Ransomware is on the rise, what can telcos do about it?

Ransomware attacks are becoming more sophisticated as threat actors turn to new tactics like ransomware-as-a-service (RaaS) and encryption-less extortion, according to a new Ransomware Report from Zscaler's ThreatLabz research group.

Zscaler CISO Deepen Desai told Fierce what telco operators can do to confront the growing threat landscape.

The Ransomware Report found that in the Zscaler cloud, ransomware attacks witnessed a nearly 40% increase from April 2022 to April of this year, signaling a growing threat to organizations worldwide. Payloads (the malicious code that is delivered and executed on a target system as part of a cyberattack) observed in the Zscaler sandbox surged 57.50%.

Since 2022, Zscaler’s ThreatLabz has identified thefts of increasing size – reaching several terabytes of data -- as part of several successful ransomware attacks, which were then used to extort ransoms. 

According to ThreatLabz, ransomware evolution has been driven by more sophisticated attacks and the shrinking barrier of entry for cybercriminal groups, largely due to the rise of RaaS. This model, where threat actors sell their code and services on the dark web, has gained popularity in recent years.

Another notable trend in 2023 is the growth of encryption-less extortion attacks, prioritizing data exfiltration over encryption. This approach threatens to leak stolen data if the victim does not pay, resulting in faster and larger profits for ransomware gangs. These attacks are harder to detect and receive less attention from authorities.

“The threat landscape continues to evolve, with the emergence of encryptionless ransom attacks gaining traction. This insidious approach presents a new challenge as attackers bypass encryption to directly target and compromise vital systems and data,” the research report said.

The U.S. was the most targeted country for double-extortion attacks -- accounting for nearly half of ransomware campaigns over the last 12 months -- with manufacturing being the most targeted sector globally.

In 2021, ThreatLabz observed the launch of 19 new ransomware families that used double or multi-extortion tactics. Twenty-five new ransomware families were identified as using double extortion or encryption-less extortion attacks this year.

Telcos play a ‘critical’ role in ransomware defense

As ransomware becomes insidious across verticals, telcos have a “critical role" as an essential service provider for all businesses and should continue to prioritize implementing strong security measures, Desai told Fierce.

ThreatLabz indicated that to effectively counter the growing wave of sophisticated ransomware attacks, businesses need to embrace a comprehensive security strategy based on the principles of zero trust.

This means implementing a range of robust measures, including the adoption of zero-trust network access (ZTNA) architecture, granular segmentation, browser isolation, advanced sandboxing, deception technology and cloud access security broker (CASB) solutions.

The research report said that to their detriment, many businesses have particularly neglected the importance of data loss prevention (DLP) technology.

Desai said telco operators can do their part by collaborating with networking and security vendors to conduct security audits, integrate zero-trust network segmentation and enforce strict authentication and access controls.

“Working closely with vendors during the network design phase to incorporate zero-trust network segmentation principles helps to prevent lateral threat movement and limit the overall damage of ransomware attacks,” he said.

Telcos should also consider developing programs to help educate vendors on the importance of implementing zero-trust security architecture and provide services to assist vendors in deploying, configuring and enabling these capabilities along with regularly sharing best practices and security intelligence.

By sharing information and conducting regular security audits, vendors can "proactively identify security gaps and take the necessary steps to address them, such as applying patches, updating firmware, or strengthening controls,” Desai said.

“Telcos also play an important role in protecting organizations by collaborating with law enforcement agencies and participating in cybercrime investigations that contribute to the overall defense against ransomware attacks,” he added.

Attacks targeting cities, states, municipalities, law enforcement, K-12 schools and other public institutions ramped up in 2023, and ThreatLabz expects that pattern to continue.

Desai encouraged telcos to partner with these types of organizations that often have limited resources to help mitigate the risk of ransomware attacks by providing valuable information from threat intel, training and security audits, to offering more affordable security solutions including discounted software, tools and services.

ISPs specifically can help protect organizations by employing zero-trust security solutions, sandboxing and traffic filtering techniques to uncover and block ransomware threats, he said. And ISPs can help budget restrained institutions by offering affordable backup/recovery and distributed denial of service (DDoS) mitigation services to customers that help minimize the impacts of ransomware attacks.

ThreatLabz expects that encryptionless attacks, targeting of public institutions and RaaS will all continue to ramp up through 2024.

The Zscaler research group also predicts to see more artificial intelligence (AI)-powered attacks and threats to cloud services and additional operating systems or platforms (threat actors have increasingly built ransomware to encrypt files on Linux and ESXi servers, and some have also shown interest in developing ransomware for macOS, the report noted.)