Ransomware infections are among the most feared cyberattacks on the web today. In this article we’ll discuss:
- What they are, and how they occur
- Why they’ll be even more dangerous in 2021
- And how to defend your organization against them.
Ransomware Attacks 101: What they are and how they occur
A ransomware attack is a multi-stage process. First, the attacker penetrates the targeted system and installs malware. Some time later, the payload is detonated; the attacker encrypts the data on the system, and/or locks down the system in other ways. The attacker then contacts the victim and issues a ransom demand. The victim is told that the system lockdown will continue until payment is made.
As the name indicates, the ransom demand is what defines this form of attack. Unlike some other cyberattacks, ransomware does not rely upon a specific threat vector—there are a number of ways in which the initial penetration and infection can be accomplished. More on this later.
Why They’re Becoming Even More Dangerous in 2021
Ransomware has rapidly evolved into one of the worst threats on the web. In 2021, these attacks promise to be even worse in several ways:
- Rising size and frequency
- Financial damage to the victims
- And other damage to the victims, especially legal and regulatory.
Rising size and frequency of attacks
In the early days of ransomware, threat actors were still perfecting their tactics. They tended to focus their attacks against SMBs (Small and Midsize Businesses), and each attack was waged manually.
Today, attackers have fine-tuned and standardized their techniques. They’ve also realized an important fact: compared to SMBs, a large organization represents only a small amount of additional effort, but it offers a potential payout that’s multiple times larger.
Therefore, although SMBs are still being targeted, large-scale attacks have become common. Notable victims in 2020 included Honda (which had to temporarily shut down global operations last June due to an infection of Ekans ransomware), Garmin (which fell victim to a WastedLocker attack in July), and the city government of Albany, New York (which needed several months to fully restore its operations after an infection in March).
Ransomware activity has reached alarming levels. The COVID-19 pandemic has meant that some industries are being hit especially hard; for example, attacks on healthcare organizations were up 45 percent in November.
But no industry is immune—the frequency of global attacks is rising sharply. Estimates indicate that by the end of 2021, there will be a ransomware attack every 11 seconds.
Increasing financial damage to the victims
Ransomware has become a large, lucrative industry. Its actors have created sophisticated and well-organized enterprises. For example, the operators of the Ryuk ransomware communicate with victims only through encrypted email, receive Bitcoin payments through a well-known broker, then send the Bitcoins to launderers who convert them into fiat currency. Their enterprise is worth an estimated $150 million.
Attackers are able to extort their victims for large amounts because the potential damage from their activities has skyrocketed. Example incidents in 2020 included:
- The city of Baltimore, which was struck by the RobbinHood ransomware in May. Cost: $18.2 million.
- Norsk Hydro, which was hit by LockerGoga in March. Cost: over $60 million.
- Demant, which experienced a several-week shutdown of global operations in September. Cost: over $80 million.
- The University of Vermont Medical Center, which lost an estimated $55 million from an October ransomware detonation. The attack required a deployment of the Combined Cyber Response Team from the Army National Guard, and as of early January, a full recovery had not yet been achieved.
The cumulative costs of ransomware damage almost doubled last year, rising from an estimated $11.5 billion in 2019 to $20 billion in 2020.
Other damage to the victims
In the past, the primary damage from ransomware attacks consisted of:
- The ransom payments (if any)
- Losses incurred as a result of system lockdowns and operational outages
- Mitigation and recovery costs.
In addition to these, victims now have additional and sobering risks.
One danger is the continuing evolution of ransomware into extortionware. In the early days of ransomware, attackers would encrypt important data in the victims’ networks and perform other activities to interfere with operations unless the ransoms were paid. Today, they also frequently threaten to publish whatever data they found.
If attackers reveal PII (Personally Identifiable Information) for victims’ customers, this can create severe problems for the victims: not only a loss of reputation and goodwill in the marketplace, but also punitive fines from privacy regulators.
Unfortunately, attackers have proven themselves to be treacherous. There have been many incidents where ransoms were paid, but attackers published or leaked the data anyway. A number of different ransomware operators have done this, including Maze, Netwalker, and Mespinoza.
Thus, paying a ransom is no guarantee that attackers will do as they promised. Worse, if a U.S. company pays a ransom, it could potentially violate federal law.
In the United States, the Treasury’s Office of Foreign Assets Control (OFAC) enforces sanctions against its SDN (“Specially Designated Nationals”) list: a list of “targeted foreign countries and regimes, terrorists, international narcotics traffickers, persons engaged in the proliferation of weapons of mass destruction, and others who present threats to the national security, foreign policy, or economy of the U.S.”
In October, the OFAC warned that many perpetrators of ransomware attacks had been added to the SDN list. Financial transactions with these illicit actors are prohibited, because this can “undermine the national security and foreign policy objectives of the United States,” and will “threaten U.S. national security interests.”
The OFAC also noted that ignorance of the prohibitions is not a valid legal defense: “Sanctions violations [are] based on strict liability, meaning that a person subject to U.S. jurisdiction may be held civilly liable even if it did not know or have reason to know it was engaging in a transaction with a person that is prohibited under sanctions laws and regulations administered by OFAC.” (emphasis added)
In the early days of ransomware, most of its operators attempted to appear legitimate and honorable. “Pay the ransom, and everything will be fine,” they promised. Today, these promises are hollow. Ransomware victims now face an ugly choice:
- If they refuse to pay, their data will be exfiltrated and published, and their systems will remain locked down until a long and expensive recovery process is completed.
- If they agree to pay, they will be violating US federal regulations, their systems might not be fully restored, and their data might be revealed anyway.
Once a ransomware attack occurs, there is little chance of a good outcome. It’s never been more important to detect and block these attacks in their earliest stages, before they can succeed.
Defending Against Ransomware Attacks
To defend against ransomware, it’s vital to block the initial penetration of the targeted system.
This can be challenging. As noted above, there are many different vectors through which attackers can do this. Here are some important countermeasures.
Email hygiene: Phishing emails are a common tactic for attackers seeking to breach a system. If a staff member clicks on a malicious link or opens a hostile attachment, this can often be enough to grant a foothold to an attacker. Thorough staff training on proper email hygiene is a must.
Secure external-facing access: Tools and protocols such as RDP (Remote Desktop Protocol) are a very common path for ransomware attacks. Disable them except where they’re absolutely necessary, and make sure the remaining uses are locked down tight, including two-factor authentication whenever possible.
Monitor the network: Watch for privilege escalation, remote management connections, usage of tools like PsExec, and other unusual events that could indicate a breach is being attempted.
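As an added illustration of the monitoring point above (example code, not from the original article), the script below runs a few simple detections over constructed Windows event records: a PsExec-style service install (System log Event ID 7045 for the PSEXESVC service), RDP logons (Security Event ID 4624 with logon type 10), and a privileged-logon event (4672) for an account that just arrived over RDP on the same host. The event IDs are the real Windows ones; the host names, users and addresses are constructed sample data.

```python
# Added example, not part of the original article. Detects the
# indicators the "Monitor the network" guidance names over constructed
# Windows event records (event IDs are real; the records are not).
from collections import defaultdict

PSEXEC_SERVICE_NAMES = {"psexesvc"}   # PsExec's default remote service name
RDP_LOGON_TYPE = 10                   # 4624 logon type 10 = RemoteInteractive (RDP)

# Constructed sample events: (event_id, host, fields)
SAMPLE_EVENTS = [
    (4624, "ws01", {"user": "alice", "logon_type": 2, "src": "-"}),
    (7045, "srv01", {"service": "PSEXESVC", "image": r"C:\Windows\PSEXESVC.exe"}),
    (4624, "srv01", {"user": "svc-backup", "logon_type": 10, "src": "203.0.113.7"}),
    (4672, "srv01", {"user": "svc-backup"}),
    (7045, "srv02", {"service": "Spooler", "image": r"C:\Windows\System32\spoolsv.exe"}),
]


def detect(events):
    """Return a list of (host, reason) alerts for the suspicious patterns."""
    alerts = []
    rdp_users_by_host = defaultdict(set)   # users seen logging on via RDP, per host
    for event_id, host, f in events:
        if event_id == 7045 and f.get("service", "").lower() in PSEXEC_SERVICE_NAMES:
            # Service installation matching PsExec's default service name
            alerts.append((host, f"PsExec service installed: {f['image']}"))
        elif event_id == 4624 and f.get("logon_type") == RDP_LOGON_TYPE:
            # Remote Desktop logon; record the user so later events can be correlated
            rdp_users_by_host[host].add(f["user"])
            alerts.append((host, f"RDP logon by {f['user']} from {f['src']}"))
        elif event_id == 4672 and f["user"] in rdp_users_by_host[host]:
            # Special privileges assigned to an account that arrived over RDP
            alerts.append((host, f"privileged logon following RDP: {f['user']}"))
    return alerts


if __name__ == "__main__":
    for host, reason in detect(SAMPLE_EVENTS):
        print(f"[{host}] {reason}")
```

In practice these checks would be fed from a SIEM or forwarded event logs rather than an inline list, and the PsExec check should be extended with the renamed service names that copies of the tool are often configured to use.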
Enforce the principle of least privilege: Every user account should have access only to the resources it requires to do its job, and no more. Modern identity and access management (IAM) services provide the ability to limit access to resources at a granular level. Unfortunately, many organizations don’t take full advantage of these capabilities.
Secure ports 80 and 443: Incoming HTTP traffic can contain a wide variety of attacks, including system breach attempts. A robust web security solution is a must, blocking malicious activity and filtering all incoming requests—not only for sites and web applications, but also for APIs (which many solutions do not protect fully).
Reblaze offers an all-in-one web security platform that includes not only a next-generation WAF (which protects against system breaches), but also other modules such as DDoS protection, sophisticated bot detection, behavioral analysis tools, full API security, and much more. It protects sites, services, applications, and APIs, and supports a variety of architectures: cloud, hybrid, serverless, service meshes, and more. For more information, contact us here.