The landscape of malware has shifted dramatically in the past decade or so. Computer viruses that were developed to wreak havoc on companies and individuals by self-replicating and slowing down or wiping out systems have evolved into big business. This is not to diminish the severity of those early viruses; some of them caused billions of dollars in damage. However, the cost of these early viruses usually came in the form of lost revenue due to downtime while the systems were repaired, along with the hit to a company's reputation and customer confidence. Many also resulted in stolen data, leading to compromised credentials and identity theft. But more and more, attackers are shifting to a different type of malware for their attacks. Ransomware isn't a new type of virus. The first known variant was released in 1989. But it's quickly becoming the tool of choice for criminal organizations. The days of hackers being satisfied with simply costing a company large amounts of money are gone. The hackers' focus has shifted to making money from their attacks.
During the Nashville Cyber Security Summit in May, the morning keynote was a briefing from the FBI on the current landscape of cyber threats. It was no surprise to learn that ransomware is one of the most imminent threats they're tracking right now. In the past decade, ransomware attacks have increased dramatically and have become a serious threat to businesses, healthcare, and even to national security. The most notable recent attack, on the Colonial Pipeline, for example, caused a major bottleneck in the gasoline supply chain that resulted in higher gas prices and fuel shortages all along the east coast. While this most recent attack was widely publicized by the media, it's far from an isolated incident. According to the Emsisoft State of Ransomware Report, at least 2,354 government, healthcare and educational institutions were hit with ransomware attacks in 2020. The report goes on to state,
"The attacks caused significant, and sometimes life-threatening, disruption: ambulances carrying emergency patients had to be redirected, cancer treatments were delayed, lab test results were inaccessible, hospital employees were furloughed and 911 services were interrupted."
And it's no wonder that we're seeing these attacks increase in frequency. It's an extremely lucrative business model for criminal organizations. A report released by the IST's Ransomware Task Force states that ransomware victims paid a combined $350 million to hackers in 2020, with an average payment of over $312,000.
But the fallout from ransomware attacks goes beyond the disruptions to public services and healthcare, and the serious threats posed to critical infrastructure. The proceeds paid to these criminal organizations are often used to fund other criminal activities like drug smuggling, human trafficking and terrorism. While law enforcement agencies are stepping up their efforts to combat ransomware, it's important that businesses do everything they can to harden their systems and prevent their organization from becoming a victim.
At its most basic level, ransomware is a type of computer virus that uses encryption to lock the files on a computer system. The user is then instructed, usually through a file placed on the system by the virus, to pay a specified amount of money to the attacker in order to have their files decrypted. The most common form of payment requested is Bitcoin, due to the anonymity it provides. (Although a recent operation by the FBI may give the criminals second thoughts about how secure cryptocurrency really is.) Payment is made based on the promise that the hacker will unlock the encrypted files once the funds have been received.
The earliest known ransomware, the "AIDS Trojan", used a fairly simple encryption algorithm, and it wasn't long before a tool was developed that could decrypt infected systems. Modern ransomware variants have evolved a lot since the first generation. Using the latest encryption algorithms makes it nearly impossible for a victim to unlock the files themselves without the private key. Additionally, current ransomware variants can do much more than simply encrypt the files on a system. These new variants can open backdoors for the attackers, who can perform reconnaissance to determine which files are most valuable to an organization. They may also steal any credentials found on the system and exfiltrate data to the attackers. Some variants will lie dormant for a significant period of time, ensuring that any backups the organization might use to restore its systems are also infected.
Just as the viruses have evolved, so have the tactics used by the attackers. Early mass attacks on individual users through spam phishing campaigns have given way to more targeted attacks on large organizations. The theory is that these targets have the ability to pay higher ransoms than individuals for the same level of effort on the attackers' part, and they're more likely to pay the ransom due to the nature of the data on their systems. There's also been a large increase in the use of extortion, with groups threatening to release a company's sensitive data if payment isn't made.
This is an extremely difficult question to answer. The Ransomware Task Force report dedicates an entire section to the topic, and whether or not the government should ban organizations from paying ransom. On one hand, this could potentially decrease the profitability of ransomware attacks, as well as keeping money that could be used for other criminal activity out of the attackers' bank accounts. On the other hand, this approach could lead attackers to target more critical systems, and would almost certainly result in the sale or public release of an organization's data. In the end, the Ransomware Task Force was not able to reach a consensus on whether payments should be prohibited or not, but they did state that they should be discouraged as much as possible.
Whether a victim should pay the ransom or not has to be considered on a case-by-case basis. Organizations that don't have a good backup and recovery program may have no choice but to pay the attackers or lose all of their data permanently. Another consideration is the type of data that is stored on the system, and what effect the public release of that data would have on the organization and its customers. Unfortunately, paying the ransom doesn't necessarily guarantee that your data will be unlocked. According to the Sophos State of Ransomware 2021 report, only 8% of victims who paid a ransom actually got all of their files back, with an average of about 65% of files being recovered for most victims. In addition, even if your files are recovered, there's no guarantee that the virus was completely removed from your system, or that the attackers won't sell your data on the dark web anyway. You are dealing with criminals, after all. What's more, paying a ransom may label your organization as a "soft target", which will encourage future attacks, either by the same group or by others. When it comes to ransomware, prevention is the best cure.
In order to avoid becoming a victim of ransomware, organizations need to focus on two primary areas: hardening their systems and recovery planning. Hardening your systems against ransomware is no different than protecting them from other types of malware and intrusions. By following industry best practices, you can greatly reduce your risk of becoming a victim. Recovery planning requires having a plan in place that can get your organization back up and running quickly in the event of a successful attack. With those things in mind, here are a few suggestions to help keep your organization safe:
One of the most important steps in securing your system is making sure that every user in your organization understands how seriously you take security, and that it is part of their job responsibilities to understand common risks and how to avoid them. Users should be trained on topics such as how to avoid phishing attempts and how to identify and report suspicious activity, both on their workstations and in their physical environment. Good security education is even more important for your technical staff. Developers, DBAs and system admins should all receive regular security training. But it's also important to ensure that training is tailored for specific user groups. Forcing your developers to complete an online phishing course every year doesn't help anyone. It costs the organization money and time, and your developers will become jaded about security in general. Instead, provide your more technical users with advanced training on topics like database security or secure coding practices. If every user in your organization can tell how seriously upper management takes security, they will take it seriously as well. For additional tips on fostering a culture of security in your organization, see my previous article on the subject.
Requiring your users to log in to your systems with multi-factor authentication goes a long way in preventing credential attacks. Even if a user's password has been compromised, requiring the use of an MFA app will prevent access by anyone who doesn't have the device needed to authenticate. Assuming your user didn't have their device stolen by the same person that accessed their credentials (not out of the question, but unlikely), you can be fairly certain that any login came from an authorized user.
Your password policy should ensure that any brute-force password attacks on your systems will not be successful. You can reference the NIST Digital Identity Guidelines to ensure you're following best practices in defining your password policies. If possible, avoid user-generated passwords altogether by utilizing a password manager, with strong, randomly generated passwords and a unique password for each application a user will log into.
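As an added illustration of the kind of policy the NIST guidance describes (this is example code written for this article, not a NIST reference implementation), the following check enforces length limits and screens against a breached-password list and context-specific words, while deliberately imposing no composition or rotation rules. The breached-password set and the thresholds are constructed placeholders; a real deployment would consult a full breach corpus.

```python
"""Password-acceptance check modelled on NIST SP 800-63B memorized-secret
guidance. Added example; constructed sample data, not a production list."""
import unicodedata

# Constructed sample standing in for a large breached/common-password corpus.
BREACHED_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}

MIN_LEN = 8    # 800-63B: at least 8 characters for user-chosen secrets
MAX_LEN = 64   # 800-63B: accept at least 64 characters


def normalize(secret: str) -> str:
    """NFKC-normalise so visually identical Unicode secrets compare equal."""
    return unicodedata.normalize("NFKC", secret)


def check_password(secret: str, username: str = "", service: str = "") -> list[str]:
    """Return the reasons a password is rejected; an empty list means accepted.

    No 'must contain a digit/symbol' rules and no expiry: instead, length
    bounds plus screening against breached passwords, context-specific words
    (username, service name) and trivial repeated/sequential patterns."""
    s = normalize(secret)
    reasons = []
    n = len(s)
    if n < MIN_LEN:
        reasons.append(f"too short ({n} < {MIN_LEN})")
    if n > MAX_LEN:
        reasons.append(f"too long ({n} > {MAX_LEN})")
    low = s.lower()
    if low in BREACHED_PASSWORDS:
        reasons.append("appears in breached-password list")
    for ctx in (username, service):
        if ctx and len(ctx) >= 4 and ctx.lower() in low:
            reasons.append(f"contains context-specific word '{ctx}'")
    if len(set(low)) == 1:
        reasons.append("single repeated character")
    elif n >= 2 and all(ord(low[i + 1]) - ord(low[i]) == 1 for i in range(n - 1)):
        reasons.append("sequential characters")
    return reasons


if __name__ == "__main__":
    for candidate in ("correct horse battery staple", "Password", "12345678"):
        verdict = check_password(candidate, username="alice", service="payroll")
        print(f"{candidate!r}: {'accepted' if not verdict else ', '.join(verdict)}")
```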
The principle of least privilege ensures that users only have access to the resources they need to do their job, and nothing more. Cases where a user needs temporary access should require approval, and access should be removed as soon as the task is complete. The same is true for your internal applications. Each application should only be able to communicate with the systems it requires. All other traffic should be restricted, and any unnecessary protocols should be disabled.
This is one of the biggest things you can do to prevent attacks, and unfortunately, it's one of the most often neglected. Attacks using a brand new exploit are fairly rare. The vast majority exploit known vulnerabilities in software packages or operating systems. In many successful attacks, a patch had already been released, but the victim hadn't updated their system yet. Ensure that all of your users' workstations receive automatic updates, and implement a process for updating any other machines regularly. Make certain that you are keeping up with the latest additions to the NIST National Vulnerability Database and applying patches to any vulnerable software immediately. If your organization develops software, make sure all third-party dependencies are kept up to date. I've seen too many organizations push off CVE warnings from their static scanners because the upgrade conflicts with another dependency and would require significant refactoring. These organizations are willingly opening themselves up to become ransomware victims, and the fact that they haven't yet is pure luck. In my opinion, keeping your dependencies up-to-date should take precedence over all new feature work.
Make sure that you're regularly backing up all of your data, and that it's stored in a safe location that is not connected to your network. Your backups should be tested regularly to ensure that they haven't been corrupted, and you should practice restoring from your backups on a regular basis.
Encrypting your own data won't prevent a ransomware attack, but it may help alleviate extortion threats in the event of a successful attack. By ensuring that your data is encrypted, you can be fairly confident that the attackers don't have any sensitive data that they can release or sell. This approach may come with some tradeoffs, however. Encrypting data at rest means it will need to be decrypted before it can be used by your organization. In some cases this may not be an issue, but when performance and speed are a high priority, it may not make sense, depending on the data being stored. If the data is highly sensitive, such as financial or healthcare information, the performance hit may be worth it.
Unfortunately, there's no silver bullet to guarantee you'll never be the victim of a ransomware attack, but implementing these suggestions will go a long way in shoring up your defenses.