Ransomware has been the scourge of businesses for some time now, and it doesn’t seem that there is an end in sight where the impact to business is concerned.
Recent research found the average ransom payment paid had decreased by a third in the final quarter of 2020, dropping to $154,108 in Q4 from $233,817 in Q3. This was attributed to victims choosing not to give into demands for payment, not that attacks are diminishing overall.
Ransomware purveyors have responded to these trends by adapting their techniques to increase compliance for payment demands. In the past, organizations could take precautionary steps against ransomware attacks by assuring critical data was backed up off-site so it can be restored in the case of a successful attack.
Adversaries introduced a “double extortion” strategy where the target’s data is not just encrypted and held for ransom, but is exfiltrated first with the threat of being made public if the victim refuses to pay the ransom demand, effectively undermining data backups as an effective remediation tactic.
Speaking on a recent SANS Institute keynote, Chris Krebs, former director of the Cybersecurity and Infrastructure Security Agency (CISA) in the United States Department of Homeland Security said one of the issues around ransomware was that businesses were unaware of how much impact there was.
“We are on the verge of a national emergency, if we’re not already there, just because of the death of a thousand cuts that ransomware actors lob against us” Krebs said. He also claimed that while nation state actors will tend to be more elusive after entering a network, ransomware attackers “walk in, waving their flag on your screen and telling you what they are up to.”
According to one study, one in four incident response engagements were related to ransomware in 2020, an increase from one in ten in 2018. Brian Honan, CEO of BH Consulting, said a client had 15 out of 16 servers locked down by ransomware, and they had to be recovered manually.
“Not all clients have been as lucky, we have been called in to help some companies but because they have had poor backup practises in place have not been able to recover their systems,” Honan said.
The fact is that ransomware attacks are still happening regularly, and it is still hitting businesses hard despite all of the warnings from the past about city councils going back to pen and paper and having services affected for weeks. As Krebs said, the attackers do not enter and operate silently; their malware is noisy and demands attention from the victim.
So is it considered who was behind the attack when it comes to recovery? Honan said none of the victims he had dealt with had considered who was behind the attacks, they were more concerned with how to recover and how to prevent it happening again.
“While many cybersecurity professionals may like to think their adversaries are high tech nation sponsored actors and APTs, the real threat is coming from ordinary cyber-criminals,” he said. “Many of these cyber-criminals are successful not because they are sophisticated, but rather that many of their attacks are successful due to poor security hygiene in the victim companies.”
The tactics for attack are all too easy: access via insecure Remote Desktop Protocol (RDP) configurations, clever phishing emails, browsing to a site infected with malware from a computer that was not fully patched or had up to date anti-virus installed, or not having effective backup controls in place. Defence can seem all too easy, but the attacks are just easy too.
Stuart Coulson, director at Hidden Text, said three factors have enabled ransomware to be an issue. The first involves criminals who have access to tooling that can create an entire ransomware campaign in seconds, creating a believable email campaign that would fool most average users using a click-and-create template.
“The outcome is paid in an untraceable way back to them, and so it is a fairly safe criminal campaign to run,” Coulson said. “All they need now are targets that are easy to penetrate through the human intuition and security tooling to infect the critical parts of the company to make the maximum effect.”
The second factor is the media, as where a small organisation being hit with ransomware would have not been covered, newswires were able to publish “pages, blogs, videos, panel debates and so on” on a smaller incident, as people are more likely to pick up on keywords.
Coulson said: “We also have to tie in that the general internet population are apathetic to cyber news, so everything is now becoming amped up and I would argue to an unreasonable level too.”
The third factor is the global pandemic, which he called “possibly one of the greatest opportunities for any criminal” as the workforce was suddenly displaced, working on kit being shared with other people, away from the security of the office, on insecure internet connections and under a great deal of stress caused by the uncertainty created by the pandemic.
“So many companies were left wide open to attack, and so the criminals exploited the vulnerable stressed employees on insecure internet connections and were able to infect entire companies, all with a simple click,” Coulson said.
Coulson argued that this is the reason why we see more awareness of ransomware, and it is not the case that there are more attacks. “I think they are consistent, but I do think with increased reporting, slower news cycles and this new style of attack, the stories are certainly circulating more.”
I’ve personally been covering ransomware for the best part of a decade and it’s a shame that it has continued to be such an issue for businesses, and they don’t seem to be learning anything from other instances. Focusing less on who did it and more on how to keep your organisations from being impacted by ransomware would be a great starting point.
Raywood has covered ground-breaking stories such as Stuxnet, Flame and Conficker, the online hacktivist campaigns of Anonymous and LulzSec, and broke the news on the EU’s mandatory data breach disclosure law (now a major part of the GDPR). In his day job at Infosecurity Magazine, he looked after the official webinar channel and contributed to the twice-annual Online Summit, writing articles for the print magazine and website. He has spoken at events including 44CON, SteelCon, Infosecurity Europe, SecuriTay and BSides Scotland.