By Kennet Harpsoe, Lead Security Researcher, Logpoint
SMEs are a prime target for attacks because they tend to give less priority to cybersecurity than large businesses (84% compared to 98%, according to the Cyber Security Breaches Survey 2024) and are often under resourced. But what many don’t realise is that, far from being seen as too small to bother with, these businesses are frequently the object of ransomware attacks.
The infamous LockBit group targeted 28% of its attacks against SMEs, states the 2024 Sophos Threat Report, followed by Akira at 16% and BlackCat/Alphv at 14%. But there’s been significant disruption, from Operation Cronos that took down LockBit to the infighting between BlackCat/Alphv and one of its affiliates, resulting in fragmentation. This has led to a proliferation in splinter groups and new leak sites, with the number of ransomware groups up 56%, according to the Ransomware in H1 2024 report.
Change in tactics
Not only are there now more groups but they’re also now changing tactics, with a move away from the traditional ransomware attack method, which is to exfiltrate and encrypt data, demanding a fee in exchange for decryptor software, in favour of extortion which sees the attacker threaten to publish the stolen data unless payment is made. Extortion is both cleaner and swifter.
Alongside this, it’s becoming harder to secure payouts from larger businesses due to improvements in security controls, backups and encryption. Plus, industry groups and regulators such as the NCSC and the ICO have stated that paying a ransom is not regarded as a way of resolving a data breach and have discouraged the practice. The 2024 Thales Data Threat Report found that only 8% of businesses paid the ransomware despite attacks having increased by 27% compared to 2023. It’s therefore more likely that ransomware groups will secure lots of smaller payouts from the SME sector as opposed to one big payout from a large enterprise. There are numerous examples of groups adopting this tactic:
- 8base initially claimed to be a penetration testing service and has quickly carved out a reputation for itself. It uses the Phobos ransomware variant delivered via phishing attacks and had over 350 victims as of April 2024. While it targets numerous sectors, it consistently aims for SMEs, with around 10% of attacks in the UK.
- Play/Playcrypt has also been known to masquerade as a penetration testing tool. It employs a double extortion technique so that victims have to pay both to get their data unencrypted and to prevent it being published. Around a third of attacks are in Europe and by the end of 2023, it had around 300 victims.
- BianLian typically uses remote desktop services such as Remote Desktop Protocol (RDP) as its attack vector. It moved from double extortion to pureplay extortion at the start of the year, publishing victim identities and data over its TOR-based blog. It has disclosed 90 victims this year alone.
- CosmicBeetle/NONAME has been around since 2020 but started gaining attention in March 2023 with its ScRansom malware. It typically uses brute force and credential stuffing and its decryptor can prove unreliable so is regarded as less sophisticated. SMEs across Europe, Asia, Africa and South America have been targeted and it’s now believed to have become an affiliate of Ransomhub.
Looking ahead, it’s unlikely that SMEs can expect the picture to improve. The NCSC has warned that AI is likely to see the scale, speed and complexity of attacks increase by, for example, allowing relatively unskilled threat actors to mine initial access information. But the NCSC report also offers hope by noting that “most ransomware incidents typically result from cyber criminals exploiting poor cyber hygiene, rather than sophisticated attack techniques”. In other words, it’s possible for SMEs to significantly reduce the risk of them becoming a victim if they practice good cyber hygiene.
Cyber hygiene
The most common cyber hygiene practices implemented by businesses were keeping malware protection up to date, strong password policies, cloud backups, restricting administrative rights and firewalls, according to the Cyber Security Breaches Survey. However, of the 15 rules, six of them were met by under half of all businesses. The controls met the least included patching within 14 days (34%) which could allow ransomware groups to exploit vulnerabilities to deliver their payload, using a VPN for staff to connect remotely (32%) without which data can potentially be compromised in transit, and monitoring user activity (30%) which prevents the business from detecting a potential attack.
It’s this last measure which could make a real difference in defending against ransomware. Monitoring the network logs for suspicious events can ensure that a ransomware attack is detected in the early stages and that steps are then taken to mitigate the threat. Security Incident and Event Management (SIEM) solutions automate this function, capturing and flagging events 24×7, but the technology has previously been the preserve of large corporates, only coming with the reach of the SME in the last few years.
Ransomware attacks move through stages, from initial access to installation of the payload and destroying backups, to data exfiltration and extortion. The SIEM is able to utilise current threat intelligence, use a correlation engine to to join the dots between different events and add context through User and Entity Behaviour Analytics to verify if the activity is likely to be malicious, all in real-time. So, any attempts to change user permissions, alter firewalls, or install software would be monitored, correlated and flagged for attention.
Of course, some SMEs will struggle with dedicating the resource needed to respond to these threats or may simply prefer to focus on their core business. In these scenarios it makes sense to look at outsourcing to a Managed Security Services Provider (MSSP) who can provide SIEM services. If this is the case, the SME should look for an MSSP with expertise within their sector.
Irrespective of the path taken, it’s clear that the growth in ransomware groups, their changing modus operandi and deliberate targeting of SMEs, as well as the threat of more sophisticated attacks under AI, make it imperative that SMEs take action. To avoid becoming the next victim, they need to improve cyber hygiene and bolster defences with automated threat detection and response.
