti-ransomware solution that uses up-to-the-minute threat intelligence data along with advanced algorithms that work automatically in the background, around the clock.
Check Point Harmony is the first unified security solution that protects users, devices, and internet connections from the most sophisticated attacks, including phishing, zero-day ransomware, and more. It also ensures that users only have access to the applications they need, which helps reduce the risk of data breaches.
Check Point Harmony delivers peace of mind with a total, holistic defense against malware:
- Constantly monitors for ransomware-specific behavior
- Detects threats fast so teams can act quickly to minimize harm
- Identifies illegitimate file encryption; signature-less to detect new attack types
- Uses forensic analysis to detect and quarantine all elements of a ransomware attack
- Automatically restores encrypted files from snapshots to ensure business continuity
Check Point Harmony is prevention-focused, stopping attacks before they become a threat to your organization. Powered by
real-time threat intelligence through Check Point’s ThreatCloud AI and backed by the industry-leading Check Point Research
team, Check Point Harmony gives you today’s best security, hands down.