The basics of fending off ransomware attacks

Oct. 4, 2021
An alarming fact about ransomware victims is that a lot of them don’t fix the vulnerability that was exploited in the attack

Ransomware, which has been a steady scourge for business and government organizations for about a decade, is now evolving into an even bigger, more insidious threat as attacks become more common, sophisticated and potentially expensive for victims. Criminal organizations and state-sponsored actors raised the stakes over the past year, targeting high-profile organizations, increasing the size of ransom demands and raising the specter of serious damage, while adding new wrinkles into their methods of coercing victims to pay up.

Are organizations prepared for ransomware attacks going to the next level? Even those that so far have avoided or successfully fended off attacks may need to revisit their cybersecurity practices.

O’Reilly Media recently conducted a survey of 950 respondents to answer this very question. The survey found that only 6% of respondents had experienced a ransomware attack directly against the company they worked for, likely because those organizations generally have strong security practices. But the survey also revealed some potential weaknesses. For example, although 70% of those organizations regularly perform backups, only 48% said they practice restoring operations from backups—which is essential to recovering from an attack if organizations follow the FBI’s advice and refuse to pay a ransom.

The threats from ransomware are getting even more serious, and not just in terms of monetary costs. In the first half of 2021, the average ransomware payment rose to $570,000, an increase of 82% from 2020, according to Palo Alto Networks' Unit 42 Ransomware Threat Report. Healthcare organizations also are becoming a more common target, which can put lives in jeopardy if hospitals and clinics can't access patient data. And as recent attacks such as those on Colonial Pipeline and JBS Foods demonstrated, ransomware attacks can also threaten critical infrastructure.

To keep from being caught in the next wave of attacks, businesses and other organizations need to reinforce their cybersecurity postures, starting with basic, thorough cyber hygiene. Paying attention to the basics can make all the difference – not only against ransomware but other forms of cybercrime as well. There are a lot of security tools on the market that can—and do—help, but ultimately good security is a matter of diligence.

Ransomware’s Footprint Expands

Ransomware has become big business since it emerged as a widespread threat around 2012. In its early years, attackers focused on small to mid-size businesses with little or no IT security staff. They gained access to systems, often via phishing, encrypted an organization's data and kept ransom demands small enough that paying was cheaper than remediating the attack.

Like any profitable business, however, it has grown and branched out. These days, some criminal organizations run help desks of a sort, with agents who guide victims through making their payments, typically in bitcoin, and through decrypting their data. Some criminal outfits develop attack tooling and sell it outright, while others offer ransomware as a service: the developers maintain the malware and the payment infrastructure and lease them to affiliates, who carry out the intrusions in exchange for a share of the proceeds. They'll even provide affiliates with a dashboard showing the status of each attack.

Meanwhile, attack techniques have become more sophisticated and specialized, and the size of ransom demands has grown. Some attackers—including groups suspected of being state-sponsored—have abandoned the idea of operating under the radar while going after high-profile targets.

In addition to the established tactic of encrypting data and demanding ransom, attackers are employing other methods to make victims pay. A notable and increasingly common tactic is double extortion: while encrypting the data, attackers also steal confidential information and threaten to publish it, which could expose organizations to breach-notification obligations and penalties under data privacy laws like GDPR or CCPA. The FBI recommends that victims refuse to pay a ransom, not least because paying only helps perpetuate ransomware's profitability. But organizations facing the threat of publication, especially in light of potential privacy law violations, may ultimately decide to pay anyway, even though paying buys nothing more than a criminal's promise to delete the stolen copy.

The widespread use of mobile devices and cloud infrastructure has also created new avenues for cybercriminals to compromise credentials and gain the access needed for a ransomware attack, which is yet another advantage to attackers.

The Foundations of Good Security

Attacks may have grown more sophisticated, but the most effective way to defend against ransomware—or any other type of attack, for that matter—is still to focus on the essentials of security. Organizations need to recognize the layers required for good cyber hygiene—and accept the fact that bolstering them is going to take work. Good security isn’t easy, but it is necessary. Automation can help with some functions, but you can’t really automate cybersecurity.

Authentication. Passwords are so common that their importance can sometimes be overlooked. Employees must not use trivial passwords, and they should never share them. Beyond that, two-factor authentication must be a strict practice, not just a policy. Too many organizations have two-factor capability but don't require their people to use it. In O'Reilly's survey, 76% of respondents said that their company uses two-factor or multi-factor authentication, while nearly a quarter said they weren't using it or weren't sure.

Train Users. Organizations must make their users aware of phishing and other tactics, training them not to click links in email (type the URL instead) or open attachments, even when the message seems to come from a trusted source.

Backups in Practice. Being able to restore from backups is critical to surviving a ransomware attack and limiting the damage. Organizations can't just rely on cloud storage, because ransomware that holds a victim's credentials can reach and encrypt cloud-synced copies just as easily as local ones. They need to back up data to physical drives, and then keep those drives offline whenever a backup is not in progress, so the backup is out of reach when the attack comes. And critically, they have to test the process of restoring systems from their backups to know that it works. Seventy percent of the survey respondents said their companies perform regular backups, but only 48% test them. Being able to restore from backups gives you the wherewithal to refuse to pay a ransom, but if the restore doesn't work, you don't really have other options. Testing the restoration process also trains staff on what to do when a real crisis strikes.
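A restore test is only meaningful if it proves, file by file, that what came back matches what was backed up. The script below is an added example written for this article, not the author's or any product's code. It builds a small constructed data directory, archives it to a tar file that stands in for an offline backup drive, simulates the live copies being encrypted, restores the archive into a clean directory and checks every restored file against a SHA-256 manifest written at backup time. The file names, contents and manifest format are assumptions made for the demo.

```python
"""Backup-and-restore drill: prove the backup can actually be restored."""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path

# Constructed sample data standing in for a real file share.
SAMPLE_FILES = {
    "docs/report.txt": b"Q3 report: revenue up 4%, churn flat.\n" * 20,
    "db/customers.csv": b"id,name,plan\n1,ACME,gold\n2,Globex,silver\n",
    "config/app.ini": b"[server]\nport=8443\ntls=required\n",
}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map relative path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def backup(source: Path, archive: Path) -> dict[str, str]:
    """Archive source together with a manifest of its checksums."""
    manifest = build_manifest(source)
    manifest_path = archive.parent / "manifest.json"
    manifest_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    with tarfile.open(str(archive), "w:gz") as tar:
        tar.add(str(source), arcname="data")
        tar.add(str(manifest_path), arcname="manifest.json")
    return manifest


def restore(archive: Path, target: Path) -> tuple[Path, dict[str, str]]:
    """Extract the archive. The manifest is read from the archive itself, so
    verification never depends on the (possibly encrypted) live system."""
    with tarfile.open(str(archive), "r:gz") as tar:
        # The "data" filter (Python 3.12+, backported to older 3.x releases)
        # rejects absolute paths and ".." traversal from a tampered archive.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(str(target), **kwargs)
    manifest = json.loads((target / "manifest.json").read_text())
    return target / "data", manifest


def verify_restore(restored: Path, manifest: dict[str, str]) -> tuple[bool, list[str]]:
    """Compare the restored tree against the manifest and list every discrepancy."""
    actual = build_manifest(restored)
    problems = [f"missing: {rel}" for rel in manifest if rel not in actual]
    problems += [f"checksum mismatch: {rel}" for rel, digest in manifest.items()
                 if rel in actual and actual[rel] != digest]
    problems += [f"unexpected file: {rel}" for rel in actual if rel not in manifest]
    return not problems, problems


def run_drill(simulate_bad_restore: bool = False) -> dict:
    """Full drill: back up, lose the originals, restore, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source = root / "share"
        for rel, content in SAMPLE_FILES.items():
            (source / rel).parent.mkdir(parents=True, exist_ok=True)
            (source / rel).write_bytes(content)
        archive = root / "offline_drive" / "share.tar.gz"
        archive.parent.mkdir()
        backup(source, archive)
        # Ransomware strikes: every live file is overwritten (simulated with a
        # marker string) and the originals are gone for good.
        for p in source.rglob("*"):
            if p.is_file():
                p.write_bytes(b"<encrypted by constructed ransomware>")
        restored, manifest = restore(archive, root / "restore")
        if simulate_bad_restore:  # e.g. an interrupted restore job
            (restored / "db" / "customers.csv").unlink()
        ok, problems = verify_restore(restored, manifest)
        return {"ok": ok, "problems": problems, "files": len(manifest)}


if __name__ == "__main__":
    print(run_drill())
    print(run_drill(simulate_bad_restore=True))
```

The point of the drill is the last step: a backup job that reports success tells you nothing about whether the data can be brought back, while a manifest comparison after a real restore does. Run it against a copy of the offline drive, not the production share, so the exercise itself cannot damage anything.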

Update and Patch. Unpatched software is as common as weak passwords in the enterprise, and it has been a common source of breaches. Microsoft had issued a patch (MS17-010, in March 2017) for the SMB vulnerability exploited by the WannaCry ransomware two months before it struck in May 2017, but a lot of companies and individuals hadn't installed it. The worm encrypted hundreds of thousands of computers in 150 countries in a matter of hours. Organizations should keep software, including operating systems and browsers, up to date. Again, many companies are aware of the need (79% in the survey said their companies had processes for updating critical software), but the proof is in actually applying updates regularly and promptly.

Least Privilege. Making sure users don't have permissions they don't need limits how far an attack can spread. The same principle applies to software and hardware, as part of a "defense in depth" strategy. Software services need to communicate with each other, but they should have to authenticate themselves and should be limited to making appropriate requests. Systems and networks need to be segmented, whether they're physical or virtual: an attack that enters through a finance system shouldn't be able to spread to HR, or vice versa.

IAM and Zero Trust. Least-privilege policies are the foundation of Identity and Access Management, which gives an organization visibility into and control over the human and non-human identities on its network. Many organizations are moving toward a zero trust model, which assumes the network is hostile and continuously verifies users, devices and network flows rather than trusting anything because of where it sits on the network.

Measure Entropy. Ordinary files, whether plain text or typical document formats, are highly structured, so their byte values are unevenly distributed and their entropy is low. Encrypted files are, by design, statistically indistinguishable from random data, with entropy close to the maximum of 8 bits per byte. The difference is easy to measure, and quite a few products can detect and stop a ransomware attack on desktop and laptop systems by watching for a process that rapidly rewrites files as high-entropy data. One caveat: compressed formats such as zip archives, JPEG images and video are also high-entropy, so entropy alone produces false positives and is usually combined with other signals, such as file renames, write rates and canary files.
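The measurement itself is a few lines of code; the hard part is the false positives and the evasions. The following is an added example written for this article, not the author's or any product's code. It computes Shannon entropy per byte, classifies a constructed invoice document, the same document after encryption, a gzip-compressed copy and a copy in which only the first half is encrypted. The document text, the SHA-256-keystream toy cipher used to produce ciphertext offline, the 7.5-bit threshold and the 1 KB window size are all assumptions made for the demo.

```python
"""Byte-entropy detection of encrypted files, with the false-positive caveat."""
import gzip
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for a constant file, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def max_window_entropy(data: bytes, window: int = 1024) -> float:
    """Highest entropy of any window; catches files encrypted only in part."""
    if not data:
        return 0.0
    return max(shannon_entropy(data[i:i + window])
               for i in range(0, len(data), window))


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Deterministic stream cipher (keystream = SHA-256(key || counter)).
    Present only so the demo has realistic ciphertext; not for real use."""
    stream = bytearray()
    for counter in range(len(plaintext) // 32 + 1):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
    return bytes(p ^ k for p, k in zip(plaintext, stream))


def constructed_document(lines: int = 128) -> bytes:
    """Constructed sample: an invoice listing, ordinary structured ASCII."""
    return "".join(
        f"Invoice {i:05d}: customer ACME-{i % 37:02d}, amount "
        f"{(i * 53) % 1000:4d}.{i % 100:02d} USD, status {'paid' if i % 3 else 'open'}\n"
        for i in range(lines)
    ).encode()


# Containers that are legitimately high-entropy (gzip, zip, JPEG, PNG).
COMPRESSED_MAGIC = (b"\x1f\x8b", b"PK\x03\x04", b"\xff\xd8\xff", b"\x89PNG")
THRESHOLD = 7.5  # bits per byte; assumption, tune on your own file population


def classify(data: bytes, threshold: float = THRESHOLD, window: int = 1024) -> str:
    """Label file content using entropy plus a magic-number allow-list."""
    if data.startswith(COMPRESSED_MAGIC):
        return "compressed"           # high entropy but expected; not a signal
    if shannon_entropy(data) >= threshold:
        return "likely-encrypted"
    if max_window_entropy(data, window) >= threshold:
        return "partially-encrypted"  # the whole-file average hides it
    return "plain"


def demo() -> dict[str, str]:
    """Run the classifier over the four cases a detector has to tell apart."""
    doc = constructed_document()
    ciphertext = toy_encrypt(b"constructed demo key", doc)
    half = len(doc) // 2
    return {
        "plain": classify(doc),
        "encrypted": classify(ciphertext),
        "compressed": classify(gzip.compress(doc, mtime=0)),
        "half_encrypted": classify(ciphertext[:half] + doc[half:]),
    }


if __name__ == "__main__":
    for name, label in demo().items():
        print(f"{name:15s} -> {label}")
```

Two design choices matter. The magic-number check runs first because a compressed container is high-entropy by nature, and a detector that flags every zip or JPEG write will be switched off within a day. The windowed measurement exists because some ransomware encrypts only a fraction of each file precisely to stay under a whole-file threshold; the half-encrypted case above averages out well below 7.5 bits yet is obvious in any 1 KB window. A real product keys these measurements to the process doing the writing and to the rate of writes, not to individual files in isolation.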

Fix What’s Broken. An alarming fact about ransomware victims is that a lot of them don’t fix the vulnerability that was exploited in the attack. But it’s not like being hit with ransomware builds up any viral immunity. The vulnerability still remains, and a few months after the first attack they’re sometimes hit again, via the same vulnerability and often by the same attacker. A ransomware attack is also a warning of future attacks. Regardless of whether an organization pays the ransom, it must find the exploited vulnerability and close it.

Bottom Line: Be Prepared

Ransomware isn’t going away any time soon as a preferred method of attack. It’s too profitable a business for cybercriminals who remain cloaked by the anonymity provided by the internet. As the O’Reilly survey shows, many organizations are practicing some of the basic steps involved in cybersecurity. But they need to be sure they have all of their bases covered in order to avoid becoming the next victim.

About the author:
Mike Loukides is Vice President of Emerging Tech Content at O'Reilly Media, Inc. He's particularly interested in programming languages, Unix and what passes for Unix these days, and system and network administration. Mike is the author of System Performance Tuning and a coauthor of Unix Power Tools. Most recently, he's been writing about data and artificial intelligence, ethics and the future of programming. He's also a pianist, a ham radio operator and a lover of birds.
