Ransomware Demands – A Record Breaking Fee


Bradleigh Bishop

SOC Team Lead

08th Aug 2024

A company has paid an unprecedented $75 million ransom to the Dark Angels ransomware group. The payment, made in early 2024 and disclosed in Zscaler ThreatLabz's 2024 ransomware report, nearly doubles the previous record for a ransomware payment and is a stark reminder of the escalating threat organizations face today. As ransomware attacks continue to surge, it is more important than ever for businesses to understand these threats and implement robust protection measures.

The current ransomware landscape

The cybersecurity landscape has become increasingly treacherous, with ransomware attacks surging by 18% between April 2023 and April 2024. This trend reflects the growing sophistication and audacity of cybercriminals, who are targeting organizations of all sizes across a wide range of industries.

While the $75 million ransom payment sets a new and troubling record, it's not an isolated incident. Several high-profile companies have fallen victim to ransomware attacks in recent years, resulting in substantial payouts:

  • CNA Insurance: $40 million to Phoenix Cryptolocker
  • CDK Global: $25 million to BlackSuit
  • Change Healthcare: $22 million to ALPHV/BlackCat

Despite these eye-watering sums, we consistently advise against paying ransoms. Paying funds further attacks and often leads to repeat targeting of the same organization; it also guarantees neither a working decryptor nor the deletion of stolen data. It is a short-term fix that makes the long-term problem worse.

Spotlight on the Dark Angels

The group behind the record-breaking $75 million ransom, known as the Dark Angels, has quickly established itself as a formidable force in the ransomware ecosystem since its emergence in May 2022. Unlike many ransomware groups that cast a wide net and rely on affiliate networks, the Dark Angels take a more methodical approach, focusing on a small number of high-value targets and typically on one victim at a time.

The Dark Angels operate a data leak site called Dunghill and have orchestrated several high-profile attacks. One notable example is their $51 million ransom demand from Johnson Controls, during which they claimed to have exfiltrated an astounding 27 terabytes of data.

This deliberate targeting of high-value companies is designed to secure very large payouts and represents a concerning shift in ransomware tactics. The group's ability to exfiltrate enormous volumes of data before encrypting anything adds a second lever of extortion: even a victim that restores from backup still faces the threat of publication.

Best practices for ransomware protection

As ransomware groups like the Dark Angels continue to evolve their strategies, organizations must implement comprehensive cybersecurity measures. Here are ten best practices to help protect your organization:

  1. Regular Backups: Implement a robust backup strategy that includes regular, offline or immutable backups of critical data, so that a compromised domain admin account cannot delete or encrypt them. This allows for data restoration without paying a ransom. Test restores regularly, not just backup job completion, to verify that the data is actually recoverable.
  2. Employee Training: Human error remains one of the biggest vulnerabilities in cybersecurity. Conduct regular, comprehensive cybersecurity training for all employees. This should cover recognising phishing attempts, handling suspicious emails, and following security protocols. Consider implementing simulated phishing exercises to test and reinforce this training.
  3. Patch Management: Develop and maintain a rigorous patch management process. Regularly update all software, including operating systems, applications, and firmware, with the latest security patches. This helps prevent exploitation of known vulnerabilities that ransomware often targets.
  4. Network Segmentation: Divide your network into separate segments or subnetworks. This limits the spread of ransomware if an infection occurs, helping to contain the damage and isolate affected systems. Implement strong access controls between segments, and in particular restrict workstation-to-workstation protocols such as SMB and RDP, which ransomware operators rely on for lateral movement.
  5. Endpoint Protection: Deploy comprehensive endpoint protection solutions that include anti-ransomware capabilities. These should be able to detect and block malicious activities in real-time, including attempts to encrypt files or make unauthorised system changes.
  6. Multi-Factor Authentication (MFA): Implement MFA across all systems and applications, especially for remote access such as VPNs and administrative interfaces. This adds an extra layer of security, making it significantly harder for attackers to gain access even if they obtain valid credentials. Prefer phishing-resistant methods (hardware keys or passkeys) over SMS codes where possible.
  7. Incident Response Plan: Develop, regularly update, and practice a comprehensive incident response plan. This ensures a swift and effective response in the event of a ransomware attack. The plan should clearly define roles, responsibilities, and procedures for containing and mitigating the impact of an attack.
  8. Email Filtering and Web Security: Deploy advanced email filtering and web security solutions to block phishing emails and access to malicious websites. These are common initial vectors for ransomware infections. Regularly update these tools to keep pace with evolving threats.
  9. Least Privilege Principle: Implement the principle of least privilege across your organization. Limit user permissions to the minimum necessary for their roles, and regularly audit these permissions. Reducing administrative access helps mitigate the impact of a ransomware attack if a user's account is compromised.
  10. Regular Security Audits: Conduct regular security audits and vulnerability assessments to identify and address potential weaknesses in your infrastructure. This proactive approach helps you stay ahead of potential threats and ensures your security measures remain effective.
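Item 5 above asks endpoint protection to detect "attempts to encrypt files". The following is an added example (not code from the original article or from any vendor product) of what one such detection looks like in practice: it scans a stream of file-write events and flags any process that writes many high-entropy files within a short window, which is the characteristic footprint of an encryptor rewriting documents. The event stream, process names and thresholds are all constructed for the example; a real SOC would feed it from EDR or Sysmon file-write telemetry and tune the window and counts to the environment.

```python
"""Toy ransomware-behaviour detector over constructed file-write telemetry.

Signal: a single process writes >= MIN_FILES files whose content looks like
ciphertext (Shannon entropy close to 8 bits/byte) inside a WINDOW-second span.
Compressed or already-encrypted data is also high-entropy, so the rate check
is what separates an encryptor from, say, a backup agent writing archives.
"""
import math
import random
from collections import defaultdict
from dataclasses import dataclass

WINDOW = 10.0        # seconds (assumed tuning value)
MIN_FILES = 5        # suspicious writes needed inside one window (assumed)
ENTROPY_THRESHOLD = 7.0  # bits per byte; plain documents sit far below this


@dataclass(frozen=True)
class FileEvent:
    ts: float     # seconds since epoch
    pid: int
    image: str    # process image name
    path: str     # file written
    data: bytes   # sample of the bytes written (e.g. first 256 bytes)


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte of the empirical byte distribution."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def find_encryptors(events, window=WINDOW, min_files=MIN_FILES,
                    entropy_threshold=ENTROPY_THRESHOLD):
    """Return {(pid, image): max high-entropy writes seen in one window}
    for every process that crosses min_files."""
    by_proc = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        if shannon_entropy(ev.data) >= entropy_threshold:
            by_proc[(ev.pid, ev.image)].append(ev)

    flagged = {}
    for key, evs in by_proc.items():
        # Sliding window over this process's high-entropy writes.
        start, best = 0, 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_files:
            flagged[key] = best
    return flagged


# --- constructed sample telemetry -------------------------------------------
_rng = random.Random(1)


def fake_ciphertext() -> bytes:
    """Stand-in for encrypted output: a permutation of all 256 byte values,
    so its entropy is exactly 8.0 bits/byte."""
    perm = list(range(256))
    _rng.shuffle(perm)
    return bytes(perm)


PLAINTEXT = b"Quarterly report draft - do not distribute. " * 6

SAMPLE_EVENTS = (
    # A user editing documents: low-entropy writes, slow.
    [FileEvent(1000.0 + 20 * i, 1200, "WINWORD.EXE",
               f"C:\\Users\\alice\\Documents\\report{i}.docx", PLAINTEXT)
     for i in range(3)]
    # An encryptor rewriting eight files in 3.5 seconds with ciphertext.
    + [FileEvent(1100.0 + 0.5 * i, 4242, "updater.exe",
                 f"C:\\Users\\alice\\Documents\\file{i}.docx.locked",
                 fake_ciphertext()) for i in range(8)]
    # A backup agent writing compressed chunks: high entropy but one per 50 s.
    + [FileEvent(2000.0 + 50 * i, 900, "backupagent.exe",
                 f"D:\\backup\\chunk{i}.zst", fake_ciphertext())
       for i in range(6)]
)


if __name__ == "__main__":
    for (pid, image), n in find_encryptors(SAMPLE_EVENTS).items():
        print(f"ALERT pid={pid} image={image}: {n} ciphertext-like writes "
              f"within {WINDOW:.0f}s")
```

Run stand-alone, the script alerts only on `updater.exe`: Word's writes never pass the entropy gate, and the backup agent's archives pass it but are spread too thinly in time. In production this is a behavioural rule to pair with, not replace, the vendor's anti-ransomware engine, and the response action for a hit should be an automated host isolation, since eight files in a few seconds means the next few hundred are seconds away.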

The future of ransomware threats

As we've seen with the Dark Angels' tactics, ransomware threats are continuously evolving. We can expect to see more targeted attacks on high-value organizations, increasingly sophisticated social engineering techniques, and potentially the use of AI to automate and scale attacks.

To stay ahead of these evolving threats, organizations need to adopt a proactive, adaptive approach to cybersecurity. This includes staying informed about emerging threats, regularly reassessing and updating security measures, and fostering a culture of security awareness throughout the organization.

Summary

The record-breaking $75 million ransom payment marks a troubling milestone in the ransomware landscape. It highlights the need for enhanced cybersecurity defences and proactive threat management across all organizations.

By implementing the best practices outlined above, organizations can significantly reduce their risk of falling victim to ransomware and ensure better preparedness in the face of evolving cyber threats. Remember, the cost of prevention is almost always lower than the cost of recovery from a successful attack.

Protect your business from cyber attacks

With Defense.com Managed SIEM, your network will be monitored 24/7/365 for suspicious activity, helping to identify threats and prevent breaches. We’ll help you quickly improve your security posture with our fully managed service.
