Businesses need to confront the growing threat from targeted ransomware before it’s too late.
2021 has seen a surge of ransomware attacks against targets ranging from international meat producers, oil pipelines, and global technology companies to regional victims like the ferries between Martha’s Vineyard and Nantucket.
Ransom demands are up, and the cost of clean-up has doubled in the last year. The average cost of a ransom situation is 10 times the ransom paid, according to Sophos research. Importantly, the same research indicates that only one in 10 companies that paid the ransom got all of their data back.
Why are we seeing a spike in ransomware activity, who’s behind it, and what can organizations do to reduce the risk of falling victim to one of these attacks?
What we know
Let’s start by defining the problem. Ransomware is a type of malware that typically encrypts files on an organization’s computers and servers. Additionally, the attacker will often export sensitive data from the encrypted systems as a “hostage.” Once the systems have been encrypted, a ransom is demanded, usually in the form of cryptocurrency, in exchange for a decryption key and to prevent the confidential files from being released or sold on the dark web.
Ransomware attacks have spiked for a few reasons.
First, the availability of international cloud infrastructure has grown exponentially, providing crime gangs from across the globe with scalable and standardized environments that can be accessed from anywhere. This makes it possible for them to easily attack organizations within the United States and other countries using sophisticated cybersecurity programs—with little fear of extradition.
Additionally, a growing number of organizations, such as the DarkSide, REvil, and others, franchise their ransomware-as-a-service (RaaS) capabilities to attackers. The attackers are responsible for penetrating the organizations, while the franchisers provide the encryption tools, communications, ransom collection, etc., all for a percentage of the ransom collected. More ominously, the recent U.S. focus on ransomware could lead to even more attention from bad actors.
This RaaS model permits talented hackers to use sophisticated and proven tactics, techniques, and procedures to perpetrate the attack, while outsourcing the commodity infrastructure proven out in several years of ransomware attacks.
The attackers are increasingly targeting critical infrastructure and supply chains: energy, food, transportation, citizen services, healthcare. These organizations have a short window of acceptable downtime and are thus more likely to pay.
And while ransomware started as a source of cash for rank-and-file criminals, nation-state actors and other terrorists have entered the game. They win by inflicting both direct and collateral damage on their targets. This disruption before the ransom is a key outcome; ransom is frosting on the cake.
Covid-related infrastructure changes have laid bare new and unexpected vulnerabilities. Working from home, supply chain re-routing, digitalization of apps, and infection-related staffing shortages have created opportunities for mistakes, delays in maintenance, and “configuration drift” (the polite term for systems not being maintained according to best practices or policies).
Many victimized organizations lack the tools, resources, and expertise to keep up with the growing list of vulnerabilities, attack techniques, and security incidents. For example, the DarkSide attacks exploited “critical” (9 on a scale of 10) vulnerabilities that had been known for more than 90 days.
One way to tackle this backlog is to pay particular attention to what would most appeal to the bad actors—especially essential services supporting customers, employees, products, and services. You also need to think like a criminal by looking for secondary systems that may not themselves house sensitive data or be an obvious target. These systems often provide access to the more desirable targets.
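The two points above (critical vulnerabilities left open for more than 90 days, and the attacker's preference for essential services and for the secondary systems that lead to them) can be turned into a simple triage rule for a patch backlog. The following Python is an added illustration, not code from the article or from any vendor it mentions. The 90-day window and the CVSS 9.0 cut-off are assumptions taken from the article's own DarkSide example; the role labels ("essential", "access-path", "other"), the weights, the asset names and the CVE-style identifiers in the sample inventory are all constructed placeholders.

```python
from dataclasses import dataclass

# Assumed thresholds, taken from the article's example of "critical (9 of 10)"
# vulnerabilities that had been known for more than 90 days when exploited.
CRITICAL_CVSS = 9.0
MAX_AGE_DAYS = 90


@dataclass
class Finding:
    asset: str
    cve: str          # placeholder identifiers in the sample below, not real CVEs
    cvss: float       # CVSS base score, 0-10
    days_known: int   # days since the vulnerability became publicly known
    role: str         # assumed labels: "essential", "access-path", or "other"


def priority_score(f: Finding) -> float:
    """Higher score = patch sooner. Combines severity, whether the finding is
    past the 90-day window, and how appealing the asset is to an attacker."""
    score = f.cvss
    # A severity-9+ flaw known for more than 90 days is exactly the situation
    # the article describes being exploited; weight it heavily.
    if f.cvss >= CRITICAL_CVSS and f.days_known > MAX_AGE_DAYS:
        score += 10.0
    # Essential services are the most appealing targets; "access-path" systems
    # are the secondary systems that provide a route to them (assumed weights).
    role_weight = {"essential": 5.0, "access-path": 3.0}
    score += role_weight.get(f.role, 0.0)
    return score


def triage(findings):
    """Return the findings ordered by priority, highest first."""
    return sorted(findings, key=priority_score, reverse=True)


def overdue_criticals(findings):
    """Findings that breach the assumed 90-day window for CVSS >= 9."""
    return [f for f in findings
            if f.cvss >= CRITICAL_CVSS and f.days_known > MAX_AGE_DAYS]


# Constructed sample inventory; asset names and CVE ids are placeholders.
SAMPLE = [
    Finding("vpn-gateway",   "CVE-XXXX-0001", 9.8, 120, "access-path"),
    Finding("hr-portal",     "CVE-XXXX-0002", 7.5, 200, "other"),
    Finding("billing-db",    "CVE-XXXX-0003", 9.1, 30,  "essential"),
    Finding("print-server",  "CVE-XXXX-0004", 5.3, 400, "other"),
    Finding("ad-controller", "CVE-XXXX-0005", 9.0, 95,  "access-path"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{priority_score(f):5.1f}  {f.asset:14s} {f.cve} "
              f"cvss={f.cvss} age={f.days_known}d role={f.role}")
    print("overdue criticals:", [f.asset for f in overdue_criticals(SAMPLE)])
```

On the sample inventory the two overdue criticals on access-path systems (the VPN gateway and the directory controller) rank above the fresher critical on the billing database, which is the ordering the article argues for: the route in, not just the data store, is what the attacker needs.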
Reduce your exposure
While there are many things that can help protect your organization against ransomware specifically, most experts recommend proactive hygiene, continuous monitoring, and automated response to related and enabling attack elements (like phishing). Beyond ransomware, these efforts will reduce your exposure to an array of malicious attacks (and some human errors). Automation is critical because modern malware attacks move at machine speed. As a result, only machines can keep up.
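As an added example of the "continuous monitoring and automated response" the paragraph recommends, the following Python implements one narrow detector for the behaviour defined at the top of the article: a single process renaming many files to a new extension in a short time, which is how file-encrypting ransomware typically looks on disk. This is illustration code, not from the article or any product it cites. The log line format, the threshold of five extension-changing renames per process within 60 seconds, and the sample events (including the process and host names) are all assumptions constructed for the example; a real deployment would tune the threshold against its own baseline.

```python
import re
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

# Assumed detection thresholds: RENAME_LIMIT or more extension-changing renames
# by one process on one host within WINDOW_SECONDS raises an alert.
RENAME_LIMIT = 5
WINDOW_SECONDS = 60

# Assumed log format: "<epoch seconds> <host> <process> RENAME <old> -> <new>"
LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) RENAME (\S+) -> (\S+)$")


def extension(path: str) -> str:
    """Return the last extension of a path, lower-cased ('' if none)."""
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect_mass_rename(lines) -> List[dict]:
    """Scan rename events and return one alert per (host, process) that
    exceeds the threshold. Each alert carries a suggested automated
    response; acting on it is left to the caller's playbook."""
    windows: Dict[Tuple[str, str], Deque[Tuple[int, str]]] = defaultdict(deque)
    alerted = set()
    alerts = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than stop the monitor
        ts_str, host, proc, old, new = m.groups()
        ts = int(ts_str)
        if extension(old) == extension(new):
            continue  # ordinary rename that keeps the extension
        key = (host, proc)
        win = windows[key]
        win.append((ts, new))
        # Evict events older than the sliding window.
        while win and ts - win[0][0] > WINDOW_SECONDS:
            win.popleft()
        if len(win) >= RENAME_LIMIT and key not in alerted:
            alerted.add(key)  # alert once per offender, not per file
            alerts.append({
                "host": host,
                "process": proc,
                "count": len(win),
                "first_seen": win[0][0],
                "last_seen": ts,
                "new_extensions": sorted({extension(p) for _, p in win}),
                # Machine-speed response the article calls for: contain first,
                # investigate second.
                "response": ["isolate_host", "terminate_process"],
            })
    return alerts


# Constructed sample events (not real logs). ws-17 shows a burst of renames to
# a new extension; ws-22 shows a user slowly renaming files by hand.
SAMPLE_EVENTS = """\
1000 ws-17 winword.exe RENAME /users/amy/report.docx -> /users/amy/report_v2.docx
1002 ws-17 unknown.exe RENAME /users/amy/q1.xlsx -> /users/amy/q1.xlsx.locked
1002 ws-17 unknown.exe RENAME /users/amy/q2.xlsx -> /users/amy/q2.xlsx.locked
1003 ws-17 unknown.exe RENAME /users/amy/budget.pdf -> /users/amy/budget.pdf.locked
1003 ws-17 unknown.exe RENAME /users/amy/notes.txt -> /users/amy/notes.txt.locked
1004 ws-17 unknown.exe RENAME /users/amy/photo.jpg -> /users/amy/photo.jpg.locked
1005 ws-17 unknown.exe RENAME /users/amy/plan.pptx -> /users/amy/plan.pptx.locked
1100 ws-22 explorer.exe RENAME /users/bob/a.txt -> /users/bob/a.md
1300 ws-22 explorer.exe RENAME /users/bob/b.txt -> /users/bob/b.md
1500 ws-22 explorer.exe RENAME /users/bob/c.txt -> /users/bob/c.md
1700 ws-22 explorer.exe RENAME /users/bob/d.txt -> /users/bob/d.md
1900 ws-22 explorer.exe RENAME /users/bob/e.txt -> /users/bob/e.md
"""

if __name__ == "__main__":
    for alert in detect_mass_rename(SAMPLE_EVENTS.splitlines()):
        print(alert)
```

The same-extension rename on ws-17 and the slow, hand-paced renames on ws-22 produce nothing; the burst on ws-17 alerts after the fifth file, within two seconds of the first rename, which is the point of automating the response: by the time a human reads the alert the rest of the share would already be encrypted.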