Ransomware Attacks and Response: What You Need to Know Now

Not only is ransomware the top cybersecurity story in 2021, but new twists, turns and countermeasures keep coming. Here are the latest headlines and what news you need.

A map of the United States with colored pins showing the locations where ransomware attacks are known to have occurred.
I participated in several cybersecurity events in Minnesota this past week, and conversations continued to revolve around new (and old) types of ransomware, incident response, and what’s being done to stem the rising tide.

But despite the growing number of reported incidents, I continue to believe that the problem may actually be worse than we are reading about in the media. Why? Because many ransomware attacks continue to go unreported for a variety of reasons and because the (surging number of) people responding to these attacks continue to struggle to keep up with demand for help.

Add in the fact that ransomware premiums are rising fast while coverage scope shrinks. Some are even saying that ransomware should not be covered by cyber insurance.


So what’s hot off the press? Here are a few important headlines to consider:
“Over the past year and a half, the threat actor has compromised the networks of at least eight French companies, stealing data and deploying malware from multiple ransomware-as-a-service (RaaS) operations.

“Lockean activity was first noticed in 2020 when the actor hit a French company in the manufacturing sector and deployed DoppelPaymer ransomware on the network.

“Between June 2020 and March 2021, Lockean attacked at least seven more companies with various ransomware families: Maze, Egregor, ProLock, REvil.”

“In response to tightening security, it appears that ransomware hackers are adopting new methods. One gang, Lockbit 2.0, is now offering millions of dollars to employees who are willing to help them gain access to a network.

“If hackers are able to contact a disgruntled employee and convince them to work with them, even the best cybersecurity defenses in the world will fail. This presents yet another challenge to already struggling cybersecurity teams.”

“A new threat actor is hacking Microsoft Exchange servers and breaching corporate networks using the ProxyShell vulnerability to deploy the Babuk Ransomware.

“The ProxyShell attacks against vulnerable Microsoft Exchange servers started several months ago, with LockFile and Conti being among the first ransomware groups to exploit them.

“According to a report by researchers at Cisco Talos, a Babuk ransomware affiliate known as ‘Tortilla’ had joined the club in October, when the actor started using the ‘China Chopper’ web shell on breached Exchange servers.”


On Nov. 3, The Washington Post reported that “A ransomware gang shut down after Cybercom hijacked its site and it discovered it had been hacked.” Here’s an excerpt:

“A major overseas ransomware group shut down last month after a pair of operations by U.S. Cyber Command and a foreign government targeting the criminals’ servers left its leaders too frightened of identification and arrest to stay in business, according to several U.S. officials familiar with the matter.

“The foreign government hacked the servers of REvil this summer, but the Russian-speaking criminal group did not discover it was compromised until Cybercom last month blocked its website by hijacking its traffic, said the officials who spoke on the condition of anonymity because of the matter’s sensitivity.

“Cybercom’s action was not a hack or takedown, but it deprived the criminals of the platform they used to extort their victims — businesses, schools and others whose computers they’d locked up with data-encrypting malware and from whom they demanded expensive ransoms to unlock the machines, the officials said.”

Meanwhile, The Hill reported that a “Top DOJ official predicting more arrests in crackdown on ransomware, cyber crime”:

“Deputy Attorney General Lisa Monaco said the U.S. should expect to see a crackdown on ransomware attacks and cyber crime as the Department of Justice (DOJ) ramps up its efforts in the area.

“Monaco told The Associated Press during an interview this week that the U.S. is going to see an increase in arrests of individuals and seizures of ransom payments linked to cyber crimes that have affected the country.

“‘In the days and the weeks to come, you’re going to see more arrests, more seizures, and you’re going to see more operations like we did last week,’ Monaco said, referring to the extradition of an alleged Russian cyber criminal actor who was hiding in South Korea to face charges in the U.S.”

Also, CNN reported that “Cyber Command head says US has carried out a ‘surge’ to address ransomware attacks”:

“US Cyber Command head and director of the National Security Agency Gen. Paul Nakasone said Wednesday that the US had ‘conducted a surge’ over the past three months to address the problem of ransomware attacks on US interests.

“Nakasone said the US government had taken aim at sources of funding for ransomware operatives, many of whom are based in Russia and Eastern Europe and who have made millions extorting US companies.

“‘We bring our best people together, the really good thinkers of, how do you get after folks that are doing this?’ Nakasone said at the Aspen Security Forum in Washington. ‘How do you get after the capabilities that they’re producing, how do you get after the flow of money?’”


In addition, the news was widespread last week about the U.S. government offering a big reward for information leading to the arrest of DarkSide cyber crime group members.

Reuters: “U.S. offers $10 million reward in hunt for DarkSide cybercrime group”

“The State Department also said it is offering a reward of up to $5 million for information leading to the arrest or conviction in any country of any person attempting to participate in a DarkSide ransomware incident.

“‘In offering this reward, the United States demonstrates its commitment to protecting ransomware victims around the world from exploitation by cyber criminals,’ the department said in a statement.”

Neil Jones, cybersecurity evangelist at Egnyte, said this about the reward:

"The US government's $10 million reward for DarkSide leaders demonstrates the ability of ransomware to cripple global supply chains and grind business productivity to a halt. To put the size of that reward into perspective, the United States offered a $25 million reward for the capture of the late Osama bin Laden, which would be approximately $39 million today.

"I am particularly heartened by the US government's decision to offer $5 million for information that results in the arrest or conviction of those who perpetrate attacks that are powered by DarkSide's ransomware. To protect themselves, organizations should utilize ransomware detection technology, educate their employees about the danger of clicking on phishing emails and leverage Defense in Depth solutions such as Multi-Factor Authentication (MFA). The best ransomware payment is the one that your company never makes."

Steve Moore, vice president and chief security strategist at Exabeam, said this:

“This offer for bounty represents a continuation of a position made back in July 2021 on bug bounties — now it seems we have criminal adversary bounties. This is no different than a bounty on the head of a warlord or traditional criminal — just the cyber version.

“I believe that the Biden administration calls out DarkSide specifically due to their desire to manipulate the victim’s stock price and the additional stress it could represent on financial markets. In April of this year, they bragged about having access to companies who trade on NASDAQ and other exchanges. If payment isn’t received, they will release information before their earnings statements are made, allowing those ‘in the know’ to profit by shorting the stock.”


In conclusion, I like the list from Help Net Security of the “Top 10 ways attackers are increasing pressure on their ransomware victims to pay”:
  • Stealing data and threatening to publish or auction it online
  • Emailing and calling employees, including senior executives, threatening to reveal their personal information
  • Notifying or threatening to notify business partners, customers, the media, and more of the data breach and exfiltration
  • Silencing victims by warning them not to contact the authorities
  • Recruiting insiders to help them breach networks
  • Resetting passwords
  • Phishing attacks targeting victim email accounts
  • Deleting online backups and shadow volume copies
  • Printing physical copies of the ransom note on all connected devices, including point of sale terminals
  • Launching distributed denial-of-service attacks against the target’s website

Stay alert and watch this fast-moving ransomware space.
Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.