It's time to update what we think we understand about ransomware, including new defensive measures and how fast the attack response should be.

Richard de la Torre at Infosecurity Europe. Source: Dan Raywood via Dark Reading

INFOSEC23 – London – With a threat as persistently pervasive as ransomware, myths and misconceptions are bound to emerge in tandem. Richard de la Torre, technical marketing manager at Bitdefender, used his time at the podium during this week's Infosecurity Europe conference to enumerate — and dispel — some of the more common ones.

While some of the items on de la Torre's list are likely very familiar to most security practitioners, he cites the misperception that there is no way to fight this all-too-common hostage-taking of business data. Not true: proactive organizations are increasingly using decryptors and making more strategic use of threat intelligence to prevent or disrupt attacks, he adds.

And despite all the worry and attention devoted to ransomware-as-a-service and more leading-edge ransomware incidents, de la Torre claims ransomware attack vectors remain relatively basic. "The threat process has not changed and access starts through phishing attacks," he says.

Ransomware Is Big Business

All that being said, most organizations still haven't grasped that ransomware has mushroomed into big business, turbocharged by its RaaS business model with an operator who's sometimes state-sponsored. The operator variously buys, develops, and resells the ransomware code and hires affiliates, usually hackers, who infiltrate networks. They then plant malware, establish a command and control (C&C) server, detonate the ransomware, and collect ransom.

"These are multi-billion dollar organizations, who hire access brokers and data miners and HR teams and recruit on the dark and deep Web," he says.

Another misconception is that organizations must have a speedy response to a ransomware infection, and that time is of the essence to prevent encryption and loss of business data. While that may have been true a few years ago, times have changed, de la Torre notes. Most attackers now focus more on data exfiltration, and the "actual ransomware is used as a distraction while [attackers] exfiltrate data." 

More commonly, attackers will move laterally inside a network, for days or even months, doing reconnaissance to see if an organization has cyber insurance, identify key customers, and pinpoint where the richest datasets are.

De la Torre also says it's a misconception that attackers only go after large targets. Most ransomware attacks typically target small organizations, as larger organizations have SOC teams and more resources dedicated to cybersecurity. But the smaller targets aren't the prize, just a steppingstone. More often, ransomware attackers "target smaller organizations who have affiliations with larger organizations via a supply chain as a backdoor," he explains.

In terms of defense, he recommends defense in depth, with email security to stop phishing emails and good detection and response to "detect when there has been a change to Azure, for example," de la Torre says. "You want something tamper proof and that you are able to recover from."

About the Author(s)

Dan Raywood, Senior Editor, Dark Reading

With more than 20 years experience of B2B journalism, including 12 years covering cybersecurity, Dan Raywood brings a wealth of experience and information security knowledge to the table. He has covered everything from the rise of APTs, nation-state hackers, and hacktivists, to data breaches and the increase in government regulation to better protect citizens and hold businesses to account. Dan is based in the U.K., and when not working, he spends his time stopping his cats from walking over his keyboard and worrying about the (Tottenham) Spurs’ next match.
