[MUSIC PLAYING] Welcome to One Identity Resilience, Deconstructing a Ransomware Attack. My name is Stacey Blanchard. I am the sales engineering director for One Identity in our North America territory. And today, as I mentioned, I will be deconstructing a ransomware attack. We'll cover topics such as what is ransomware and how does it differ from other types of breaches, who's responsible for these types of breaches, and how do they achieve what they do. We'll break down the parts to a ransomware attack and how devastating they can be.
And woven throughout, we'll share tips for how to prevent this from happening to you and your organization, and what measures to have in place to best move forward when it does happen to you. What is ransomware? So what elements make it different from a historical breach? Not only are these hackers using, selling, or leaking your data or credentials, they've upped the ante and have found ways to make hacking even more lucrative.
It's a business now. Ransomware attacks involve malware designed to encrypt a company's files, making any files or systems that rely on them unusable until the victim pays a sum of money in exchange for the encryption keys required to decrypt. Later, we'll talk about how cyber insurance companies play into this, and also the views of the governments of many countries, including the US and France.
With ransomware, you want to always assume a breach mindset, as you would with any other type of hack, or at least assume that hackers will attempt an attack. The success of that attack will depend on how you prepare and the layers of security you have in place. If the hackers are successful, then the damage that they can inflict will also depend on what measures you've taken. Don't just prepare for prevention, also prepare for recovery. The question is, will you have to pay?
So 44% of all organizations have experienced a data breach in the last 12 months. That's almost half of all organizations. And 51% of those that had a breach had a third-party data breach after overlooking external access privileges. So when you think about this, consider not just your own organization's security, but also those you do business with, so whether contractor, vendor, partner, or supplier, even outsourced parts of your business. Parts of our case study today, you'll see this. You have to make sure that all of the security is in place both internally and externally as well.
And our 45 number, what does that mean? So in 2021 already, by June, $45 million in payments for ransomware have been paid out. That's 6 hacker groups responsible for hacking more than 290 enterprises so far in 2021. And of those, as of June, this $45 million number has been paid out in ransom. So here we have a chart, as you can see, of the ransomware attacks so far in 2021 and the industries that have been hit by ransomware this year. So as you can see, government is leading-- and this is throughout the world, government, state, local, and national governments, and then health care, technology, manufacturing.
Listen, what you can get from this, the basics, is that no one is safe. Everyone is potentially a victim. Anybody who has sensitive data, a reputation to uphold, or-- here's a good one-- good insurance or the ability to pay out ransom. And here we look at year over year, month by month, the comparison. So the blue you're seeing here is in 2020, how many ransomware attacks per month. And the green is in 2021, how many ransomware attacks per month.
So in the beginning of 2021, the numbers are going up. But the US government and others have been fighting back, tracking bitcoin payments, uncovering both the hacking groups and even the encryption keys that they use. Additionally, there have been discussions regarding fining companies who pay the ransom. So you see in August and September the numbers starting to drop compared to last year.
So what does that coincide with? It's the fact that several well-known ransomware organizations have gone to ground or closed up shop completely over the last few months. But that doesn't mean they're gone forever or others won't sprout up in the void that they leave. Here on this slide, you'll see the 10 biggest ransomware attacks that made headlines in just the first half of 2021. Some of these attacks you'll certainly recognize from the news, others may be a surprise to you.
The most public and sweeping impacts in the United States were felt by the Colonial Pipeline attack and JBS Foods. These impacts were felt in the supply chain and all the way to the consumer to you. Colonial Pipeline was hacked by the DarkSide gang. This hack sent people on the East Coast of the US buying out gas stations and gas prices being driven up to ridiculous heights. Then DarkSide called it quits after pressures from the US government following this attack, but not before Colonial Pipeline paid out $4.4 million in ransom.
REvil, another organization, was responsible for the JBS Foods hack and at least two major computer manufacturers that you see here on this slide. REvil, otherwise known as Ransomware Evil, is a Russia-based, or at least Russian-speaking, private ransomware-as-a-service operation. After an attack, REvil would threaten to publish the information on their page, Happy Blog, unless the ransom was received. And JBS Foods paid them $11 million in ransom.
In another high-profile case, REvil attacked a supplier of the tech giant Apple-- this was Quanta Computer you see here-- and stole confidential schematics of their upcoming products. So remember that in the supply chain, that matters too. And REvil is said to have brought in at least $100 million in ransom in 2020. Other logos you're likely familiar with on this slide, so the NBA. Kia Motors, that's the black one on the far right of the slide.
And for the purposes of our discussion today, we're going to focus on that one right in the middle. It is AXA, an insurance company headquartered in Europe. So have you heard that song by Alanis Morissette, "Isn't It Ironic?" I chose this ransomware attack to focus on due to the irony of this attack. This May, the European insurance company AXA was attacked by the Avaddon gang. This Russia-based hacker group had been active for about a year and was offering ransomware as a service.
That's right, they create the malware, and then offer it to other criminals as a service. It's getting really, really smart here. The attack happened soon after the company announced important changes to their insurance policy. So what do you think those changes were? Essentially, AXA stated they would stop reimbursing many of their clients for ransomware payments in France. So you could see how this stance would threaten the hacker groups, as companies would be unable or unwilling to pay the ransom required.
This unique and somewhat ironic attack on a cyber insurance firm made headlines. And the hacker group gained access to a massive three terabytes of data. They accessed AXA's networks in the Azure Assistance Division. So this was data being processed by Inter Partners Asia and Thailand. It was a third-party partner, so not even internal AXA. The AXA group warning you see here was taken straight from the Avaddon ransomware gang's website on the dark web.
They gave them 248 hours to start negotiations, about 10 days. After that time elapsed, they threatened to start leaking data, such as customer medical reports, customer claims, ID cards, and bank account information, also hospital and doctor reserved materials, such as private investigation information and ID cards of the doctors. They also threatened a distributed denial of service attack on AXA Group's website.
So let's deconstruct. First, how do they break in? So two ways really, only two you have to worry about. The first is leveraging human beings, so social engineering, email phishing, or even watering hole attacks. That's when they will use a site that your organization frequents, like the lunch spot down the street that everybody's going to order from. In addition to that, the second way is by attacking internet-accessible services, so anything that's internet facing.
You can see here, 74% of organizations breached within the last year said that the exposure originated from granting too much privileged access to third parties. So just like we heard about from AXA, third parties, again, a problem, especially with internet-facing assets. So you really need to think about your digital footprint. You must understand it. Do you even know all of these services and systems that are internet-facing? Are there developers standing up virtual machines in AWS that you aren't even aware of?
And also, think about patching, right? Patching and authentication for internet-facing systems must be top-notch. So we need to think about privileged access management solutions in order to help combat both social engineering and attacks on internet-facing assets. The first way to do that is that no one knows the password to their privileged accounts. Vault them up. Require them to check them out when they need to use them. Even better, require multifactor, not just for your regular user accounts, but also for your privileged accounts.
And finally, make sure that you're using secure remote access technology. So those third parties that need to be coming into your systems, they need to be doing so in a secure manner using a privileged access management solution. Other things you should be doing as well: patch-- patch, patch, patch, especially externally-facing systems-- and employee and third-party training. So credible controls and less gullible employees.
So what do they do next? Once they are in, they're going to escalate privilege and move laterally throughout your organization. When activated, the Avaddon malware first checks the target system's keyboard and language settings to verify it is not located in the Commonwealth of Independent States of Eurasia. This is basically Russia and a bunch of other post-Soviet nations that have formed together. So if the attack is not within those areas, then the attack will continue. If it is within the area, it will cease automatically.
So ways to combat this portion of the attack. With a privileged access management solution, you can put together a zero trust mindset so elevation of privilege is only allowed when needed. You won't have systems or accounts within your environment that can elevate on demand, so the hackers can't use those accounts. In addition to that, you want to rotate passwords all the time. And finally, you want session management technologies so you can protect certain sensitive data. Systems that host this data should be protected behind another layer of session management technology.
And finally, the gut punch. So once they're in, what are they going to do? They've elevated privilege already. Now they're going to really deliver that gut punch. And that is copying your data out, encrypting the data in place, and then even this big denial of service attack on your websites: pay up or public data leak, basically. So the ransomware that Avaddon used is unique and uses a strong AES-256 encryption key. The stolen data is published on an underground data leak site if the victims don't pay. The average ransom demand is $40,000 US in bitcoin.
So this denial of service, you may not have heard of this before with a ransomware attack. But this is a way to invoke extra leverage. So the Avaddon ransomware gang first announced in January of 2021 that they would launch distributed denial of service attacks to take down victim sites or web networks until they reach out and begin negotiating to pay the ransom. As you can see from the screenshot here, that's exactly what happened when AXA failed to begin negotiations after the allotted time.
So it's unknown at this point whether AXA paid the ransom or not. Ways to combat this portion, the real gut punch portion, you want to make sure that you have systems in place that you're going to know if anomalous activity begins to occur on your network, so things like file transfer commands are being run that aren't normally run, either by that account or from that system, large chunks of data being copied out. Also, you want step up authentication in place for any system or any command that could deliver this kind of impact to you. And finally, logging and alerting, very important to know what's going on in your environment and, most importantly, what's different from normal activity in your environment.
So what you choose not to do is as important as what you do. And after all of that, in June, Avaddon closed up shop. Bleeping Computer revealed that they had released more than 2,000 decryption keys to the technology news site. So we can roughly break down the analysis you need to take of your security operations as such. First, number one, how easy is it to break into your environment? So think about the analogy of a locked car on the street. A hacker like this who's just doing it for the money is going to find the easy break-in. So if your security is in place and there's an unlocked car right next to yours or a few down from yours, they're going to break into that car. So lock your car; put those measures in place.
It's different from a nation-state attack that is malicious in nature. These guys just want the money. They just want to do it for the ransom. So second, once in, how difficult is it for the attacker to escalate privilege, move laterally, and get access to critical data and systems? So you can equate this in the locked car, unlocked car scenario to: do you have your garage door opener or your purse in the car? Once they're in, how easy is it going to be for them to leverage damage against you?
And then third, have you identified your key and critical data, and do you have a handle on how easy it would be to exfiltrate this data without detection? So back to the car, do you have your car alarm on? Is it going to go off as soon as somebody breaks in? Do you have motion sensor cameras outside the front of your house so you can see who broke in or sense that somebody has broken into your car? And number four, finally, how confident are you in your backup strategy? Is it a quick and effective restore? Make sure your backups are in place.
And the preparation, what do you need to do beyond a multilayer PAM approach? How easily can you restore your data? So for backups, you want redundant backups for critical data that are stored both online and offline. For authentication, you want to make sure you have multifactor with strong passwords.
And educate your employees about reusing passwords, particularly from social networking sites. Those are much easier to hack. So for example, don't use the same password on your Facebook site as you use for your corporate credentials or, even worse, for some privileged account that you're using. And monitor the publication of compromised VPN login credentials. And finally, patch, patch, patch-- I could say it over and over and over-- patch again.
I hope you got a lot out of this information which I've shared with you and that you'll be better positioned to prepare, prevent, and recover from ransomware and other cybersecurity attacks in the future. Please feel free to use the Q&A and to ask anything you'd like to me or my colleagues to answer. And I wanted to thank our sponsors and you, our customers and partners, for tuning in today. Thank you.
[MUSIC PLAYING]
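The "know what's different from normal" advice in the gut-punch section (file transfer commands an account does not normally run, commands from unfamiliar hosts, and large chunks of data copied out) can be turned into a simple baseline-deviation check. The example below is added here and is not One Identity's code or anything from the webinar; the log format, the accounts and hosts, the list of transfer tools, and the 3-sigma threshold are all constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log lines (assumed format): timestamp account host command bytes_out
BASELINE_LOG = """\
2021-05-01T09:00:00 svc-backup db01 rsync 52000000
2021-05-02T09:00:00 svc-backup db01 rsync 51000000
2021-05-03T09:00:00 svc-backup db01 rsync 53000000
2021-05-01T10:00:00 jdoe ws17 ls 0
2021-05-02T10:00:00 jdoe ws17 git 40000
2021-05-03T10:00:00 jdoe ws17 git 42000
"""
NEW_LOG = """\
2021-05-10T02:13:00 jdoe ws17 rclone 3000000000
2021-05-10T09:05:00 jdoe ws17 git 41000
2021-05-10T09:00:00 svc-backup db01 rsync 52500000
2021-05-10T03:20:00 jdoe fs02 git 41000
"""
# Assumed list of tools that move bulk data off a host.
TRANSFER_TOOLS = {"rclone", "scp", "sftp", "curl", "ftp", "rsync", "megasync"}

def parse(log):
    rows = []
    for line in log.splitlines():
        ts, account, host, command, size = line.split()
        rows.append((ts, account, host, command, int(size)))
    return rows

def build_baseline(rows):
    """Per account: commands seen, hosts used, and outbound byte volumes."""
    cmds, hosts, sizes = defaultdict(set), defaultdict(set), defaultdict(list)
    for _, account, host, command, size in rows:
        cmds[account].add(command)
        hosts[account].add(host)
        sizes[account].append(size)
    return cmds, hosts, sizes

def find_anomalies(baseline_rows, new_rows, z_threshold=3.0):
    """Return (ts, account, host, command, reasons) for rows that deviate."""
    cmds, hosts, sizes = build_baseline(baseline_rows)
    findings = []
    for ts, account, host, command, size in new_rows:
        reasons = []
        if command in TRANSFER_TOOLS and command not in cmds[account]:
            reasons.append("transfer tool never used by this account")
        if host not in hosts[account]:
            reasons.append("command run from a host this account has not used")
        hist = sizes[account]
        if len(hist) >= 2 and size > mean(hist) + z_threshold * max(pstdev(hist), 1.0):
            reasons.append("outbound volume far above baseline")
        if reasons:
            findings.append((ts, account, host, command, reasons))
    return findings
```

The routine backup job stays quiet because rsync and its volume are in that account's baseline; the night-time rclone run and the command from an unfamiliar host are what get raised for the step-up authentication and alerting the talk recommends.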