Ransomware on the Rise — Again
No cybercrime conversation is complete without the inclusion of ransomware. Dating back to 1989, ransomware gangs have been targeting weak spots in organizations’ ecosystems in an attempt to extract cash and/or inflict reputational damage. Ransomware’s success is tied to tried-and-true tactics that far pre-date the internet, and as long as criminals can exploit system or human weaknesses, ransomware attacks will continue. They’re — generally speaking — too easy to execute and too profitable to give up.
This article will look at some of the recent ransomware news and explore what layers end users can add to their cyber arsenal to prevent ransomware from propagating.
Ransomware is a constant concern for businesses. According to AAG, more than 623 million ransomware attacks were detected or executed in 2021. Over the last five years, ransomware has increased by 13%. The 2023 Verizon Data Breach Investigations Report (DBIR) shows that ransomware persists as a top attack tactic, accounting for 24% of breaches globally, and is present in 15.5% of reported incidents. If this isn’t enough data to convince you, I don’t know what is.
What’s so concerning about ransomware is that a lot of businesses still think it’s a social engineering problem — just tell employees not to click on suspicious links or attachments and that will solve your problems. Unfortunately, no amount of employee awareness is going to save your company from ransomware (or any other exploit attempt, really). It is a fact of corporate life that links need to be clicked and attachments need to be opened. The vast majority are safe, and the malicious ones can be hard to spot.
Ransomware, like any other cyber attack type, requires a multi-layered approach, and one that starts with access control and zero trust policies. It seems simple enough, yet, in the last few weeks, we’ve seen a New York state hospital fined $450,000 USD for spotty security that resulted in a ransomware attack; the U.S. Treasury Secretary, Janet Yellen, admit that a ransomware attack on a bank in China “may” have “minimally” affected the Treasury market; Toyota Financial Services confirm systems in Europe and Africa were taken down by a ransomware attack; and both Boeing and Allen and Overy (an international law firm) get hit by Lockbit.[1]
In every one of the incidents listed, as well as almost every cyber attack in the history of cyber attacks, success wasn’t achieved by a single point of failure. An infiltration point is like the start of a scavenger hunt — there are many more steps that need to be taken to finish the activity. And ransomware gangs have both time and motivation on their side.[2] Still, there are steps that can be taken to both prevent ransomware infections and stop the progression of a compromise if a threat actor is able to gain initial access.
Be vigilant with security software: We’ve heard “antivirus is dead” a thousand times in the last decade. But that couldn’t be farther from the truth. Antivirus and anti-malware are not silver bullets, but investing in these tools (and keeping them up to date) will help eliminate the so-called low-hanging fruit of easy access for attackers.
Zone in on zero trust: You’ve heard it from me a zillion times, but a zero trust architecture will stop the progression of an attack, regardless of how it starts. Zero trust’s promise is to provide layered and adaptive protections, including:
Multi-factor authentication (MFA): MFA should be a standard authentication control for all users and all systems, especially critical systems or systems with sensitive and high-risk data.
Advanced access control policies: Least privilege access rights and permissions are a must for users and systems. Allowing only a minimum level of access on your networks will reduce the damage from a successful exploit.
Segment, segment, segment: A wide open network is a big no-no. Implement controls to divide data and systems and conquer unauthorized lateral movement across your networks.
Make sure to monitor: Ensure that deployed network monitoring tools are sufficient for your (undoubtedly) sprawling infrastructure. It’s not useful to monitor only what’s on-prem if a ransomware gang can access your cloud environments and all the juicy data stored there. And vice versa. Assess the network security tools you have deployed (e.g., EDR/MDR/NDR, endpoint controls, NTA, IPS/IDS, etc.), regularly check (and tune) policies, analyze the data, and use it to quickly identify and eradicate bad network behavior.
Fix that hole in the bucket, dear Liza[3]: Unpatched software and systems are a beacon to threat actors. Savvy criminals will take advantage of lapses in patching, especially when a known vulnerability has been hanging around.
Further, please encrypt your data. This is what ransomware gangs are after, after all, so take away the “prize.” The latest attack on identity provider Okta is the reminder that, when important files are stored in the clear, they will be weaponized.
When in doubt, back it up: Regularly back up your important data to an external drive or secure cloud service. If the worst happens, you won’t be held hostage for your own information and can recover quickly, decreasing downtime and reducing the cost of an incident.
A layered defense is the key to preventing and dealing with ransomware. OK, maybe an attacker is able to steal an employee’s credentials. Sadly, it happens. The attack can be stopped with deployed MFA and strict access controls. OK, they manage to circumvent access. They are skilled and sneaky. If your files are encrypted, the attacker can’t know if they’re valuable, a decoy, or just gibberish.
Harden your systems at each layer to avoid costly and disruptive incidents. It’s unlikely that we’ll see a decline in ransomware over time, especially if security fundamentals continue to receive less love than the new-and-exciting tech making security headlines. Attend to your basics to best your attackers. Then go worry about that fancy, new zero day.
[1] These articles are written in advance, so don’t @ me if there’s a bigger ransomware story in the gap between writing and publishing.
[2] Admittedly, though, several ransomware gangs have made ridiculous gaffes lately, including BlackCat/Alphv, which didn’t appear to actually infiltrate Dragos’ systems. The same group then tried to report another “victim” to the SEC, days ahead of the official requirement.