Ransomware warning: Attacks are rising, and they'll keep coming if victims keep paying

A joint alert by cybersecurity agencies warns about the increasing damage done by ransomware attacks - and offers advice on how to counter the threat.
Written by Danny Palmer, Senior Writer

A growing wave of increasingly sophisticated ransomware attacks poses a threat to critical infrastructure and organisations around the world – and attacks will continue as long as victims keep giving in to ransom demands, a joint advisory by cybersecurity bodies in the US, UK and Australia has warned.

The advisory from the UK's National Cyber Security Centre (NCSC), Australian Cyber Security Centre (ACSC), Federal Bureau of Investigation (FBI), National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) has detailed the growing risk posed by ransomware and has urged businesses to take action to protect themselves from attacks.

The NCSC describes ransomware as "the biggest cyber threat facing the United Kingdom", with education one of the top targets of ransomware gangs, alongside businesses, charities, local government and the health sectors.

SEE: A winning strategy for cybersecurity (ZDNet special report)

The FBI, CISA and NSA warn that 14 of the 16 US critical infrastructure sectors have been targeted by ransomware, including defence, industrial systems, emergency services, food and agriculture, government and information technology, while the ACSC has warned that ransomware attacks continue to target critical infrastructure across Australia.

In what represents the first international joint advisory on ransomware, organisations are being urged to take action in order to defend against attacks and avoid becoming a victim.

"Ransomware is a rising global threat with potentially devastating consequences but there are steps organisations can take to protect themselves," said Lindy Cameron, CEO of the NCSC.

"To help ensure organisations are aware of the threat and how to defend themselves we have joined our international partners to set out the very latest threat picture alongside key advice".

Mitigation advice includes implementing multi-factor authentication, employing a zero-trust strategy, and training users, so they can identify and report phishing attacks.

"We live at a time when every government, every business, every person must focus on the threat of ransomware and take action to mitigate the risk of becoming a victim," said Jen Easterly, director of CISA.

"Reducing risk to ransomware is core to CISA's mission as the nation's cyber defense agency, and while we have taken strides over the past year to increase awareness of the threat, we know there is more work to be done to build collective resilience," she added.

Some of the key techniques ransomware groups are using to launch attacks include gaining access to networks via phishing, exploiting stolen Remote Desktop Protocol (RDP) passwords, brute force attacks, and taking advantage of unpatched vulnerabilities.

The paper also warns that cyber-criminal services for hire and ransomware-as-a-service schemes are becoming increasingly professional and efficient, even offering "help centres" to talk victims through how to make the ransom payments required for the decryption key required to restore the network.

Ransomware attacks are still evolving and the alert warns that one way in which this is happening is the increasing targeting of cloud infrastructure, which can affect multiple organisations at once.

SEE: DDoS attacks that come combined with extortion demands are on the rise

Cyber criminals are also increasingly targeting managed service providers (MSPs), abusing the widespread and trusted access into clients in order to affect multiple organisations at once. The security agencies warn that it's likely that ransomware gangs will increase attacks targeting MSPs, as will attacks that target other elements of the software supply chain.

Each of the cybersecurity authorities in the United States, Australia and United Kingdom warns that, so long as victims are paying ransoms, ransomware attacks will continue.

"If the ransomware criminal business model continues to yield financial returns for ransomware actors, ransomware incidents will become more frequent. Every time a ransom is paid, it confirms the viability and financial attractiveness of the ransomware criminal business model," the alert warns.

The paper suggests that by applying cybersecurity hygiene protocols, including updating operating systems and software in a timely manner, using offline backups and deploying multi-factor authentication, organisations can take major steps towards avoiding becoming another ransomware victim.


Editorial standards