In Sun Tzu’s famed book, The Art of War, he writes “If you know the enemy and know yourself, you need not fear the result of a hundred battles.” The idea is that it is important to know not only one’s own strengths and weaknesses but also how the enemy thinks, so that one can prepare in advance for incoming attacks. The same is very much true in cybersecurity.
In the world of cybersecurity, ransomware is both a buzzword and every security practitioner’s worst nightmare. Ransomware is a form of malware designed to encrypt files on a device or target system, rendering those files, and any system that depends on them, unusable. Once bad actors have installed the ransomware, as the name suggests, they demand a ransom in order to decrypt the files and return them (if you’re lucky). Organizations infected by ransomware often conclude that the easiest way to keep business operations running is to pay the ransom; in the best case a single payment is made and the incident is over. Despite the rosy outlook, this is rarely how it plays out. While ransomware has been around for many years, experts point to the WannaCry incident of 2017 as an inflection point for awareness and for the gravity with which organizations subsequently regarded ransomware.
The perpetrators of the WannaCry attack leveraged a weakness in the Windows operating system and were able to infect a huge number of systems and devices worldwide. Reports vary, but a general estimate is that upwards of 200,000 computers were affected [1]. After infecting the computers, the attackers demanded $300 in bitcoin (later increased to $600) to decrypt the files, or else the files the attackers had access to would be lost forever. A side note: in TV shows and movies we often hear protagonists proclaim something along the lines of “we do not negotiate or kneel to terrorist demands,” but in the real world, people and businesses face real consequences. This could mean a hospital that relies on systems to schedule surgeries or maintain someone’s life support, or an energy company that relies on interconnected systems to supply people with essentials. They sometimes do not have the luxury of playing the Denzel Washington hostage-release-negotiating character in these very real scenarios.
However shocking it is that even the most malicious attackers would take advantage of organizations that literally keep people alive, it is an unfortunate fact that ransomware is here to stay and, in fact, continues to become more common every year. CrowdStrike’s annual Global Security Attitude Survey and Global Threat Report found that there was an 82% increase in ransomware-related data leaks in 2021 over 2020, that the average demand from attackers is $6 million, and that the average payment increased by 63% year over year, to nearly $1.8 million. It’s also important to note that even among organizations that paid the initial ransom, 96% also paid additional extortion fees [2].
It is well understood that attackers will always take the path of least resistance, and despite the emergence of new technology, the same tried and true attack pathways will always be attractive to financially or otherwise motivated attackers. Ransomware can be transmitted easily and quickly, and it may take only one person making a mistake to have serious ramifications. One of the most common routes is a phishing email in which the recipient is tricked into downloading a file or clicking a link that downloads ransomware onto the computer. From there, the attacker can obtain credentials or access to other systems, and then rinse and repeat. Ransomware attacks are often measured by the number of devices and systems they infect, and because of the interconnectedness of today’s organizations, once a ransomware attack gains a foothold it can quickly spiral out of control, spreading to hundreds, thousands, or hundreds of thousands of machines.
Ransomware attacks are clearly high-stakes, and they underscore several things that every organization needs to consider in order to establish a baseline that keeps attackers at bay:
- Have a cybersecurity response plan. By documenting an incident response plan and running simulations, security and business leaders will be able to act confidently if faced with a ransom situation. Scripted decision points about when to pay a ransom and when not to, whom to contact, and how to communicate the attack to internal and external stakeholders are always helpful in a crisis, when timely decisions are critical.
- Install security patches. Time and time again it has been proven that attackers seek out unpatched infrastructure and systems to get started. While patching may seem like a never-ending exercise, a lapse in patching is often cited as the common denominator when ransomware attacks are discovered, and it should be an organizational goal to have a plan to apply patches regularly and swiftly.
- Back up files and data. Having a backup plan for data and files, preferably offline, is a strong mitigation against attackers. If data is maintained offline, attackers’ attempts to find and delete ‘hot backups’ are moot, and there is no need to pay a ransom for data that remains accessible in this type of scenario.
- Prioritize digital identities. First, implementing continuous education for employees, third-party contractors, MSPs, and anyone else who requires internal access helps ensure that everyone stays vigilant and alert. Second, instituting least privilege principles to ensure that people have only the access necessary to do their jobs can dramatically limit exposure to ransomware.
While ransomware is scary and constantly lurking around every corner, with vigilance, preparation, and the proper tools in place, the risk can be mitigated. Recent research from ESG shows that 90% of organizations agree that implementing Identity Governance & Administration (IGA) is an important aspect of combating ransomware.
In part two of this series, we’ll outline several IGA controls that are particularly helpful in the continued fight against ransomware.