On June 30, 2023, Bloomberg reported that the cybercriminal group known as ALPHV or BlackCat had breached one of the UK's largest hospital groups and was threatening to publish its confidential data. This was not an isolated case.
The number of such groups is growing, and BlackCat operates under the ransomware-as-a-service (RaaS) model, in which the malware's developers lease it to affiliates who carry out the intrusions. The attacks are destructive and costly. BlackCat ransomware, for example, targets Windows hosts and has been used against a wide range of industries; once running, it encrypts files, terminates specific services and processes, deletes volume shadow copies (to defeat local recovery), drops a ransom note, and more.
According to IBM's Cost of a Data Breach 2022 Report, the share of breaches attributed to ransomware grew 41% over the previous year; ransomware breaches took 49 days longer than average to identify and contain, and cost roughly USD 430,000 more than the average breach.
Among the targeted industries, healthcare was hit especially hard: the same report found that the average cost of a breach in that sector had risen 42% since 2020, giving it the highest average breach cost of any industry.
As ransomware actors step up their activity, proactive assessment of network security controls and their policies becomes an essential part of the defense against these and other attacks. Such assessments need to run continuously, against up-to-date attack scenarios, as part of an organization's normal performance and security validation process, especially when it is expanding its infrastructure or workloads to meet future demand.
Effective testing strategies against ransomware attacks
To help organizations keep their network security controls and infrastructure safe in this era of ransomware, Spirent offers CyberFlood, a test solution for quickly assessing and validating the performance, scalability, and security effectiveness of networks and security devices across on-prem, cloud, and hybrid deployments.
A key component of the CyberFlood test solution is TestCloud, with thousands of ready-to-run performance and security scenarios covering a wide range of current applications, malware, and attacks. With it, users can mix non-malicious and malicious traffic and layer attacker-style evasion techniques onto the malicious traffic to put their security controls to the test.
For example, a healthcare organization that wants to validate its firewall against the latest malware, including BlackCat ransomware, can use CyberFlood CyberThreat Assessment to check the firewall's security policies against a selected list of malware samples, with and without evasion techniques.
Sample Spirent CyberThreat Assessment with Recent Ransomware Malware
The following summary shows the CyberThreat Assessment of the firewall with a list of malware (this is a sample only):
Once the security efficacy of the solution has been validated against the latest threat vectors, the next step is to verify its maximum performance.
Most organizations start with an HTTP bandwidth test with no CyberFlood security load and no firewall inspection engine (anti-virus, IPS, etc.) enabled, to baseline raw forwarding performance. Next, they enable the firewall's inspection engines and policies and configure a CyberFlood security load consisting of a list of malware samples, 10 concurrent instances of each, running throughout the sustained-load phase.
Sample NetSecOPEN - Spirent CyberFlood HTTP Traffic and Security Traffic Mix
The following table shows the results for HTTP traffic without and with the security load and firewall inspection engines. In both cases, CyberFlood's GoalSeeking capability was used to find the maximum bandwidth quickly, rather than by stepping the offered load manually.
Once the baseline is established, the same healthcare organization should validate firewall bandwidth with a more realistic traffic mix, one typical of its own network, with security under load. CyberFlood Test Builder lets users mix malicious and non-malicious traffic in the same test.
In the diagram below, for example, the NetSecOPEN - CyberFlood healthcare industry traffic mix is combined with a list of malware to measure the firewall's performance while it forwards a realistic traffic load with its security engines enabled.
Sample NetSecOPEN - Spirent CyberFlood Healthcare and Security Traffic Mix
The NetSecOPEN - CyberFlood healthcare mix consists of (shares sum to 100%):
HTTP1.1: 5%
HTTPS1.1: 28%
QUIC: 8%
Facebook: 6%
Netflix: 2%
iTunes: 2%
Facebook TLS: 10%
MS-SQL: 3%
SMBv2: 36%
The following summary shows the results for the healthcare traffic mix combined with the security mix under load.
This last result shows that the firewall sustained 770 Mb/s of the healthcare traffic mix while blocking 10 concurrent instances of each detected malware sample throughout the sustained-load period. These results were obtained with a low-end next-generation firewall (NGFW), so the figure itself is specific to that device and this mix; the methodology, however, lets any organization right-size its firewalls for its own network, confirm performance and Quality of Experience (QoE) for its applications, and validate security effectiveness against the latest threat vectors, including ransomware.
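The three-step procedure above (baseline goal seek, goal seek with inspection enabled, then the traffic-mix split) can be expressed as a small harness. The following is an added example, not Spirent or CyberFlood code: the goal seek is an ordinary bisection over offered load with a loss criterion, and the device under test is replaced by a hypothetical stand-in model (an assumption, so the search runs offline). In a real setup the measure() callback would drive the traffic generator at the requested rate, hold it for the sustain period, and return the forwarded rate read back from the generator's counters. The 1 Gb/s capacity and 23% inspection overhead used in the demonstration run are assumed figures chosen so the result lands near the page's 770 Mb/s.

```python
"""Goal-seeking search for the highest sustainable offered load against a
stand-in device under test (DUT). Added example; not Spirent/CyberFlood code."""
from dataclasses import dataclass
from typing import Callable, Dict

# Healthcare traffic mix from the page, as percentages of the offered load.
HEALTHCARE_MIX: Dict[str, float] = {
    "HTTP1.1": 5, "HTTPS1.1": 28, "QUIC": 8, "Facebook": 6, "Netflix": 2,
    "iTunes": 2, "Facebook TLS": 10, "MS-SQL": 3, "SMBv2": 36,
}


@dataclass(frozen=True)
class Trial:
    """One sustained-load trial at a fixed offered rate (Mb/s)."""
    offered_mbps: float
    forwarded_mbps: float

    @property
    def loss_pct(self) -> float:
        if self.offered_mbps == 0:
            return 0.0
        return 100.0 * (self.offered_mbps - self.forwarded_mbps) / self.offered_mbps


Measure = Callable[[float], Trial]


def goal_seek(measure: Measure, lo_mbps: float, hi_mbps: float,
              max_loss_pct: float = 0.0, resolution_mbps: float = 1.0) -> float:
    """Bisect the offered load between lo (must pass) and hi until the highest
    passing rate is known to within resolution_mbps. A trial passes when its
    loss does not exceed max_loss_pct; 0.0 is the RFC 2544-style zero-loss
    throughput criterion."""
    if measure(hi_mbps).loss_pct <= max_loss_pct:
        # The DUT is not the bottleneck at the ceiling; raise hi before trusting this.
        return hi_mbps
    if measure(lo_mbps).loss_pct > max_loss_pct:
        raise ValueError(f"lower bound {lo_mbps} Mb/s already fails the loss criterion")
    while hi_mbps - lo_mbps > resolution_mbps:
        mid = (lo_mbps + hi_mbps) / 2
        if measure(mid).loss_pct <= max_loss_pct:
            lo_mbps = mid   # passed: the answer is at or above mid
        else:
            hi_mbps = mid   # failed: the answer is below mid
    return lo_mbps          # highest rate that passed


def make_dut_model(capacity_mbps: float, inspection_overhead: float = 0.0) -> Measure:
    """Hypothetical firewall stand-in (assumption): forwards everything up to an
    effective capacity and drops the excess. inspection_overhead is the fraction
    of capacity lost when inspection engines are enabled."""
    effective = capacity_mbps * (1.0 - inspection_overhead)

    def measure(offered_mbps: float) -> Trial:
        return Trial(offered_mbps, min(offered_mbps, effective))

    return measure


def mix_breakdown(total_mbps: float, mix: Dict[str, float]) -> Dict[str, float]:
    """Split a sustained rate across the applications of a traffic mix."""
    if abs(sum(mix.values()) - 100.0) > 1e-9:
        raise ValueError("traffic mix percentages must sum to 100")
    return {app: total_mbps * pct / 100.0 for app, pct in mix.items()}


def two_phase_test(baseline_measure: Measure, secured_measure: Measure,
                   ceiling_mbps: float) -> Dict[str, float]:
    """Baseline (inspection off) and security-load (inspection on) goal seeks,
    plus the relative throughput cost of enabling inspection."""
    baseline = goal_seek(baseline_measure, 0.0, ceiling_mbps)
    secured = goal_seek(secured_measure, 0.0, ceiling_mbps)
    return {
        "baseline_mbps": baseline,
        "secured_mbps": secured,
        "inspection_cost_pct": 100.0 * (baseline - secured) / baseline,
    }


if __name__ == "__main__":
    # Assumed figures: a 1 Gb/s DUT that loses 23% of capacity with inspection on.
    result = two_phase_test(make_dut_model(1000.0), make_dut_model(1000.0, 0.23), 2000.0)
    print(result)
    for app, mbps in mix_breakdown(result["secured_mbps"], HEALTHCARE_MIX).items():
        print(f"{app:>13}: {mbps:7.2f} Mb/s")
```

Two points carry over to real equipment. First, the search only converges to the true ceiling if every trial is held for the full sustain period; a short trial will pass rates that the DUT cannot hold once its inspection queues fill. Second, if the ceiling itself passes, the result says nothing about the DUT: the traffic generator, not the firewall, was the bottleneck, and the test must be rerun with a higher ceiling.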
Ransomware preparedness needs to start with proactive assessment of the security controls responsible for detecting and mitigating these destructive and costly threats.
CyberFlood CyberThreat Assessment provides realistic emulation of recent ransomware, with or without attacker-style evasion techniques, so that security controls can be validated. As of August 2023, CyberFlood TestCloud contains over 1,000 ransomware scenarios, and that list will continue to grow. The solution also provides traffic and security mixes for testing security services under load.
Complex, advanced cyber threats are emerging every day. Learn how Spirent security testing solutions can help assess the performance and security strength of your organization against the latest attacks, including malware and ransomware.