Persistent and pervasive – two words that well describe today’s most infamous uninvited guest, ransomware. Quickly establishing itself as the scourge of businesses, governments, and cybersecurity teams in recent years, ransomware continues to run rampant across the Asia-Pacific cyberthreat landscape, with attacks growing more sophisticated each day, and as new attack vectors emerge.
A trend primarily driven by the region’s rapid adoption of digital technology, the United Nations reports that Southeast Asia has seen a 600% rise in cybercrimes. In digital economies such as Singapore, local authorities reported a 54% increase in ransomware between 2020 and 2021.
The evolving face of ransomware
Money is a key motivation for ransomware threat actors. With the rapid pace of enterprise digitalisation, it’s safe to say that ransomware is now a billion-dollar industry. Modern ransomware gangs operate much like corporations, adapting their tactics to align with ongoing trends and maximise success. They have also commodified these attacks by providing ransomware as a service, heightening the risk faced by digital organisations.
As ransomware evolves, so has the sophistication of malicious actors behind it. Needless to say, with the increasing number of available targets and potential risks, it has become more necessary than ever for organisations to have security as their top priority.
When ransomware meets IoT and OT
According to research from Forescout’s Vedere Labs, two of the biggest threats of the past few years are converging: Ransomware and IoT attacks. Attacks have moved beyond IT workstations and servers, with threat actors now looking for vulnerabilities in connected IoT devices.
Enterprise IoT devices are being actively exploited because they are generally harder to update than IT devices, and are usually compromised as a result of weak credentials or unpatched vulnerabilities. The research has identified IP cameras, VoIP, and videoconferencing systems as the IoT devices that pose outsized cybersecurity risks for organisations. Corroborating our findings, security leaders at financial organisations that we spoke to confirmed that IP cameras were among their riskiest devices, according to their internal security assessments.
The accelerating convergence of IT and OT networks present further risks for the rapidly digitalising markets of Asia-Pacific. Through compromised IoT devices, attackers could pivot into other connected IT or OT devices, which could impact physical systems. Vulnerable IoT devices, such as the aforementioned IP cameras, VoIP, and video conferencing systems serve as an initial access point, but it is IT/OT convergence that enables this lateral movement.
This type of attack is applicable in almost every organisation nowadays because of the widespread presence of IoT and OT devices. This is particularly dangerous for healthcare organisations due to the widespread adoption of the Internet of Medical Things and its potential impact on healthcare delivery and patient safety.
Several incidents have already occurred in 2022 that demonstrate the ability of ransomware groups to leverage IoT devices for initial access to organisations. These include the extortion methods of DeadBolt ransomware operators, who targeted internet-exposed QNap and Asustor network-attached storage (NAS) devices; and ZuoRAT, a remote access trojan that initially targeted routers to enumerate and move laterally across its victim’s network.
Nascent ransomware trends
An increasingly digitalised and connected world means that ransomware is a challenge that is here to stay for the foreseeable future. Our research found three trends among ransomware threat actors and what they portend for 2023:
- State-sponsored ransomware
While cyberattacks funded by a government or executed by its agencies for monetary gain aren’t particularly new, we see more nations exploring this threat vector, deploying ransomware either for financial gain or as a subterfuge for espionage operations.
- New mainstream targets
ESXi virtualisation servers and NAS devices have become main targets of ransomware actors, with malware being created or adapted specifically for such environments. This is largely due to the valuable data they hold, and their often lax security posture. VoIP appliances have also become some of the most scanned devices on the internet, indicating that they could become a target of ransomware groups.
- Evolving extortion techniques
Major ransomware threat actors are developing and testing new extortion techniques, alongside data exfiltration and encryption. A notable practice involves creating a website where customers and employees of the victim organisation could check if their data was stolen, and thus be pressured into paying a ransom.
Minimising the ransomware risk
With IoT spending in Asia-Pacific on track to reach US$436 billion in 2026 as per IDC, it is clear that the attack surface in the region is increasing. There are several measures that organisations can adopt to mitigate the risk of these IoT-driven ransomware attacks. These include the following:
- Identification and protection
Analysing attacks that have occurred across the region can reveal which vulnerabilities are being actively exploited, allowing organisations to remediate identified security gaps.
Most tactics, techniques, and procedures that ransomware groups use are typically well known and can thus be detected on the network. Popular tools include Cobalt Strike and malicious PowerShell scripts.
- Response and recovery
Although ransomware attacks are incredibly efficient, they are not fully automated and the dwell time for such attacks can range anywhere from 20-40+ days, leaving time for incident response and recovery before data encryption.
The path forward
As ransomware continues to relentlessly seek and compromise corporate assets and disrupt business, decision makers should actively be making cybersecurity their top priority. Beyond the practices mentioned above, traditional cyber hygiene practices such as asset inventory, patching, credential management, and network segmentation must also be extended to encompass the organisation’s entire digital terrain.
Mitigation must also prioritise up-to-date threat intelligence, which will indicate what types of devices are currently being targeted. A good way to start is by focusing on the aforementioned riskiest devices that could be easily exploited by threat actors.
Finally, organisations should also segment their network to isolate IT and OT to decrease the probability of OT/ICS malware reaching its target. Security teams can also adopt monitoring solutions capable of alerting them of malicious indicators and behaviours, and observe internal systems and communications for known hostile actions.