With the enormity of challenges facing organizations today, new and sophisticated cyber threats like ransomware can be easy to overlook. Yet at their own peril. Ransomware has proven to be no mere technological nuisance, but often an existential crisis capable of driving even large companies to their knees when critical systems are unlocked only after staggering payments.
Recent years have seen an exponential surge in high-profile ransomware attacks across industries. A kind of digital hostage scenario- with encrypted data for lives. 2021 was abominable. The previous year foreshadowed darker times ahead. Trend Micro identified a 1,383% explosion in ransomware attack detections between January and April 2021 versus just a year prior. Overall, ransomware victims quietly filled cybercriminal Bitcoin wallets to the tune of $350 million in 2020, a three-fold increase from 2019 estimates suggests Chainalysis.
Without hyperbole, ransomware’s sheer growth and cut-throat capitalism spells only more troubling days. The World Economic Forum now wisely ranks ransomware only below climate change and pandemic outbreaks for likely global disruption over the next two years. Rarely has so severe threat emerged from only loose organizations of anonymous hackers motivated by greed.
Why has ransomware taken such a troublesome grip globally so swiftly? The perfect storm of seemingly unstoppable technological forces has converged to hand unprecedented leverage to the adversaries. On the front end, well-funded ransomware innovators engineer turnkey extortion kits in dark web bazaars to deploy victims in the hundreds of thousands without ever lifting a finger personally. Automation rules the future it seems. At the backend, ransomware groups launder their illicit crypto-ransoms via less regulated financial channels and often hostile regimes averse to US interests. Nation state actors masquerade as profit-seekers when politically expedient. Technical excellence engenders more destruction rather than progress for humanity.
What makes ransomware bite so severely are also the sheer paralysis it induces virtually overnight while victims debate internally whether to pay up or have external security consultants labor over decryption as business craters. As days bleed into weeks of outages, and lawsuits get threatened by customers, even option of last resort- data wiping and restoring from backups- itself remains a long and tedious fix during which aggrieved users have already fled to the open arms of nimble competitors all too happy to see market share upticks. The brand carnage can be irreversible. 272% of malware victims report sustained customer loss even after containment as per IBM surveys of security professionals. Other data leakage risks post-ransomware also linger for years via black markets. The gift that keeps taking long after the initial malware has been neutered.
So in the grand game of high stakes cyber security chess, organizations find themselves constantly two steps behind- their castles left naked by lack of technological prowess to match the ingenuity of utterly faceless enemies encoded in 0s and 1s usurping infrastructure built with millions in capital outlays. The hope lies in tilting fortunes over time through equal cunning maneuvering. By undertaking a combination of technology investments and strategic moves, a path exists to counter the scourge for most willing organizations, restore honor, and empower customers.
White knights will emerge from this kingdom of endless night through perseverance and cooperation. But first the long march to build necessary armory…
Government agencies also warn about the potential cascading impacts of ransomware beyond any single organization. With hospitals, emergency services, school districts and core infrastructure now common targets, the implications of ransomware ground zero can rapidly lead to city-wide, regional and even national disruption. This reality further pressures businesses across industries to securely backup critical data offline while hardening IT infrastructure. For most organizations, it is now a matter of ‘when’ ransomware strikes rather than an ‘if’. Prior preparation is essential.
What Is Ransomware?
Ransomware is best understood as malicious software designed to deny access to systems or data through encryption until a ransom demand is paid. Core features tend to include:
- Encryption algorithms robust enough that brute-force decryption is not feasible
- Utilizes asymmetric encryption where the attackers controls all private keys
- Often has worm-like features to self-propagate rapidly across networks
- May disable system recovery options, safe boot, task manager, etc.
- Ransoms demanded through cryptocurrency for pseudo-anonymity
There are also ransomware variants focused on exfiltrating data and threatening its release unless extortion demands are met – sometimes referred to as leakware or doxware.
Modern enterprise ransomware often has multiple components, including droppers, exploits, privilege escalation tools, lateral movement frameworks, reconnaissance modules and command and control communication protocols. Post-exploitation ransomware frameworks thus exhibit capabilities similar to advanced persistent threats traditionally associated with state-sponsored attackers.
Sophisticated ransomware strains also exhibit strategies to evade security mechanisms through disabling antivirus tools and avoiding detection by malware sandboxes. The ability to take organizations offline by encrypting not just individual workloads but also connected backup systems makes restoration extremely difficult. By understanding all aspects of ransomware kill chains, defensive strategies can be tailored accordingly.
Why Ransomware is So Dangerous
Beyond immediate financial impacts, ransomware presents larger dangers which make prevention mission critical:
Disruption of services – As witnessed with the 2021 Colonial Pipeline ransomware attack, cyber incidents can drive core infrastructure offline leading to supply chain disruption, economic impacts, and risks to health and safety on a regional basis. Qnap and Kaseya attacks similarly brought many businesses and government agencies to their knees overnight through simultaneous mass encryption across managed service provider (MSP) channels.
Erosion of trust – Ransomware materially impacts brand reputation and trust by customers and partners, especially in industries dealing with financial, healthcare or personal data. Mounting regulatory fines related to compliance failures compound this further.
National security fears – With ransomware impacting hospitals, transport hubs and critical infrastructure, unchecked proliferation risks public health and safety. Cyber criminality also risks further attribution challenges between profit motivated attackers vs state weapons and escalatory retaliation.
Cascading impacts – What starts as a small infection can easily balloon organization-wide and beyond. Lack of offline backups means restoration may be impossible or require huge manual effort.
How Ransomware Works
There are multiple sophisticated frameworks ransomware threat actors leverage to deploy extortion campaigns against targets:
- Doxware/Leakware focuses on data exfiltration and extortion without any system lockout. After breaching networks, attackers quietly scope out and steal intellectual property, contracts, employee/customer PII, emails, source code, and other sensitive documents. The data itself is left intact without any encryption. At a later stage, attackers announce the data theft and issue extortion demands while threatening to release documents publicly. This causes massive brand damage and trust issues even if standard backups can restore affected systems easily. Doxware allows monetization of stolen corporate data through multiple avenues – selling to competitors, insider trading, auctions on dark web markets, etc.
- Hybrid ransomware combines system encryption alongside data theft for a two pronged extortion. After encrypting files beyond recovery and paralyzing operations, attackers demand a ransom while also threatening leakware document dumps if payment does not materialize. This provides options for monetization while maximizing damage potential.
- Human-operated ransomware exhibits extensive manual intervention in pre-attack reconnaissance inside breached networks using credential theft, vulnerability scanning and tooling for situational awareness. Once sufficient access is achieved, threat actors selectively target and encrypt high value data and systems with huge operational impact. Human-operated ransomware also allows custom extortion demands tuned to victims’ ability to pay based on financials, insurance cover etc.
- Ransomware-as-a-Service (RaaS) lowers barriers to entry through malware kits leased to affiliates. Developers maintain the malware framework while handling cryptography and ransom collection/money laundering. Affiliates focus only on distribution and infection. Profits are split between the RaaS operator and the affiliates per successful infection. This distributed model allows scaling criminal reach exponential.
- Supply chain ransomware leverages partnerships and integrated technologies to compromise third party vendors, suppliers, consultants and managed service providers first. These supply chain vectors provide backdoor network access to downstream customers otherwise difficult to breach directly. Further malware propagation then fans out rapidly enterprise-wide by design.
Where Is Ransomware Coming From
Ransomware developers and their funding sources fall across a wide spectrum globally:
- Independent cybercriminals seek quick paths to profits through targeting vulnerable organizations with easily created malware using ransomware toolkits available on dark web markets.
- Organized cybercrime groups exhibit extensive funding, organization and technical capabilities akin to startup enterprises completely focused on maximizing ransomware criminal operations. Many have multiple specialized technical teams covering malware development, cryptography, vulnerability research, QA testing of malware, compromising websites, running botnets, data exfiltration infrastructure and human-operated penetration testing of breached networks.
- State sponsored groups provide cover to state interests while limiting attribution. Geo-political disruptions caused by ransomware allows states to claim non-involvement despite evidence around origins of hacking tools, infrastructure, funding and locations. States also directly benefit from cyber criminality through taxation as well as intelligence sharing relationships with non-state actors.
- Hacktivists often use ransomware for political and social change agendas beyond just financial gain. By targeting organizations seen as opposing a particular ideology and then publicly leaking sensitive data, media coverage and fear act as multiplier effects. Law enforcement profiling risks are also seen as minimal relative to protest actions in the physical world.
- Insiders and compromised employees provide initial footholds within corporate networks through stolen credentials or introductions of infected removable drives in airgapped environments. Increasingly, insiders participate actively with external threat actors due to inducements or ideological reasons.
- Security researchers and malware developers license ransomware kits as IP to cybercriminals or directly sell proofs-of-concept code anonymously for side income. The diffusion of effective hacking tools directly translates to more realized attacks, breaches and ransomware events across industries.
- Disgruntled employees sometimes directly leverage accesses maintained post-employment by implanting logic bombs, time bombs, threats of data destruction and ransom demands due to perceived slights, lack of appreciation, workplace conflicts or termination handling. Inside knowledge helps precision targeting of impactful systems.
Top Geographies Spreading Ransomware
Russia maintains an outsized footprint in global ransomware ecosystems primarily due to the talent availability combined with limited domestic or international law enforcement cooperation. The Ukraine conflict has also turbocharged disruptive ransomware attacks against US and European interests. China similarly exercises judgments when domestic hacking collectives breach international hacking prohibitions. Other Eastern European cybercrime safe havens round out the top geographies hosting nefarious ransomware developers and control servers.
What are Types of Ransomware?
Understanding the variety of ransomware attack types allows more tailored security mitigations addressing technique-specific risks:
- Crypto ransomware uses public key cryptography to restrict access to systems and data. Well designed crypto ransomware often has worm-like capabilities to traverse networks, robust encryption strength necessitating ransom payment as the only path to decryption, and code obfuscation combined with anti-analysis techniques to avoid detection. Crypto ransomware uninstalling or disabling security software during staging further reduces chances of isolation.
- Locker ransomware prevents normal usage of devices, computers or individual user accounts by locking screens or rendering critical components inaccessible through scrambled file tables, folder names, process shutdowns and registry edits. While less severe than crypto ransomware, restoring desktop functionality can take enormous effort. Data may also still remain vulnerable to follow-on malicious activity post-restore.
- Data leak extortion/exfiltration ransomware emphasizes maximum brand damage through public release of data if ransom goes unpaid. Enterprise contracts, intellectual property, employee/customer PII, credentials and code repositories offer rich monetization potential for extortionists either directly or via competitors/adversaries. Data leak ransomware leaves systems intact to allow ongoing functioning with some containment. However, trust recovery can be vastly more difficult.
- Hybrid ransomware supplements permanent data encryption with additional threats to publicly leak subsets of stolen IP/data across phases of a campaign if ransom demands are not cooperative in early stages. This forces victims into added compliance, introduces liquidity into stolen data and allows ongoing extortion across multiple fronts simultaneously.
- Ransomware delivered via remote services piggyback on legitimate remote connectivity tools like RDP, VPN, VNC, Citrix, etc with weak authentication controls to gain initial access before delivering ransomware payloads across networks. Misconfigured access tools provide easy footholds into otherwise secured environments quickly.
- DDoS Ransomware A form of ransomware that threatens a DDoS (distributed denial of service) attack against the victim’s website or network unless a ransom is paid. It leverages the threat of causing outages instead of encrypting files. Examples include XOR DDoS and DDoSThreat.
- Jigsaw Ransomware Named after the fictional character from the movie “Saw”, this ransomware deletes files every hour until the ransom is paid. It starts deleting files an hour after infection and increases the number with every passing hour.
- WannaCry Ransomware A widespread crypto ransomware attack that affected over 200,000 computers across 150 countries in 2017. It exploited a Windows vulnerability leaked from the NSA to spread rapidly across networks.
- CrySis/Dharma Ransomware Targets company networks specifically and threatens leakware attacks. After encrypting critical files, it requests large ransom payments in Bitcoin while threatening to publish sensitive company data.
- CryptoWall Ransomware One of the first ransomware families to use strong AES encryption. Variants exploited Java and Adobe vulnerabilities to infect victims. CryptoWall held over 600,000 computers hostage from 2014-2016.
- TorrentLocker Ransomware Spreads via spam messages targeting businesses. Known for using AES symmetric cryptography and RSA-2048 asymmetric encryption to restrict file access very securely.
- AIDS Trojan One of the first pieces of ransomware detected in 1989. It hid directories and encrypted file names on hard drives, requesting payments for the decryption key.
- NotPetya Ransomware Posed as ransomware but was designed for data destruction. Spread via compromised accounting software to paralyze Ukrainian organizations. Caused over $10 billion in damages globally.
What is Ransomware Protection?
Modern ransomware exhibits extensive sophistication across initial intrusion, delivery mechanisms, threat actor behaviors, encryption techniques, damage potential and even ransom payment systems.
Countering effectively requires coordinated capabilities covering prevention, detection, response (IR), backups and end user education:
- End-user security training develops employee skills to recognize social engineering techniques, phishing lures, suspicious attachments and unsafe browsing practices used to introduce ransomware. Testing via simulations reinforces secure behaviors.
- Email security leverages threat intelligence to block known ransomware sender IDs, scans attachments, checks embedded links and prohibits dangerous extensions and content. Policy engines can restrict outbound emails spreading infections internally post-breach.
- Endpoint security combines signature scanning against known ransomware strains alongside heuristics identifying suspicious encryption processes, file activities or network connections indicative of ransomware behavior patterns. Application allow listing further locks down endpoints.
- IPS and anti-malware tools flag inbound network content at perimeter entry points attempting to deliver ransomware or transit outbound as part of command and control or data exfiltration. Automated signature updates ensure latest protections against ransomware and malware.
- Privileged access management (PAM) limits credential theft risks through strict access controls via least privilege combined with just-in-time elevation paired with enhanced monitoring of admin behaviors. PAM reduces blast radius that ransomware can achieve post-compromise.
- Backups and secure data replication provide last line protection against business disruption. Maintaining multiply generations of immutable backups unaffected by primary storage encryption ensures recovery capability. Testing restoration processes for speed lowers downtimes. Offline backup best practices prevent follow-on encryption or deletion by ransomware on backup repositories themselves.
- Incident response (IR) with containment develops organizational muscle memory to isolate and eliminate active intrusions for early termination before encryption triggers across entire environments. Table top exercises ensure smooth coordination between IT, legal, communications and executives.
- Cyber insurance defrays costs tied to system recovery, legal notifications after personal data theft, PR messaging, credit monitoring services for breach victims and business losses arising due to outage impacts during restoration.
How to Prevent Ransomware Attacks
With ransomware risks continuing to accelerate, organizations must implement layered controls with coordination spanning security operations, infrastructure teams and end users:
- Keep software and services updated through timely patching, upgrades and maintenance. On-premise and cloud solutions that no longer receive fixes provide easy initial infection points for launching ransomware across the interconnected infrastructure.
- Isolate public-facing systems like remote access tools, VPN concentrators, extranets and internet-facing applications within secure network segments using access controls, privileged identity management, micro-segmentation, VLAN stitching and private/public cloud security groups. Assume compromise of publicly exposed assets.
- Promote cyber security hygiene through mandatory security awareness training, easy bookmarking of internal web applications to prevent typosquatting, hover previews of embedded links to display actual destinations prior to click-through and restrictions preventing email auto-downloads of Office attachments.
- Enhance browser security via customizable default policies, enforced Certificate Authority trust stores, DNS filtering against known malicious domains and write-protected browser profiles preventing unapproved extensions/plugins/Active-X controls as vectors to deliver malware payloads. Every browser presents risk.
- Implement least privilege access controls as standard for limiting credential theft blast radius and lateral movement potential. Strictly regulate admin privileges while deploying Privileged Access Management (PAM). Disable macros and risky Office integrations into enterprise applications by policy default also.
- Deploy endpoint detection and response (EDR) with automated threat intelligence to analyze behavioral patterns indicative of breach activity, suspicious internal communications, abnormal file encryption processes or connections to ransomware infrastructure. Machine learning further sharpens core detection capabilities over time.
- Maintain secure offline backups across on-premise and multi-cloud environments using the 3-2-1 data protection methodology. Backups must be completely isolated, immutable and retained for multiple generations to avoid so called “doomsday” malware deleting live and backup data simultaneously. Regular test restoration from offline repositories ensures recoverability.
- Develop playbooks for incident response, forensic examination, communication protocols and restoration procedures in the aftermath of successful ransomware attacks. Periodic simulation exercises hone team muscle memory in safely taking systems offline, containment to prevent data loss and best evidence gathering.
- Implement supply chain security controls like code audits, infrastructure/application hardening guidance and 2-factor authentication for third parties accessing internal systems such as vendors, consultants, service providers and distribution partners. Downstream risk requires supplier-centric cyber security guardrails.
- Invest in focused cyber insurance covering business disruption, legal obligations, PR messaging and technical restoration activities in ransomware or wider data breach events. However, prevention is preferable to post-incident insurance payouts given productivity/opportunity costs during outages.
With ransomware delivering such massive returns for threat actors, attacks are certain to compound year on year. Every organization is at risk regardless of size, industry or anonymity. While no single silver bullet can prevent all ransomware, taking consistent precautions across patching processes, security tools, access policies, backups and user training substantially reduces exposure.
Ensuring basic cyber hygiene first before tackling sophisticated persistency threats around compromised credentials and delivery mechanisms is key for managing limited resources. Seeking managed security services assistance can provide cost effective threat hunting where in-house skills remain scarce or constrained.
But ultimately, ransomware prevention is a leadership issue before a technical one. Only through executive commitment to data protection, supply chain security reviews and supporting incident response preparedness will organizations reduce disruptions. By embracing cyber security as a core CEO-level priority, setting the cultural tone and backing continuous improvement even during strained budgets, companies set themselves apart in tackling one of this decade’s most serious technology-driven risks.