Ransomware: a crime by any other name

Ransomware continues to make headlines and cause disruptions. Unfortunately, no one is immune: recent research found that around 40% of companies were hit with a ransomware attack in 2020. A new report from Orange Cyberdefense explains how to combat this persistent scourge.

In just the last month, many different types of organizations have been hit by ransomware attacks: from a key energy supplier in the U.S. to the world’s largest meatpacking company and a provider of specialist backup appliances.

Demands are also on the rise. The average ransom payment tripled to more than $300,000 in 2020 compared to the previous year. No one is safe from this most high-profile of crimes.

But despite the high-tech appearance of ransomware, the crime is quite simple. Its perpetrators know that if they steal something precious from a company, the victim will often pay to get it back. In effect, ransomware is extortion using modern tools, and tackling it will require more than just technology solutions.

Even if organizations pay the ransoms, this doesn’t necessarily prevent damage to both reputation and data, and it only serves to encourage the crime wave. The stolen data will more than likely end up being released or sold somewhere despite what the attackers say. They are criminals, after all. And even if the attackers provide a working decryptor, such tools are notorious for struggling with large files, especially databases, so there is no guarantee that all the data can be recovered.

“Cyber extortion is a crime like any other, and a crime first and foremost,” says Charl van der Walt, Head of the Security Research Center at Orange Cyberdefense. “While addressing the challenges in the technology landscape under your control will help mitigate the risk of ransomware, it is essential to note that cyber extortion is not actually a ‘technology’ problem. This means that technical controls alone will ultimately not fully resolve it.”


To understand the cybercrime problem, enterprises need to recognize that factors such as criminals’ innovation in business models, monetization, and markets have a significant impact. Ransomware attacks simply take advantage of the deep-rooted security debt accumulated in technology stacks over the last three decades as the world moves towards an “everything digital” society.

Cyber extortion persists because the technology landscape can’t be realistically protected in the face of such overwhelming systemic criminal forces. Although technology solutions alone won’t be able to resolve the issue of extortion attacks, they can impose extra costs on the attacker, slow their rate of movement, minimize the impact of a breach and ensure a rapid and robust recovery.

Disrupting the kill chain

Ransomware attacks should also not be viewed in isolation. In fact, a confirmed ransomware incident is the last stage of a very long and complex chain of events described by the so-called cyber “kill chain”. This provides ample opportunities for enterprises to disrupt any potential attack before it happens.

A typical attack will look something like the following. In the first phase, criminals will carry out external reconnaissance by scanning for vulnerabilities and searching for compromised accounts. Next, they will look for opportunities for intrusion, such as phishing or exploiting the discovered vulnerabilities.

Once they have gained access to the system, they will carry out internal reconnaissance looking for domain servers and backup locations. They will then look to escalate their access privileges using tools such as Mimikatz or LaZagne. During the next step, the attackers will try to take control of the environment, using tools such as Cobalt Strike or legitimate remote access software. And only then will they be able to unleash a ransomware attack by encrypting files, destroying backups and stealing information.

This whole kill chain process can take considerable time. And each of these phases of the kill chain requires specific tools and techniques, which leave a predictable set of breadcrumbs. If defenders can detect these, they can disrupt an attack in progress before it has caused too much damage.
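The sketch below is an added example, not taken from the Orange Cyberdefense report: it correlates detection signals per host and raises an alert once two distinct pre-encryption phases of the kill chain described above are seen within a time window. The signal names, the 14-day window, the threshold and the sample events are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Signal names are hypothetical labels a detection pipeline might emit;
# the phases and tools they map to are the ones the article lists.
SIGNAL_PHASE = {
    "domain_server_lookup": "internal_recon",
    "backup_location_lookup": "internal_recon",
    "mimikatz": "privilege_escalation",
    "lazagne": "privilege_escalation",
    "cobalt_strike": "control",
    "remote_access_software": "control",
    "file_encryption": "impact",
    "backup_destruction": "impact",
}
WINDOW = timedelta(days=14)  # assumed correlation window
THRESHOLD = 2                # distinct pre-impact phases needed to alert

# Constructed sample events: (ISO timestamp, host, signal)
SAMPLE_EVENTS = [
    ("2021-06-01T09:12:00", "ws-17", "domain_server_lookup"),
    ("2021-06-01T09:40:00", "ws-17", "backup_location_lookup"),
    ("2021-06-02T22:05:00", "ws-17", "mimikatz"),
    ("2021-06-03T10:00:00", "ws-04", "remote_access_software"),
    ("2021-06-04T01:30:00", "ws-17", "cobalt_strike"),
    ("2021-07-20T08:00:00", "ws-04", "domain_server_lookup"),
]

def correlate(events, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per host, raised the first time `threshold`
    distinct pre-impact phases are seen within `window`."""
    seen = {}    # host -> list of (time, phase) still inside the window
    alerts = {}  # host -> alert details
    for ts, host, signal in sorted(events):
        phase = SIGNAL_PHASE.get(signal)
        if phase is None or host in alerts:
            continue  # unknown signal, or host already escalated
        now = datetime.fromisoformat(ts)
        recent = [(t, p) for t, p in seen.get(host, []) if now - t <= window]
        recent.append((now, phase))
        seen[host] = recent
        phases = {p for _, p in recent if p != "impact"}
        if len(phases) >= threshold:
            alerts[host] = {"time": ts, "phases": sorted(phases)}
    return alerts

if __name__ == "__main__":
    for host, alert in correlate(SAMPLE_EVENTS).items():
        print(host, alert)
```

On the sample data only ws-17 is escalated, at the privilege-escalation signal and before any control or impact activity; the two ws-04 signals are more than 14 days apart and do not correlate.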

“As we know, a chain is only as strong as its weakest link, and so it is with the cyber kill chain,” explains van der Walt. “By breaking or disrupting any of the tools or techniques on the kill chain at any point, we can prevent an attack from developing to its final phase. So this is a war of several small battles, and victory at any stage of the kill chain could mean averting a crisis!”

Holistic approach

To help enterprises tackle the ransomware threat, Orange Cyberdefense has developed a holistic framework, which is outlined in full in our ransomware report. It consists of four steps:

  • First, anticipate the latest cyber threats and prevent digital risk
  • Second, identify your critical assets, data and vulnerabilities to prepare your security strategy
  • Third, protect your organization with the right technology and skills and detect cyberattacks by analyzing alerts and behaviors
  • And fourth, respond to cyber-attacks with proper containment and remediation plans

None of the controls will individually prevent an extortion disaster, but collectively they significantly improve security and strengthen cyber resilience. Ultimately, by improving their position against the ransomware threat, enterprises will be able to improve their overall cybersecurity posture. This will stand them in good stead for the cyber threats that will emerge in the future.

For more information, download the Orange Cyberdefense report: Beating ransomware: A comprehensive guide to tackling the cyber extortion threat.