Ransomware is still a relatively new form of attack that enterprises and government entities are facing. It is the act of loading malware that will, in some way, restrict access to data or systems until the organization is willing to pay a ransom to the attacking group. The attacking group may or may not release the data, computer systems, or assets from the malware.
In the early days, ransomware attacks were relatively benign. Most that were attempted were reversed and the successes of attackers were few and far between. But with the rise of new hacker groups that mimic well-known cybercrime gangs, successful defenses against ransomware attacks have become less common. Partly, this momentum shift is due to an increase in the variety of attacks that malicious actors have at their disposal.
The past year has seen a new wave of ransomware-based attacks that rely on non-typical attack techniques. One prominent type is destructionware, where the malware imitates ransomware, but the attackers will never reverse the encryption or damage done, as their goal was to destroy the data and cause as much damage as possible.
The second is the evolution of ransomware that involves not only encrypting data or locking up systems but also exfiltrating data from the organization. Once the data is removed from the organization, the attackers will not only demand a ransom to reverse their encryption but also to prevent the release of the data.
Since its introduction, ransomware has not slowed down. The reality is that these attacks are now often successful in extreme ways because it takes just one employee to slip up and download the malware.
Because the impact is large, and because news of successful attacks spreads instantly, more attackers are joining the game modeling previously effective techniques. Ransomware has become one of the biggest and most expensive types of data breach.
It is such a critical issue that many cybersecurity insurance policies have separate underwriters just to assess the potential cost and impact of ransomware attacks on an organization.
Payments Down, Damage Up
While the likelihood of an organization paying the ransom has gone down, this has not decreased the number of attackers utilizing it as a mode of attack. With ransoms of multiple millions being paid, it is a highly lucrative attack strategy even if the probability of financial success is low.
But despite the decrease in payments, ransomware attacks have become extremely destructive for organizations. The ransom is often the lowest cost of the event. A ransom event will often entail a months-long recovery effort that may see hundreds of thousands of hours of lost employee productivity, lost production or operation, and lost revenue from systems being down.
Even this only covers the direct impact on the business. There are additional costs that add up quickly, related to fines and consumer class action lawsuits. Further, the impact on reputation and future revenue is not easily calculated for many organizations. With these items considered, an uninsured ransom attack can be an organization-killing event.
Prevention is Better Than Cure
What can organizations do to lower their risk of a ransomware attack? Taking a risk-based approach is the best way to plan and address potential ransom attacks.
Some key areas to focus on are related to access. Because most ransomware will attempt to elevate to admin credentials, keeping domain admin accounts to a minimum and deploying a privileged access management system are great ways to limit the damage potential of any attack.
Another important step is to implement robust segmentation within the network. This will help to limit the scope of an attack and reduce the potential impact on the business.
Other controls to implement are endpoint detection and response tools, robust logging that involves behavior analytics, and strong email-based controls to help prevent phishing attacks. While all of these can help prevent or limit the impact of a ransom attack, none of them will fully immunize an organization from the threat.
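As an added illustration of the behavior-analytics logging mentioned above (example code written for this page, not from any vendor product), the block below runs two checks over constructed endpoint telemetry: a burst of files rewritten with a changed extension on one host, and whether a large outbound transfer preceded that burst, the exfiltrate-then-encrypt pattern this article describes. Host names, thresholds and the event format are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_events():
    """Constructed telemetry (not from any real system): ws-17 sends ~850 MB out,
    then rewrites 30 files with a new extension within 30 seconds; ws-02 edits a
    handful of files normally. Tuple: (timestamp, host, event_type, details)."""
    base = datetime(2024, 1, 10, 9, 0, 0)
    events = [(base, "ws-17", "net_out", {"bytes": 850_000_000})]
    for i in range(30):
        events.append((base + timedelta(minutes=20, seconds=i), "ws-17", "file_write",
                       {"path": f"c:/docs/f{i}.docx", "newext": ".locked"}))
    for i in range(5):
        events.append((base + timedelta(minutes=i * 7), "ws-02", "file_write",
                       {"path": f"c:/docs/r{i}.docx", "newext": ".docx"}))
    return events


def find_encryption_bursts(events, window=timedelta(seconds=60), threshold=20):
    """Return {host: burst_start} for hosts that rewrite at least `threshold`
    files with a changed extension inside one sliding time window."""
    per_host = defaultdict(list)
    for ts, host, kind, d in events:
        # Only count writes where the extension actually changed (e.g. .docx -> .locked).
        if kind == "file_write" and not d["path"].lower().endswith(d["newext"].lower()):
            per_host[host].append(ts)
    bursts = {}
    for host, times in per_host.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:   # slide window forward
                start += 1
            if end - start + 1 >= threshold:
                bursts[host] = times[start]
                break
    return bursts


def exfil_before_burst(events, bursts, lookback=timedelta(hours=6), min_bytes=100_000_000):
    """For each flagged host, report whether a large outbound transfer occurred
    in the lookback period before the encryption burst began."""
    return {
        host: any(h == host and kind == "net_out" and d["bytes"] >= min_bytes
                  and t0 - lookback <= ts < t0
                  for ts, h, kind, d in events)
        for host, t0 in bursts.items()
    }
```

A real deployment would feed file-system and network flow logs from the EDR or SIEM into the same two functions; the point is that neither signal alone is conclusive, but the sequence is.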
What Comes Next?
As better controls are implemented, attackers will continue to evolve to evade these controls. This is something that is already happening on a monthly basis. For example, attackers have moved to nullify the security measures implemented to protect backups, by exfiltrating data from the network before encrypting. Afterward, some attacks moved to destroy the organization’s data after exfiltrating to increase the likelihood of payment.
We will likely see attacks continue to focus on exfiltrating data or proof of attack to extort payment to save a company’s reputation. Further, cloud-based backups will likely be a primary target with vendors being included in the attack.
While possible attack trends can be debated, one point of consensus among cybersecurity professionals is that attackers will continue to focus on getting data and deploying attack techniques that will increase the likelihood of payment.