Turns out the ransomware problem might be even worse than we thought.
The numbers related to ransomware are alarming, and for all of 2021, they’re getting worse. A projected $20 billion in damages from ransomware this year, with estimates of costs hitting $265 billion in 10 years. A 55 percent increase in ransomware activity in the second quarter of the year. Hundreds of businesses impacted at once by a single coordinated attack. And reports of attacks that have brought supply chains to a halt, stolen terabytes worth of data, even shut down hospital services.
Why, it’s all in a day’s headlines for the “IT” exploit of the 2020's. Ransomware, a nefarious form of computer fraud that has grown dramatically over the past decade, has arguably become the most talked about security issue in the industry. Based on news reports and government statistics, it’s a problem of epidemic proportions, with no end in sight and bad news all around. For example, ransomware’s status as the killer app for Bitcoin is one reason cryptocurrencies are on government hit lists all over the world.
But is ransomware really all that terrible?
A banner year—for criminals
“At the moment, things aren’t getting better,” says Nigel Edwards, a fellow and vice president at Hewlett Packard Enterprise. “Let’s put it this way: I don’t see the industry turning the tide on this at the moment.”
Ransomware is proving difficult to effectively combat because it’s increasingly being operated as a long-term attack. Attackers know that high-quality backups provide an easy defense against ransomware, so high-grade ransomware now lies in wait for a lengthy period of time before it is activated. Attackers take their time to learn the environment, disable security systems, and corrupt backups before launching their strike.
“They have to pollute the backup and infect a number of nodes,” says Edwards. “This can take days or weeks.” A decade ago, if you were infected with malware, you generally knew about it immediately. Today’s attackers have learned that the longer you wait, the more impact you can have—and the bigger the ransom you can demand.
Even worse, ransomware is clearly becoming more sophisticated and targeted as attackers find ways to increase their potential payouts. Yesterday’s smash-and-grab tactics are giving way to a more nefarious, layered, and systematic attack strategy, one that finds patient attackers not just exploring multiple avenues to inject malware into the enterprise but also targeting executives, their teams, and even their families in extortion schemes. Such double extortion attacks threaten to not only delete critical business data but also release embarrassing or sensitive data—either business or personal—to the world. A business that can get by without a few weeks of enterprise data lost to a ransomware exploit may feel quite differently about its entire source code base or customer record database being publicly revealed.
“Double extortion has quickly become the new norm in ransomware,” says Thanos Karanasios, manager of HPE’s Cyber Defense Center. “Even if the business decides that no longer having access to certain data is acceptable, bad actors have been using the threat of publishing stolen data online as a way to make affected companies pay. This can make for a very convincing argument for companies which do not want to risk fines under certain regulations such as GDPR or the associated brand impact that entails.”
Evolving threats require evolving defenses
As ransomware attacks grow more sophisticated, what should organisations do about them?
“Sadly, there’s no silver bullet,” says Edwards. “It requires a sophisticated defense in-depth strategy. When you look at ransomware attacks against the enterprise, an attacker is likely to be resident for some time. There is therefore a window of opportunity to detect them and prevent the attack from propagating further.”
The detection process is becoming increasingly difficult. “Unfortunately, even in technologically sophisticated organisations, the methods and tools being employed don’t meet the security and control needs to combat today’s threats,” says Neil Jones, cybersecurity evangelist at Egnyte. “Senior executives and IT leaders should also be aware that no technological solution is 100 percent effective.”
Another big part of the 2022 playback is going to be zero trust frameworks, which virtually every cybersecurity expert is betting heavily on as a key solution for turning the tide. “Solutions such as software-defined perimeter make application access secure regardless of where users are coming from,” says Czarny. A wide range of zero trust initiatives are underway across the industry, including Project Aurora and several others at HPE. The ultimate goal: establish a new methodology for security that does away with traditional authentication techniques by eliminating the idea of a trusted user. Once implemented across the enterprise, zero trust could dramatically reduce the damage an intruder is able to inflict, even if login credentials are successfully stolen.
Zero trust even needs to extend to your backup strategy, says Edwards. “Are you analyzing your backup strategy with respect to how resilient is it to ransomware?” he asks. “Do you have multifactor authentication in place for the backup service, for instance, so that if a system administrator’s credentials are compromised, they can’t just get onto the backup service and destroy all the backups? Do you have backups that are offline altogether?”
Holding out while the industry catches up
Unfortunately, all of that is going to take time, and until these strategies become commonplace, IT departments will need to double down on diligence. That means extra attention paid to installing patches and security updates, stronger investment in intrusion detection and vulnerability scanning tools, retirement of outdated hardware and software, and, critically, more intensive training for users and IT staff alike.
As another potential fix, Karanasios points to managed security services that can be tailored with security monitoring and vulnerability management tools designed to fit each customer’s needs. Edwards notes that ensuring backups are regular, uncorrupted, redundant, and isolated from the primary network is also a key defense tactic.
“Ransomware is never going to go away in the foreseeable future, but we have to keep working on it,” says Edwards. “We can make things better, and that’s what we’re doing. It may be a cliché, but it really is an arms race.”