By Kelly Johnson
Country Manager, ESET Australia
Ransomware is not new but for most of its history it has not been the headline-grabbing threat it has become in the last few years. Today’s ransomware plague is essentially the product of a perfect storm of technology – both that deployed by attackers and that used by victims – combined with a maturing of the tactics criminals use to enact ransomware attacks.
While ESET Research has seen a decline in the detection of ransomware attacks in both late 2020 and the first part of 2021, this decline in detections isn’t the good news it might appear to be. Instead it reflects a growing sophistication in how criminals launch these attacks. The days of embedding malicious code in email or website links and hoping someone clicks have been replaced by a targeted approach, with criminals paying other criminals for hacked access to networks or launching brute force attacks against networks via remote access.
Ransomware has become the last stage of a chain of events leading to a network being compromised and the criminals who launch the final attack may not be the ones responsible for compromising the network in the first place. They also are often not the authors of the ransomware code they deploy. Sophisticated operators have moved to running a ransomware-as-a-service model, giving other criminals access to their code in return for a portion of any ransom they obtain. This lowering of the technical skill needed to ‘enter the market’ combined with large earnings some gangs have made from high-profile attacks has helped power the growth in groups launching attacks focused on high-profile targets.Another factor fuelling the boldness of recent attacks, such as the attack on Colonial Pipeline in the US that shut down its pipeline and created fuel shortages, is a change in blackmail tactics. While attackers are still encrypting systems and demanding payment in return for giving the victim the ability to unlock these systems, they are also frequently stealing data and using a very public threat of its release to pressure the victim to pay up.
In the recent attack in New Zealand on the Waikato District Health Board, the attackers emailed stolen patient data to news outlets as proof that they had the ability to make good on their threats in an attempt to put public pressure on the DHB. One gang that targeted several high-profile victims in the US even made a public announcement that it will not encrypt victims’ data anymore and planned to focus solely on data theft and extortion.
Finally the rise of cryptocurrency has provided perhaps the most vital boost, creating an almost tailormade payment system that is low risk for the offender and comparatively easily laundered. The fact that the FBI recovered the bulk of the money extorted from Colonial Pipeline appears to have had more to do with the criminals lack of sophistication in Bitcoin laundering than it does the ability of law enforcement to block cryptocurrency as a payment system for extortion.
And the money to be made for such low-risk crimes is substantial. Meatpacker JBS paid a ransom in Bitcoin equivalent to $US11 million to end the attack that disrupted both its North American and Australian operations, with its CEO Andre Nogueira saying that “we felt this decision had to be made to prevent any potential risk for our customers”. Despite both governments and security companies worldwide, including ESET, recommending victims not pay ransoms to attackers, JBS clearly felt that the ultimate cost of its operations being shut down for an extended period was worse than paying off the attackers. As long as victims feel they have no choice but to make this decision, ransomware will continue to escalate.
Nor should the increase in such high-profile attacks against major enterprises make smaller businesses think they are safe from attack. A ransomware attacker is first and foremost attacking your reputation. Whether they are encrypting your systems or holding your data to ransom, the pressure they are bringing to bear is based on how much reputational damage they think you are willing to sustain. Smaller companies are just as susceptible to this as large enterprises and it is likely that the scale of attacks on SMBs is largely under-reported, since no one wants to disclose they’ve been a victim of an attack unless they have to.
All of this points to ransomware continuing to be a major threat for the foreseeable future. Which means you need to plan to protect yourself from a successful attack as well as to mitigate any damage and provide for a quick recovery if the worst happens.
Most of the measures businesses should take to strengthen their defence against ransomware are not new. But it’s never a bad time to revisit and audit your defences:
Cybersecurity training for staff
The process of compromising your network’s security can start at multiple places and the most obvious remains human error by your staff. Exploiting poor cybersecurity awareness is one of the most popular methods for attackers attempting to breach your security and ensuring that all staff are properly trained on cybersecurity best practice goes a long way to mitigating this risk.
Use a multi-layered security solution
So you’re not a specialist in security? Good news, there are people who are and they make some fantastic products. Besides your employees, a good multi-layered solution is your first line of defence to protect you not just from ransomware but everything that cyber criminals will throw at you. No solution is perfect, and like everything they need to be properly configured and kept up to date, but without a solution you might as well be offering cyber criminals tea and cake.
Lock down remote access
An RDP endpoint is a device, such as a database server, that is running Remote Desktop Protocol (RDP) software so that the device can be accessed over a network, including the internet. It’s a convenient way for staff, particularly IT staff, to be able to access your systems no matter where they are, but it’s also a security risk if not set up properly.
Gaining unauthorized access via RDP has significant benefits for threat actors; it has the potential to evade endpoint protections and allows the perpetrator to rapidly compromise multiple systems within a single organisation. In 2018, for example, an RDP attack against LabCorp, one of America’s largest clinical laboratories, allowed the attacker to compromise 7000 systems and 350 servers even though the attack was contained by the company within 50 minutes. Investors later sued the company claiming that the company’s board failed to address security problems that led to financial losses.
Businesses have fallen victim to ransomware attacks because they have left RDP endpoints protected only by a username and password. Usernames are easily deduced and passwords can be brute-force broken by code. Ensuring that access is locked out after a limited number of wrong attempts to enter a password is a simple fix that many businesses fail to implement.
You should also be aware of what RDP endpoints you have and who has access to them. A regular audit to ensure that unnecessary remote access points are terminated rather than left in place is also critical. The forgotten remote access point is a disaster waiting to happen.
Secure your endpoints
COVID-19 saw an explosion in the number of endpoint devices accessing many companies’ networks as workers relocated to home and in some cases used their own devices to access the network. Ensuring that endpoint protection software is running on such devices, and is properly configured, is essential to maintaining the integrity of your network.
Keep up to date
It should go without saying that your systems should always have updates and patches applied but sadly this is not the case with many businesses. Lack of in-house IT resources or the inability to apply upgrades to out-of-date legacy systems that remain mission-critical can lead to known vulnerabilities remaining unaddressed for months or even years past the point when a patch was issued for them. Leaving these vulnerabilities in place is no different to gambling. Eventually the house wins and you lose.
Limit what you put online
Digital transformation is driving a dramatic shift in how much data companies routinely trust to be accessible in some form online. You need to assess the trade-off between business benefit and the risk of putting some data into an online environment, so audit your exposure and balance convenience with security.
Back it up
Yes you’re always being told to maintain backups. It’s a refrain as old as IT. But in the age of ransomware it takes on a new urgency. Maintain backups of critical data and check those backups regularly to ensure their integrity. Store the most valuable data off-line.
Have a plan
Business continuity plans, like backups, are one of those things everyone knows they should have, and really, they will get around to doing it one day. Don’t be caught with the need for such a plan without the existence of one.