Ransomware: A world under threat

Ransomware has threatened many organizations over the past few years. In this article, Robert Sheldon explains the history of ransomware and what needs to be done to protect against it.

Ransomware represents one of the biggest security threats faced by today’s organizations. A ransomware attack can have a devastating impact on an organization, and few organizations are immune from the threat. It doesn’t matter the organization’s size, type, or location. It could be a university, city government, school district, small business, private corporation, or another type of institution. Any entity whose operations rely on computers and the flow of data is at risk from a ransomware attack, and if the attack is successful, it could cost the organization millions, whether or not the ransom is paid.

What is ransomware?

Ransomware is a form of malware that prevents organizations from accessing their data or systems. Threat actors who carry out ransomware attacks hold the data or systems hostage until a ransom is paid. Individuals can also be hit with ransomware, but most crooks are looking for bigger payoffs, and those come from public and private organizations, especially those that rely heavily on their data to carry out day-to-day operations. A ransomware attack can, in fact, bring an organization to its knees, preventing it from conducting business and often leading to the loss of critical data.

Ransomware attacks vary substantially from one to the next and are continuously evolving. They range in scope, types of targets, and amounts of ransoms they demand. Even so, they generally follow similar steps:

  1. Threat actors use an attack vector to gain access to a target system or network, where they introduce the ransomware. Common attack vectors include phishing, spear phishing, malvertising, malicious websites, stolen credentials, and social engineering campaigns. Ransomware can also be introduced through the use of other malware.
  2. After the ransomware penetrates a system, it carries out whatever operations it was designed to do, often spreading to other nodes on the network. Threat actors might introduce ransomware that exploits known vulnerabilities in order to gain access to restricted resources, or they might use social engineering techniques in conjunction with ransomware to get to these resources. Most ransomware either locks up computers or encrypts files; attacks against organizations most commonly rely on encryption. In most cases, ransomware victims are not aware of an attack until it’s too late.
  3. Once the ransomware has taken control of the data or systems, the threat actors make their ransom demands known to the victim. For example, if the ransomware has encrypted sensitive data, the threat actors might demand that the victim make a payment in the form of cryptocurrency (such as Bitcoin). In exchange, the victim will receive the decryption key. If the victim does not make the payment within the deadline, the threat actors might demand a higher ransom. If the victim refuses to pay the ransom altogether, the data will never be decrypted.

When planning their ransomware attacks, threat actors often carry out extensive research on the target organizations, discovering what they can about their financial circumstances, the types of regulations that govern their data, what it could cost them to have their data locked, and any other information that might be useful when making their ransom demands. It cannot be overemphasized how sophisticated ransomware attacks have become and how much planning and research often go into them.

An image representing a phishing attack

Figure 1. Threat actors commonly use phishing to introduce ransomware into a target system (image by Mohamed Hassan).

In the early days of ransomware, attacks primarily targeted individual users, and although this still occurs, threat actors have come to realize that they can make a lot more money by going after organizations—disrupting their business and threatening their data.

Organizations large and small are at risk from ransomware. In some cases, threat actors might launch an attack against an organization because it appears easier to infiltrate and control, such as a school district with a limited IT budget, or they might take on organizations that seem more likely to pay, such as a hospital that relies on continuous access to patient data. In recent years, universities, financial institutions, and healthcare organizations have been hit particularly hard by ransomware.

Ransomware’s insidious spread

A number of factors have helped fuel the rise in ransomware. One of the most important was the introduction of cryptocurrency, which facilitated anonymous payments and made it difficult to prosecute the criminals who launched the attacks. The dark web has also played an important role by providing threat actors with resources for carrying out their attacks. Would-be attackers can surf ransomware marketplaces, purchase malware kits, or find developers who sell ransomware as a service (RaaS), which offers ransomware for a cut of the take.

It’s no surprise that threat actors are drawn to ransomware, given the ease of getting into the business and the potential big pay-offs, and in such a climate, ransomware attacks are likely to grow more sophisticated and aggressive. According to the Sophos State of Ransomware 2021 report, which is based on the company’s annual ransomware survey, 37% of the surveyed organizations were hit by ransomware in the last year—over one-third of the 5,400 surveyed. The report also includes other notable findings:

  • Mid-sized organizations paid an average ransom of US$170,404.
  • The total costs of a ransomware attack averaged US$1.85 million, when taking into account ransom payments, downtime, personnel time, device and network costs, lost opportunity, and other factors.
  • Of those organizations that suffered a ransomware attack, 54% stated that the cybercriminals succeeded in encrypting their data in the most significant attack.
  • Of these organizations, 96% got their data back, but only 65% of the encrypted data was restored after the ransom was paid.
  • Extortion-style attacks more than doubled in the last year, up from 3% to 7%. In these attacks, cybercriminals threatened to publish the data, rather than encrypting it. It should also be noted, however, that threat actors have started to carry out double-extortion attacks in which they steal and encrypt the data and threaten to publish it online.

The rate of attacks is actually down from the previous year, when 51% of the surveyed organizations stated that they had been hit, but the drop might be due in part to evolving attack approaches, according to the Sophos report. “For instance, many attackers have moved from larger scale, generic, automated attacks to more targeted attacks that include human operated, hands-on-keyboard hacking. While the overall number of attacks is lower, our experience shows that the potential for damage from these targeted attacks is much higher.”

An image that represents ransomware

Figure 2. Ransomware attacks continue to grow more sophisticated, targeted, and aggressive (image by Katie White).

The first recognized instances of ransomware occurred in the 1980s, but it wasn’t until the 2000s that modern forms of ransomware started to appear. Initially, such attacks were confined mostly to Russia, but the picture changed dramatically by 2012, when ransomware attacks proliferated and spread across the globe. This was in large part because of the emergence of Bitcoin, which provided an anonymous platform for receiving ransom payments.

Since then, ransomware has become one of the most dominant forces in the threat landscape, producing a wide range of variants, including the following:

  • CryptoLocker. A highly powerful form of malware that first emerged in 2013 and set the stage for the type of ransomware that encrypts files on hard drives and connected devices, spreading much more easily than earlier variants.
  • WannaCry. One of the most well-known and damaging types of ransomware to hit cyberspace. WannaCry leveraged EternalBlue, a Windows exploit allegedly developed by the US National Security Agency (NSA) and then stolen by a group of hackers known as Shadow Brokers. The NotPetya ransomware also used the EternalBlue exploit.
  • SamSam. Ransomware that exploits server vulnerabilities to gain access to a network, where it lingers undetected for long periods of time. Attackers have often used the Remote Desktop Protocol (RDP) in conjunction with SamSam to infiltrate the network and search for valuable targets. One of the most notable SamSam attacks occurred in 2018 against the city of Atlanta, Georgia, which spent over $2.6 million to recover from the incident.
  • Ryuk. Ransomware often used along with other malware (such as the TrickBot banking Trojan) to infect vulnerable or high-profile targets. Ryuk emerged in 2018 and has since wreaked havoc on news agencies, healthcare organizations, school systems, and other institutions. According to the CrowdStrike 2020 Global Threat Report, Ryuk accounted for three of the top seven ransom demands for that year: USD $5.3 million, $9.9 million, and $12.5 million.
  • Egregor. Malware first identified in September 2020 that was considered a high-severity threat until US and Ukrainian authorities worked together to stop its operations. Despite its demise, Egregor represented two significant ransomware trends: RaaS and the double-extortion attack.

There are plenty of other examples of ransomware out there, and there are a growing number of examples of its consequences. Earlier this year, for instance, Colonial Pipeline fell victim to a major ransomware attack, causing the company to shut down its fuel distribution operations. Not only did this lead to widespread fuel shortages, but it also resulted in personal information being compromised. Colonial Pipeline paid $4.4 million in ransom for the decryption key.

Protecting against ransomware

According to prevailing wisdom, the best way to protect against ransomware is to prevent it from happening in the first place. This is no doubt true enough, but implementing these protections can be a significant undertaking, even under the best circumstances. That said, IT and security teams have no choice. They must be aggressive in the steps they take to protect their systems and data while at the same time preparing for how to respond to a ransomware attack if one occurs.

To protect against ransomware and other security risks, an organization needs to employ a defense-in-depth strategy that takes a multi-layer approach to security. Not only can this help to protect against different types of threats, including ransomware, but it can also minimize the impact of an attack if it should occur. Such an approach requires careful planning that takes into account ransomware protections. To this end, here are four general guidelines to consider when mapping out your security strategy:

  1. Create secure backups. Backups are your best protection against ransomware, but the backups themselves must also be safeguarded. They should be secured with the strictest protections, and at least one copy of each backup should be immutable and disconnected from the computers and networks that you’re backing up. You should also verify that your backups are complete and viable, and you should regularly test your restoration process.
  2. Secure your environment. This is a broad category that is typically part of a larger security strategy. It includes the use of security software that includes ransomware protection, and it incorporates other best practices, such as keeping all software updated and patched, controlling which applications users can install, performing regular vulnerability scans, maintaining strong access controls, using multi-factor authentication (MFA), implementing robust email security, running penetration tests, and continuously monitoring your environment for malicious activity.
  3. Train and educate personnel. An organization should have in place an awareness and training program that educates users in how to avoid ransomware and other threats. The better they understand the threat landscape, the less likely they’ll be to carry out risky behavior. For example, they should be trained in how to safely surf the web and what to do if they receive suspicious emails. IT and security teams should also receive the training they need to stay current on ransomware threats and what steps to take to best mitigate risks.
  4. Create an incident recovery plan. Regardless of how diligent an organization might be when it comes to security, no one is completely free from risk. The organization should implement an incident recovery plan that defines the roles, responsibilities, and procedures to follow when responding to a ransomware attack. The plan should also include a list of individuals and organizations to contact in the event of an attack. In addition, it should identify critical processes that need to continue uninterrupted if an attack occurs and what it will take to maintain operations without access to certain systems. IT and security teams should also practice their incident responses to ensure a smooth operation in the event of a real attack.
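The first guideline asks for backups that are verified as complete and viable and whose restoration is tested regularly. The following script is an added example, not code from the article, of what that verification can look like in practice: a SHA-256 manifest is taken at backup time, the manifest is authenticated with an HMAC whose key is assumed to live off the backed-up hosts, and a restore is compared against that manifest so that missing, corrupted, or unexpected files are reported before anyone relies on the backup. The directory layout, file contents, and key in `run_demo()` are constructed for the demonstration.

```python
"""Backup manifest and restore verification (added example; directory layout and key are constructed)."""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its digest, in sorted order."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def sign_manifest(manifest: dict, key: bytes) -> str:
    """HMAC over the canonical JSON form of the manifest (key assumed to be stored offline)."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def manifest_is_authentic(manifest: dict, tag: str, key: bytes) -> bool:
    """Constant-time check that the manifest has not been edited since it was signed."""
    return hmac.compare_digest(sign_manifest(manifest, key), tag)


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare a restored tree against the manifest taken at backup time."""
    report = {"ok": [], "missing": [], "corrupted": [], "unexpected": []}
    for rel, digest in manifest.items():
        p = restored_root / rel
        if not p.is_file():
            report["missing"].append(rel)
        elif sha256_file(p) != digest:
            report["corrupted"].append(rel)
        else:
            report["ok"].append(rel)
    for p in restored_root.rglob("*"):
        if p.is_file():
            rel = p.relative_to(restored_root).as_posix()
            if rel not in manifest:
                report["unexpected"].append(rel)
    report["restore_viable"] = not (report["missing"] or report["corrupted"])
    return report


def run_demo() -> dict:
    """Constructed scenario: back up three files, then restore with one corrupted and one missing."""
    key = b"constructed-demo-key-real-keys-stay-offline"
    sample_files = {
        "db/orders.sql": b"INSERT INTO orders VALUES (1, 'widget');\n",
        "docs/policy.txt": b"backup policy v1\n",
        "config/app.ini": b"[app]\nmode=prod\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        src, restored = Path(tmp, "source"), Path(tmp, "restored")
        for rel, data in sample_files.items():
            f = src / rel
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_bytes(data)
        manifest = build_manifest(src)
        tag = sign_manifest(manifest, key)

        # Simulate a faulty restore: docs/policy.txt never comes back, db/orders.sql is damaged.
        for rel in manifest:
            if rel == "docs/policy.txt":
                continue
            f = restored / rel
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_bytes((src / rel).read_bytes())
        (restored / "db/orders.sql").write_bytes(b"INSERT INTO orders VALUES (1, 'garbage');\n")

        # An attacker who alters the backup would also need to alter the manifest; the HMAC catches that.
        tampered = dict(manifest)
        tampered["db/orders.sql"] = sha256_file(restored / "db/orders.sql")

        report = verify_restore(manifest, restored)
        report["manifest_authentic"] = manifest_is_authentic(manifest, tag, key)
        report["tampered_manifest_rejected"] = not manifest_is_authentic(tampered, tag, key)
        return report


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Running the demo reports one missing and one corrupted file and marks the restore as not viable, which is exactly the outcome a scheduled restore test exists to surface before a real incident. Storing the signing key and a copy of the signed manifest away from the systems being backed up is what makes the manifest useful as an independent record.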

If a ransomware attack were to occur, an organization would immediately implement its incident recovery plan. In most cases, the first step would be to identify and isolate the infected devices to stop the spread as quickly as possible. If the devices can’t be disconnected from the network, they should be powered down; because powering down destroys volatile forensic evidence, this should be treated as a last resort.

The response team should also report the incident to the appropriate law enforcement and regulatory agencies and to any key players that need to be informed of the attack. The team should then fully investigate the incident, taking such steps as identifying the ransomware and assessing the damage. Once they understand the full extent of the attack, they can take the steps necessary to recover their data from the backups.
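The identification and damage-assessment steps above are where file-activity telemetry earns its keep. The script below is an added example, not code from the article, that runs over constructed file-activity log lines and reports which host and process should be isolated first and which files they touched. Two indicators are used: a burst of renames that append an unfamiliar extension to many files within a short window, and the same process writing a note file into more than one directory. The log format, the thresholds, the note file name `HOW_TO_RESTORE.txt`, and the list of extensions that benign tools append are all assumptions made for the demonstration.

```python
"""Triage of file-activity logs for ransomware-like behaviour (added example; log lines are constructed)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: an editor on ws-17, a log rotation on bk-02, and a rename burst on fs-01.
SAMPLE_LOG = """\
2021-06-01T09:00:01 host=ws-17 pid=4120 proc=editor op=write path=/home/alice/report.docx
2021-06-01T09:00:09 host=ws-17 pid=4120 proc=editor op=write path=/home/alice/report.docx
2021-06-01T09:00:30 host=bk-02 pid=881 proc=logrotate op=rename path=/var/log/app.log new=/var/log/app.log.1
2021-06-01T09:01:00 host=fs-01 pid=9912 proc=updsvc op=rename path=/srv/share/q1.xlsx new=/srv/share/q1.xlsx.locked
2021-06-01T09:01:01 host=fs-01 pid=9912 proc=updsvc op=rename path=/srv/share/q2.xlsx new=/srv/share/q2.xlsx.locked
2021-06-01T09:01:01 host=fs-01 pid=9912 proc=updsvc op=rename path=/srv/share/plan.docx new=/srv/share/plan.docx.locked
2021-06-01T09:01:02 host=fs-01 pid=9912 proc=updsvc op=write path=/srv/share/HOW_TO_RESTORE.txt
2021-06-01T09:01:02 host=fs-01 pid=9912 proc=updsvc op=rename path=/srv/share/finance/budget.xlsx new=/srv/share/finance/budget.xlsx.locked
2021-06-01T09:01:03 host=fs-01 pid=9912 proc=updsvc op=rename path=/srv/share/finance/audit.pdf new=/srv/share/finance/audit.pdf.locked
2021-06-01T09:01:03 host=fs-01 pid=9912 proc=updsvc op=write path=/srv/share/finance/HOW_TO_RESTORE.txt
this line is not a well-formed event and is skipped by the parser
"""

# Assumed log format: "<iso-timestamp> host=.. pid=.. proc=.. op=.. path=.. [new=..]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) pid=(?P<pid>\d+) proc=(?P<proc>\S+) "
    r"op=(?P<op>\w+) path=(?P<path>\S+)(?: new=(?P<new>\S+))?$"
)
WINDOW = timedelta(seconds=60)      # sliding window for the rename burst (assumption)
RENAME_THRESHOLD = 5                # renames with a new extension inside WINDOW (assumption)
NOTE_NAME = "HOW_TO_RESTORE.txt"    # constructed note file name, not tied to any real family
KNOWN_EXTENSIONS = {".bak", ".tmp", ".1", ".gz"}  # suffixes benign tools append (assumption)


def parse(lines):
    """Turn raw lines into event dicts; malformed lines are dropped rather than crashing triage."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.fromisoformat(d["ts"])
        events.append(d)
    return events


def added_extension(old, new):
    """Return the suffix a rename appended (a.xlsx -> a.xlsx.locked gives '.locked'), else None."""
    if new and new.startswith(old) and len(new) > len(old):
        return new[len(old):]
    return None


def triage(lines):
    """Return flagged (host, process) pairs with their indicators and the files they renamed."""
    events = sorted(parse(lines), key=lambda e: e["ts"])
    windows = defaultdict(deque)    # key -> recent (ts, path) renames with an unfamiliar suffix
    note_dirs = defaultdict(set)    # key -> directories that received the note file
    affected = defaultdict(list)    # key -> renamed file paths, for damage assessment
    findings = {}
    for e in events:
        key = (e["host"], e["pid"], e["proc"])
        ext = added_extension(e["path"], e["new"]) if e["op"] == "rename" else None
        if ext and ext not in KNOWN_EXTENSIONS:
            q = windows[key]
            q.append((e["ts"], e["path"]))
            while q and e["ts"] - q[0][0] > WINDOW:
                q.popleft()                      # forget renames older than the window
            affected[key].append(e["new"])
            if len(q) >= RENAME_THRESHOLD:
                findings.setdefault(key, set()).add("mass_rename")
        if e["op"] == "write" and e["path"].rsplit("/", 1)[-1] == NOTE_NAME:
            note_dirs[key].add(e["path"].rsplit("/", 1)[0])
            if len(note_dirs[key]) >= 2:
                findings.setdefault(key, set()).add("ransom_note_drop")
    return {
        f"{host}:{proc}[{pid}]": {"flags": sorted(flags), "affected_files": affected[(host, pid, proc)]}
        for (host, pid, proc), flags in findings.items()
    }


def hosts_to_isolate(lines):
    """Hosts with at least one flagged process; the isolation step starts here."""
    return sorted({k.split(":")[0] for k in triage(lines)})


if __name__ == "__main__":
    for name, detail in triage(SAMPLE_LOG.splitlines()).items():
        print(name, detail["flags"], len(detail["affected_files"]), "files")
    print("isolate first:", hosts_to_isolate(SAMPLE_LOG.splitlines()))
```

On the sample, only `fs-01` is flagged: the editor on `ws-17` and the log rotation on `bk-02` fall under the known-extension and threshold rules. The list of renamed files per flagged process gives the response team a first scope of the damage to carry into the backup-restoration step.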

The continuous threat of ransomware

When organizations are victims of ransomware attacks, the question always arises of whether they should pay the ransom. Law enforcement agencies such as the FBI generally advise against paying. One reason for this is that the attackers might never provide the decryption key. And even if organizations pay, they might be targeted again by the same attackers or gain a reputation as susceptible targets. Some would also argue that paying the ransom only encourages more such attacks. Even so, many organizations pay the ransom anyway, seeing it as a better option than losing all their data, especially if they cannot operate without that data.

Whether or not they pay, ransomware is here to stay. It will continue to evolve, and attacks will become more sophisticated and targeted. It might not be long before criminals move from computers and data to critical infrastructure, such as smart cities or industrial control systems, hijacking an entire ecosystem until the ransom is paid. Yet even in its current form, ransomware represents a significant threat to both public and private sectors, targeting organizations at all levels. Only by taking steps to protect against ransomware and to prepare for a possible attack can organizations hope to avoid or minimize the potential havoc that ransomware can wreak.