Ransomware devastation

Despite spending billions on cybersecurity tools, businesses are said still to be poorly prepared for ransomware attacks. What is the solution?
Ransomware attacks continue to impact organisations worldwide - and the costs are staggering, says Florian Malecki, executive vice president marketing, Arcserve. "A new global survey of over 1,100 IT decision makers at small and midsize companies found that 50% had been targeted by a ransomware attack, with 35% asked to pay over $100,000 in ransom, and 20% asked to pay between $1 million and $10 million. In the UK, 50% of respondents said they had no choice but to pay the ransom."

And he adds: "The sad truth is that, despite spending billions on cybersecurity tools, businesses are still poorly prepared for ransomware attacks. For this reason, companies must take a new approach to data resilience. They must strengthen their disaster-recovery strategies, backup systems and immutable storage solutions to prevent the loss of mission-critical data." He offers five steps that organisations can take to reduce their exposure to ransomware and "avoid staggering losses":

Educate employees. "It's essential to invest in training for staff, so that they're aware of how ransomware works. From there, employees will be better prepared to recognise and prevent it."

Focus on cures, as well as prevention. "It's time for companies to stop focusing entirely on prevention. They should also invest in curative measures like backup & recovery and immutable storage that allow them to quickly restore their data and avoid paying the ransom when attackers break in."


[Caption] Brett Raybould, Menlo Security: in the past two years, threat actors have become more sophisticated and bolder, with devastating consequences.

Place a premium on data resilience. "Your data resilience is only as strong as your weakest link. Monitor your weaknesses, fix them when you find them, and you can bounce back quickly from disruption and return to normal operation. To do this, you must have the technologies required to back up your data and recover it, if necessary, along with the proper mindset."

Know what data is most critical. "Data varies in value. If you're concerned about costs, as most organisations are these days, you don't have to store or back up all your data in the same place. Look into storage solutions that provide options like data tiering. These enable you to place less-important data in less-expensive levels of storage or 'tiers'."

Put a disaster-recovery plan in place. "A good disaster-recovery solution will back up your data to a location of your choice and on a schedule that suits you. It will also be easy to test, which is crucial because testing is the only way you can validate that your recovery-time goals can be met."
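Malecki's fifth step hinges on testing: a backup that has never been restored proves nothing, and the recovery-time goal is only validated by timing a real restore. The following is an added example, not Arcserve's code or anything from the original article, of what a minimal restore drill checks: every file in the backup manifest came back, each restored file's SHA-256 matches what was recorded at backup time, and the restore finished inside the recovery-time objective (RTO). The file names, contents and the 4-hour RTO are constructed sample values.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"time"
)

// Manifest records, at backup time, the SHA-256 of every file the backup
// is supposed to contain. A restore drill is checked against it.
type Manifest map[string]string

// RestoreReport is the outcome of one restore drill.
type RestoreReport struct {
	Missing   []string // in the manifest, absent from the restore
	Corrupted []string // restored, but content differs from the manifest
	Extra     []string // restored, but never in the manifest
	Elapsed   time.Duration
	RTO       time.Duration
}

// Passed is true only when nothing is missing or corrupted and the drill met the RTO.
func (r RestoreReport) Passed() bool {
	return len(r.Missing) == 0 && len(r.Corrupted) == 0 && r.Elapsed <= r.RTO
}

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// BuildManifest hashes the files as they are at backup time.
func BuildManifest(files map[string][]byte) Manifest {
	m := make(Manifest, len(files))
	for path, content := range files {
		m[path] = sha256Hex(content)
	}
	return m
}

// VerifyRestore compares a restored file set against the manifest and the
// recovery-time objective. It never trusts file presence alone: content is re-hashed.
func VerifyRestore(m Manifest, restored map[string][]byte, elapsed, rto time.Duration) RestoreReport {
	rep := RestoreReport{Elapsed: elapsed, RTO: rto}
	for path, want := range m {
		got, ok := restored[path]
		switch {
		case !ok:
			rep.Missing = append(rep.Missing, path)
		case sha256Hex(got) != want:
			rep.Corrupted = append(rep.Corrupted, path)
		}
	}
	for path := range restored {
		if _, ok := m[path]; !ok {
			rep.Extra = append(rep.Extra, path)
		}
	}
	sort.Strings(rep.Missing)
	sort.Strings(rep.Corrupted)
	sort.Strings(rep.Extra)
	return rep
}

func main() {
	// Constructed sample data: what was backed up ...
	original := map[string][]byte{
		"crm/customers.db": []byte("customer rows"),
		"erp/ledger.csv":   []byte("ledger rows"),
		"hr/payroll.xlsx":  []byte("payroll rows"),
	}
	manifest := BuildManifest(original)
	// ... and what came back from the drill: one file silently truncated, one missing.
	restored := map[string][]byte{
		"crm/customers.db": []byte("customer rows"),
		"erp/ledger.csv":   []byte("ledger r"),
	}
	rep := VerifyRestore(manifest, restored, 90*time.Minute, 4*time.Hour)
	fmt.Printf("passed=%v missing=%v corrupted=%v extra=%v elapsed=%v rto=%v\n",
		rep.Passed(), rep.Missing, rep.Corrupted, rep.Extra, rep.Elapsed, rep.RTO)
}
```

In practice the manifest would be written alongside (and ideally stored separately from) the backup, and the restore drill run on a schedule, so that a corrupted or incomplete backup is discovered before an incident rather than during one.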


[Caption] Nigel Thorpe, SecureAge: cybercriminals continually use new techniques to prevent their malware from being identified.

SOPHISTICATED AND BOLDER
Year on year, threat actors have ramped up ransomware activities. But, in the past two years, they have become more sophisticated and bolder, with devastating consequences, points out Brett Raybould, EMEA solutions architect, Menlo Security. "Critical infrastructure attacks are on the rise, with the Colonial Pipeline attack perhaps the most well-known example. Sadly in 2021, one ransomware attack on a hospital in Duesseldorf led to the death of a woman after she was diverted to another city to be treated. The year also saw a record $70m ransom demand from Kaseya, the company affected by a zero-day exploitation that went on to affect 1,500 businesses - a supply chain attack rivalling that of the SolarWinds incident of 2020."

Since the pandemic, and the transition to remote and hybrid working models, companies continue to expand their digital footprint and reliance on web-based applications, leading to a greater volume of ransomware attacks exploiting vulnerabilities in cloud applications and tools. "For ransomware to be curbed effectively, there needs to be a greater focus on business continuity and disaster recovery strategies, so firms can limit the damages inflicted by a potential attack," he adds. "Greater attention must be placed on the threat of supply chain attacks and third-party connectivity. This involves a mindset shift to prepare for the risks presented by third parties to reduce what is a growing attack surface among organisations."

Right now, this largely requires a proactive initiative from companies, states Raybould. "But we could see a change in regulations and government guidance in the future." According to a Menlo Security poll, over half (55%) of respondents felt that responsibility for protection should fall to government.


[Caption] James Tamblin, BlueVoyant UK: "The cyber-criminal economy presents a cybercrime-as-a-service (CaaS) model that provides ready-made tools and services."

"For more organisations to pay attention, governments may need to take greater action in the fight against ransomware. We're already seeing mandatory reporting procedures on ransomware in APAC, so I wouldn't be surprised to see this elsewhere.

"We also anticipate greater collaboration between governments and large corporations like Google and Microsoft - initiatives that are beginning to gather momentum already, as demonstrated by DMARC email authentication. Such initiatives provide the building blocks for something greater. Without question, open collaboration and the sharing of tools across the industry could really help to address the ransomware challenges businesses and governments currently face."

EASY ACCESS FOR CYBERCRIMINALS
The exponential growth of ransomware attacks, which sometimes double or even quadruple year on year, can be attributed to the highly agile nature of the market, states James Tamblin, president, BlueVoyant UK. "The cyber-criminal economy presents a cybercrime-as-a-service (CaaS) model that provides ready-made tools and services, lowering the barriers to entry for newcomers and groups alike. It allows less 'tech savvy' cyber criminals easy access to the market which ensures even more organisations fall victim. Not to mention, the increased digitalisation over the last two years where organisations and services rapidly shifted online and, in parallel, rapidly increased their attack vectors, leaving their digital front door open to threat."

Another explanation for the increase is new tactics, including double extortion, where criminals exfiltrate data in addition to encrypting it. "Double extortion has now escalated to triple extortion with tactics such as leak sites, a hugely successful method used in ransomware attacks. Triple extortion often leads to associated media publicity, ensuring companies 'pay the piper'."


[Caption] Sashank Tadimeti, Protiviti: evolution of 'Ransomware as a Service' [RaaS] has enabled non-skilled malicious actors to hire cyber-criminals to target CNI entities.

This public extortion method has reduced the ability to contain an attack, adds Tamblin. "Ransomware attacks have a huge knock-on effect, not only fiscally, but it is also almost impossible to quantify the final impact of the attack after reputation is damaged, customer relationships sullied and operations affected. The burden of compliance fines further increases the secrecy shrouding ransomware, as companies may choose to pay the ransomware in secret. Companies can expect this cost to rise as regulations tighten and future government policy may increasingly need to address this burden."

In this climate, companies and organisations must increase their awareness and risk tolerance toward cyber threats, he continues. "There are a range of ways organisations can reduce this risk and contain the threat, starting with implementing multi-factor authentication (MFA) across all accounts. BlueVoyant has observed that cyber attackers will often move on to easier targets when MFA is used effectively. Other important methods include implementing both a Zero-Trust approach and the 'principle of least privilege', a security concept wherein employees only hold access they need."

BEYOND THE DISCONNECT
While newfound awareness of the existing cyber threat landscape is a critical first step towards building a robust defence, this has yet to be paired with the necessary security measures and strategies, argues Mike Varley, threat consultant at Adarma. "For the most part, there appears to be a disconnect between how prepared businesses believe themselves to be and where they truly stand. Despite 96% of respondents stating that they were confident in their existing deterrents and preventive measures, a staggering 58% of businesses surveyed have already been hit with ransomware," he comments. "Moreover, more than one in every five companies does not have an incident plan in place, suggesting that cybersecurity is not as much of a priority as they claim. To put it simply, many are failing to walk the talk."

Organisations must also take a proactive approach to mitigating ransomware attacks, Varley says - "that is, prevent, prepare, detect and eliminate" - while recommending the following actions:

Keep software updated - "Keeping systems up to date should be a priority. Organisations must ensure effective management of their technology infrastructure, systems and services, including the adequate patching of devices and systems, ensure sufficient network security and replace unsupported software."

Adopt a proactive mindset - "Organisations need to adopt a proactive approach to cybersecurity to ensure that essential functions and operations can continue even after a cyber-criminal has penetrated defences and compromised digital assets."

Utilise better threat detection - "When ransomware worms its way past your defences, damage is measured by the time taken to detect, investigate, contain and resolve the threat. The longer your exposure, the greater the incident impact. It's more efficient to stop a ransomware attack before it has a chance to do any damage."

Regularly back up data - "To prevent ransomware disrupting business operations, it's vital that organisations regularly back up company data. If a cyber incident occurs, the organisation will be able to quickly fall back on a recent backup version."

Improve employee cyber awareness - "Ransomware attacks can be the result of poor employee cyber awareness or bad habits. For example, employees may use easily guessable passwords or the same password for multiple accounts. Organisations can mitigate this risk by providing employee training and running regular attack simulations/digital health check-ups to see if their employees are practising good cyber hygiene."

ONE STEP AHEAD
The traditional way to prevent ransomware is to identify and then block malicious activities, points out Nigel Thorpe, technical director at SecureAge. "But cybercriminals have a habit of being one step ahead and continually use new techniques to prevent their malware from being identified."

In a business environment, there is generally no reason for a previously unknown executable or script to run, he says. "The software for a typical business PC is built to a standard design that includes all the tools that its user will require. A better way is to block all unauthorised processes which are not on the 'allow list' from executing. So, if a malicious executable or script attempts to run, it is simply blocked.

"The other mainstream approach to protecting data is to encrypt it using tools such as database and full disk encryption, such as BitLocker. But while full disk encryption is fine if you lose your laptop, on a running system it will simply hand over decrypted data to every process that asks for it - legitimate or malicious. As cybercriminals can only steal data from running systems, full disk encryption cannot prevent this theft."
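Thorpe's allow-list approach is a default-deny rule: an executable runs only if it is on the list, and everything else is blocked without needing to be recognised as malicious first. The following is an added example, not SecureAge's product or code from the article, of the decision logic behind such a list. It keys the list on the SHA-256 of the executable's content rather than on its path, so a renamed copy of an approved build is still approved while a modified binary sitting at a trusted path is not. The executable names and contents are constructed stand-ins; a real implementation would hash the file on disk or delegate to the operating system's application-control facility.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Decision is the outcome of the default-deny check.
type Decision struct {
	Allowed bool
	Reason  string
}

// AllowList maps the SHA-256 hex digest of an approved executable to a
// human-readable name used in logs. Keying on content rather than path
// means a renamed copy of an approved binary is still approved, while a
// modified binary at an approved path is not.
type AllowList map[string]string

func digest(content []byte) string {
	sum := sha256.Sum256(content)
	return hex.EncodeToString(sum[:])
}

// Approve adds an executable's current content to the list.
func (al AllowList) Approve(name string, content []byte) {
	al[digest(content)] = name
}

// Check decides whether an executable may run. Anything not on the list is
// denied: there is no "unknown but probably fine" outcome.
func (al AllowList) Check(path string, content []byte) Decision {
	d := digest(content)
	if name, ok := al[d]; ok {
		return Decision{Allowed: true, Reason: fmt.Sprintf("%s matches approved %q", path, name)}
	}
	return Decision{Allowed: false, Reason: fmt.Sprintf("%s (sha256 %s...) is not on the allow list", path, d[:12])}
}

func main() {
	// Constructed stand-ins for binaries.
	word := []byte("standard office suite build 1.0")
	tampered := []byte("standard office suite build 1.0!") // one byte appended
	al := AllowList{}
	al.Approve("office-suite", word)

	for _, c := range []struct {
		path    string
		content []byte
	}{
		{`C:\Program Files\Office\word.exe`, word},                  // approved build: allowed
		{`C:\Users\alice\Downloads\word.exe`, word},                 // same bytes elsewhere: still allowed
		{`C:\Users\alice\Downloads\invoice.pdf.exe`, []byte("x")},   // unknown: denied
		{`C:\Program Files\Office\word.exe`, tampered},              // modified copy at trusted path: denied
	} {
		d := al.Check(c.path, c.content)
		fmt.Printf("allowed=%-5v %s\n", d.Allowed, d.Reason)
	}
}
```

The denied reasons are the interesting output for a defender: logging them gives a record of every unknown binary that tried to run, which is exactly the signal a prevention-only model tends to lose.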

As you can't demand a ransom for data that is already encrypted, the answer is to encrypt all of your data, all of the time, at rest, in transit and in use, and no matter where it gets copied - including when it is stolen, Thorpe states. "This way, stolen data remains worthless - reverse ransomware you might say. We must stop believing that it's possible to block all data exfiltration and accept that, at some time, someone will gain access to the network with the aim to steal data and that they will succeed."

Only by encrypting data at source, and by maintaining data encryption throughout its lifecycle can ransomware be truly defeated, he adds. "File-level encryption works silently in the background so that neither the user nor the administrator needs to make any decisions about what should or should not be encrypted. Data-centric security goes to the heart of the whole ransomware attack problem by securing data against both theft and crypto attacks."
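The claim above is that a file encrypted at source stays worthless to whoever copies it, because the copy carries no key. The following is an added example, not SecureAge's implementation or code from the article, showing the at-rest half of that idea with AES-256-GCM: a file's content is sealed under a key, its name is bound in as associated data, and any attempt to open the sealed bytes with the wrong key, under a different name, or after a single byte has been altered is rejected. Key management and the policy deciding which processes may receive decrypted data (the "in use" part of Thorpe's argument) are assumed to exist outside this example; the key, file names and contents are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// SealFile encrypts a file's content under a 32-byte key with AES-256-GCM.
// The file name is bound in as associated data, so a ciphertext moved to a
// different name (or swapped between files) fails to open.
// Output layout: nonce || ciphertext || tag.
func SealFile(key []byte, name string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // rejects keys that are not 16/24/32 bytes
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // fresh random nonce per file
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(name)), nil
}

// OpenFile reverses SealFile. Any mismatch (key, name or content) yields an
// error and no plaintext, which is what makes a stolen copy worthless.
func OpenFile(key []byte, name string, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed data too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(name))
	if err != nil {
		return nil, errors.New("authentication failed: wrong key, wrong file name or altered data")
	}
	return pt, nil
}

func main() {
	key := make([]byte, 32) // constructed: a real key comes from a key-management service
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	name, content := "hr/payroll.xlsx", []byte("salary table (constructed sample)")

	sealed, err := SealFile(key, name, content)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed %d plaintext bytes into %d bytes\n", len(content), len(sealed))

	// Legitimate access: right key, right name.
	if pt, err := OpenFile(key, name, sealed); err == nil {
		fmt.Printf("opened: %q\n", pt)
	}
	// A stolen copy without the key.
	wrongKey := make([]byte, 32)
	_, err = OpenFile(wrongKey, name, sealed)
	fmt.Println("without key:", err)
	// A copy renamed to sit in another place.
	_, err = OpenFile(key, "tmp/stolen.bin", sealed)
	fmt.Println("renamed copy:", err)
}
```

The associated-data binding is the detail worth copying: it costs nothing and stops a sealed file from being quietly substituted for another one with the same key.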

CRITICAL NATIONAL INFRASTRUCTURE
Cyber-attacks on Critical National Infrastructure (CNI), which largely comprises industrial entities, are usually politically motivated and carried out by 'cyber terrorists' from adversarial nation states, where the hacker's goal is to disrupt operations or steal confidential information which does not necessarily have a direct financial reward. Ransomware in the context of CNI brings a different threat actor to the forefront - financial cyber-criminals. "Financial cyber-crime has found a sweet spot in banking and retail sectors, but the shift in focus to the industrial sector/CNI is enabled firstly by a general lack of cyber-awareness and cyber-investment in these areas, which makes hacking a CNI or process industry easier in comparison to banking infrastructure," says Sashank Tadimeti, a manager in Protiviti's Technology Consulting Group.

"Secondly, evolution of 'Ransomware as a Service' [RaaS] has enabled non-skilled malicious actors to hire cyber-criminals to target CNI entities, increasing the number of ransomware incidents. Thirdly, and most importantly, the anonymity of cryptocurrency transactions makes it easier for these malicious actors to extort money, with a reduced threat of being identified. All these factors make ransomware a huge success, leading to the manifestation of a new threat in the CNI cyber-space."

The compounded risk arising from these factors concerns even the most cyber-mature organisations, as well-known CNI attacks such as Stuxnet, Shamoon and, more recently, the Colonial Pipeline incident testify, he adds.

"Whilst there is a limited role individual organisations can play in combating the risk arising from RaaS and anonymity of crypto-transactions; 'Cyber-Awareness' must be a key focus for CNI organisations and government entities. CNI organisations historically have placed a lot of importance on 'safety' and often have well-structured and effective safety awareness programs. CNI Organisations should consider leveraging these models in internally advocating cyber awareness and must ensure the training material stays at pace with the ever-evolving digital space."

Tadimeti also advises that organisations should not limit cybersecurity to a compliance exercise, but aspire to adopt cybersecurity in its essence. Adopting new technology or digital solutions without understanding their security ramifications, or spending heavily on cyber tools without properly configuring them, results in half-baked solutions, leaving organisations vulnerable to ransomware and other cyber threats.

"Whilst we are just getting started on our 'CNI - Security journey', the threat actors and their methodologies are evolving. The emergence of 'RaaS' and 'Double-Extortion Ransomware'; where hackers demand a ransom payment from the attacked organisation and simultaneously seek buyers for the attacked organisation's confidential data to optimise their profits, are testimony to this evolution. Awareness, vigilance and intelligence are key to combating this growing epidemic."

MONEY SPEAKS LOUDEST
Ransomware is a variation on the old data breach, points out Tim Mackey, who is principal security strategist at the Synopsys Cybersecurity Research Centre. "In effect, the cyber criminals have discovered a new way to monetise their investment in both attack techniques and processes. If my comments make it sound like cyber criminals are behaving like businesses, that's because they are. If you consider the lifecycle of an attack, the entry point might be a phishing attack or the exploitation of a vulnerability.

"The team discovering that entry point might then install some command-and-control software, at which point they can sell access to the system. A buyer of that access then uses the compromised systems for their purposes, which might include exfiltration of data or a combination of ransomware and data exfiltration.

"Defending against these attacks starts with first principles. If an attacker is unable to readily exploit a weakness in people, process or technology, then they can't execute their attack and move on to an easier target. Identifying weaknesses is the province of threat models and such models recognise that no security is perfect. Instead, they focus on identifying the threat, then defining reasonable protections to mitigate the threat, and lastly monitoring for indications that someone has successfully used the threat in an attack.

"Avoiding being targeted is easy - resist the urge to pay the ransom. There is no guarantee that decryption keys provided by an attacker will completely restore a system and, once you pay, your identity and willingness to pay ransoms is data that can be sold as part of a post-attack monetisation plan," he concludes.