ransomware has long been a cybersecurity problem, but last year it went mainstream.
What was once a small cybercriminal industry based on encrypting files on personal computers and demanding several hundred dollars for a decryption key has evolved into a vast ecosystem designed to hold critical services and infrastructure for ransom demands. — and extortion demands of millions of dollars†
No wonder Lindy Cameron, head of Britain’s National Cyber Security Center (NCSC), has described ransomware as “the biggest global cyber threat”†
Ransomware is constantly evolving, with new variants appearing, new ransomware groups, and new techniques and tactics designed to make the most money from attacks.
And as the recent Conti ransomware leaks showedthe most successful ransomware gangs are organized as if they were another group of software developers.
“They really act like a company. Other than being registered not legitimately, they really are. They function like a real company and sometimes the number of people within these organizations is greater than some startups,” says Christine Bejerasco , CTO at WithSecure.
“They’ve shown a lot of resilience and agility in adapting to what’s new,” she adds.
It is this resilience and adaptability that has led to a series of ransomware attacks around the world, often with cybercriminals running off with millions of dollars†
And that only explains the ransomware incidents we hear about — many are simply not reported†
“The biggest challenge is that we don’t know what the trends really are because most companies don’t disclose incidents,” said Brett Callow, threat analyst at Emsisoft. “What you don’t measure, you can’t manage.”
Ransomware attacks on smaller victims are not reported
While ransomware attacks against large organizations are noticed, a ransomware attack on a small or local business, where the victim quickly pays the ransom because they feel they have no other choice, may not be reported at all.
Individual attacks on smaller targets won’t reap huge rewards as a successful attack on a large corporation would, but by linking together a series of attacks against a series of smaller victims, ransomware attackers can still make a significant profit.
Small and medium-sized businesses are unlikely to invest as much in cybersecurity as large companies, so getting into networks may be easier. That means ransomware groups can hit different targets in a short time, which is crucial if they want to make as much money as possible.
“Obviously they won’t get the same huge payouts as they could from a larger company, which means they’ll have to go from initial penetration to successful extortion much faster,” says Callow, who suggests going after smaller companies. also brings another benefit to cyber criminals.
“Attacks on small businesses may not attract the same level of attention — targeting local grocery stores may mean the risks of being sued by US Cyber Command are slightly smaller,” he says.
After the attack on the colonial pipeline, the US Department of Justice succeeded, most of the multimillion dollar ransom seized and returned that is made. And while it is still rare for individuals involved in ransomware attacks to be tracked down or arrested, it is possible that this direct action against the DarkSide ransomware the ability of gangs to make money changed the outlook of cybercriminals.
“Since that event, the reality is that threat actors have changed their understanding of the world a little bit. They’ve seen consequences that they really hadn’t seen before,” said Sherrod DeGrippo, senior director of threat research and direction of Pilot Point.
“Since then, we’ve seen other major ransomware events, but we’ve never seen the random hammering of everyone, like we’ve seen in the past,” she adds.
Ransomware is loud – some criminals may switch to quieter alternatives
Gangs could still be laying the groundwork for another wave of ransomware attacks — or, as DeGrippo suggests, some hacking groups could turn their attention to other cyberattacks that are less vociferous but nonetheless profitable.
“We’re going to see that first access being widely leveraged, so it could be ransomware in the last stage of the payload, maybe something else — we could see a big return to banking Trojans,” she says, adding: “There are options that are a lot quieter, under the radar, that still offer significant paydays, but don’t grab the attention of law enforcement.”
There is another problem that could persuade some cyber criminals who use ransomware to go this route: cryptocurrency is volatile. So a ransom payment stored in Bitcoin could end up being worth much less by the time the attackers choose to pay out. It can be tempting for cyber criminals to turn their attention to using malware to steal hard money again.
“You tell a threat actor that you can get the equivalent of a million dollars in bitcoin today or you can get a million dollars of hard currency from a banking Trojan ported to wherever you launder your money — I think a lot of them would now take the money,” says DeGrippo.
But that doesn’t mean ransomware will go away anytime soon. While some may look elsewhere, ransomware attacks are still a lucrative way to make money illegally – and ransomware attacks continue to evolve.
For example, ransomware groups now regularly target cloud applications as a gateway for attacks.
It seems inevitable that some of the most sophisticated, well-equipped ransomware gangs could turn their attention to compromising cloud service providers in attacks that would affect not just one company, but thousands.
That approach would give the attackers a lot of leverage to demand a large ransom from their target – one that could be quickly paid due to the widespread disruption.
“If ransomware actors move in that direction, effectively encrypting the data in the cloud and holding it for ransom, can you imagine that all customer data in a service would be encrypted because they accessed an organization and encrypted all data? ? That would bring an organization to its knees,” says Bejerasco of WithSecure.
How to protect your network from ransomware attacks
Ransomware is a major threat to cybersecurity, but there are steps organizations of all sizes can take to avoid falling victim. In most cases, ransomware gangs are not looking for a specific target, they just take advantage of security vulnerabilities where they can find them†
That is why it is important to apply security updates and software patches as soon as possible, especially when it comes to critical vulnerabilities, because that prevents cybercriminals from exploiting them to gain access to or maintain networks. Applying security updates to entire networks can be challenging, but it’s one of the most important things an IT department can do to protect the business from cyber-attacks.
Multi-factor authentication (MFA) can also provide an important defense against ransomware and other cyber-attacks. Many ransomware campaigns start with cyber criminals stealing usernames and passwords and misusing them to move around on networks. Rolling out MFA to users makes it more difficult for cybercriminals to use stolen passwords. Unexpected login messages can indicate that something is wrong and needs to be investigated.
It’s also useful for ensuring that employees use unique, complex passwords that cannot be easily guessed — or cracked with brute-force attacks — to make the network as robust as possible against unauthorized intrusions.
And since ransomware is based on encrypting data, it is vital that organizations back up their data regularly — and do this offline. If the worst happens and the network is hit by ransomware, there is the option to recover the data without paying the ransom to cyber criminals, although the rise of duplicate extortion attacks means that stolen data can still be published because the ransom is not paid. paid.
Law enforcement officers and government officials strongly discourage companies from paying ransoms. Not only does it encourage further ransomware attacks, but you also don’t know who is paying you – and your money could go to a sanctioned or rogue state.
But whether a victim decides to pay the ransom or not, according to DeGrippo, it’s vital that a plan is made ahead of time about what to do — because have a strategy in advance is much more preferable than to panic someone after falling victim to a ransomware attack.
“Every organization needs to decide how they will handle the ransomware event well in advance of the ransomware event, and yes, that includes the dollar amount you may or may not want to pay,” she says.
“These are not fun discussions to have. But they are incredibly devastating and painful to have while a ransomware event is going on.”