Ransomware attacks continues to plague businesses of all sizes, in practically all industries.
In this video, Tanner Johnson, principal analyst of data security and IoT cybersecurity at research firm Omdia, explains why ransomware became the widespread threat it is today. In addition, Johnson discusses how ransomware can be prevented, highlighting countermeasures prescribed by the U.S. Cybersecurity and Infrastructure Security Agency.
Transcript follows below. Minor edits have been made for clarity.
Why is the threat of ransomware on the rise?
Tanner Johnson: Sadly, the harsh reality is that anyone connected to the internet is a potential victim. Ransomware is proven to be a successful business model for would-be cybercriminals. The proliferation and overall advancement of the threat itself is combined with ease of access to ransomware toolkits and even the development of ransomware customer service agencies, believe it or not, that assist victims and walk them through the process of attaining Bitcoin to pay their ransom.
We’ve seen a severe evolution, from what five, 10 years ago was a simple annoyance -- maybe the largest, most common ransom payment was for probably less than $300 -- to now where we are seeing a multibillion-dollar international criminal undertaking with some of these ransoms being in the tens of millions of dollars. So, it's a definite increase in growth.
I think the biggest single impact, what has allowed ransomware to proliferate, is the advancement of cryptocurrencies. It’s the way to make payments totally anonymized and untraceable, for the most part. And that is what has facilitated the widespread adoption of ransomware by criminals.
What are examples of ransomware attacks?
Johnson: One of the larger ones that comes to mind that had such a prevalence several years ago is WannaCry. That was a ransomware attack that exploited a Windows Server Message Block vulnerability, and it spread like wildfire throughout the internet.
There are others like TeslaCrypt. This is another vulnerability exploit that utilized browser exploitation kits to distribute malware across particular systems. But they ultimately released a master decryption key and closed their doors.
NotPetya is another one. The attackers were more infrastructure-focused -- utilities, oil and gas, power grids, those kind of components. It was discovered in Ukraine and plagued a lot of Europe.
REvil is something that's more or less a ransomware group in addition to a type of ransomware. They were responsible for the Colonial Pipeline attack that shut down oil processing on the East Coast for several days.
Another one is SamSam, a more of a targeted campaign used against entities whose access to data is extensively critical, like hospitals or even schools. Those organizations may not necessarily have the IT security budgets to have rapid response capabilities in place.
What methods do ransomware attackers use?
Johnson: Social engineering is actively underway. Some of the largest breaches that have occurred have not resulted from exploiting a vulnerability in the software or hardware components, that gave someone unauthorized access. A lot of the largest attacks as of late have occurred with legitimate credentials being obtained.
Now, unfortunately, if there's not some other multifactor authentication form in place, then those legitimate credentials give unfettered access to the system and can do so for an indefinite period of time, until the organization is able to determine that they've even had a breach.
So, there are multiple factors involved in the process.
What is preventing organizations from investing in ransomware security?
Johnson: A lot of organizations have restrictions when it comes to their overall strategy. They can do things quick, they can do things cheap, or they can do things securely. And sadly, the last leg is often the first thing on the chopping block, because they want their capabilities out yesterday and at as minimal overhead cost as possible.
It's difficult also when it comes to investment in security capabilities and responses. If you're unable to see an immediate return on your investment, it's hard to justify that initial expense, at least when it comes to the board of particular organizations. So, without understanding the threat, it's difficult to understand the need and requirement for the investment behind it.
The reason why most cybersecurity incidents occur is because we are a reactionary society. We wait for bad crap to happen and then decide, “OK, we should probably do something to prevent that,” after we've already suffered from it.
Many organizations see themselves as small fish and not that primary target. But any mom-and-pop shop can be targeted for a ransomware attack -- as well as doctor offices and smaller businesses that don’t have the resources to throw at an IT department or even a security division.
Say you’re dealing with confidential patient information like in a hospital or a specialized doctor's office. If that information becomes leaked, then in addition to major HIPAA violations and fines you'd be lucky to continue to survive operating after that.
So, there are considerable reasons to take ransomware into evaluation when it comes to strategy. But sadly, most organizations wait. And it's unfortunate that they wait until they are hit to say, “Oh. Let's develop some strategy to prevent this from occurring in the future.”
What can organizations do to protect themselves?
Johnson: The U.S. Cybersecurity and Infrastructure Security Agency, CISA, provided an official ransomware guide to assist organizations with their respective mitigation efforts. This guidance ultimately outlines the importance of being prepared for such an attack.
Part of this preparation should be the establishment of a comprehensive data lifecycle management strategy. It's one of the strongest countermeasures: being able to ultimately understand the secure creation, storage, transfer, and destruction of data in all steps of that lifecycle. Organizations need to securely encrypt and backup the gold images, if you will, of their critical operational data, and have that backup offline in order to mitigate any potential exposure. So, if the data is encrypted or becomes unavailable or denied via ransomware, you have access to the data in an offline format that can easily replace the encrypted and unusable data.
As part of this, you need to regularly verify and update the gold images of your critical information to make sure that it's available when necessary if system restoral should require complete rebuilding.
CISA also outlines the importance of being prepared for an attack by actively planning for one by developing a cyber incident response plan. This can be integrated into business continuity and disaster recovery plans.
CISA further highlighted some of the general best practices to help reduce the opportunities for compromise. These include conducting regular audits that help to discover any security gaps that ultimately need addressing.
CISA also released a Ransomware Readiness Assessment (RRA) module for its cybersecurity evaluation tool. The RRA is a self-assessment security tool that any organization can utilize to gain further insight into how prepared they are to handle a cyberattack and help prepare their cyber defenses.
Any substantive protection and response efforts against the threat of ransomware must involve developing a comprehensive assessment of your own organization's security posture. As each individual organization is likely to have unique security requirements, priorities, and risk tolerances, it's essential that each entity develop a customized response plan to fit their own unique needs.
This can also include purchasing offline equipment that can rapidly be used to replace equipment infected by ransomware -- clean equipment that can easily replace and be populated with the gold image information that's necessary for business continuity.
These are some of the basic digital diligence efforts that can be taken.
What’s the bottom line for businesses?
Johnson: Ultimately, be prepared. I cannot emphasize this enough. I don't know how to drill this into individual organizations’ heads: the need to have a plan in place. The best time to develop a ransomware plan is not in the middle of an attack. It's prior to getting struck by one.
If you are dealing with a ransomware attack and you have no guidelines, no outlined protocols, no rules and regulations to follow, and you don't know necessarily where the jurisdiction from one individual's responsibilities and roles fall and where yours begin, it is only going to feed into the chaos that's generated from that immediate lack of access.
So, it is a complex and challenging situation that that no longer can be taken lightly.