The Rise of Ransomware

The Rise Of Ransomware-As-A-Service: Prevention Is Better Than Cure

The Rise of Ransomware
It is critical to firm up defenses by adding layers of security and air-locking data and other digital assets, but so is changing employee behaviors

The forced adoption of a fully-remote workforce opened Pandora's box for cybersecurity experts. Data transfer was stretched across millions of devices, locations, and nodes and each became a potential access point for hackers. As a result, businesses are expected to face ransomware attacks once every 11 seconds by the end of 2021 – a four-fold increase in the past five years, according to CyberSecurity Ventures. The organization also calculates the total cost of cybercrime is expected to grow to US$10 trillion by 2025.

Technology and business leaders agonize over the right strategic approach to data security. The answer lies in a bold reimagining of cybersecurity and technological innovation – two of The Art of Smart’s four pillars to smarter decision making.

The average attack can cost businesses US$1 million while shutting down operations for five to 10 days. In ransomware-as-a-service (RaaS), cybercriminals have found a lucrative operations model that lowers the technical expertise required. Anyone on the dark web can rent ransomware tools from RaaS gangs. Many even offer to manage negotiations on behalf of those utilizing their tools and the ransom is split among participants.

Instead of casting a wide net, as malicious actors did in the past, some have found going after top company executives to be a more efficient pressure tactic for getting paid. With the corporatization of cybercrime, well-funded criminals find themselves with time, resources and, often, political backing. Going "big-game hunting" is becoming widespread for these syndicates. By creating highly-targeted, sophisticated attacks against large, corporate victims, perpetrators can claim payouts in the several millions of dollars. 

Ransomware: holding data hostage

At its simplest, by penetrating cybersecurity using increasingly sophisticated methods, a ransomware attacker infiltrates a business system, locates sensitive information such as user data and holds it hostage, denying the company access until they pay a ransom. They can do so by encrypting the data or threatening to release it publicly.

With a RaaS model, and the corporatization of cybercrime, the scale and volume of attacks have increased – since RaaS sellers do the hard work of technically creating and designing ransomware. This is a low-effort, low-risk, get-rich-quick activity with a virtually unlimited supply of potential victims.

Over the past year, ransomware allegedly triggered  the first reported death from a cyberattack when hackers seized control of the Duesseldorf University Hospital in Germany. Since then, cybercriminals have hit everything from businesses to healthcare facilities, vaccine manufacturers, schools, and public housing. When public services and critical infrastructure come under threat, failing to pay the ransom seems essential.  

For example, in May, the Colonial Pipeline (an American oil pipeline), found itself the victim of a RaaS attack and, controversially, paid the US$4.4 million ransom demand, on the basis that it was “for the good of the country.”

"Paying the ransom neither guarantees that data will not be leaked, nor the smooth recovery of systems," says Xueyin Peh, Senior Cyber Threat Intelligence Analyst at Digital Shadows, a company that designs digital risk-protection software. After a ransomware attack, the costs of recovering systems can be high.

 Businesses face revenue losses due to system downtime, reputational damage, and customers leaving. In addition, recovery can involve additional costs, such as procuring new equipment and hiring experts to help resume operations.

With the European Union’s General Data Protection Regulation, and other policies, victim organizations must disclose data breaches to a regulatory body and face the likelihood of a high financial penalty. Peh cites the Colonial attack: "The decryptor provided by ransomware group DarkSide was reportedly so slow that the company ended up restoring backups on their own."

Significantly, while 96 percent of victims gain their data back after an attack, according to a recent Sophos report, a third of the data is never recovered. 

An immediate response for an eminent threat

With every subsequent use of RaaS, attackers have become more sophisticated. For most businesses, these attacks are no longer a question of "if" but "when." Phishing attacks and compromised credentials remain the leading "unlocked doors" for data breaches. The best defense is to avoid becoming the victim – prevention is better than cure. This requires creating distance between the malware and the IT systems and data by introducing layers of security.

For Andrew Rose, Resident Chief Information Security Officer at Proofpoint, an American enterprise security firm, these critical layers include phishing detection through email filtering, multi-factor passwordless user authentication, endpoint protection, and network segmentation. "Vitally, firms need immutable, offline backups of data and system builds to rebuild after an attack," he says.

However, most successful cyber attacks target people, not technology. Cybersecurity software leader Bitdefender reports that 93 percent of human risk factors involve employees using old passwords for accounts. “Employees must be thoroughly trained and aware of the potential threat,” warns Rose. Incorporating passwordless authentication technology in a cyber defense plan has been shown to reduce such attacks by 74 percent.

There exists a vast gulf of understanding between attackers and most organizations’ defenders. Bill Santos, President of Cerberus Sentinel, a US-based IT services company, says: "Many organizations don't have a plan in place to detect or shut down hackers and, far too often, the plan starts and stops with the antivirus software."

He suggests a three-step approach. First, run regular penetration tests on your external-facing infrastructure with a strong testing firm. "You are not looking to just ‘check a box’ with this exercise, but rather to get an aggressive assessment of your vulnerabilities. Address them immediately."

Second, offer ongoing training and testing for employees and end-users around sophisticated phishing attacks. "A monthly training, followed by testing, can dramatically reduce the risk of end-user caused events." Finally, scan regularly for potential "sleeping" ransomware. "Ransomware is often deployed within a client for months before being used," he says, meaning that even if backups are used to restore a company’s core data the virus might still be present.

Santos’ parting advice is: "Unless you have strong internal cybersecurity capabilities, bring on an external partner who understands the hacker mindset to help."

Reimagining cybersecurity with granular encryption

Operational expenses, regulatory fines, and ransom demands are not the only costs businesses need to worry about. They also need to factor in data leaks and IP theft resulting from these attacks. The Ponemon Institute, a US-based research firm, studied three recent, large-scale attacks against Fortune 100 companies and found that the ransomware was a smokescreen. Larry Ponemon, the Institute's founder and chairman, says: "These attackers were backed by nation-states."

By implementing traditional castle-and-moat methods of protection, many organizations have played into the hands of cybercriminals. When the gangs can reside anywhere, local law enforcement and regulations do little to deter them.

Nigel Thorpe, Technical Director at SecureAge Technologies, a Singapore-based data security solutions provider, suggests changing the game entirely by building security into the data. "If all data is encrypted before a ransomware attack takes place, it is useless to the cybercriminal. They can't decrypt the data and they can't demand a ransom for data that is already encrypted."

This strategy requires a long-term overhaul of IT security and only works if all data is encrypted – not only at rest, but also in transit and in use on site, on a remote device, or in the cloud.

Though governments globally have begun to take notice, politically-charged rhetoric serves only to exacerbate the situation. Ransomware attacks will continue to evolve and to wreak havoc. To protect themselves, businesses need rapid, decisive decision making. The time for business leaders to act is now – before they are poached by these big-game hunters.

Bill Santos
Many organizations don't have a plan in place to detect or shut down hackers and, far too often, the plan starts and stops with the antivirus software.
Bill Santos
Bill Santos
Cerberus Sentinel