From its start as a minor annoyance to the significant threat it now poses to organizations across the globe, ransomware has evolved at a monumental pace. Even the most optimistic cybersecurity professionals must concede that attempts to counter the spread and growth of this menace have largely been failing.
Ransomware has matured
Recently, ransomware has been making the news in a big way, and for good reason. Ransomware is causing serious harm, endangering lives and impacting critical infrastructure in ways the U.S. has not seen before. Cyber criminals typically have one goal in mind: making money. The methods they use and their general lack of morals come as no surprise to anyone; criminals, cyber or otherwise, tend not to be troubled by the hardships they cause others. Things have escalated, however.
Imagine for a moment armed robbers holding up not convenience stores or banks, but hospitals, fire departments, ambulances or schools. It would be unthinkable. Yet that is exactly what is happening now, only it is being done virtually and from a distance.
In late 2020, a German hospital was hit with ransomware and had to reroute emergency patients because it could not function without its systems. One patient, rerouted to an alternate hospital 19 miles away, died on the way. Would that person have survived with quicker medical care? It is possible. As recently as May of 2021, Scripps Health was hit with ransomware, shutting down trauma and emergency services and once again forcing ambulances to reroute.
Even when lives are not directly at stake, ransomware is destroying businesses. Back in late 2019, California-based Wood Ranch Medical was forced to close its doors after a ransomware attack destroyed its electronic health records and they could not be rebuilt.
It is not just healthcare being victimized either. Countless schools, local and state governments, police departments, manufacturing facilities, law firms, not-for-profits and just about every other type of organization have been indiscriminately attacked by cyber criminals who lack a moral compass.
Recently, the FBI released a flash alert regarding the Conti ransomware group and its specific targeting of healthcare and first responders. Conti operates under a RaaS (Ransomware-as-a-Service) model: the ransomware developers recruit people to carry out the attacks under a profit-sharing agreement, which frees the developers to maintain the required infrastructure and continue improving the ransomware. The attackers who carry out the intrusions, known as affiliates, often earn as much as 70 percent of the proceeds, with 30 percent going to the developers. In the case of Conti, it appears they do not accept just any affiliates, but are selective in who they partner with.
Offensive strategies as ransomware evolved
As ransomware has evolved, the tactics on both sides have evolved with it. Initially, ransomware was almost entirely automated: it simply encrypted the files on a single computer and potentially any mapped network drives connected to it. This limited the damage it could do, and the ransoms demanded were generally low, sometimes no more than a few hundred dollars per infected machine. If ransomware did execute, the best method of recovery was to have backups that were well tested, protected and could be quickly restored.
As things progressed, the cyber criminals began using automation for only a smaller portion of the attack. Instead, they gained a foothold in the victim's network, looked for backups to encrypt or otherwise render useless, and identified the most valuable targets in the network before launching the encryption. Time was no longer wasted encrypting low-value files and file shares; the attackers went straight for the crown jewels. Attackers also quickly learned to trigger the encryption at times when personnel were unavailable or slower to respond, such as holiday weekends or late at night. A quick restoration from good backups still worked as a recovery method, but it now made sense to rebuild the machines from scratch and restore only the data, because a full system restore would often bring the attackers' method of entry, such as a remote access trojan, back along with the impacted machines.
As time went on, organizations became much more adept at recovering from these attacks and payouts to the bad actors started to drop again. This triggered the latest phase in ransomware trickery: data exfiltration. Many modern ransomware intrusions do much more than just encrypt files. As before, the attackers gain access to the network and seek out the really valuable data and services. The big difference is that they now take a copy of the data with them before they trigger the encryption routines.
This is a real game changer on the defensive side, because restoring the data and getting systems back online is now only part of the problem. Organizations also have to deal with a data breach and everything that entails. The cyber criminals, being the entrepreneurial people they are, are willing to help: they offer that if you pay the ransom, the data will be destroyed and not dumped to the public. The bad news is that, no matter how you look at it, a breach has still occurred and the proverbial genie is out of the bottle. To add insult to injury, attackers have even been known to contact the customers of the victim organization and demand a ransom from them directly, or demand that they pressure the victim organization to pay up, lest their sensitive information make its way onto the internet.
Suppose the organization pays the ransom so the data is not dumped. Besides still having a breach on its hands, can it trust the people who held it hostage and threatened irreparable harm? That would be a tough thing to accept. What is more likely is that the data is not dumped on the public internet right away, but is most likely sold on the dark web for use by other cyber criminals.
On a positive note, several recent high-profile events have changed the law enforcement focus on ransomware groups. After feeling the squeeze of law enforcement pressure, one group offered refunds to past victims, and the Darkside ransomware group stated it would vet any future targets its affiliates went after, but it shut down shortly after the announcement, reportedly after law enforcement took down its infrastructure.
The evolution of defense
As the offensive tactics improved, the defensive ones did as well. Having good, tested backups is still a key part of recovery, but as discussed it is no longer a 'get out of jail free' card. EDR and antivirus have always played a role in ransomware defense and are still needed, but they are generally among the least effective controls against it; one survey found that 75 percent of organizations hit with ransomware had up-to-date antivirus running.
As mentioned, good backups remain a solid recovery plan. But when organizations built their strategy around backups alone, with the ability to quickly restore devices as the key component, the flaw in that strategy was quickly exposed once attackers adopted data exfiltration.
Even today, one occasionally hears comments to the effect that 'Ransomware defense is easy, just protect the backups'. Nothing could be further from the truth, as evidenced by the weekly incidents that make the news and the multitude that do not.
A wise man once said, "Simple things are not the same as easy". His example was weight loss: "Barring a medical condition, it is simple, exercise more and eat less". It is no secret that the actual task is harder than the simplicity of the solution suggests. The same applies to a number of defensive strategies being touted as the solution to the ransomware problem.
One suggestion is to make paying the ransom illegal, thereby making the attacks pointless and not worth the effort. While this seems sensible on the surface, the idea does not stand up to scrutiny. Advocates for such legislation often say that if an organization can pay a ransom, it can certainly pay for better defenses instead. While that may seem logical at first, it ignores the small organizations that make up the bulk of American businesses and not-for-profits: family-owned companies producing t-shirts, running restaurants, family medical practices and the like. Their ransoms are not the millions of dollars we see in the news; they are small amounts, often $10,000 to $100,000. The owners of these businesses often mortgage their homes or take out high-interest loans to keep the doors open and their staff employed. These are the groups that would suffer when they could not pay a modest ransom, losing the business rather than recovering, learning and spreading the word to their peers. A ban would also create a market for firms in other countries that could be hired to 'remediate' the problem at a hefty fee, which they would do by quietly paying the ransom and restoring anyway.
Another issue that may affect organizations is that cyber insurers are feeling the sting of ransomware. Some are looking to leave the market entirely, while others are tightening requirements and adding exclusions from coverage. It can be argued that the huge payouts by cyber insurers help keep ransomware such a profitable scheme.
Beefing up DLP (Data Loss Prevention) controls can help with the data exfiltration problem and should be considered by many organizations. This is just good cyber hygiene anyway, as it is not unusual for organizations to find themselves accidentally emailing or copying sensitive data.
The simple fact is that many approaches focus on recovery after an attack, when we should be concentrating on preventing it in the first place. Organizations should focus on moving their defenses to actions taken before the user clicks. An ounce of prevention really is worth a pound (or more) of cure.
To prevent these attacks from being successful, it is important to understand how they are taking place. Statista.com has a chart listing the most common delivery methods and cybersecurity vulnerabilities causing ransomware infections according to MSPs worldwide as of 2020. The list is as follows:
Most common delivery methods and cybersecurity vulnerabilities causing ransomware infections according to MSPs worldwide as of 2020 (https://www.statista.com/statistics/700965/leading-cause-of-ransomware-infection/)
Poor user practices/gullibility
Lack of cyber security training
Weak passwords/ access management
Malicious websites/ web ads
Open RDP access
Lost/stolen user credentials
Lack of funding for IT security solutions
Lack of executive buy-in for adopting security solutions
Respondents could select multiple answers in the survey.
One thing should be very clear: most of these delivery methods are a human problem, followed by open RDP. This has been documented many times in other reports as well. If these are the biggest distribution points, it would be wise to focus prevention efforts on them.
Open RDP (Remote Desktop Protocol) instances have been a problem for years, but the problem was exacerbated by the rapid move to working from home due to COVID-19. Many RDP instances suddenly appeared on the internet, poorly configured because of the haste of the move. Organizations that use RDP should review the security settings on these systems, paying careful attention to account lockout thresholds that stop brute-force password guessing and to alerting on failed logon attempts, and, where possible, using firewall rules to limit access by geographic location and to business hours only. Better still, do not expose RDP directly to the internet at all: have users connect to a VPN first, then use RDP over the tunnel.
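As an added example (not code from the original article), the following Python shows the kind of detection logic a defender can run over Windows failed-logon events to catch the brute forcing described above, and to flag RDP being reachable from anywhere other than the VPN. The field names follow Windows Security Event ID 4625 records as a SIEM export would carry them; the logon-type mapping (type 10 for classic RDP, type 3 for RDP with Network Level Authentication), the threshold, the window and the 10.8.0.0/24 VPN client pool are all assumptions, and the sample events are constructed.

```python
"""RDP brute-force detection over Windows Security failed-logon events.

Added example for this article, not code from the original page. Assumptions:
  * events are Windows Security Event ID 4625 (An account failed to log on)
    records already parsed into dicts with the fields a SIEM export carries
    (EventID, LogonType, IpAddress, TargetUserName, TimeCreated);
  * logon type 10 (RemoteInteractive) covers classic RDP, and logon type 3
    (Network) covers RDP with Network Level Authentication, which authenticates
    before a desktop session exists;
  * THRESHOLD, WINDOW and ALLOWED_NETS are illustrative policy values
    (the /24 stands in for a VPN client pool).
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

FAILED_LOGON = 4625
RDP_LOGON_TYPES = {3, 10}
THRESHOLD = 5                                # failures per source IP before alerting
WINDOW = timedelta(minutes=10)               # ...within this sliding window
ALLOWED_NETS = [ip_network("10.8.0.0/24")]   # assumed VPN client pool


def _ev(t, logon_type, ip, user, event_id=FAILED_LOGON):
    return {"EventID": event_id, "LogonType": logon_type,
            "IpAddress": ip, "TargetUserName": user, "TimeCreated": t}


# Constructed sample events (not real log data).
D = datetime(2021, 6, 1)
SAMPLE_EVENTS = [
    # Six NLA-style failures against one account in about half a minute.
    *[_ev(D.replace(hour=2, minute=14, second=s), 3, "203.0.113.45", "administrator")
      for s in (0, 5, 11, 18, 25, 33)],
    # Same source, but a console (type 2) failure: not RDP, must be ignored.
    _ev(D.replace(hour=2, minute=14, second=40), 2, "203.0.113.45", "administrator"),
    # A VPN user mistyping a password twice: allowed source, below threshold.
    _ev(D.replace(hour=9, minute=10, second=0), 10, "10.8.0.12", "jsmith"),
    _ev(D.replace(hour=9, minute=10, second=30), 10, "10.8.0.12", "jsmith"),
    # Low-and-slow guesses spread over hours: below the burst threshold, but
    # the source is outside the VPN pool, so RDP should not have been reachable.
    _ev(D.replace(hour=0, minute=5), 10, "198.51.100.7", "backup"),
    _ev(D.replace(hour=1, minute=15), 10, "198.51.100.7", "svc_sql"),
    _ev(D.replace(hour=2, minute=30), 10, "198.51.100.7", "helpdesk"),
]


def is_rdp_failure(ev):
    """A 4625 whose logon type is one RDP produces."""
    return ev["EventID"] == FAILED_LOGON and ev["LogonType"] in RDP_LOGON_TYPES


def from_allowed_net(ip):
    addr = ip_address(ip)
    return any(addr in net for net in ALLOWED_NETS)


def detect_bruteforce(events, threshold=THRESHOLD, window=WINDOW):
    """Return {source_ip: peak_failures} for sources with at least `threshold`
    RDP failures inside any span of length `window` (sliding-window count)."""
    times = defaultdict(list)
    for ev in events:
        if is_rdp_failure(ev):
            times[ev["IpAddress"]].append(ev["TimeCreated"])
    alerts = {}
    for ip, ts in times.items():
        ts.sort()
        start = 0
        for end in range(len(ts)):
            while ts[end] - ts[start] > window:   # shrink window from the left
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[ip] = max(alerts.get(ip, 0), count)
    return alerts


def unexpected_sources(events):
    """Source IPs outside ALLOWED_NETS that reached the RDP logon at all.
    One such failure is enough: it means the VPN-only firewall rule is not
    in place, however slowly the attacker is guessing."""
    return {ev["IpAddress"] for ev in events
            if is_rdp_failure(ev) and not from_allowed_net(ev["IpAddress"])}


if __name__ == "__main__":
    for ip, n in detect_bruteforce(SAMPLE_EVENTS).items():
        print(f"ALERT brute force: {ip} made {n} RDP logon failures within {WINDOW}")
    for ip in sorted(unexpected_sources(SAMPLE_EVENTS)):
        print(f"POLICY: RDP reachable from non-VPN source {ip}")
```

Two checks are deliberately kept separate: the burst detector models the account-lockout threshold the article recommends, while the source check catches the low-and-slow attacker who never trips a threshold but should have been blocked at the firewall in the first place.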
With respect to the human factors, many of these can be mitigated with a high-quality security awareness program. These programs should focus on changing behavior and creating a strong security culture within the organization, not merely making people aware of the dangers. For example, teach people not only how to create a secure password, but why it matters and why it should not be reused for other services. Investing in tools that help them succeed also pays off; providing a password manager, for instance, is an inexpensive and effective way to wipe out password reuse.
The program should be a continuous effort, not simply an annual training event. Rather than a single 60-minute session, organizations benefit greatly from breaking the training into smaller segments, as short as 10 to 15 minutes, delivered monthly or quarterly. To reinforce the training, simulated phishing, vishing and smishing attacks help employees learn to quickly identify and report these attacks in an environment where a failure is not catastrophic to the organization. Along with honing skills, these simulations keep employees on the lookout for unusual messages, with the side effect that they spot real attacks more readily.
To help with engagement, many organizations have had great success with gamification of the simulated tests. This can be as simple as announcing the lowest simulated-attack failure rates by individual or department and providing small prizes, trophies, a dedicated parking spot or other items that generate a competitive spirit. The options are nearly limitless, but organizations should consider what type of reward is given, how often the games are run and what makes sense for the organization's culture.
Ransomware has quickly grown from an annoyance into a life-threatening problem plaguing organizations in all industries. Unfortunately, earlier ransomware defenses are no longer viable protection against the threat. As ransomware has evolved its offensive strategy, organizations must also evolve their defenses. Legislation will not stop the threat, and relying on good backups and fast recovery times is no longer a sufficient strategy against data exfiltration and more complex attacks. Instead, organizations should focus on preventive measures that address the two most common attack vectors: RDP exposed to the internet and the human factor. Only then will we gain significant ground in the war against ransomware.