One of the newest ransomware attack strategies played out in January when attackers released 4,000 files stolen from the Scottish Environment Protection Agency after government officials refused to pay to stop their release.
The SEPA attack isn’t an anomaly. It illustrates the expanding scope of damage that can come from ransomware attacks — and the urgency needed for organizations to step up their defenses.
“Ransomware is rampant, and there are a lot of resources being put into hitting companies. So, it’s something you have to be prepared for,” said Jesse Varsalone, associate professor of computer networks and cybersecurity at University of Maryland Global Campus (UMGC).
The scope of enterprise ransomware attacks continues to grow in numbers, scale, sophistication and effect, and victims can no longer assume that restoring from backups is enough to consider themselves recovered.
This evolving reality puts more pressure on security teams to refocus their enterprise ransomware prevention strategies by beefing up defensive measures and taking more proactive steps so they can identify and shut down bad actors before they strike.
The increase in ransomware attacks continues
Ransomware involves bad actors installing malware within an organization’s computer systems and then demanding payment — typically via bitcoin — to end the assault. Once the ransom is paid, the hackers then provide the victim organization with codes to decrypt or unlock affected files or systems.
It’s a form of extortion and should be labeled as such. “It’s going to become the preferred way to monetize cybercrime,” said Michael Hamilton, founder and CISO of CI Security, a cybersecurity consulting firm based in Bremerton, Wash., and former CISO for the city of Seattle.
Many organizations have refused to pay, opting to try to restore their computers or systems according to their incident response plans. Others have decided to pay the ransom and ended up victimized twice, either receiving ransom codes that didn’t work or being faced with hackers that wouldn’t go away.
Gary Pennington, partner at Alchemi Advisory Group LLC, a Dallas-based cybersecurity consulting and business continuity advisory company, said his firm worked with a 500-employee company in the aftermath of an attack. The company paid a $900,000 ransom to have its systems unlocked only to get a second message from the hackers demanding another $800,000 to leave the company alone.
These incidents illustrate the growing complexity and cost of dealing with ransomware attacks. Studies back up these assessments. A Skybox Security survey revealed the number of ransomware cases jumped 72% in the first half of 2020, while other studies have calculated the global cost of ransomware in 2020 at $20 billion, up from $11.5 billion in 2019.
Ransomware projected to rise in 2021
Experts have predicted the volume, scope and cost of ransomware attacks in 2021 will be even higher because:
- the types of ransomware attacks will evolve;
- bad actors will continue to exploit the pandemic and the weakened security that comes with vast work-from-home scenarios; and
- hackers have become more organized and entrepreneurial in their work.
“I see a continued upswing in the use of ransomware and ransom payouts. It’s a viable business model for people without a conscience because it allows for them to generate a large income from anywhere in the world,” said Matthew Rogers, CISO of managed cloud provider Syntax.
Most attacks still start with a successful phishing scam when an authorized user inadvertently opens an email attachment or clicks on a link thinking it is legitimate but instead releases malicious code. London-based Willis Towers Watson, a risk management, insurance brokerage and advisory company, analyzed its cyber claims data and found that an organization’s employees directly caused 63% of all cyber incidents, including inadvertent ransomware infection.
Moreover, phishing emails have become more sophisticated and better resemble legitimate content, experts said, noting that hackers increasingly design malicious code to evade detection so they can lurk in organizational systems and study their targets. Alchemi’s Pennington said he worked with one company after a ransomware attack and determined the hackers had monitored activity for months so they could time their attack for when the database administrator was on vacation.
In addition, hackers increasingly target their victims and shape attacks based on their profiles, further increasing the level of sophistication of these attacks. “The era of the shotgun blast, [with hackers] just trying to scoop up anyone dumb enough to click, is coming to an end,” CI Security’s Hamilton said.
Hackers themselves are morphing, with more criminal enterprises and nation-states engaging in attacks and sometimes even working together, and offering ransomware as a service for anyone willing to pay.
At the same time, hackers are expanding the scope of the damage they aim to inflict. In addition to encrypting an organization’s systems, hackers also look to steal sensitive or regulated data and threaten to release it unless the organization pays a ransom. They also use the victim’s systems to launch denial-of-service attacks, or tunnel from the initial victim into more lucrative targets belonging to business partners or customers, and then demand ransoms from all involved.
Cybersecurity company FireEye confirmed these observations in its report, “A Global Reset: Cyber Security Predictions 2021,” stating that “ransomware varieties [are] increasing along with frequency of attacks. One troubling trend is that attackers are not only making adjustments to their ransomware TTPs [tactics, techniques and procedures], but also increasingly moving to ransomware as a service, which includes offering malware and the skills to deploy it on a one-time or ongoing basis.”
Expert tips for enterprise ransomware prevention
To help thwart successful attacks, experts recommend organizations take many steps, including the following:
- Strengthen user training and security awareness programs to help users avoid falling for phishing scams.
- Deploy email controls. Philip Chan, adjunct professor of cybersecurity at UMGC who works at the U.S. Army Combat Capabilities Development Command Data & Analysis Center cybersecurity division, Aberdeen Proving Ground, suggested the use of strong spam filters to block phishing email and an email authentication method known as DomainKeys Identified Mail to limit email spoofing. He also advised using Domain-based Message Authentication, Reporting and Conformance and Sender Policy Framework for better protection.
- Implement business processes that limit or even eliminate transactions via email. “That way emails with links and attachments stand out more and automatically become more suspicious,” Alchemi’s Pennington said.
- Develop and test incident response plans that identify by name the legal advisors, cyber insurance policy contacts and outside consultants who will play roles in recovery. “Have your contacts all lined up in advance,” Pennington said.
- Follow established security best practices, such as implementing a strong patch management program; keeping all systems up to date; using antivirus and antimalware software; and using the principle of least privilege for access control.
- Implement newer technologies to further limit vulnerabilities. “There are tried-and-true practices and security measures that are commonly used, but the issue is that just a single mistake can leave you vulnerable,” UMGC’s Varsalone said, adding that a layered approach to security can help address that. For example, change management tools track updates within corporate systems and create visibility into organizational systems, which, in turn, can help IT identify unauthorized changes that could indicate the presence of vulnerabilities or even malicious code. Security tools that use behavioral analytics can help identify normal user activities and catch anomalies that could indicate malicious actions. Experts also cite the use of modern endpoint detection and response.
- Adopt multifactor authentication, zero trust and security frameworks as part of a layered defense.
- Engage in more aggressive monitoring, threat detection and even threat hunting, and consolidate such activities within a security operations center — whether in-house or outsourced — that has the resources to respond to suspected threats. “If you detect something but then you let it sit for three days, you’re going to have a problem,” Syntax’s Rogers said.
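The email-control recommendations above name SPF, DKIM and DMARC but do not show what a weak versus a hardened record looks like. The following Python script is an added example, not code from the article or from any of the experts quoted in it: it parses SPF and DMARC TXT records offline and flags the settings that still let spoofed phishing mail through. All four sample records are constructed for illustration (the `example.test` and `example-mailer.test` domains and the 192.0.2.0/24 range are documentation placeholders, not real infrastructure). DKIM is not checked here because validating it requires fetching a selector-specific public key rather than a single domain-level record.

```python
"""Offline audit of SPF and DMARC TXT records for weak anti-spoofing settings.

Added example (not from the article). The records below are constructed
samples, not any real organization's DNS data.
"""

# Constructed sample records: one weak and one hardened per mechanism.
SAMPLE_SPF_WEAK = "v=spf1 include:_spf.example-mailer.test +all"
SAMPLE_SPF_STRONG = "v=spf1 include:_spf.example-mailer.test ip4:192.0.2.0/24 -all"
SAMPLE_DMARC_WEAK = "v=DMARC1; p=none; rua=mailto:dmarc@example.test"
SAMPLE_DMARC_STRONG = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.test"

# Mechanisms that cost a DNS lookup under RFC 7208 (limit of 10 per evaluation).
SPF_LOOKUP_MECHANISMS = {"include", "a", "mx", "exists", "ptr"}


def parse_spf(record):
    """Split an SPF record into (qualifier, name, value) tuples.

    Modifiers (terms containing '=') are returned with qualifier 'modifier'.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        if "=" in term:  # modifier such as redirect= or exp=
            name, value = term.split("=", 1)
            parsed.append(("modifier", name.lower(), value))
            continue
        qualifier = "+"  # the default qualifier when none is written
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        parsed.append((qualifier, name.lower(), value))
    return parsed


def check_spf(record):
    """Return a list of findings for an SPF record; empty means nothing weak found."""
    findings = []
    terms = parse_spf(record)
    mechanisms = [t for t in terms if t[0] != "modifier"]
    has_redirect = any(t[0] == "modifier" and t[1] == "redirect" for t in terms)
    all_terms = [t for t in mechanisms if t[1] == "all"]
    if not all_terms and not has_redirect:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result, not a fail")
    for qualifier, _, _ in all_terms:
        if qualifier == "+":
            findings.append("'+all' authorizes every host on the internet to send as this domain")
        elif qualifier == "?":
            findings.append("'?all' is neutral; receivers cannot distinguish unknown senders from authorized ones")
        elif qualifier == "~":
            findings.append("'~all' is a softfail; use '-all' once every legitimate sender is listed")
    if any(t[1] == "ptr" for t in mechanisms):
        findings.append("'ptr' mechanism should not be used (RFC 7208); it is slow and unreliable")
    lookups = sum(1 for t in mechanisms if t[1] in SPF_LOOKUP_MECHANISMS) + (1 if has_redirect else 0)
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the RFC 7208 limit of 10, causing a permerror")
    return findings


def parse_dmarc(record):
    """Split a DMARC record into a dict of lowercase tag -> value."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def check_dmarc(record):
    """Return a list of findings for a DMARC record; empty means nothing weak found."""
    findings = []
    tags = parse_dmarc(record)
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail that fails DMARC is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine routes spoofed mail to spam; p=reject blocks it outright")
    elif policy != "reject":
        findings.append("missing or invalid 'p' tag: receivers ignore the whole record")
    # Subdomain policy defaults to the domain policy; an explicit weaker one is a gap.
    if policy == "reject" and tags.get("sp", policy).lower() != "reject":
        findings.append(f"subdomain policy sp={tags['sp']} is weaker than the domain policy")
    if "rua" not in tags:
        findings.append("no rua address: aggregate reports about spoofing attempts will never arrive")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: the policy is applied to only {pct}% of failing messages")
    return findings


if __name__ == "__main__":
    for label, record, checker in (
        ("SPF weak", SAMPLE_SPF_WEAK, check_spf),
        ("SPF strong", SAMPLE_SPF_STRONG, check_spf),
        ("DMARC weak", SAMPLE_DMARC_WEAK, check_dmarc),
        ("DMARC strong", SAMPLE_DMARC_STRONG, check_dmarc),
    ):
        print(f"{label}: {checker(record) or 'no weaknesses found'}")
```

In a real deployment the records would come from a TXT lookup of the apex domain and of `_dmarc.<domain>`, and the script would be run on a schedule so that a change from `-all` to `+all` or from `p=reject` to `p=none` (whether a misconfiguration or an attacker-made change) is noticed the same day rather than after a phishing wave.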
“Prevention is the most powerful protection against any ransomware attack. Also, it is significant to take precautions for safety,” Chan said. “Any infections can be disastrous to an organization, and restoration may be complicated.”