BYOD Should Stand For Bring Your Own Disaster, According To Microsoft Ransomware Data

Microsoft research says that 80-90 percent of ransomware attacks over the past year originated from unmanaged devices.

Organizations that welcome a "bring your own device" (BYOD) policy are opening up their networks to serious attacks due to personal devices brought in from home typically lacking adequate security measures.

That's according to data from Microsoft's latest Digital Defense Report 2023, which also highlights a sharp increase in global attacks to the tune of more than 200 percent.

How much control does your org have of users' BYOD?

BYOD is a controversial approach to organizational IT. Some take the stance that it can never match the security levels of a fully managed and provisioned approach, while others are more open to the idea in certain cases.

The UK's National Cyber Security Centre (NCSC), for example, offers guidance on how to effectively implement a BYOD policy in the workplace, recognizing the benefits for some users, such as being able to use the IT with which they feel comfortable (and the reduction in overheads for the business.)

"Although the conceptual aims of BYOD are an attractive prospect to most organizations, it comes with a conflicting set of security risks and challenges," it says.

Ultimately, the effectiveness of BYOD can be determined by how thoroughly the owner allows their personal device to be managed by the organization and how thoughtfully their employer has weighed the balance of usability against security.

Microsoft itself also offers guidance on how to secure organizations running BYOD policies, not outright discouraging the practice.

Given the high proportion of successful attacks using these unmanaged devices, the latest data will likely rekindle conversations around the suitability of the practice in modern organizations.

Ransomware continues to rise

The threat BYOD presents is compounded by the steep rise in overall ransomware incidents this year; Microsoft says human-operated ransomware attacks are up by more than 200 percent since September 2022.

Human-operated ransomware attacks refer to what many people would consider the "normal" type of ransomware – cybercriminals use manual, sophisticated techniques to break into an organization, elevate their privileges, and launch an attack from the inside.

It differs from commodity ransomware attacks, which Microsoft says are typically automated and rely on spreading mechanisms like those used by viruses and worms, as well as phishing for initial access.

The telemetry of other security outfits has offered mixed insights on the state of ransomware in 2023. Some, like SonicWall's mid-year data, showed a 41 percent decline in attacks since the start of 2023, while others reported increases by a similar rate.

Organizations will welcome the news from Microsoft that of these vastly increased ransomware attack attempts between July 2022 and June 2023, the period in which Microsoft's data was pulled, the success of these is low.

• Lorenz ransomware crew bungles blackmail blueprint by leaking two years of contacts
• Red Cross lays down hacktivism law as Ukraine war rages on
• Feds hopelessly behind the times on ransomware trends in alert to industry
• Security researchers believe mass exploitation attempts against WS_FTP have begun

Just 2 percent of human-operated attack attempts led to the deployment of ransomware against victims, Microsoft says, adding that strong security policies in organizations offer a highly effective defensive capability to modern ransomware attacks.

Advice to organizations that want to be part of the 98 percent has not changed from that of years gone by: Implement zero trust and least-privilege measures; have effective backups in place; deploy solutions that detect attackers based on known signals and autonomously remediate threats.

Microsoft says attacks are expected to continue growing in 2024, largely due to a rise in known ransomware-as-a-service (RaaS) affiliates.

Most of the human-operated attacks that took place in June 2023 were carried out by a group of 123 known affiliates to RaaS groups – a year-on-year growth rate of 12 percent that shows no signs of slowing.

The strains belonging to the top four RaaS groups – Magniber, LockBit, Hive, and BlackCat – were responsible for nearly two-thirds (65 percent) of all ransomware attacks globally last year. 

Magniber was the most effective of the top four, accounting for more than 20 percent of successful attacks worldwide. It's also the only automated variant in the group with no known leak site – a typical hallmark of a leading RaaS organization.

Criminals pivot to remote encryption for stealthier attacks

A key trend observed in the activity of ransomware criminals over the past year was a "sharp increase" in remote encryption practices used by human ransomware operators.

A Microsoft spokesperson told us: "Remote encryption is when a computer program encrypts a file on a different computer, and then sends the encrypted file to the original computer. This can happen if one computer on a network is hacked and has access to another computer with the compromised user account(s).

"The encrypted file replaces the original file on the original computer. This can happen without the hacker needing to install any additional software on the original computer. An example of this is when files are encrypted on a shared folder or when files are encrypted during a remote desktop session where the hacker has access to the file system."

With the system process doing the encryption, Microsoft says process-based remediation of the attack is then rendered ineffective.

"On average 60 percent of human-operated ransomware attacks used remote encryption over the past year. This is a sign of attackers evolving to further minimize their footprint." ®