Nuspire Report Confirms Massive Spike in Ransomware Attacks

Nuspire, a provider of managed security services, published a report today that found a 55,239% increase in ransomware activity in the weeks before the Colonial Pipeline ransomware attack conducted by the DarkSide ransomware group.

Josh Smith, a cyberthreat analyst for Nuspire, said there is no absolute correlation between the rise in ransomware activity and any specific attack, but that the report validates the current level of concern.

Based on an analysis of 90 billion traffic logs conducted in the second quarter of 2021, the report also noted malware activity increased by up to 41.84%, most notably in the form of ongoing VBA Agent Activity targeting Microsoft applications and a new addition to the JS/Valkyr family of malware. Valkyr is classified as a trojan and is often delivered via phishing and spam campaigns using JavaScript as its execution method. In total, the report identified 3,718,947 malware events for the quarter.

On the plus side, there was a 51% decrease in exploit activity, with 19,371,167 events for the quarter. However, that trend was reversing at the close of the quarter, mainly because of a large increase in SSH brute-force activity that had not been seen before. A significant number of SMB brute-force attacks and uses of the DoublePulsar exploit were also seen during the quarter.

Finally, botnet activity totaled 540,332 events, a 50% decline; this decrease was most likely because of the Emotet platform being taken offline.

The Nuspire report retrospectively confirms what most cybersecurity teams most likely already suspected. However, attack vectors are like fashion trends—they tend to evolve and change as cybercriminals experiment with different techniques. As such, cybersecurity teams would be well-advised to take note of changes in attack patterns, said Smith.

Smith also noted it is apparent that IT environments need to embrace zero-trust IT architectures across the full IT stack and, whenever possible, replace easily stolen passwords with multifactor authentication.

The best defense, of course, is to patch applications and systems as quickly as possible when vulnerabilities are found, noted Smith. The challenge is that each patch needs to be tested to make sure it doesn’t break the larger application environment. Before too long, the number of patches that need to be tested and then deployed starts to add up. It’s not uncommon for IT organizations to be running software that is several releases behind the most current version available. Unfortunately, many cybercriminals read release notes closely to learn which vulnerabilities have been fixed, then scan IT environments for systems that have not yet applied the patch.

In theory, at least, the rise of DevSecOps best practices should result in faster upgrade cycles as developers assume more responsibility for security. The issue is that it will take a significant amount of time to train developers to have a greater appreciation for security. Until then, it will remain incumbent on security teams to discover vulnerabilities and hope developers will find the time to remediate them before they are discovered by cybercriminals.

Cybersecurity, of course, has always been a race against time. The issue is that as the attack surface that needs to be defended continues to expand, the number of opportunities for organizations to run out of time continues to exponentially increase.

Michael Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.