Where is ransomware headed next and what can businesses do to defend themselves? Security professionals have been asking themselves these questions with increasing frequency ever since this type of malware attack first emerged as a criminal business around 15 years ago. The problem is that every time the questions are posed, a slightly different answer comes back.
The evolution of ransomware has been so rapid in the last five years that getting a handle on it can be a challenge. It started as a simple denial-of-data attack, encrypting business-critical files to extort a few hundred dollars. Eventually, the attackers noticed that they were catching even bigger companies and sensed the desperation of their victims. Ransom demands then started to rise, quickly spiralling from hundreds into thousands and eventually millions.
The latest trend is double extortion, where attackers steal data before encrypting it and threaten to publish it to increase pressure on victims; and triple extortion, where the attackers also contact the victim’s clients or suppliers directly, threatening to expose their data gathered from the victim’s network. An example of triple extortion was seen at Vastaamo, a psychotherapy clinic in Finland, in late 2020, when patients themselves received ransom demands. That’s the thing about ransomware: every time you think you’ve seen the last and best innovation, cyber criminals come up with something new.
But the most important innovation of all has been happening behind the scenes to the ransomware business model. At some point, criminal groups realised they could market their malware systems by turning ransomware into a service, otherwise known as ransomware-as-a-service (RaaS). The genius of this isn’t that it makes ransomware more sophisticated or effective – it reached those goals long ago – but more accessible. Suddenly, ransomware has become a service like any other and criminals who lack the technical ability to engineer their own malware can get a cut of the action by renting the know-how.
While traditional attacks and ransomware often share many of the initial attack vectors, it is their impact that sets them apart. While traditional exfiltration attacks largely result in secondary losses: reputational damage, regulatory fines or litigation – ransomware in contrast results in primary losses: an organisation’s inability to deliver its mission. Now this democratisation raises ransomware’s risk profile another notch by raising the frequency component of risk too. High profile attacks by specialist threat groups such as REvil, Conti and BlackMatter get most of the attention, but it is the numerous less well known groups that have adopted RaaS that might end up doing more damage. For most organisations, RaaS-style attacks are now the threat to watch.
Can anything stop it?
It’s become obvious from the number of successful attacks and the constant effort spent recovering from malware outbreaks that traditional security layers such as endpoint and network security cannot by themselves provide a degree of protection that leaves an acceptable level of residual risk. This remains true even though many products have been rebranded as anti-ransomware products, and despite record investment in cyber security generally. Clearly, something deeper is amiss.
The confidence crisis engendered by attacks has driven the market for cyber insurance, which has grown from almost nothing around 2013 to a booming market sector today. The effect of insurance is controversial on several levels. Some argue it makes organisations more likely to pay ransoms in the knowledge that some or all of the cost will be covered by their policy. If attackers have factored in this willingness to pay, then it’s plausible that ransomware insurance is making things worse in the long run. In addition, insurance is designed for high-impact, low-frequency events, and, as discussed, the growth of RaaS shows that ransomware is rapidly becoming a high-impact, high-frequency event.
There is already pressure from US lawmakers to regulate the response to ransomware attacks by making payments illegal, limiting their size, or expanding mandatory notification. These calls have been given extra impetus by US Treasury figures showing that ransomware transactions have reached record highs during the first half of 2021.
The takeaway message for organisations worried about ransomware is don’t believe the hype. You can stick the word anti in front of the word ransomware as often as you like, but what saves organisations in the end is not the latest voodoo technology but the quality of their internal assessment, organisational cyber resilience, recovery and incident response.
Enterprises can have as many as 130 different security tools at their disposal. By that stage, what counts isn’t how good any one of these is at detecting ransomware but how well orchestrated and automated they are as a whole system. For organisations, frameworks such as MITRE ATT&CK (a catalogue of adversary tactics, techniques and procedures, or TTPs) and MITRE D3FEND (a catalogue of defensive techniques, or countermeasures, mapped to those TTPs) are a huge aid when it comes to assessing the security claims of vendors and matching threats to defences: list the TTPs a ransomware intrusion needs, list the D3FEND countermeasures each tool actually claims, and the gaps and single points of failure become visible.
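The gap check just described, as an added example that is not code from the original article or from MITRE. The ATT&CK and D3FEND identifiers are real, but the mapping between them below is an illustrative assumption (D3FEND relates offensive techniques to countermeasures indirectly, through digital artifacts, so an organisation should derive its own mapping from the framework rather than copy this one), and the vendor claims are constructed sample input. The point it shows is the shape of the assessment: a technique is only mitigated if some tool covers a countermeasure in each relevant D3FEND tactic, and a countermeasure that only one tool provides is a single point of failure in the orchestrated whole.

```python
"""Illustrative ATT&CK-to-D3FEND coverage gap check (added example)."""
from collections import defaultdict

# Constructed ransomware intrusion chain, keyed by real ATT&CK technique ID.
RANSOMWARE_TTPS = {
    "T1566": "Phishing",
    "T1078": "Valid Accounts",
    "T1021.001": "Remote Desktop Protocol",
    "T1059.001": "PowerShell",
    "T1490": "Inhibit System Recovery",
    "T1486": "Data Encrypted for Impact",
}

# ASSUMPTION: illustrative mapping of each TTP to relevant D3FEND
# countermeasures as (technique id, tactic). T1490 is deliberately left
# unmapped to show how an unassessed technique is reported.
COUNTERMEASURES = {
    "T1566": [("D3-FA", "Detect"), ("D3-MFA", "Harden")],
    "T1078": [("D3-MFA", "Harden"), ("D3-NTA", "Detect")],
    "T1021.001": [("D3-MFA", "Harden"), ("D3-NTA", "Detect")],
    "T1059.001": [("D3-EAL", "Harden"), ("D3-PA", "Detect")],
    "T1490": [],
    "T1486": [("D3-FA", "Detect"), ("D3-PA", "Detect")],
}

# Constructed vendor claims: tool name -> D3FEND technique IDs it says it covers.
TOOL_CLAIMS = {
    "edr": {"D3-PA", "D3-FA"},
    "email-gateway": {"D3-FA"},
    "ndr": {"D3-NTA"},
}


def _tools_per_countermeasure(claims):
    """Invert the claims: D3FEND technique id -> set of tools claiming it."""
    tools_for = defaultdict(set)
    for tool, ids in claims.items():
        for d3 in ids:
            tools_for[d3].add(tool)
    return tools_for


def coverage_by_ttp(claims=TOOL_CLAIMS, countermeasures=COUNTERMEASURES):
    """Return {ttp: {d3fend_id: sorted list of tools claiming it}}."""
    tools_for = _tools_per_countermeasure(claims)
    return {
        ttp: {d3: sorted(tools_for.get(d3, ())) for d3, _tactic in cms}
        for ttp, cms in countermeasures.items()
    }


def tactic_gaps(ttps=RANSOMWARE_TTPS, claims=TOOL_CLAIMS,
                countermeasures=COUNTERMEASURES):
    """Return only the TTPs with a gap: {ttp: ["unmapped"]} when no
    countermeasure has been mapped at all, otherwise {ttp: [tactics]} for
    every D3FEND tactic in which no mapped countermeasure is covered by any tool."""
    cov = coverage_by_ttp(claims, countermeasures)
    gaps = {}
    for ttp in ttps:
        cms = countermeasures.get(ttp)
        if not cms:
            gaps[ttp] = ["unmapped"]
            continue
        covered, uncovered = set(), set()
        for d3, tactic in cms:
            (covered if cov[ttp][d3] else uncovered).add(tactic)
        missing = sorted(uncovered - covered)
        if missing:
            gaps[ttp] = missing
    return gaps


def single_tool_dependencies(claims=TOOL_CLAIMS, countermeasures=COUNTERMEASURES):
    """D3FEND techniques that some TTP relies on and that exactly one tool
    claims: if that tool is missed by orchestration, the control disappears."""
    tools_for = _tools_per_countermeasure(claims)
    needed = {d3 for cms in countermeasures.values() for d3, _ in cms}
    return {d3: next(iter(tools_for[d3]))
            for d3 in sorted(needed) if len(tools_for[d3]) == 1}


if __name__ == "__main__":
    for ttp, missing in tactic_gaps().items():
        print(f"{ttp} ({RANSOMWARE_TTPS[ttp]}): gap in {', '.join(missing)}")
    for d3, tool in single_tool_dependencies().items():
        print(f"{d3} depends on a single tool: {tool}")
```

On the constructed input every technique that needs a Harden countermeasure is reported as a gap, because no tool claims D3-MFA or D3-EAL; T1490 is reported as unmapped rather than silently passed, which is the failure mode a vendor coverage slide will not show you; and D3-PA and D3-NTA each rest on one tool. Replace the two input tables with your own mapping and your actual tool inventory to run the same check for real.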
A fundamental part of resilience and response is the level of integration between the IT and cyber security functions. Today, in many organisations, they are either separate or merely overlap in some areas. This means that prevention and detection will be the job of the security team, while incident response straddles the two. Recovery, the most important function of all, will be entirely down to the IT team.
This might have worked for old-world cyber security incidents, but it is a glaring weakness against ransomware, where every second counts. In practice, detection, remediation and recovery must run as parallel rather than sequential processes, and ideally the tools in use within the two teams should support automating and orchestrating them, lowering costs and driving up efficiency and effectiveness. That implies a single team with different tasks rather than separate departments relying on personal relationships and ad-hoc communication.
It’s critical that organisations grasp that the current era of ransomware is not going to end so long as cyber criminals are able to evade the law and reap huge profits. It’s far too tempting a business model, made even easier to gain entry to by the advent of RaaS.
Ransomware, in any form, is not a temporary problem or passing fad. Dating from 1989, it’s been a steadily growing menace for most of the last 20 years. What is certain is it will continue to evolve – ransomware’s innovations have a way to go yet. Defenders should assume the worst and hope for the best in a world in which outwitting and surviving extortion attacks has become the next must-have competitive advantage.