A recent report by CrowdStrike observes on a disturbing trend: the increasing use of manual techniques in ransomware attacks. This shift towards hands-on-keyboard activities is not only making these attacks more sophisticated but also more challenging to detect and mitigate.
The Surge in Interactive Intrusions
According to CrowdStrike’s findings, there has been a staggering 55% increase in interactive intrusions over the past year. These intrusions, characterized by direct human involvement rather than automated scripts, account for nearly 90% of e-crime activities. This trend underscores a critical shift in the tactics employed by cybercriminals, who are now leveraging manual techniques to bypass traditional security measures and achieve their malicious objectives.
Why Manual Techniques?
The adoption of manual techniques in ransomware attacks offers several advantages to cybercriminals. Firstly, these techniques allow attackers to adapt and respond in real-time to the defenses they encounter. Unlike automated attacks, which follow predefined scripts, manual intrusions enable attackers to think on their feet, making it harder for security systems to predict and counter their moves.
Secondly, manual techniques often involve the use of legitimate tools and credentials, making it difficult for security teams to distinguish between malicious and benign activities. This tactic, known as “living off the land,” involves using tools that are already present in the target environment, such as PowerShell or Remote Desktop Protocol (RDP). By blending in with normal network traffic, attackers can evade detection for extended periods, increasing the likelihood of a successful attack.
The Impact on the Technology Sector
The technology sector has been particularly hard-hit by this surge in manual ransomware attacks. CrowdStrike’s report indicates a 60% rise in such attacks targeting tech companies. This sector is an attractive target for cybercriminals due to its vast repositories of sensitive data and intellectual property. Additionally, technology companies often have complex and interconnected systems, providing multiple entry points for attackers to exploit.
The consequences of a successful ransomware attack on a tech company can be devastating. Beyond the immediate financial losses from ransom payments, these attacks can lead to prolonged downtime, loss of customer trust, and significant reputational damage. In some cases, the recovery process can take months, further compounding the financial and operational impact.
What to do?
Enhanced Monitoring and Detection: Implement advanced monitoring tools that can detect anomalous behavior indicative of manual intrusions. Behavioural analytics and machine learning can help identify patterns that deviate from the norm, providing early warning signs of an attack.
Regular Security Training: Educate employees about the latest phishing techniques and social engineering tactics used by cybercriminals. Regular training sessions can help staff recognize and report suspicious activities, reducing the risk of initial compromise.
Zero Trust Architecture: Adopt a Zero Trust approach to security, where no user or device is trusted by default. Implement strict access controls and continuously verify the identity and integrity of users and devices accessing the network.
Incident Response Planning: Develop and regularly update an incident response plan that outlines the steps to take in the event of a ransomware attack. Conduct regular drills to ensure that all team members are familiar with their roles and responsibilities during an incident.
Backup and Recovery: Maintain regular backups of critical data and ensure that these backups are stored securely and inaccessible from the main network. Regularly test the recovery process to ensure that data can be restored quickly in the event of an attack.
