Ransomware, an advanced form of cyberattack, is one of the biggest threats that security teams around the world are facing. All organizations have become a target, from small teams to large enterprises, state systems and government networks. In this blog post we discuss why ransomware has become so prevalent and how to prevent ransomware attacks.
In the last decade, we’ve seen ransomware attacks increase exponentially:
- Ransomware is part of 10% of all cybersecurity breaches. It doubled in frequency in 2021 (Verizon Data Breach Investigations Report).
- Approximately 37% of global organizations said they were the victim of some form of ransomware attack in 2021 (2021 Ransomware Study).
- The FBI’s Internet Crime Complaint Center reported 2,084 ransomware complaints from January to July 31, 2021. This represents a 62% year-over-year increase.
- Since 2020, there have been more than 130 different ransomware strains detected (VirusTotal Ransomware in a Global Context Report):
- The GandCrab ransomware family was the most prevalent at 78.5% of all samples it received.
- 95% of all the ransomware samples are Windows-based executable files — or dynamic link libraries.
This particular year, 2021, was a banner year for ransomware attackers–beyond targeting any particular organization, it wreaked havoc on supply chains, affecting people’s ability to get medication, buy groceries and purchase gas for their vehicles.
A few key ransomware trends emerged over the past year:
- Supply chain attacks: instead of attacking a single victim, supply chain attacks extended the blast radius. A prime example of a 2021 ransomware attack is the Kaseya attack, which affected at least 1,500 of its managed service provider customers.
- Double extortion. In the past, ransomware was about attackers encrypting information found on a system and then demanding a ransom in exchange for a decryption key. With double extortion, attackers also exfiltrate the data to a separate location. There, it can be used for other purposes, including leaking the information to a public website, if a payment is not received.
- Ransomware as a service (RaaS): gone are the days when every attacker had to write their own ransomware code and run a unique set of activities. RaaS is a pay-for-use malware. It enables attackers to use a platform that provides the necessary ransomware code and operational infrastructure to launch and maintain a ransomware campaign.
- Attacking unpatched systems: this is not a new trend for 2021, but it is one that continues to be an issue year after year. While there are ransomware attacks that do make use of novel zero-day vulnerabilities, most continue to abuse known vulnerabilities on unpatched systems.
- Phishing: while ransomware attacks can infect organizations in different ways, in 2021, various forms of phishing emails were more often than not a root cause.
What is Ransomware?
While the internet is fraught with peril these days, nothing strikes more fear into users and IT security professionals than the threat of ransomware. While simple in concept, ransomware is extremely damaging. It is a form of malware that, usually using encryption, blocks or limits access to data until a ransom is paid.
Then & Now: How Ransomware Has Evolved
Three decades ago the youngest strains of ransomware (e.g., AIDS Trojan) used weak symmetric encryption that a victim could undo with some effort. Today’s ransomware is another story, with asymmetric encryption methods that are nearly impossible to break. Ransomware gangs often deploy AES-256 to encrypt and decrypt an organization’s files. Furthermore, today’s ransomware attacks increasingly have the capabilities to exfiltrate network data prior to encryption. So on top of threatening to leave files encrypted, data exfiltration means the malicious actors can also threaten to release the organization’s sensitive data. With a copy of network data, the organization is also at risk of a double-extortion attack as the group could come back asking for more at a later date.
How Does Ransomware Work?
It’s important to understand that ransomware isn’t a single event but rather a series of events. There are many different types of ransomware but most ransomware attacks tend to follow a similar pattern. Let’s walk through the distinct stages of a ransomware kill chain designed to disrupt and disable systems and to force organizations to pay large sums to recover data and get back online (the term “kill chain referring to the steps an enemy follows during an attack):
Stage 1: Setting Up the Ransomware Attack
This first stage is where the attacker sets up the ransomware to infiltrate your system. This can be done in several ways including sending out phishing email attacks, setting up malicious websites, exploiting weaknesses in RDP connections, or attacking software vulnerabilities directly. It only takes one user to make a mistake and execute the ransomware code, infiltrating the system, so the more users in your network means the more vulnerable you are to a ransomware attack.
Stage 2: Ransomware Infiltration
At this stage, the ransomware has infiltrated your system unbeknownst to you. The malicious code will set up a communication line back to the attacker. The ransomware attacker may download additional malware using this communication line. It’s important to note that the ransomware may lay hidden and dormant for days, weeks, or months before the attacker chooses the optimal time to unleash the attack. Additionally, the ransomware can move laterally across other systems in your organization to access as much critical data as possible. At this point, many ransomware variants now also target backup systems to eliminate the chance for you as the victim to restore data.
Stage 3: Activation of the Ransomware
This is when the attacker activates, or executes, the ransomware attack remotely. This can happen at any time the attacker chooses and catches your organization completely off guard.
Stage 4: Holding Data Hostage through Encryption
Ransomware holds data hostage through encryption. Different ransomware variants use different encryption methods which range from encrypting the master boot record of a file system to encrypting individual files or entire virtual machines. Some ransomware variants also target backup systems that may delete or encrypt the backups to prevent recovery. Decrypting the data on your own is highly unlikely, so your organization will have three choices: lose the data, recover from a replica or backup, or pay the ransom.
Stage 5: Ransom Request
You’re officially the victim and the ransomware has encrypted the data. You’re presented with information on how to pay a ransom via a cryptocurrency transaction. At this stage, not only will data be inaccessible, but applications and entire systems can be disabled by the encryption. Operations can be severely impacted without access to data or services (imagine mission-critical infrastructure, and supply chains we alluded to earlier in the article).
Stage 6: Recovery or Ransom
If you do not have an effective recovery method, you will most likely be stuck paying ransom. Even if the data can be recovered, at least partially, the cost of doing so may exceed the cost of paying the ransom. However, if your organization has an effective recovery plan in place, you may be able to recover the data quickly with minimal disruption and no need to pay a ransom, eliminating the negative publicity of downtime and paying an exorbitant ransom.
Stage 7: Clean Up
It’s important to note that paying a ransom or even recovering data from a backup or replica does not necessarily eliminate the ransomware on the system. The malicious files and code may still be present and need to be removed. Doing an “autopsy” of the attack itself will likely reveal the type of ransomware and make it easier to locate and purge from the system.
Why is Ransomware so Damaging?
Ransomware attacks can cripple, or even cause catastrophic harm to company data and its operations, especially in organizations where the data is mission critical, such as in hospitals, emergency call centers, communications, energy, government and more. Furthermore, a ransomware attack can cause both reputation damage and even tremendous financial loss, with estimates that ransomware will cost as much as $6 trillion per year starting in 2021 (Cybersecurity Ventures).
Data loss has the potential to negatively impact organizations, and the amount of ransom hackers are now demanding is increasing. Petya1 developers originally asked for $300 in bitcoins. Newer ransomware versions ask for hundreds of thousands of dollars in cryptocurrency. Ransomware can be hugely damaging to businesses, causing loss of productivity and often financial losses. Most obviously there is the loss of files and data, which may represent hundreds of hours of work, or customer data that is critical to the smooth running of your organization.
There is also the loss of productivity as machines will be unusable. According to Kaspersky it takes organizations at least a week to recover their data in most cases. Then of course there is the financial loss of needing to completely format infected machines, reinstall all software and restore the data, not to mention adding protection in place to stop it from happening again.
For these reasons many businesses feel they have no choice but to pay the ransom, although it is highly recommended that they do not. Ransomware generates over $25 million in revenue for hackers each year, which demonstrates how effective it is to extort money from organizations.
Additionally, here are some more statistics related to the financial losses of ransomware attacks:
- In 95% of the cases where there were ransomware-related costs, the median loss was $11,150. However, losses ranged from a low of $70 to a high of $1.2 million (Verizon Data Breach Investigations Report 2021).
- Twelve percent of victims paid out on ransomware attacks in the third quarter of 2021 (Corvus Risk Insights Index). The 2021 figure is a decrease from the 44% of victims that paid ransomware demands in the third quarter of 2020.
- In the first six months of 2021, there was $590 million in ransomware-related activity (U.S. Treasury’s Financial Crimes Enforcement Network – FinCEN), compared to 2020’s reported $416 million in ransomware-related costs.
What Can Your Organization Do to Prevent Ransomware Attacks?
The good news is that with good cyber hygiene – including employee training, robust configuration management and security systems in place – organizations can mitigate ransomware vulnerabilities and prepare for the worst-case scenario.
Here are a couple of IT best practices that every organization should implement:
- Stay up-to-date with the latest operating software at all times. WannaCry, one of the most famous ransomware variants in existence, is an example of a ransomware worm. Rather than relying upon phishing emails or RDP to gain access to target systems, WannaCry spread itself by exploiting a vulnerability in the Windows Server Message Block (SMB) protocol.
- At the time of the famous WannaCry attack in May 2017, a patch existed for the EternalBlue vulnerability used by WannaCry. This patch was available a month before the attack and labeled as “critical” due to its high potential for exploitation. However, many organizations and individuals did not apply the patch in time, resulting in a ransomware outbreak that infected 200,000 computers within three days.
- Backups – Because paying the ransom does not guarantee that you will get the private key to restore your data, therefore in case of an attack, you can return files to their original state. Keeping computers up-to-date and applying security patches, especially those labeled as critical, can help to limit an organization’s vulnerability to ransomware attacks.
- Continuously and vigorously evaluate your security posture to ensure that you have the right protections in place.
Safeguard the Point of Entry of Ransomware Attacks
Beyond deploying strong, reputable endpoint antivirus security, web filtering, isolation technologies, robust backup and recovery, and overall comprehensive security training, it is important to remember that to prevent ransomware attacks, IT security professionals need to shift from a detection approach to a prevention approach. With the nature of ransomware attacks, detection after the fact is too late, as the hacker is already inside the organization and the race to stop the damage is a difficult one to win.
This is why it is critical to protect every channel through which content is entering into the organization. Withemail still being the dominant entry point for cybersecurity attacks, it continues to remain a weak point in many businesses’ security infrastructure. Even the most experienced users are not immune to cyberattackers who continue to develop more sophisticated techniques to deliver ransomware via email.
Advanced Email Security to Prevent Ransomware Attacks
Despite the availability of many email security solutions on the market, why do most organizations remain exposed?
- Traditional sandboxing technology, used by many of the email security solutions, has become outdated and not up to par to meet the challenges posed by sophisticated hackers, who employ several levels of attacks with multiple evasion techniques.
- Most email security solutions are slow and unable to scale up to support required performance needs, thus security professionals are forced to choose between delaying all email traffic to scanning less than 100% of emails, and only remediating threats after delivery. This imposes a huge risk on the security of their organizations.
What should you look for in an advanced email security solution in order to prevent ransomware?
- Dynamic scanning – Many of the email security solutions are built to just statically scan content (simple AV) or use CDR (Content Disarm & Reconstruction technology). AV technology is dependent on what is already known while the latter tampers files and changes them. Dynamic scanning is the process of actually detonating files & URLs inside an isolated environment in order to detect malicious code execution.
- Recursive unpacking — the ability to find threats underlying any nesting level inside the content. This is a key capability in protecting against evasion attempts – without that, an attack can go undetected, when the attacker buries a threat deep inside the content.
- Speed and scale – a common problem with incumbent security solutions is managing scale at the required speed. Legacy solutions have indeed migrated to the cloud but are not designed for scaling. When workloads grow, they are forced to be selective on what they scan – which increases the risk for the infiltration of malicious content, and this is exactly what attackers are waiting to exploit.
- Engine optimization – advanced threat protection solutions require engine optimization, which should be performed continuously, as organizations are constantly exposed to and need to efficiently protect themselves from new types of threats. If not optimized, security performance degrades over time, which is a commonly experienced problem. Engine optimization is a combination of the email security solution’s agility – the ability to define new rules and policies on the go, together with a skilled cybersecurity workforce that is able to identify the threats and perform these optimizations on an ongoing basis.
Ransomware attacks infiltrate systems despite the best efforts of prevention and preparation. Attackers that are successfully able to inject ransomware into your systems are not only able to hold your files hostage by encrypting them, but the ransomware itself frequently contains extraction capabilities that can steal critical information like usernames and passwords.
That being said, understanding how ransomware attacks work is the first step in preventing ransomware attacks. In addition to conducting robust staff training, implementing a strong backup program, deploying a strong network security system, organizations need to take a look at their cybersecurity defenses holistically in order to identify potential risks and channels, including email and cloud collaboration tools, that could lead to ransomware exploitation.
Preventing ransomware attacks is serious business because ultimately ransomware attacks are rooted in exploiting unsuspecting and unaware users.
Here’s some related content you may enjoy: How to Prevent Phishing Attacks
1Petya is a family of encrypting ransomware that was first discovered in 2016 – a piece of criminal code that surfaced in early 2016 and extorted victims to pay for a key to unlock their files. This ransomware targets Microsoft Windows-based systems, infecting the master boot record to execute a payload that encrypts a hard drive’s file system table and prevents Windows from booting. It subsequently demands that the user make a payment in Bitcoin in order to regain access to the system.