Ransomware attacks saw a dramatic upswing in 2020 even as much of the world was distracted by the pandemic, the U.S. presidential elections and other major events. This presents the cybersecurity world with a particularly thorny challenge given that, due to the pandemic, the security perimeter quickly extended beyond traditional workplace IT to newly established work-from-home (WFH) infrastructure.
What’s more, the risk level for ransomware attacks continues to grow as cybercriminals become more brazen in their demands. If these trends continue, the amount lost to these attacks could start to rival the GDP of some of the world’s leading economies by mid-decade. (Read also: Cybersecurity Predictions for 2021.)
But the news is not all bad. New defenses are emerging from the lab every day, and with the heightened awareness of the consequences posed by ransomware and other forms of cybercrime, organizations are starting to implement a wide array of high-tech and low-tech (but still highly effective) means to protect themselves. What remains is convincing businesses that are still reluctant to spend money on more and more controls, with the mindset of thinking "it will never happen to us."
According to the World Economic Forum, incidences of targeted ransomware attacks have doubled since the beginning of 2020. The nature of the attacks varies, but in general the goal is to interrupt business processes by breaking into remote-work service platforms and encrypting business-critical systems, then demanding a ransom to restore those systems, or sometimes blackmailing individuals into committing further crimes.
This is why it is of paramount importance to adopt a Zero Trust policy: Trust, but Verify. Apply Least Privilege to all users, giving them just-in-time permissions and only enough freedom to carry out a specific task or role. If an attacker steals the credentials of a highly privileged user, the damage can be critical. If an attacker steals the credentials of a user with Least Privilege and just-in-time access, the attacker is limited in how much damage they can do.
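To make the least-privilege and just-in-time idea concrete, here is an added example (not code from the article or from any vendor it mentions) of a small access broker that issues grants scoped to one action on one resource, with a mandatory expiry and an append-only audit trail. The role names, action strings, resource names, the 60-minute cap and the timestamps are all constructed for illustration. The walkthrough in `demo()` plays out the scenario the paragraph describes: an attacker who steals the credentials of a JIT user gets only the one scoped task, and nothing once the grant lapses.

```python
"""
Added example: a minimal just-in-time (JIT), least-privilege access broker.
Every grant covers exactly one action on one resource and expires on its own.
Role names, actions, resource names and MAX_TTL are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

# Constructed policy (assumption): which actions each role may request at all.
ROLE_ALLOWED_ACTIONS: Dict[str, Set[str]] = {
    "backup-operator": {"storage:read", "storage:snapshot"},
    "dba": {"db:read", "db:write", "storage:read"},
}
MAX_TTL = timedelta(minutes=60)  # hard cap on any grant lifetime (assumption)


@dataclass(frozen=True)
class Grant:
    principal: str
    action: str
    resource: str
    expires_at: datetime
    justification: str


class JitAccessBroker:
    """Issues time-boxed, single-scope grants and answers authorization checks."""

    def __init__(self) -> None:
        self._grants: List[Grant] = []
        self.audit: List[str] = []  # append-only log for detection / IR review

    def request(self, principal: str, role: str, action: str, resource: str,
                ttl: timedelta, justification: str,
                now: Optional[datetime] = None) -> Optional[Grant]:
        """Grant exactly one action on one resource, or refuse and log why."""
        now = now or datetime.now(timezone.utc)
        if action not in ROLE_ALLOWED_ACTIONS.get(role, set()):
            self.audit.append(f"DENY {principal} role={role} action={action} "
                              f"resource={resource}: action not permitted for role")
            return None
        if not justification.strip():
            self.audit.append(f"DENY {principal} action={action}: missing justification")
            return None
        ttl = min(ttl, MAX_TTL)  # never exceed the cap, however much is asked for
        grant = Grant(principal, action, resource, now + ttl, justification)
        self._grants.append(grant)
        self.audit.append(f"GRANT {principal} action={action} resource={resource} "
                          f"until={grant.expires_at.isoformat()}")
        return grant

    def is_allowed(self, principal: str, action: str, resource: str,
                   now: Optional[datetime] = None) -> bool:
        """Default deny: only an unexpired grant matching all three fields passes."""
        now = now or datetime.now(timezone.utc)
        for g in self._grants:
            if (g.principal == principal and g.action == action
                    and g.resource == resource and now < g.expires_at):
                return True
        self.audit.append(f"DENY {principal} action={action} resource={resource}: no valid grant")
        return False

    def revoke_all(self, principal: str) -> int:
        """Incident-response hook: drop every live grant for a suspect principal."""
        before = len(self._grants)
        self._grants = [g for g in self._grants if g.principal != principal]
        removed = before - len(self._grants)
        self.audit.append(f"REVOKE {principal}: {removed} grant(s)")
        return removed


def demo() -> dict:
    """Stolen-credential scenario: what can a thief do with a JIT user's session?"""
    t0 = datetime(2021, 1, 15, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    t5, t31 = t0 + timedelta(minutes=5), t0 + timedelta(minutes=31)
    broker = JitAccessBroker()
    g = broker.request("alice", "backup-operator", "storage:read", "bucket:finance-backups",
                       timedelta(minutes=30), "restore ticket INC-0001 (constructed)", now=t0)
    return {
        "granted": g is not None,
        # The legitimate task works while the grant is live.
        "task_ok": broker.is_allowed("alice", "storage:read", "bucket:finance-backups", now=t5),
        # With alice's credentials a thief still cannot write, reach another
        # bucket, or use the grant after it expires.
        "write_blocked": not broker.is_allowed("alice", "storage:write", "bucket:finance-backups", now=t5),
        "other_resource_blocked": not broker.is_allowed("alice", "storage:read", "bucket:hr-records", now=t5),
        "expired_blocked": not broker.is_allowed("alice", "storage:read", "bucket:finance-backups", now=t31),
        # Requests outside the role are refused outright, and the refusal is logged.
        "out_of_role_refused": broker.request("alice", "backup-operator", "db:write", "db:prod",
                                              timedelta(minutes=5), "x", now=t0) is None,
        "audit_events": len(broker.audit),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design choices matter here: the broker is default-deny (an authorization check passes only on an exact, unexpired match), and every denial is written to the audit list, so a burst of DENY entries for one principal is itself a detection signal worth alerting on.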
In some cases, larger companies are targeted by exploiting vulnerabilities in small companies within the supply chain. These are particularly difficult to detect and prevent because smaller firms generally lack the highly sophisticated tools and technologies available to larger firms. Yet the impact can be just as great – particularly in cases when the supplier provides a singularly important function that cannot be easily transitioned to another provider. Once an attack on a supplier is known, all network connections and integrations with that supplier must be blocked temporarily until the danger has been contained and eradicated.
While the government and manufacturing sector remain the top targets of ransomware, the past year saw a dramatic uptick in attacks against healthcare entities. Recently, the FBI, the Cybersecurity and Infrastructure Security Agency (CISA) and the Health and Human Services (HHS) department issued an advisory outlining “an increased and imminent cybercrime threat to US hospitals and healthcare providers.”
While the full nature of the threat was not revealed, the agencies did say that malicious groups are targeting the sector using the Ryuk ransomware system to obtain critical data and disrupt healthcare services. One death has already been attributed to this effort.
In December 2020, the FBI issued a warning regarding DoppelPaymer ransomware, whose perpetrators used a multipronged attack, including phone calls to pressure intended victims.
2020 has also seen a shift in tactics by ransomware perpetrators, according to securityintelligence.com. In the past, the goal was merely to lock down systems or encrypt data in order to demand a ransom for their return. Lately, however, a new “blended extortion” approach has emerged in which sensitive data is stolen before it is encrypted. If the victim refuses to pay up, not only is the data lost but it is released publicly, subjecting the target enterprise to a wide array of regulatory and/or civil penalties.
Paying also opens up a host of problems, as the Treasury's Office of Foreign Assets Control and its Financial Crimes Enforcement Network have warned that paying ransomware demands may be illegal and that companies that do so could be prosecuted.
What to Do?
What, then, is the enterprise to do, particularly in times such as these where business has been disrupted by the pandemic, profits are hurting and margins are becoming increasingly tight? (Read also: The Biggest Ransomware Mistakes Businesses are Making in 2020.)
While there are numerous software and service platforms designed to identify and disrupt ransomware attacks, perhaps the most effective strategy is for all organizations to first recognize the seriousness of the threat and then work together to protect themselves. Security Magazine’s Diana Salazar says that the first thing to understand is that attackers do not choose their victims at random – some are surveilled for months, even years, before the attack is launched. Others, however, can be opportunistic – the attackers' motive is primarily profit, with as little risk and effort as possible.
The main problem here, though, isn’t that systems have been compromised; it’s that most victim organizations tend to keep things quiet after a breach. Current regulations establish thresholds regarding when and how information is to be released, but beyond that most companies are loath to share details of exactly how the attack was carried out, in part because it might reveal sensitive information regarding IT infrastructure, business processes and customer data.
In fact, many organizations choose to pay the ransom quietly rather than risk the embarrassment of public exposure. Ultimately, this simply encourages the bad actors to continue their attacks and prevents other businesses from gaining insight into how the latest threats are evolving, which leaves entire industries vulnerable to continued attack.
In addition, there is no guarantee that the decryption key will be handed over to the victim. Plus, if you do pay and access to your data is restored, attackers may conclude that you are an easy target and come back.
Businesses should also keep in mind that simply protecting their own infrastructure and that of their employees is no longer adequate. With so much of the IT footprint pushed out to the cloud and, lately, the internet of things (IoT) edge, defensive policies must account for this new reality. While no solution is 100 percent effective, U.K. security firm Sophos advises that managed service providers (MSPs) adopt a number of key safeguards:
- Widespread education and awareness of the threat, including the adoption of two-factor authentication and the ability to spot fraudulent emails. Multi-factor authentication (MFA) is a must when it comes to cloud access.
- Continuous improvement of security systems and procedures for production environments as well as any and all backup facilities. Make sure there are stringent security measures in place when running a Continuous Integration/Continuous Delivery (CI/CD) software delivery pipeline. In other words, make sure your DevOps practice includes security.
- Deployment of endpoint detection and response (EDR) tools to oversee the entire data chain. Outsourcing may be a viable option if resources are limited.
- Robust human intervention, up to the creation of elite threat management teams to provide proactive and reactive response to attacks.
- Rapid incident response tools that specialize in neutralizing threats and mitigating damage.
Ransomware, and cybercrime in general, is a problem that will never go away. The same underlying tools and technologies that can be used to defend the enterprise can be used to attack it. But this should not dissuade all organizations, large or small, critical or non-critical, from maintaining constant vigilance.
As with any crime, the best defense is to remain continually vigilant regarding your environment and your own vulnerabilities. (Read also: 5 Cybersecurity Predictions for 2021.)