Simon Roe, Application Security Product Manager at the cloud and wireless threat detection platform Outpost24 looks at ransomware and how to protect your business.
Ransomware is malware that encrypts a victim’s files and demands payment for their release. Affected organisations are often given detailed instructions on how to pay the ransom fee and obtain the decryption key; these demands can range from a few thousand dollars to millions, payable to cybercriminals in cryptocurrency. In recent years, ransomware has gone from a niche threat to a global menace following high-profile incidents, with attacks soaring by 288pc in the first half of the year alone. Worryingly for security professionals, the scale and impact of these attacks have exploded with the use of the double extortion technique, in which data is not just encrypted but also stolen and posted to the Dark Web for maximum impact. Hackers are even applying sales best practices in ransomware attacks, suggesting that they are part of a well-drilled and organised machine targeting unsuspecting victims, including one in three hospitals.
Despite the news coverage that it has received, many businesses are not prepared for the risk of ransomware. But how has ransomware evolved to become so efficient and ruthless in 2021?
Business Model Evolution: Ransomware-as-a-service
As the pandemic gripped the world, businesses were forced to adapt, many in a sink-or-swim predicament, and this led to a proliferation of gaping attack vectors ripe for exploitation. Seeing the opportunity, a growing number of hacking organisations have set up ransomware-as-a-service (RaaS) franchises, collaborating with and permitting other hackers to use their tried and tested encryption tools and infrastructure for a percentage of the ransom collected. This allows the RaaS franchise to scale its operations by attracting talented hackers (as franchisees) and performing more attacks without doing the heavy lifting. The common situation we have observed is ransomware gangs using initial access brokers (IABs) to gain a foothold in an organisation’s network. These are individuals or groups who have managed to quietly obtain access to a corporate network or system through means including, but not limited to, stolen credentials, brute-force attacks, or the exploitation of known vulnerabilities.
Some of the most notorious threat actors operating on the RaaS market are Darkside, Avaddon, Lockbit, and REvil, to name but a few. These gangs have formed working business relationships with IABs as they present a unified front against vulnerable businesses.
One of the most devastating ransomware attacks in recent history is the unfortunate attack on the IT management platform Kaseya. A malicious update to Kaseya’s VSA software, carrying a custom dropper bundled with an older version of Windows Defender, was developed and pushed to customer infrastructure to deliver the malicious payload. While Kaseya estimates that 40 organisations were impacted, the attack succeeded because of a vulnerability that had slipped under the radar. The problem is that the company itself did not know how the threat actor found a way to exploit this weakness, leaving it open to such a devastating event.
Colonial Pipeline was forced to shut down its entire IT infrastructure following a ransomware attack at the hands of the cybercrime gang DarkSide. The group stole over 100GB of data from the pipeline company after infiltrating its network and demanded a ransom of around $5 million from the victim organisation. DarkSide, an Eastern European group, caused a six-day outage for Colonial Pipeline; while no pipelines were physically affected, fuel flows were cut off because the company’s customer billing system was taken down in the attack. To contain the attack, Colonial Pipeline had to shut down 5,500 miles of fuel pipeline supplying the US East Coast, causing an increase in oil prices. Colonial Pipeline in fact met the ransom demand, an amount close to US$5 million, in order to obtain the necessary decryptors. However, the decryptors were “too slow”, so the company’s backups were also used to restore normal service.
Limiting your security exposure with risk-based vulnerability management
When we think about the attack scenarios above, they may conjure a sense of fear, but that is exactly what cybercriminals want. There are, however, several steps businesses can take to gain the upper hand against their techniques. One of the key entry points into corporate networks is common vulnerabilities and exposures (CVEs).
CVEs are usually a criminal’s first way into a company, but they can also be the deciding factor for blue team cybersecurity units seeking to lock down suspicious activity before it becomes an incident. Remediating them effectively shrinks your attack surface and helps manage risk, which in turn deters many cybercriminals, who tend to look for the easiest target.
If you only take note of ransomware as it hits the news, then it may already be too late. Cybercriminals work with ruthless efficiency, meaning that you need an evolving, real-time understanding of your threat profile. To achieve this, enterprises must practise continuous vulnerability assessment and make the most of threat intelligence to detect and mitigate the risks in their own digital environment. This helps to raise security hygiene and stop ransomware before it finds a way in. By constantly scanning internal systems against the external threat landscape, businesses gain a clearer view of their risk profile and can take relevant action. In the age of ‘alert fatigue’, access to threat intelligence is pivotal to any risk-based security strategy: it allows businesses to focus on fixing the vulnerabilities that pose a real risk, rather than making assumption-driven remediation decisions.
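To make the risk-based prioritisation described above concrete, here is an added Python example (not from the article or from Outpost24’s product) that ranks constructed scan findings by exposure and threat-intelligence context rather than by CVSS alone; all CVE ids, hostnames, intel sets and weights are constructed placeholders.

```python
"""Added example: risk-based ranking of vulnerability scan findings.
Every CVE id, host and intel list below is a constructed placeholder,
and the weights are illustrative assumptions, not a published formula."""
from dataclasses import dataclass

# Constructed threat-intelligence feeds (placeholder ids, not real CVEs).
ACTIVELY_EXPLOITED = {"CVE-XXXX-0002", "CVE-XXXX-0004"}
RANSOMWARE_LINKED = {"CVE-XXXX-0002"}


@dataclass(frozen=True)
class Finding:
    cve: str
    host: str
    cvss: float            # base score 0-10 reported by the scanner
    internet_facing: bool  # external exposure observed by the scanner


def risk_score(f: Finding) -> float:
    """Combine CVSS with exposure and intel context into a 0-100 score."""
    score = f.cvss * 4.0          # CVSS alone can contribute at most 40
    if f.internet_facing:
        score += 20               # reachable from the internet
    if f.cve in ACTIVELY_EXPLOITED:
        score += 25               # exploitation seen in the wild
    if f.cve in RANSOMWARE_LINKED:
        score += 15               # associated with ransomware campaigns
    return min(score, 100.0)


def prioritise(findings: list[Finding]) -> list[tuple[str, str, float]]:
    """Return (cve, host, score) tuples with the riskiest finding first."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return [(f.cve, f.host, risk_score(f)) for f in ranked]


# Constructed scan output: a CVSS-critical but unexploited internal bug
# versus a lower-CVSS, internet-facing bug that ransomware crews use.
SAMPLE = [
    Finding("CVE-XXXX-0001", "db01.internal", 9.8, False),
    Finding("CVE-XXXX-0002", "vpn.example.com", 7.5, True),
    Finding("CVE-XXXX-0003", "file01.internal", 5.3, False),
    Finding("CVE-XXXX-0004", "mail.example.com", 6.1, True),
]

if __name__ == "__main__":
    for cve, host, score in prioritise(SAMPLE):
        print(f"{score:5.1f}  {cve}  {host}")
```

Note that the CVSS 9.8 internal finding drops to third place behind two lower-scored but exposed and actively exploited issues, which is the point of fixing what poses a real risk first.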
If the past several months are anything to go by, then the ransomware epidemic will likely become worse before it gets better. If you fail to prepare and follow security best practice, then you should at least prepare a contingency plan for a ransomware hit. No business wants to be forced to shut down operations because of a security incident, and potential customers have a long memory when it comes to high-profile data breaches and buying decisions. This means that cybersecurity can be a business differentiator, not just by preventing ransomware from impacting your critical systems, but by allowing you to earn customer trust ahead of the competition and limit disruption to vital services like healthcare.