In the history of computer hostility, there has never been a threat type that inspires more alarm than ransomware. This isn’t fear, uncertainty and doubt; if anything, until recently, the threat posed by ransomware was most often underestimated.
Experts divide most cyberattacks into three types. The first is simply a denial of service (DoS), which makes it impossible to use or access a resource such as a server, application, or website.
The second type targets data by corrupting it, stealing it, or making it unavailable somehow, as in data breaches. The third and final type tries to steal money directly, for example through business email compromise (BEC) or phishing attacks on bank customers.
What makes ransomware so devastating is that it uniquely does all three simultaneously, an incident load most organizations find almost impossible to manage.
Although the concept of computer extortion has been around since the late 1980s, ransomware as we know it today is a phenomenon that emerged in the early-to-mid 2000s. The first examples were experimental and lacked a reliable, untraceable payment mechanism for extortion demands. The invention of virtual currencies such as Bitcoin solved that issue, and around 2013, commercial ransomware attacks surged.
The first attacks encrypted the files of single users, demanding small-dollar sums for a decryption key. Eventually, the attackers started targeting small businesses, at which point the ransoms got bigger. These days, attacks target organizations of any size, with ransoms reaching into the millions.
Eventually, defenders countered with better backup routines, which prompted attackers to move to a second tactic: stealing data and ransoming that on pain of public release. In 2021, attackers started adding a third approach by threatening to extort a company’s customers and partners directly. Around the same time, ransomware gangs added a fourth tactic, one they had used in early attacks: DDoS, sometimes targeted at VoIP phone lines as well as websites and email servers. The genius of extortion as a crime is that there is no end to the possibilities.
This shows the evolution from single extortion (encryption) to double extortion (data exfiltration) to triple extortion (attacking customers directly) to quadruple extortion (DDoS). Ransomware gangs have recently added a fifth and final tactic, that of destructive wiper attacks.
Recent ransomware is so challenging because all of these can occur in a single attack launched from integrated ransomware-as-a-service (RaaS) platforms.
What, if anything, can we do to counter ransomware?
Every ransomware advice section tells defenders to make sure they have good backups. Implementing this, however, can be more complicated than simply scheduling more regular offline backups.
Ransomware targets backups, which is why organizations have moved to a system of immutable backups. These backups can’t be changed or modified within a pre-set period of hours or days. While useful, this is not a magic shield. It does not, for instance, guarantee the immutability of older data when attackers penetrated the network weeks or months earlier.
Likewise, some immutable systems don’t secure metadata and indexes, which attackers can still target. And as with any backup, restoring can be time-consuming.
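The immutability caveat above, as an added example that is not part of the original article: it labels each backup by whether it predates the intrusion and whether its lock is still in force. The catalog, dates, lock windows and function names are constructed assumptions, and the model is a simple fixed lock period per backup.

```python
from datetime import datetime, timedelta

# Constructed sample data: eight weekly backups, 7 Jan to 25 Feb 2024.
CATALOG = [(f"weekly-{i:02d}", datetime(2024, 1, 7) + timedelta(weeks=i))
           for i in range(8)]
NOW = datetime(2024, 3, 1)          # day the attack is discovered (constructed)
COMPROMISE = datetime(2024, 1, 20)  # estimated first intrusion (constructed)


def classify(catalog, lock_window, first_compromise, now):
    """Label each backup by whether it predates the intrusion and whether
    its immutability lock (taken + lock_window) is still in force."""
    labels = {}
    for backup_id, taken in catalog:
        clean = taken < first_compromise    # taken before the attacker got in
        locked = taken + lock_window > now  # lock has not yet expired
        labels[backup_id] = (
            ("clean" if clean else "suspect") + ", " +
            ("locked" if locked else "lock expired")
        )
    return labels


def safe_restore_points(catalog, lock_window, first_compromise, now):
    """Backups that are both pre-intrusion and still immutable."""
    labels = classify(catalog, lock_window, first_compromise, now)
    return [b for b, label in labels.items() if label == "clean, locked"]


if __name__ == "__main__":
    for days in (14, 60):
        window = timedelta(days=days)
        print(f"lock window {days} days:")
        for backup_id, label in classify(CATALOG, window, COMPROMISE, NOW).items():
            print(f"  {backup_id}: {label}")
        print("  safe restore points:",
              safe_restore_points(CATALOG, window, COMPROMISE, NOW))
```

With the 14-day lock, every backup that is still immutable was taken after the intrusion date, so no restore point is both clean and protected; the 60-day lock leaves two.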
Virtually all ransomware attacks start with a compromise of the endpoint, typically a PC or server. Protecting these is vital, with the traditional defence being a security agent. Unfortunately, these will occasionally fail, which leaves most organizations relying on network security tools to spot anomalous traffic.
One of the most typical reasons that ransomware attacks have become so severe is that attackers can lurk inside infrastructure for a long time. With managed detection and response (MDR), incursions are more likely to be spotted sooner rather than later. The benefit of MDR is that it integrates endpoint and network tools under one platform, allowing better detection and automated remediation, alert prioritization, and response.
Zero trust isn’t a technology but a set of principles that can help lock down a company’s infrastructure from attacks. The basic tenet is that no connection or user should be automatically trusted. Every new access should be subject to a range of checks and adequately authenticated. This process should be applied to all accounts, especially privileged admin accounts for access such as RDP, which is often targeted by ransomware, as well as to service providers and supply chain partners.
Patching often catches organizations out. A good example is the 2021 ProxyLogon vulnerability affecting Microsoft Exchange, which attackers rapidly exploited. Many servers had yet to be patched despite the urgency, encouraging ransomware attacks. The lesson? A vulnerability this universal will be exploited soon after becoming public knowledge, and defenders must treat repairing it as an emergency.
Assume a compromise will happen. What then? Every ransomware 101 mentions having a response plan. However, in many cases it’s not so much the lack of a plan that catches organizations out as the fact that it hasn’t been stress tested. A stress test will look at the human response and communication chain and the integration between different layers of technology.
The final process is clean-up and forensics, where organizations iron out mistakes to prevent repeat incidents. A common weakness is that organizations’ logs don’t go back far enough. Many ransomware attacks probably go back months. Thus it’s best to assume that 30 days of logs won’t be enough to spot the source of a compromise.