Ransomware became deadly in 2020.
Healthcare facilities were attacked at an alarming rate, including one incident in Germany that led to a patient's death: an attack locked a hospital's critical systems, a woman needing urgent care was turned away, and she died after having to be taken to another city for treatment.
Ransomware is now one of the fastest-growing threats in cybersecurity, with damages predicted to cost $20 billion globally by 2021, up from $354 million in 2015.
But if you work in infosec, you probably knew that. We're not here to tell you ransomware is a problem. But we are here to examine what security teams are doing to defend against it, and what techniques are emerging as best bets to mitigate ransomware.
Frankly, the current landscape isn't great, according to Azeem Aleem of technology services firm NTT Ltd. Ransomware attacks are more aggressive and diversified than ever before - and they use multiple attack vectors. There is an entire industry now dedicated to selling ransomware on the black market (ransomware as a service), which lowers the barrier for criminals to enter, and means more attackers are getting into this very profitable business.
"Defense is struggling," says Aleem. "Some ransomware groups are teaming up with other threat actors, where the initial compromise is performed by commodity malware and then they provide access to a secondary threat actor operating ransomware as a service."
But just as criminal techniques get better, so must defense strategies.
"Ransomware defense needs to continue to evolve, but since we won't ever be able to evolve as fast as the attackers and industry – and the collective commerce world won't ever be as nimble as a well-orchestrated group of determined adversaries, we have to think differently," adds Chris Roberts, hacker in residence with Semperis.
Here's a look at what security teams are turning to now to wrestle the behemoth ransomware threat.
Detection Technology Seeks Different Behavior
Early ransomware defenses were built around signature-based detection, which worked well for a specific ransomware strain once it had been identified, according to Mike Schaub, information security manager at CloudCheckr. But with new kinds of ransomware cropping up that behave differently, new kinds of detection are needed.
"These include better behavioral or heuristic analysis, or the use of canary or bait files for better detection early on of an attack layered with protections of the files themselves — such as backing up files before a suspicious process encrypts them, whitelisting encrypting processes," he says.
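To make the detection techniques Schaub lists concrete, here is an added example (not code from the article, CloudCheckr or any quoted vendor) that runs both rules over a constructed file-event log: any modification of a planted canary file is an alert, and a process that is not on an allow-list of legitimate encrypting programs and rewrites many files with high-entropy (ciphertext-like) content inside a short window is an alert. The event format, canary paths, allow-list and thresholds are all assumptions to be tuned per environment.

```python
import math
import random
from collections import defaultdict

# Assumed canary (bait) files: planted where ransomware enumerates first and never touched by real work.
CANARY_PATHS = {
    "C:/Users/Public/Documents/_aaa_invoice_canary.docx",
    "//fileserver/finance/00_readme_canary.xlsx",
}
# Assumed allow-list of processes that legitimately rewrite many files with random-looking bytes.
ALLOWED_ENCRYPTORS = {"backupagent.exe", "7z.exe"}

# Tuning assumptions for the behavioural rule.
ENTROPY_THRESHOLD = 7.5      # bits/byte; text and office documents sit well below this
MASS_WRITE_THRESHOLD = 20    # distinct files rewritten by one process ...
WINDOW_SECONDS = 60          # ... within this many seconds


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: close to 8.0 for ciphertext, roughly 4-5 for text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def detect(events):
    """events: iterable of dicts {ts, pid, process, action, path, data}.
    Returns alert strings: CANARY for any modification of a bait file, MASS_ENCRYPT for a
    process outside the allow-list rewriting many files with high-entropy content."""
    alerts = []
    hot_writes = defaultdict(list)   # (pid, process) -> [(ts, path)] of high-entropy writes
    for ev in events:
        proc = ev["process"].lower()
        if ev["action"] in ("write", "rename", "delete") and ev["path"] in CANARY_PATHS:
            alerts.append(f"CANARY {ev['action']} {ev['path']} by {proc} pid={ev['pid']}")
        if (ev["action"] == "write" and proc not in ALLOWED_ENCRYPTORS
                and shannon_entropy(ev.get("data", b"")) >= ENTROPY_THRESHOLD):
            hot_writes[(ev["pid"], proc)].append((ev["ts"], ev["path"]))
    for (pid, proc), writes in hot_writes.items():
        writes.sort()
        start = 0
        for end in range(len(writes)):            # sliding time window over this process's writes
            while writes[end][0] - writes[start][0] > WINDOW_SECONDS:
                start += 1
            distinct = {path for _, path in writes[start:end + 1]}
            if len(distinct) >= MASS_WRITE_THRESHOLD:
                alerts.append(f"MASS_ENCRYPT {proc} pid={pid} rewrote {len(distinct)} files "
                              f"with high-entropy content within {WINDOW_SECONDS}s")
                break
    return alerts


def sample_events():
    """Constructed event log (not real telemetry): a backup agent doing legitimate bulk work,
    Word saving a document, and an unknown process sweeping a share and renaming a canary."""
    rng = random.Random(1)

    def ciphertext_like():
        return bytes(rng.getrandbits(8) for _ in range(2048))

    events = []
    for i in range(30):   # allow-listed encryptor: must not alert
        events.append(dict(ts=100 + i, pid=900, process="backupagent.exe", action="write",
                           path=f"D:/backup/chunk{i}.bin", data=ciphertext_like()))
    events.append(dict(ts=150, pid=1200, process="WINWORD.EXE", action="write",
                       path="C:/Users/alice/Documents/report.docx",
                       data=b"Quarterly summary text " * 100))
    for i in range(25):   # unknown process encrypting a share
        events.append(dict(ts=200 + i, pid=4242, process="svchost_.exe", action="write",
                           path=f"//fileserver/finance/q3_{i}.xlsx", data=ciphertext_like()))
    events.append(dict(ts=226, pid=4242, process="svchost_.exe", action="rename",
                       path="//fileserver/finance/00_readme_canary.xlsx"))
    return events


if __name__ == "__main__":
    for alert in detect(sample_events()):
        print(alert)
```

On the sample log the backup agent's thirty high-entropy writes produce nothing, Word's save is ignored because the content is low-entropy, and the unknown process trips both rules. In production the entropy rule is the one that needs the most tuning (compressed archives and media files are legitimately high-entropy), which is why the canary rule, with no threshold at all, is the cheaper early signal.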
While classic crypto-ransomware simply encrypted files and locked victims out of their systems, it is now common for ransomware operators to also threaten victims with data theft and public leaks.
"Extortion through not only the encryption, but copying of data and threatening to leak it if a ransom isn't paid," says Schaub. "This threat of exfiltration has different behaviors to look for in ransomware defense."
Hunt and Prevent
Semperis' Roberts says another emerging technique stresses proactive and predictive defense work.
"Ransomware defense needs to evolve from reacting to things, to predicting them and then anticipating risk."
This shift from the old "detect and respond" strategy to "hunt and prevent" has more security teams placing resources into ransomware research, threat hunting, and adversarial simulation, says David Shear, threat data governance manager with Vigilante.
"The future of ransomware defense will no longer be simply scanning for vulnerable endpoints and adding ransomware detection to your endpoint protection – but a more thorough searching through your networks to detect anomalous activity – and simulating the ransomware adversaries you hope to defend against," he says.
NTT's Aleem says traditional controls built around a signature-based framework leave organizations without visibility into today's ransomware threats. Relying on traditional tools alone, such as endpoint detection and response (EDR), detects only about 1% of advanced attacks, he says.
"You'll be breached," he says. "What organizations need is to move from a reactive to a proactive and predictive strategy using threat intelligence. To do this, they need full visibility of the threat surface to detect threat patterns in their networks."
Aleem recommends mapping tactics, techniques, and procedures currently used by ransomware groups to understand their strategy, the time it takes them to deploy the ransomware, and how much time an incident response team has to discover, escalate, and remediate.
Striking a Deal
As cyber insurance becomes more popular (and ransomware's proliferation has something to do with that), companies are getting more comfortable paying ransoms, and ransomware operators are becoming more comfortable asking for bigger payouts and, sometimes, negotiating on the price tag.
Kurtis Minder, CEO of GroupSense, a digital risk protection services company that conducts dark web reconnaissance and provides threat-actor negotiation services to ransomware victims, cautions that companies need more intelligence about attackers before they can make an informed judgment on whether to pay a ransom in the first place. "And if they decide to pay, they need an experienced ransomware negotiator -- otherwise they risk making the problem worse by angering the threat actor," he says.
"If you were taken hostage in a bank robbery, you wouldn't want the branch manager negotiating your release – you'd want an FBI crisis negotiator. The same is true for ransomware negotiation."
Be Prepared: Backup and Network Segmentation
If you're not already backing up data regularly, then you are missing one of the simplest, most effective ways to avoid being forced to pay a ransom.
Aleem recommends an offline backup solution that is reliable.
"We're usually notified after an attack has happened, so at this stage prevention isn't entirely possible. However, we've seen that ransomware does not encrypt all files at once, so we usually advise organizations to disconnect large file storage and systems while we identify the specific malware to block it using our EDR tools."
"The main thing that I urge every organization to do is to patch vulnerabilities quickly and to build a robust backup strategy for data in order to diminish the harm that ransomware can do," adds Jeff Horne, CSO at security firm Ordr. "Backup with redundancy, and offline backup specifically, and a strategy to restore systems quickly is ultimately the way you can defeat this."
Lateral movement throughout a network is another hallmark move for ransomware. But Sivan Tehila, director of solution architecture at Perimeter 81, says network segmentation can minimize damage.
"Network segmentation is key so that the attacker can't move laterally through the network and encrypt more data," she says.
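Two of the behaviours this page says defenders should look for leave the same kind of evidence: the data copying Schaub warns precedes a leak threat, and the lateral movement Tehila says segmentation should stop. Both are visible in network flow records, so here is one added example (not from the article, Perimeter 81 or any quoted vendor) that serves both passages. It reads a constructed flow log and reports (a) an internal host sending an unusually large volume to a single external address and (b) workstations talking to other workstations on SMB, RDP or WinRM, which a segmented network should never allow. The address plan, port list and byte threshold are assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed address plan: all of 10/8 is internal; workstations live in one /16 and servers elsewhere.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
WORKSTATIONS = ipaddress.ip_network("10.10.0.0/16")
LATERAL_PORTS = {445: "SMB", 3389: "RDP", 5985: "WinRM"}
MIB = 1024 * 1024
EXFIL_THRESHOLD = 500 * MIB   # assumed: bytes from one internal host to one external host per day


def analyse(flows):
    """flows: iterable of dicts {src, dst, dport, bytes}.
    Returns {"exfil": [(src, dst, bytes)], "lateral": [(src, [peers], [protocols])]}."""
    outbound = defaultdict(int)      # (src, dst) -> bytes sent to an external host
    peers = defaultdict(set)         # workstation -> other workstations it reached on lateral ports
    protocols = defaultdict(set)
    for f in flows:
        src, dst = ipaddress.ip_address(f["src"]), ipaddress.ip_address(f["dst"])
        if src in INTERNAL and dst not in INTERNAL:
            outbound[(f["src"], f["dst"])] += f["bytes"]
        if (src in WORKSTATIONS and dst in WORKSTATIONS and src != dst
                and f["dport"] in LATERAL_PORTS):
            peers[f["src"]].add(f["dst"])
            protocols[f["src"]].add(LATERAL_PORTS[f["dport"]])
    exfil = sorted((s, d, b) for (s, d), b in outbound.items() if b >= EXFIL_THRESHOLD)
    lateral = sorted((s, sorted(p), sorted(protocols[s])) for s, p in peers.items())
    return {"exfil": exfil, "lateral": lateral}


def sample_flows():
    """Constructed flow records (not real traffic): normal browsing, normal file-server access,
    one workstation staging data out to the internet and scanning its neighbours over SMB/RDP."""
    return [
        # ordinary user: small volumes to the web
        dict(src="10.10.8.9", dst="203.0.113.20", dport=443, bytes=3 * MIB),
        # ordinary user: workstation-to-file-server SMB is expected and is not lateral movement
        dict(src="10.10.8.9", dst="10.20.1.5", dport=445, bytes=40 * MIB),
        # compromised workstation: 660 MiB to one external host in three sessions
        dict(src="10.10.5.23", dst="203.0.113.10", dport=443, bytes=220 * MIB),
        dict(src="10.10.5.23", dst="203.0.113.10", dport=443, bytes=220 * MIB),
        dict(src="10.10.5.23", dst="203.0.113.10", dport=443, bytes=220 * MIB),
        # same workstation reaching other workstations on admin ports
        dict(src="10.10.5.23", dst="10.10.7.41", dport=445, bytes=1 * MIB),
        dict(src="10.10.5.23", dst="10.10.7.42", dport=445, bytes=1 * MIB),
        dict(src="10.10.5.23", dst="10.10.7.43", dport=3389, bytes=12 * MIB),
    ]


if __name__ == "__main__":
    result = analyse(sample_flows())
    for src, dst, sent in result["exfil"]:
        print(f"EXFIL {src} -> {dst}: {sent // MIB} MiB")
    for src, hosts, protos in result["lateral"]:
        print(f"LATERAL {src} -> {len(hosts)} workstations over {'/'.join(protos)}")
```

The lateral rule needs no volume threshold at all: if workstation-to-workstation SMB and RDP are blocked at the segment boundary, a single such flow is either a firewall misconfiguration or an attacker, and both are worth a ticket. The exfiltration rule is the noisy one, and in practice is keyed per destination and baselined per host rather than using a single fixed number as here.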
Backups and segmentation are part of an essential, overall examination of how prepared a security team is to defend against an attack, says Sandra Joyce of Mandiant Threat Intelligence.
"What we advise organizations to do is really take a look at how prepared they are. This could be making sure that networks are segmented, ensuring you have a real plan that you've table-topped with your executive team. Do you have backups? Do you have a way to fall back to data that you already have that is secured?"
We all know the mantra: It starts with the end user. Phishing is still the easiest way in for ransomware. Training employees on what to recognize still goes a long way, says Rick Vanover of Veeam Software.
"Non-technical topics, such as training on social engineering awareness, email training and the simple steps of following established rules are very valuable," he says.
"The first line of defense is educating employees to ensure they can recognize phishing attempts and respond properly," adds Ordr’s Horne.
A thorough evaluation of access policies, especially those concerning privileged access rights, is another area to look at when it comes to ransomware preparedness, says Adam Laub, general manager of Stealthbits.
"One approach that is proving quite effective involves organizations eliminating the troves of administrative accounts that maintain standing privileged access rights across all systems and applications enterprise-wide," says Laub. "Attackers and malware have come to rely on this condition to move laterally, escalate privileges and eventually gain unfettered access to business-critical systems, accounts and applications."
Andy Michael, founder of VPN Testing, says to go further and revise policies to stop allowing employees onto sites that are known ransomware traps.
"Want to get real serious about defending against ransomware on company computers?" he says. "Then you should block all social media sites on company property. Most ransomware attacks come through social media activity, so limit social media activity on computers used for company work."

Joan Goodchild is a veteran journalist, editor, and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.