According to a recent report, ransomware attacks increased almost three-fold between the first and second quarters of 2021. Criminals were quick to piggyback on the disruption caused by the pandemic and mass homeworking to exploit new weaknesses in company defenses. Ransomware demands are also on the increase, with the average extortion amount doubling in 2020.
Perhaps even more concerning is the threat to critical infrastructure. Earlier in the year, a ransomware attack crippled the Colonial Pipeline network in the U.S. The pipeline carries fuel from Texas to New York, supplying gasoline, home heating oil and aviation fuel. The ransomware attack used a compromised VPN password and led to the pipeline being shut down for five days, causing fuel shortages across the East Coast. The company reportedly paid $4.5 million in ransom to get its systems back online.
And it is not just your own systems that are under threat; supply chains are increasingly a target. There have been several high-profile attacks on supply chains, notably the SolarWinds hack in December 2020. The attack hijacked SolarWinds' trusted software update distribution system to deliver malware to thousands of public sector and private organizations worldwide.
While the SolarWinds hack didn’t specifically deliver ransomware, the mechanism would have been a reliable method for its distribution. In fact, the attack targeting Kaseya in July 2020 did just that, with ransomware being distributed to customers of a remote network monitoring product. The software is used by managed service providers worldwide, affecting a wide range of companies, including a Scandinavian grocery chain.
Symptomatic of wider threat
However, despite hogging the headlines for the past few years, ransomware shouldn’t be considered in isolation from other cyber attacks. Essentially, ransomware is just another technique in the hacker’s toolbox. Dubbed by Orange Cyberdefense as “cyber extortion,” ransomware incidents are typically the culmination of a longer attack on company systems. Attackers use a three-pronged approach to force their victim to pay the ransom: encrypt company files, leak data and damage reputations through media and customer contact.
The attacker has had to do a great deal of work to get to this point. To start the process, they need to gain access to company systems. Hackers will typically look to compromise a user with phishing or social engineering, or simply look for vulnerable systems that they can brute-force. Once they have a foothold in the network, they have an opportunity to move within it and take over as much as they can.
Targeting the perfect victim
The large sums in ransomware have sparked a range of innovations among attacker groups, and it has become quite possible to outsource the initial work of gaining access. A recent report looked at communications between criminal gangs on the dark web. It found that many potential ransomware attackers were willing to pay large sums to get initial access into key targets. Most in demand were U.S. companies with revenues over $100 million, with network access to them being bought for up to $100,000. While Russian companies and those based in developing countries were less popular, access to those in Europe, Canada and Australia was also in demand.
In addition, many criminal gangs also offer ransomware as a service to other parties. The Kaseya attack described above was linked to a group called REvil, which has reportedly been offering ransomware as a service since April 2019 to allow associates to attack third parties. The group provides the necessary software and processes for the attack and then takes a cut of the ransom extracted from the victim. In fact, nearly 40% of the conversations on the dark web regarding initial access involved criminals in the ransomware-as-a-service value chain.
Protecting yourself from the initial compromise that can lead to ransomware has become more difficult with the massive increase in homeworking. The extension of the attack surface has given criminals greater potential to get a foothold in corporate networks. Holiday periods and weekends, when IT staff are away from the office, are another prime opportunity. In fact, the latter is considered such a big problem that the FBI and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a warning about just that.
It said that cybercriminals “have conducted increasingly impactful attacks against U.S. entities on or around holiday weekends over the last several months” and called upon organizations to be “especially diligent in your network defense practices in the run up to holidays and weekends.”
While larger organizations are more lucrative for criminals to target, no organization is safe from attack. As Orange Cyberdefense points out, cyber extortion is a crime like any other, and a crime first and foremost, rather than a technology problem. However, you can still address the challenges in the technology landscape under your control to protect yourself from a ransomware attack.
Looking for trends and emerging threats around ransomware will help prepare you for any attack. It is also essential to carry out basic security hygiene practices that will help you restrict and contain a ransomware attack, giving you time to eradicate it from your network. These include the principle of least privilege and network segmentation, as well as regular patching and educating your users.
However, despite your best efforts, you also need to plan for an attacker slipping past your defenses and succeeding in encrypting data and disabling systems. In the worst-case scenario, you may well only become aware of an attack after it has already happened, so it is essential to prepare your response in advance.
To learn more about how to tackle the ransomware scourge, read this Orange Cyberdefense report. It outlines a framework for protection against ransomware built on five pillars: anticipate the latest cyber threats, identify your critical assets, protect your organization, detect cyberattacks, and respond and contain any successful attacks.
For more than 22 years, I have written articles on technology for magazines and websites such as ComputerActive, IQ and Signum. As ComputerWorld’s correspondent in Sydney, I have also worked for the Ziff Davis network in New York.