Most industries seeing relief from ransomware, but insurance isn't one
Smaller insurers became a favorite target for the LockBit ransomware gang during Q1 2022.
The first quarter of 2022 closed with businesses seeing a 25% decline in the total number of ransomware attacks compared with the prior quarter, according to Abnormal Security Corp. However, the finical service industry, including insurance, saw no such relief as the total sector saw attacks grow 35% quarter-on-quarter and 75% year-on-year.
Insurers saw a 13% increase in ransomware attacks during the first quarter, according to Crane Hassold, Abnormal Security’s director of threat intelligence,” who tells PropertyCasualty360.com that the financial service industry was the only sector that saw a net increase in overall ransomware attacks in Q1 2022.
While insurers saw an uptick in attacks, accounting for 10% of ransomware incidents during the period, manufacturers continued to be the most targeted by ransomware, drawing 25% of attacks, according to Abnormal Security.
The retail and wholesale trade saw the biggest drop in ransomware attacks during the period, declining 52% compared with the prior quarter.
LockBit loves insurers
Abnormal Security reported that LockBit, an affiliate-based ransomware-as-a-service (RaaS), has increased its focus on the financial service industry in general, and smaller accounting and insurance firms specifically. Hassold explains this is because smaller companies typically lack the capital to robustly invest in cybersecurity, making them easier to exploit and more attractive targets for cybercriminals.
“Smaller organizations are also attractive targets for other types of attacks such as financial supply chain compromise, where small companies are exploited first with the goal of attacking large customers,” he says, adding: “Most of today’s ransomware attacks are delivered indirectly through compromising an organization’s network with malware.”
Coveware, Inc., a ransomware remediation firm, reported that phishing is the most common attack vector targeted by LockBit, followed by software/hardware vulnerabilities and remote desktop protocol, respectively.
“Once an organization’s network is compromised, the threat actors will leverage initial access to remotely deploy ransomware,” Abnormal Security’s Hassold said. “The most important step organizations can take in protecting against ransomware today is ensuring that this initial compromise doesn’t happen.”
Earlier this year, the FBI cyber division released a flash bulletin regarding LockBit 2.0, an update to the RaaS, which noted these attacks are difficult to defend against because of the wide variety of tactics, techniques and procedures they employ. However, the bureau did offer some tips to mitigate against risks from LockBit 2.0:
- Require all accounts with password logins (e.g., service account, admin accounts, and domain admin accounts) to have strong, unique passwords. Passwords should not be reused across multiple accounts or stored on the system where an adversary may have access. Devices with local administrative accounts should implement a password policy that requires strong, unique passwords for each individual administrative account.
- Require multifactor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems.
- Keep all operating systems and software up to date. Prioritize patching known exploited vulnerabilities. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats.
- Remove unnecessary access to administrative shares, especially ADMIN$ and C$. If ADMIN$ and C$ are deemed operationally necessary, restrict privileges to only the necessary service or user accounts and perform continuous monitoring for anomalous activity.
- Use a host-based firewall to only allow connections to administrative shares via server message block from a limited set of administrator machines.
- Enable protected files in the Windows Operating System to prevent unauthorized changes to critical files.
Related:
- What is jackware? Ransomware’s vicious cousin
- Insurance agency cybersecurity questions answered
- How NotPetya reveals the future of cyber risks & damages