The Evolution of Ransomware Attacks

As ransomware behaviors change from mass attacks to highly targeted incidents and from file-based to fileless and in-memory attacks, IT leaders also need to adapt to these changing behaviors.

A recent Sophos survey, The State of Ransomware in 2021, revealed global changes in cybercriminal behavior as these attacks become more targeted.

More than half (54%) of those hit by ransomware attacks in the last year said cybercriminals succeeded in encrypting their data in the most significant attack.

Chester Wisniewski, principal research scientist at Sophos, said the attackers security leaders most need to worry about all have their hands on keyboards.

“Very [few] attacks originate from automated bots and worms,” he explained. “This is a big shift for many defenders as human adversaries require more resources and different skills.”

The Modern Threat Landscape

Wisniewski said for all but the largest of organizations, the modern threat landscape requires a mixture of in-house and outsourced security services.

“Understanding all of the latest techniques and threats and how they manifest themselves in monitoring tools is something in-house teams cannot stay on top of,” he said.

That means IT security teams should look to trusted third parties to provide the deep expertise and focus instead on policies, patching and designing a more secure infrastructure themselves.

“I think it’s time for IT leaders to not only understand the changing attacker behaviors of highly sophisticated and targeted attacks, but also its relation to their critical data and employee awareness,” said Momodou Jaiteh, application security consultant at nVisium.

Jaiteh noted that ransomware has been evolving the past few years, but significantly so in the past year, partly due to the sophistication and effectiveness of defensive approaches being adopted by some high-value targets.

“As ransomware attacks get more and more sophisticated, they require advanced skillsets on the defensive side,” he explained. “With IT staff facing capacity issues due to a typical individual juggling multiple tasks, the necessary skills gap widens.”

Under these circumstances, IT security teams need to strategize how to best confront these threats – leveraging automation of routine tasks to free staff with advanced skills to pursue attackers and combat ransomware and other threats.

In addition, Jaiteh said leveraging more specialized external resources to defend against ransomware can help fill that gap.

Joseph Carson, chief security scientist and advisory CISO at ThycoticCentrify, explained that ransomware is no longer just about encrypting files but also stealing a target organization’s data, making ransomware a multifunctional weapon.

“If a company has a solid backup to restore systems, then the criminal gang can threaten to disclose damaging data that could directly impact the stock price, brand, employees and potential customers,” he said. “What we are seeing with ransomware is that cybercriminals continue to abuse privileged access, which enables them to steal sensitive data and deploy malicious ransomware.”

This means organizations should prioritize privileged access as a top security measure to reduce the risks of ransomware and ensure strong access controls and encryption for sensitive data.

Take Ransomware Very Seriously

Carson said companies must take ransomware very seriously, as it will continue to be the largest of cyberthreats, and ransomware continues to be very costly for many organizations.

“The price you pay for not being prepared is on the rise,” he said. “It only takes one employee with local admin privileges clicking on a malicious email attachment to take down an entire company.”

Jigar Shah, vice president at Valtix, said he thinks many people and organizations are overly focused on the tactical response after a ransomware event takes place.

“Often, paying the ransom doesn’t even let you recover, as the attacker just disappears and does not help free locked resources,” he said. “At this point, the significant costs organizations are seeing are how to recover and rebuild.”

Shah said forward-thinking organizations are investing in building non-fragile infrastructure using infrastructure-as-code (IaC).

“If you plan ahead and start your public cloud journey the right way, then you can build your infrastructure and apps such that they can be redeployed in minutes if such an incident happens,” he said. “And, you can bake security right into this process.”

Getting Back to Normal After a Ransomware Attack

Jack Kudale, founder and CEO of Cowbell Cyber, admitted that returning to normal operations after a ransomware attack is an intimidating project, and organizations require clarity over which systems and data were impacted before they can start rebuilding operational systems.

“Cyberinsurance brings experts at every step of the process: from a breach coach and forensic experts who will clarify the scope of the incident and negotiate the ransom to resources that accelerate rebuilding systems to full capacity,” he said.

However, Kudale said the role of the insurers must go beyond response and recovery to include education and prevention.

For example, organizations need cybersecurity policies which are bundled with complementary cybersecurity training for all an insured’s employees.

“This will eradicate one of the basic root causes of many ransomware attacks: an employee clicking on a phishing email,” he noted.

Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.
