Immanuel Chavoya, emerging threat detection expert at SonicWall, discusses how businesses can stay protected against customisable ransomware and the wider cyber weapons arms race
The Chaos ransomware strain has recently developed its 6th version — dubbed ‘Yashma’ — based on its very own ‘builder’, which is unrecognisably advanced in comparison to where it first started. As this ransomware builder continues to rapidly evolve, it begs the question: how can the good guys keep up?
The incredible advantage of customised ransomware
Ransomware has exponentially evolved at an alarming rate, particularly in the past five years since WannaCry, not only in volume but in its attack vectors. In 2021 alone, there was a record 65 per cent increase in ‘never-seen-before’ malware strains. This proves how bad actors are getting smarter in the development of evolutionary strains, showcasing how the Chaos ransomware evolutionary journey is one small fish in a much larger sea.
Yet, what really sets this strain apart is its function as a ‘customisable ransomware builder’. This means it is on public sale, so any malicious actor can get their hands on it and later use it as the basis to develop their own insidious ransomware strains. In the past, threat actors had to recruit in dark web forums, including penetration testers and developers, to get their cyber threat groups off the ground. Today, however, with the development of commodity ransomware builders, as lucrative as ransomware is, the barrier to entry of networks is much lower. Now, less advanced threat actors can make their own attempts at wreaking havoc with a successful ransomware attack. This will most likely impact a further proliferation of attacks in the very near future.
Cyber criminals are ahead of the cyber security industry, and are at no shortage of skills within their organisations. Such agile processes adopted by threat actors can only mean we will see threats evolve faster than the defence can adapt with each new strain deployed. Seeing ransomware attacks proliferate a staggering 105 per cent last year, alongside the development of new strains, what does this ever-evolving cyber landscape mean for the enterprise?
No rest for the wicked
In the midst of the cyber weapons arms race, organisations are fighting to defend against increasingly sophisticated cyber criminals, but all is not lost; cyber security experts are working tirelessly to stay one step ahead. As threat actors adopt and leverage better tactics, so can security decision-makers in charge of enterprise safety.
Ransomware tends to generally result from Remote Desktop Protocol (RDP); secure network communications processes; being left open to the internet; as well as harmful phishing emails being delivered to unsuspecting end users. Although firewalls are not able to stop initial access, they are critical in identifying exfiltration when a malicious actor carries out an unauthorised data transfer from a computer. Next-generation models can detect and raise alerts of threat actors from both entering and exiting networks, so organisations can be proactive in their defences. The more advanced solutions will be able to keep pace with the onslaught of attacks by inspecting the traffic in real-time and identify any threatening activity or breaches.
Even as threat actors ramp up attacks, the sophistication of the cyber security industry in identifying and blocking new ransomware strains should not go unnoticed. Establishing partnerships between public and private sectors is imperative for detecting threats quicker and helping to develop a clear understanding of how critical emerging threats are and steps that can be taken to get ahead. As the cyber weapons arms race will likely never slow, neither must the cyber security sector’s efforts to become faster, stronger and more collaborative in the endeavour to protect organisations in the private and public sectors alike.
Vendor and victim duty
Most would not like to admit it, but vulnerabilities are inevitable. Although a ransomware event is likely to affect an organisation at some point, ransomware itself is not completely out of the control of a business. Vendors have an ethical imperative to be transparent with the customer community when they become aware of a vulnerability in their product, providing clear assessment of impact and steps to remediate. As soon as any vulnerability in its software is known, speed and effectiveness in sharing relevant information and patches with customers and stakeholders are crucial.
Once alerted, the impacted customer community then has a shared responsibility to action this information, in the context of the impact on their business and what that means for their resilience and continuity of operations. Here the vendor’s responsibility clearly becomes double-edged. Vendors must be transparent so their customers can apply the fix, yet this sets off a ticking time bomb as threat actors continuously scour the internet for this type of information, hoping to exploit the vulnerability before organisations have had time to apply the patch. Looking at the CISA‘s most exploited vulnerability list, it is also shocking to see most are several years old. This means the community is not patching, and threat actors like ransomware gangs can still pick from the low-hanging fruit without learning new interesting vulnerabilities.
The exchange of this critical threat intelligence, coupled with a feed of vulnerabilities, can help orient security teams towards which vulnerabilities to prioritise. Only those who help themselves can take full advantage of security vendors’ protective measures and prevent the proliferation of cyber risks. Whilst dealing with vulnerabilities, security practitioners can also consider a few important elements, such as ‘are there proof of concept exploits available?’, or ‘does this impact critical infrastructure in our business?’.
Staying ahead of the threats
Unfortunately, we have not yet seen the peak of the cyber weapons arms race. Evolving ransomware and increasingly sophisticated defensive technology serve an essential lesson about the importance of both transparency and proactivity in preventing vulnerabilities. Of course, the implementation of next-generation firewalls and anti-virus software is a given, yet the effective proactive collaboration of all stakeholders must be pushed to the forefront. This is the true enterprise security strategy that has the ability to thwart bad actors in their tracks.
Related:
Overcoming the biggest cyber security staff challenges — Andrew Rose, resident CISO EMEA at Proofpoint, discusses the biggest cyber security staff challenges facing organisations, and how to overcome them.
The security implications of the hybrid working mega-trend — With hybrid working looking set to continue long term across the tech industry, Kevin Peterson, senior cyber security strategist at Xalient, explores the security implications that could come with it.
