2021 was the year of ransomware. Now a multi-million-dollar problem, ransomware is one of the most damaging forms of cyberattack, and cybercriminals are becoming increasingly adept at automating it. The attack pattern itself is also evolving: not only is company data suddenly locked behind encryption that cannot be broken; attackers now routinely exfiltrate that data and sell it as well. Such highly replicable attacks demand that your organization maintain an airtight security fabric.
Ransomware: The Ever-Expanding Threat
Ransomware first hit the mainstream cybercrime scene in 2013, when the growing adoption of cryptocurrencies such as Bitcoin suddenly made remote, anonymous ransom payment possible. CryptoLocker raced through personal and business devices alike, fueled by a relative lack of ransomware training. In the few months that this ransomware was active, it infected a quarter of a million systems and earned its creators millions of dollars. An international sting operation pulled the Gameover ZeuS botnet – the infrastructure that distributed the ransomware – offline in 2014, but its creators had already demonstrated the sheer financial potential of ransomware.
Traditional ransomware aims to gain a foothold on a device – disguised as an email attachment, or through a small gap in your tech stack – and then systematically block access to the user’s files. It does this with encryption: the program encrypts the contents of every file it reaches, leaving them unreadable. Strong encryption is now easy for an attacker to use correctly, and even the most cutting-edge processors could not recover the data by brute force within your lifetime. With the payload detonated and the organization thoroughly cornered – and assuming no clean, offline backup has survived – the two options are to abandon the data, or to pay the ransom in the hope that the decryption key is handed over. The attack succeeds when the victim is desperate enough to cough up the ransom. Replacing terabytes of sensitive data can cripple even established companies, and a growing number of organizations choose to pay. The downside of paying is that it directly funds criminal activity.
Unsurprisingly, companies that choose to pay are often hit with further ransom attacks shortly afterwards. Sophos’ State of Ransomware 2021 report puts some eye-opening numbers on this trend. For mid-sized organizations, the average ransom paid last year was $170,404, while the average total cost of resolving a ransomware attack reached a staggering $1.85 million. That figure includes downtime, replaced devices, lost business opportunities, and of course the ransom itself. The cost of resolving an attack more than doubled since 2020.
Not only are ransomware attacks becoming more expensive; they have also exploded in frequency. In September 2021 alone, security providers reported 500 million attempted ransomware attacks, which the report translates to almost 10 attempts per company per day. SonicWall’s 2021 Cyber Threat Report supports Sophos’ findings: global ransomware attacks rose another 48% in frequency, with the UK battling a 233% surge in cases while American companies saw a 127% increase.
Removing Ransomware At Its Roots
On the attacker’s side, the wave of ransomware is partly fueled by the professional commercialization of attacks. Ransomware as a Service (RaaS) offers money-hungry wannabe cybercriminals the opportunity to steal, extort and sell highly confidential data, removing the previous skill barrier of code development. Cybercriminal developers handle the technical side of the ransomware, offering ready-made tooling to affiliates who then unleash attacks on victims of their choosing. RaaS kits are advertised much like their SaaS counterparts, with optional extras including customer support, access to affiliate forums, and bundled offers. When an affiliate conducts a successful attack, a portion of the ransom is paid back to the developer. Spiraling ransom payments have drawn swarms of RaaS affiliates, each hoping to make thousands per attack.
The industrialization of ransomware has also seen specialized roles develop within the black market. Access brokers are one such example: they sell access to networks that have already been compromised. Thanks to this flourishing criminal market, major ransomware cases now involve multiple individuals, each acting at a different stage of the intrusion, which drastically slows any legal backlash against the criminals.
The other side of this arms race shows why these low-skilled script kiddies have been so successful. A recent report from Microsoft found that 80% of ransomware attacks stem from common configuration errors in widely used software. One of the worst offenders is the Remote Desktop Protocol (RDP). Following 2020’s surge in work-from-home employees, RDP services have often been left exposed like a loaded gun, and cybercriminals exploited this freely throughout 2021. Though not inherently unsafe, company-wide RDP deployments frequently lack a shocking number of basic Identity and Access Management (IAM) controls. Without two-factor authentication, or without a strict enough password policy, attackers can brute-force their way onto an employee’s device. Phishing is another effective way to obtain login credentials. RDP is a particularly potent weak point because, once illicit access is gained, attackers can move through the network disguised under the legitimate user’s account, leaving very little trace until the payload is dropped.
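The RDP weakness described above is one a defender can watch for directly: a burst of failed RDP logons from one source, followed by a success from that same source, is the signature of a password-guessing attack that worked. The script below is an added example written for this article, not code from the page, from Microsoft or from any vendor it mentions. It runs detection logic over a constructed set of Windows Security log records (Event ID 4625 = failed logon, 4624 = successful logon, Logon Type 10 = RemoteInteractive, i.e. an RDP session, which are real Windows values); the field names, the 10-failures-in-5-minutes threshold and the sample IP addresses are assumptions chosen for the example.

```python
"""Flag RDP password-guessing in Windows Security event records.

Added example for this article; not code from the original page. The
events below are constructed to mimic the fields a SIEM extracts from
Windows Security log entries: 4625 = failed logon, 4624 = successful
logon, LogonType 10 = RemoteInteractive (an RDP session).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10
FAILED_LOGON, SUCCESSFUL_LOGON = 4625, 4624


def _ev(time, event_id, user, src_ip, logon_type=RDP_LOGON_TYPE):
    # Assumed field layout; adapt the keys to whatever your log pipeline emits.
    return {"time": time, "event_id": event_id, "logon_type": logon_type,
            "user": user, "src_ip": src_ip}


GUESSED = ["administrator", "admin", "jsmith"]

# Constructed sample: one source cycles through usernames against RDP every
# ten seconds and eventually lands a valid password; another is an ordinary
# user who mistypes once. Both IPs are from the RFC 5737 documentation ranges.
SAMPLE_EVENTS = (
    [_ev(f"2021-09-14T02:00:{10 * i:02d}", FAILED_LOGON, GUESSED[i % 3], "203.0.113.7") for i in range(6)]
    + [_ev(f"2021-09-14T02:01:{10 * i:02d}", FAILED_LOGON, GUESSED[i % 3], "203.0.113.7") for i in range(6)]
    + [
        _ev("2021-09-14T02:01:05", FAILED_LOGON, "svc_backup", "203.0.113.7", logon_type=3),  # network logon, not RDP
        _ev("2021-09-14T02:02:30", SUCCESSFUL_LOGON, "jsmith", "203.0.113.7"),  # the guess that worked
        _ev("2021-09-14T09:00:00", FAILED_LOGON, "jsmith", "198.51.100.5"),
        _ev("2021-09-14T09:00:20", SUCCESSFUL_LOGON, "jsmith", "198.51.100.5"),
    ]
)


def detect_rdp_bruteforce(events, threshold=10, window=timedelta(minutes=5)):
    """Return {src_ip: alert} for every source with at least `threshold`
    failed RDP logons inside a sliding `window`. Each alert carries the total
    failure count, the usernames tried and, most importantly for incident
    response, the account name if a successful RDP logon later came from the
    same source, meaning a guess very likely worked."""
    recent = defaultdict(deque)      # src_ip -> timestamps of failures still inside the window
    tried = defaultdict(set)         # src_ip -> usernames attempted
    total = defaultdict(int)         # src_ip -> all failures seen
    alerts = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue                 # ignore SMB/network/service logons here
        ts = datetime.fromisoformat(ev["time"])
        ip = ev["src_ip"]
        if ev["event_id"] == FAILED_LOGON:
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > window:
                q.popleft()          # drop failures that fell out of the window
            tried[ip].add(ev["user"])
            total[ip] += 1
            if len(q) >= threshold:
                alert = alerts.setdefault(ip, {"success_after": None})
                alert["failures"] = total[ip]
                alert["targeted_users"] = set(tried[ip])
        elif ev["event_id"] == SUCCESSFUL_LOGON and ip in alerts:
            alerts[ip]["success_after"] = ev["user"]
    return alerts


if __name__ == "__main__":
    for ip, a in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        verdict = (f"then SUCCESS as {a['success_after']}: treat the account and host as compromised"
                   if a["success_after"] else "no success yet")
        print(f"{ip}: {a['failures']} failed RDP logons against {sorted(a['targeted_users'])}; {verdict}")
```

Filtering on logon type 10 keeps the count specific to RDP rather than every failed network logon, and the sliding window means a slow, patient guesser does not trip the rule while a fast one does; tune the threshold to what your environment's lockout and password policies already tolerate. The alert itself is only the trigger. The controls the paragraph names, two-factor authentication and a strict password policy, are what turn a detected burst into a harmless one.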
How to Reduce the Ransomware Threat
Managing the threat of ransomware demands an airtight cybersecurity suite. Your security decisions should be led by a data-centric approach that prioritizes compliance, and the foundation of data-centric security is data visibility. Keeping an accurate, up-to-date overview of the sensitive data within your company can feel like a constant battle, as overloaded staff and rapid technology change muddy the water. Fundamentally, enterprise-wide data compliance is no longer achievable on your own: security and compliance teams often lack the resources to protect each and every component of the modern hybrid data environment.
Your security solution provider needs to recognize and mitigate these demands placed upon you. Their solution needs to offer comprehensive, unified insight into enterprise data. Only once this solid foundation has been established is it possible to ensure your company does not fall foul of the small but deadly misconfigurations that pave the way for 2022’s ever-expanding ransoms.