Ransomware exploded in 2017, when hackers were breaking into hospital systems and holding patient data ransom in exchange for cryptocurrency. But these types of attacks are now spreading to wider targets, such as cloud, datacenter, and enterprise infrastructure, according to a report by security firm Vectra.

The Vectra 2019 Spotlight Report on Ransomware finds that the most significant ransomware threat — in which hackers steal your data and hold it for ransom — is malicious encryption of shared network files in cloud service providers. San Jose, California-based Vectra released the report ahead of the Black Hat 2019 security conference in Las Vegas this week.

Cybercriminals are targeting organizations that are most likely to pay larger ransoms in order to regain access to files encrypted by ransomware. The costs of downtime due to operational paralysis, inability to recover backed-up data, and reputational damage are particularly catastrophic for organizations that store their data in the cloud.

Above: Some of the key targets of ransomware in Europe and the Middle East.

Image Credit: Vectra

“The fallout from ransomware attacks against cloud service providers is far more devastating when the business systems of every cloud-hosted customer are encrypted,” said Chris Morales, head of security analytics at Vectra, in a statement. “Today’s targeted ransomware attacks are an efficient, premeditated criminal threat with a rapid close and no middleman.”

Ransomware makes for a fast and easy attack with a bigger payout than stealing and selling credit cards or personally identifiable information (PII), both of which have perishable values as time elapses after their theft. Factor in cryptocurrency as the ransom payment — an anonymous, hard-to-trace currency — and it’s easy to see why cybercriminals like ransomware’s clean, no-fuss business model.

The report disclosed that cybercriminals’ most effective weapon in a ransomware attack is the network itself, which enables the malicious encryption of shared files on network servers, especially files stored in infrastructure-as-a-service (IaaS) cloud providers.

Above: Ransomware attacks by industry.

Image Credit: Vectra

“Fifty-three percent of organizations say they have a ‘problematic shortage’ of cybersecurity skills today, and the ramifications of it are very evident with fast-moving ransomware attacks,” said analyst Jon Oltsik of Enterprise Strategy Group in a statement. “The industry simply doesn’t have enough trained security folks scanning systems, threat hunting, or responding to incidents. This Spotlight Report offers important insights into the weaponization, the shift from opportunistic to targeted attacks, and the industries targeted by ransomware, that can help organizations be better prepared.”

Attackers today can easily evade network perimeter security and perform internal reconnaissance to locate and encrypt shared network files. By encrypting files that are accessed by many business applications across the network, attackers more quickly achieve an economy of scale that is far more damaging than encrypting files on individual devices.

Vectra said artificial intelligence can detect subtle indicators of ransomware behaviors and enable organizations to prevent widespread damage. When organizations recognize these malicious behaviors early in the attack lifecycle, they can limit the number of files encrypted by ransomware, stop the attack from propagating, and prevent a disastrous business outage.

The report is based on observations and data from the 2019 Black Hat Edition of the Attacker Behavior Industry Report, which reveals behaviors and trends in networks from a sample of over 350 opt-in Vectra customers. The Attacker Behavior Industry Report provides statistical data on the behaviors motivated attackers use to blend in with existing network traffic behaviors and mask their malicious actions.

Above: Network file encryption attacks are common.

Image Credit: Vectra

From January to June, the Vectra Cognito threat-detection and response platform monitored enriched metadata collected from network traffic between more than 4 million workloads and devices in customer clouds, datacenters, and enterprise environments. The analysis of this metadata provides a better understanding of attacker behaviors and trends, as well as business risks.

The Ryuk ransomware strain, one of the more successful ransomware strains observed in the past year, sets the ransom according to the victim’s perceived ability to pay. It was first seen in August 2018, and Ryuk has targeted more than 100 U.S. and international businesses, including cloud service providers like DataResolution.net.

The Cognito platform works by accelerating network detection and response, using AI to collect, enrich, and store network metadata with the right context to detect, hunt, and investigate hidden threats in real time. The company says its platform scales efficiently to the largest organizations’ networks, with a distributed architecture using a mix of cloud, virtual, and physical sensors that provide 360-degree visibility across cloud, datacenter, and user and IoT networks, leaving attackers with nowhere to hide.