The Threat That Never Went Away Is Back (with a Vengeance)

What is your recollection of May 2017? Emmanuel Macron won the French election. The Ringling Bros. and Barnum & Bailey Circus gave its final performance after a 146-year run. The U.S. FCC voted to overturn net neutrality rules. And the National Health Service in the United Kingdom was crippled by a massive ransomware attack that ended up costing over $120 million.

Fast-forward four years, and ransomware is once again making headlines by causing significant financial damage to organisations around the globe. For example, the recent attack on the Colonial Pipeline caused the company to shut down operations and garnered mainstream media attention.

If you only follow mainstream media, your perception might be that ransomware attacks only happen occasionally. But the reality is that ransomware has never gone away. Since 2017, the volume of attacks has increased steadily, the cost of payments demanded by the attackers has soared, and remediation costs have continued to climb. 

Moreover, attackers have constantly evolved the tools and the attack vectors they use to deliver the ransomware payload. For a while, the payload was attached to phishing emails with the frequently used subject line, “Invoice Attached.” That changed to a malicious link in the email that downloaded the payload when clicked by a victim. Attackers have also dropped an initial payload that allowed them to gain a foothold in the target network; after a period of time, the initial malware downloaded and executed the ransomware. 

Ransomware uptick in 2021

Based on an analysis of sampled DNS logs from the Akamai Intelligent Edge Platform, we can see that there has been a continued increase in requests to ransomware delivery domains since the start of 2021. 

Figure 1: Traffic to ransomware-associated malware websites

A noticeable increase in traffic to ransomware domains can be seen from mid-February until mid-March. The observed spike was attributed to a large increase in Ryuk ransomware, which is normally targeted at large businesses. Since the ransomware was first seen in the wild in August 2018, it’s estimated to have netted the criminal group behind the attacks in excess of $150 million.

How Akamai can help improve your ransomware defenses

Akamai Enterprise Threat Protector is a cloud-based secure web gateway that proactively blocks requests to ransomware delivery domains and URLs using real-time threat intelligence. Additionally, it uses multiple malware detection engines, including a cloud sandbox, to inspect and analyse web traffic to detect ransomware payloads.

*** This is a Security Bloggers Network syndicated blog from The Akamai Blog authored by Jim Black. Read the original post at: