In the long history of malevolent software stretching back to the 1980s, no single threat has caused as much panic for businesses as ransomware.
Cyberattacks can be classified in several ways. The simplest to understand are denial of service attacks such as DDoS, which make systems unavailable in some way. Next are attacks that steal, alter, or make unavailable data, for example data breaches or credential theft. The final category is attacks that try to steal money directly, for example business email compromise (BEC) or banking Trojans.
What makes ransomware frightening is that, almost uniquely, it does all three at the same time, a potency that explains why it appeals to so many bad actors. The end result is not trivial: the most severe ransomware attacks pose an existential threat not only to victims and their supply chains but, as the 2021 attack on Colonial Pipeline demonstrated, entire national economies.
Part of the genius of ransomware is the incredible speed with which it unfolds. The intrusion behind a big attack can take months to build up before encryption is triggered, but from the victim’s point of view everything happens in an instant. Within minutes of getting the first support call, IT teams can discover that hundreds of machines have been infected, servers taken down, and even backups and file shares encrypted.
If email systems are affected, employees also lose the means to communicate securely. By this point, chaos usually reigns as IT staff disconnect systems to try to stop the ransomware from spreading further.
Attackers will quickly make an extortion demand, usually tens of thousands of dollars with the threat that this will increase if not paid quickly. As an extra inducement, it is now standard for attackers to threaten to release company data, so-called double extortion.
The dilemma is whether to pay the ransom or not. Many organisations decide in advance, with payers usually reaching for their cyber-insurance policies to cover costs. Over time, the flaws in this surrender plan have started to become apparent, starting with the rising cost of taking out a policy. Even if the premium can be justified, the decision to pay up risks making that business a target for future attacks: an organisation known to pay is a good future prospect.
But the biggest argument against paying up is simply that it doesn’t work. A 2021 ransomware analysis by security company Sophos found that 37% of 5,400 IT decision makers said their company had suffered a ransomware attack in the previous 12 months, an encouraging drop from 51% a year earlier.
Fewer attacks, then, but bigger and more costly ones. Although the most common ransom paid was $10,000, 10 organisations paid out $1 million each, all before accounting for average remediation costs of $1.85 million per incident. It’s clear from this that it’s not the cost of the ransom that hurts but the clean-up afterwards.
But it gets more depressing. Of those who said they’d been attacked, 32% paid a ransom and yet got back only 65% of their data. The best method for recovering encrypted data was restoring from backup, with 57% mentioning this old-world method.
These are numbers any CIO should consider using when arguing for spending on a resilience and incident response plan, but they come with an important issue that’s often studiously ignored by organisations after a ransomware attack – these are also data breaches.
Ransomware is still seen as being about denial of service through encryption. But if attackers can reach an organisation’s data, they can do anything they like with it, including stealing or altering it. They are aware that data has a monetary lifespan far beyond that of a single bout of digital extortion.
Even if an organisation can restore its files quickly and cheaply, it can never retrieve its files from the public domain. Once out there, they are out there forever and can’t be un-stolen.
The disingenuous argument that ransomware is not a data breach because organisations see no evidence of exfiltration no longer cuts it with regulators who have realised that what matters is that attackers had access to data and not whether organisations know what happened to it after that point. Should someone whose data was part of a breach suffer a negative effect from that in the future - identity theft for example – that could come back to bite the organisation responsible.
The first rule of ransomware defence is to assume an attack is almost inevitable and plan for that. This means having a printed ransomware response plan that sets out what will happen in an emergency, in what order, and who will do what. It will also explain how everyone will communicate with one another in case the email server is affected.
The plan should also itemise the tools that will be used to interact with systems, the rules for doing that, as well as explaining the most important resources. The next step is to test that plan, which checks that all individuals know their jobs. Flaws can be ironed out at this stage.
One technique for speeding up response is to automate wherever possible, although how far this goes will depend on the capability of the tools being used. Because isolating infected systems is also crucial, the ability to cut off a host, subnet or site quickly should be factored in when deciding how to segment networks.
Ransomware groups will target any data or resources they can reach, including not only files but network-attached storage (NAS), typically by exploiting specific vulnerabilities in this equipment. A few also exploit vulnerabilities to target applications such as web servers, locking up the index.php or index.html files.
In short, if any widely used system suffers a serious flaw, it is now wise to assume that ransomware attackers will be the first to attempt an exploit. In some cases, this makes applying patches an emergency task rather than a scheduled one. That might require a response plan of its own, including for legacy equipment, another big target.
Backup is the primary mechanism for recovering from ransomware attacks but there are plenty of complexities to consider when it comes to implementation. For the longest time, this has involved designing backup so it is both layered and isolated from the network. This must include a backup copy created and stored offline so the attackers can’t get to it.
However, it’s rarely that simple. Organisations can’t back up everything often enough and even if they could, accessing and restoring it could still take precious time. Restoration also needs to happen only once the infection has been fully dealt with, or the process will have to be repeated.
Well-designed backup will prioritise some systems over others. Each system will often require its own backup routines and tools. These routines need to be tested before an attack as part of incident response planning.
Backup tools often date from a time before ransomware was an issue, which means they lack protection against an attacker who has already gained administrative access to the backup system. One solution to this is immutable backup, which means creating an archived backup that can’t be altered, deleted, or encrypted, even by an administrator. Immutability is applied for a pre-set retention period such as a month, with these backups typically stored in the cloud.
An immutable backup involves using a separate tool and most likely a service provider. This backup link must be accessible should ransomware strike and the tools used to manage it protected.
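The point of the backup sections above is that a backup only counts if it can be proven intact and then restored, and that the proof must live somewhere the attacker cannot reach. The following is an added example, not code from the article or from any vendor it mentions: it writes a SHA-256 manifest of a backup set at backup time, keeps that manifest in a separate "vault" location (standing in for offline or immutable storage), and uses it in a restore test to detect files that ransomware has encrypted in place, encrypted and renamed, or dropped into the backup share as ransom notes. All file names, directory names and contents are constructed for the example.

```python
"""Backup manifest and restore-test check (added example, not from the article).

A manifest of file hashes written at backup time and stored apart from the
backup set lets a restore test prove that what is about to be restored is
the data that was backed up, not a version the attacker encrypted or altered.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

CHUNK = 1 << 16


def sha256_file(path: Path) -> str:
    """Stream the file so large backup objects do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def _files(root: Path) -> list:
    """Sorted relative POSIX paths of every regular file under root."""
    return sorted(p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file())


def build_manifest(backup_root: Path) -> dict:
    """Hash and size of every file in the backup set, keyed by relative path."""
    return {rel: {"sha256": sha256_file(backup_root / rel),
                  "size": (backup_root / rel).stat().st_size}
            for rel in _files(backup_root)}


def verify_backup(backup_root: Path, manifest: dict) -> dict:
    """Compare the backup set against a manifest written at backup time.

    altered    - present but content differs (e.g. encrypted in place)
    missing    - in the manifest but gone (deleted, or renamed to .locked)
    unexpected - present but not in the manifest (ransom notes, renamed files)
    A clean backup returns three empty lists.
    """
    present = _files(backup_root)
    altered, missing = [], []
    for rel, rec in manifest.items():
        p = backup_root / rel
        if not p.is_file():
            missing.append(rel)
        elif p.stat().st_size != rec["size"] or sha256_file(p) != rec["sha256"]:
            altered.append(rel)
    unexpected = [rel for rel in present if rel not in manifest]
    return {"altered": sorted(altered), "missing": sorted(missing), "unexpected": unexpected}


def demo() -> tuple:
    """Constructed scenario: back up two files and verify, then simulate
    ransomware touching the backup set and verify again.
    Returns (clean_result, tampered_result)."""
    work = Path(tempfile.mkdtemp())
    source, backup, vault = work / "source", work / "backup", work / "vault"
    (source / "finance").mkdir(parents=True)
    (source / "hr").mkdir()
    (source / "finance" / "ledger.csv").write_text("date,amount\n2021-05-07,1000\n")
    (source / "hr" / "payroll.txt").write_text("alice,50000\nbob,52000\n")

    # Take the backup; store the manifest away from the backup set. The
    # "vault" directory stands in for offline or immutable storage.
    shutil.copytree(source, backup)
    vault.mkdir()
    (vault / "manifest.json").write_text(json.dumps(build_manifest(backup)))
    clean = verify_backup(backup, json.loads((vault / "manifest.json").read_text()))

    # Simulate ransomware reaching the backup share: payroll is "encrypted"
    # in place (XOR keeps the size identical, so only the hash catches it),
    # the ledger is encrypted and renamed, and a ransom note is dropped.
    payroll = backup / "hr" / "payroll.txt"
    payroll.write_bytes(bytes(b ^ 0x5A for b in payroll.read_bytes()))
    ledger = backup / "finance" / "ledger.csv"
    ledger.with_name("ledger.csv.locked").write_bytes(bytes(b ^ 0x5A for b in ledger.read_bytes()))
    ledger.unlink()
    (backup / "README_RESTORE.txt").write_text("Your files are encrypted. Pay to recover.\n")

    tampered = verify_backup(backup, json.loads((vault / "manifest.json").read_text()))
    shutil.rmtree(work)
    return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("clean backup:", before)
    print("after tampering:", after)
```

The manifest is only useful if the attacker cannot rewrite it alongside the backup, which is why it goes into the separately protected location; in production that location would be the immutable or offline copy described above, and the verify step would run as part of the scheduled restore test rather than only after an incident.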
As companies get better at protecting themselves against ransomware, these campaigns will probably go in one of two directions. The first is to revert to threatening to damage computers, for example by infecting low-level firmware in a way that bricks drives or even whole machines.
A second possibility is that attackers will give up encrypting data altogether and simply extort organisations using the threat of data release. By that stage, ransomware will have morphed into another data breach threat. If this sounds mildly reassuring, it isn’t: unlike most data breaches, which affect a single, accidentally exposed database, ransomware operators can reach much larger amounts of data.
What is clear, however, is that extortion is too tempting a business for attackers to give up on it easily. Ransomware will keep evolving. This sounds pessimistic but what will make the difference is that defenders take the threat seriously and evolve with it. Ransomware is not a foregone conclusion. Many organisations defend themselves from these attacks – the challenge is to be one of them.