BYOD should stand for bring your own disaster, according to Microsoft ransomware data

Rising number of RaaS baddies drives global attack numbers up 200%


Microsoft research says that 80-90 percent of ransomware attacks over the past year originated from unmanaged devices.

Organizations that welcome a "bring your own device" (BYOD) policy are opening up their networks to serious attacks, because personal devices brought in from home typically lack the security controls a managed corporate machine gets.

That's according to data from Microsoft's latest Digital Defense Report 2023, which also highlights a sharp increase in human-operated ransomware attacks globally, to the tune of more than 200 percent.

How much control does your org have of users' BYOD?

BYOD is a controversial approach to organizational IT. Some take the stance that it can never match the security levels of a fully managed and provisioned approach, while others are more open to the idea in certain cases.

The UK's National Cyber Security Centre (NCSC), for example, offers guidance on how to implement a BYOD policy effectively in the workplace, recognizing the benefits for some users, such as being able to use the IT with which they feel comfortable (and the reduction in overheads for the business).

"Although the conceptual aims of BYOD are an attractive prospect to most organizations, it comes with a conflicting set of security risks and challenges," it says.

Ultimately, the effectiveness of BYOD can be determined by how thoroughly the owner allows their personal device to be managed by the organization and how thoughtfully their employer has weighed the balance of usability against security.

Microsoft itself also offers guidance on how to secure organizations running BYOD policies, not outright discouraging the practice.

Given the high proportion of successful attacks using these unmanaged devices, the latest data will likely rekindle conversations around the suitability of the practice in modern organizations.

Ransomware continues to rise

The threat BYOD presents is compounded by the steep rise in overall ransomware incidents this year; Microsoft says human-operated ransomware attacks are up by more than 200 percent since September 2022.

Human-operated ransomware attacks refer to what many people would consider the "normal" type of ransomware – cybercriminals use manual, sophisticated techniques to break into an organization, elevate their privileges, and launch an attack from the inside.

It differs from commodity ransomware attacks, which Microsoft says are typically automated and rely on spreading mechanisms like those used by viruses and worms, as well as phishing for initial access.

The telemetry of other security outfits has offered mixed insights on the state of ransomware in 2023. Some, like SonicWall's mid-year data, showed a 41 percent decline in attacks since the start of 2023, while others reported increases by a similar rate.

Organizations will welcome one detail in Microsoft's figures: of the vastly increased number of ransomware attack attempts observed between July 2022 and June 2023, the period the data covers, only a small fraction actually succeeded.

Just 2 percent of human-operated attack attempts led to the deployment of ransomware against victims, Microsoft says, adding that strong security policies in organizations offer a highly effective defensive capability to modern ransomware attacks.

Advice to organizations that want to be part of the 98 percent has not changed from that of years gone by: Implement zero trust and least-privilege measures; have effective backups in place; deploy solutions that detect attackers based on known signals and autonomously remediate threats.

Microsoft says attacks are expected to continue growing in 2024, largely due to a rise in known ransomware-as-a-service (RaaS) affiliates.

Most of the human-operated attacks that took place in June 2023 were carried out by a group of 123 known affiliates of RaaS operations, a year-on-year growth rate of 12 percent that shows no signs of slowing.

The strains belonging to the top four RaaS groups – Magniber, LockBit, Hive, and BlackCat – were responsible for nearly two-thirds (65 percent) of all ransomware attacks globally last year. 

Magniber was the most effective of the top four, accounting for more than 20 percent of successful attacks worldwide. It is also the odd one out: the only automated variant in the group, and the only one with no known leak site, a leak site being a typical hallmark of a leading RaaS operation.

Criminals pivot to remote encryption for stealthier attacks

A key trend observed in the activity of ransomware criminals over the past year was a "sharp increase" in remote encryption practices used by human ransomware operators.

A Microsoft spokesperson told us: "Remote encryption is when a computer program encrypts a file on a different computer, and then sends the encrypted file to the original computer. This can happen if one computer on a network is hacked and has access to another computer with the compromised user account(s).

"The encrypted file replaces the original file on the original computer. This can happen without the hacker needing to install any additional software on the original computer. An example of this is when files are encrypted on a shared folder or when files are encrypted during a remote desktop session where the hacker has access to the file system."

Because the victim machine's own system process performs the encryption (the writes arrive over the file share or remote session rather than from malware running locally), Microsoft says process-based remediation on that machine is rendered ineffective: there is no malicious process on the victim host to kill, and the attacker's tooling lives on the compromised device that is doing the encrypting.

"On average 60 percent of human-operated ransomware attacks used remote encryption over the past year. This is a sign of attackers evolving to further minimize their footprint." ®
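Since the victim host runs no malicious process in this scenario, the detection opportunity moves to the file server's share-access audit trail: one remote source, one account, rewriting and deleting many files across many directories in seconds. The Python below is an added example written for this article, not code from Microsoft or The Register. It assumes a file server with network share auditing enabled, emitting events with the same fields as Windows Security event 5145 (source IP, account, share, relative target name, access mask); the log lines, IP addresses, account names, the managed-host inventory used to flag unmanaged (BYOD) sources, and the thresholds are all constructed for illustration and would need tuning per environment.

```python
"""Detection sketch for SMB remote encryption (added example, not from the report)."""
import ntpath
from collections import Counter, defaultdict
from datetime import datetime, timedelta

WRITE_DATA = 0x2      # FILE_WRITE_DATA / FILE_ADD_FILE bit of the access mask
DELETE = 0x10000      # standard DELETE right

# Constructed, simplified rendering of Windows Security event 5145 fields:
# "<timestamp> <event id> <source ip> <account> <share> <relative target> <access mask>"
# Paths are kept space-free so a whitespace split suffices; real 5145 events
# are XML and should be parsed as such. jdoe is normal editing; msmith's
# host rewrites files with a ".locked" suffix and deletes the originals.
SAMPLE_LOG = r"""
2023-06-12T09:00:01Z 5145 10.0.5.23 CORP\jdoe \\*\Finance 2023\Q1\budget.xlsx 0x2
2023-06-12T09:04:17Z 5145 10.0.5.23 CORP\jdoe \\*\Finance 2023\Q1\notes.docx 0x2
2023-06-12T09:09:40Z 5145 10.0.5.23 CORP\jdoe \\*\Finance 2023\Q1\budget.xlsx 0x2
2023-06-12T09:15:00Z 5145 192.168.40.7 CORP\msmith \\*\Finance 2023\Q1\budget.xlsx.locked 0x2
2023-06-12T09:15:00Z 5145 192.168.40.7 CORP\msmith \\*\Finance 2023\Q1\budget.xlsx 0x10000
2023-06-12T09:15:01Z 5145 192.168.40.7 CORP\msmith \\*\Finance 2023\Q1\notes.docx.locked 0x2
2023-06-12T09:15:01Z 5145 192.168.40.7 CORP\msmith \\*\Finance 2023\Q1\notes.docx 0x10000
2023-06-12T09:15:03Z 5145 192.168.40.7 CORP\msmith \\*\Finance 2023\Q2\forecast.xlsx.locked 0x2
2023-06-12T09:15:04Z 5145 192.168.40.7 CORP\msmith \\*\Finance 2023\Q2\payroll.csv.locked 0x2
2023-06-12T09:15:06Z 5145 192.168.40.7 CORP\msmith \\*\Finance Audit\2022\report.pdf.locked 0x2
2023-06-12T09:15:07Z 5145 192.168.40.7 CORP\msmith \\*\Finance Audit\2022\ledger.xlsx.locked 0x2
2023-06-12T09:15:09Z 5145 192.168.40.7 CORP\msmith \\*\Finance Legal\contracts\nda.docx.locked 0x2
2023-06-12T09:15:10Z 5145 192.168.40.7 CORP\msmith \\*\Finance Legal\contracts\msa.docx.locked 0x2
"""

# Constructed inventory of managed (MDM-enrolled) hosts; any other source is treated as unmanaged/BYOD.
MANAGED_HOSTS = {"10.0.5.23", "10.0.5.24"}


def parse_log(text):
    """Parse the constructed log lines into event dicts, skipping non-5145 rows."""
    events = []
    for line in text.strip().splitlines():
        ts, event_id, src_ip, account, share, path, mask = line.split()
        if event_id != "5145":
            continue
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src_ip": src_ip,
            "account": account,
            "share": share,
            "path": path,
            "mask": int(mask, 16),
        })
    return events


def detect_remote_encryption(events, managed_hosts, window_seconds=60,
                             min_files=8, min_dirs=3):
    """Flag (source IP, account) pairs that write to or delete many distinct
    files across several directories inside one short window.

    The server's own SMB/NTFS path performs the writes, so the signal is in
    the share audit trail, not in any process on the server. Thresholds are
    placeholders to tune per environment.
    """
    window = timedelta(seconds=window_seconds)
    by_source = defaultdict(list)
    for ev in events:
        if ev["mask"] & (WRITE_DATA | DELETE):
            by_source[(ev["src_ip"], ev["account"])].append(ev)

    alerts = []
    for (src_ip, account), evs in by_source.items():
        evs.sort(key=lambda e: e["ts"])
        best = None
        start = 0
        for end in range(len(evs)):
            # advance the window start so the span never exceeds window_seconds
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            files = {e["path"] for e in span}
            dirs = {ntpath.dirname(e["path"]) for e in span}
            if len(files) < min_files or len(dirs) < min_dirs:
                continue
            if best is None or len(files) > best["files"]:
                # the most common extension among the writes hints at the new suffix
                exts = Counter(ntpath.splitext(e["path"])[1].lower()
                               for e in span if e["mask"] & WRITE_DATA)
                best = {
                    "src_ip": src_ip,
                    "account": account,
                    "unmanaged": src_ip not in managed_hosts,
                    "files": len(files),
                    "dirs": len(dirs),
                    "dominant_ext": exts.most_common(1)[0] if exts else None,
                    "window_start": span[0]["ts"],
                    "window_end": span[-1]["ts"],
                }
        if best:
            alerts.append(best)
    return alerts


def run_sample():
    """Run the detector over the constructed log and return the alerts."""
    return detect_remote_encryption(parse_log(SAMPLE_LOG), MANAGED_HOSTS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the constructed log the detector raises one alert, for the unmanaged host 192.168.40.7 acting as CORP\msmith, touching 10 distinct files in 4 directories within 10 seconds with ".locked" as the dominant written extension, while jdoe's routine edits stay silent. The response this points to is containment of the source device and account (block the session, disable the account, isolate the host), not remediation on the file server, which is exactly why Microsoft's point about process-based remediation matters.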
