Ransomware Misconceptions Abound, to the Benefit of Attackers

INFOSEC23 – London – With a threat as persistently pervasive as ransomware, myths and misconceptions are bound to emerge in tandem. Richard de la Torre, technical marketing manager at Bitdefender, used his time at the podium during this week's Infosecurity Europe conference to enumerate — and dispel — some of the more common ones.

While some of the items on de la Torre's list are likely very familiar to most security practitioners, he cites a ransomware misperception that there's no capability to fight this all too common hostage taking of business data. Not true — proactive organizations are increasingly using decryptors and also making more strategic use of threat intelligence to prevent or disrupt attacks, he adds. 

And despite all the worry and attention devoted to ransomware-as-a-service and more leading edge ransomware incidents, de la Torre claims ransomware attack vectors remain relatively basic. "The threat process has not changed and access starts through phishing attacks," he says.

Ransomware Is Big Business

All that being said, most organizations still haven't grasped that ransomware has mushroomed into big business, turbocharged by its RaaS business model with an operator who's sometimes state-sponsored. The operator variously buys, develops, and resells the ransomware code and hires affiliates, usually hackers, who infiltrate networks. They then plant malware, establish a command and control (C&C) server, detonate the ransomware, and collect ransom.

"These are multi-billion dollar organizations, who hire access brokers and data miners and HR teams and recruit on the dark and deep Web," he says.

Another misconception is that organizations must have a speedy response to a ransomware infection, and that time is of the essence to prevent encryption and loss of business data. While that may have been true a few years ago, times have changed, de la Torre notes. Most attackers now focus more on data exfiltration, and the "actual ransomware is used as a distraction while [attackers] exfiltrate data." 

More commonly, attackers will move laterally inside a network, for days or even months, doing reconnaissance to see if an organization has cyber insurance, identify key customers, and pinpoint where the richest datasets are.

De la Torre also says it's a misconception that attackers only go after large targets. Most ransomware attacks typically target small organizations, as larger organizations have SOC teams and more resources dedicated to cybersecurity. But the smaller targets aren't the prize, just a steppingstone. More often, ransomware attackers "target smaller organizations who have affiliations with larger organizations via a supply chain as a backdoor," he explains.

In terms of defense, he recommended having good defense in depth, with email security to stop phishing emails and good detection and response to "detect when there has been a change to Azure, for example," de la Torre says. "You want something tamper proof and that you are able to recover from."