Cyberattacks increased persistently in 2021, and the pandemic exacerbated this trend and provided fertile ground for nefarious behaviors. Ransomware is increasingly the cyber attack of choice, having a devastating impact on enterprise organizations. Although always on the rise, it has particularly been prevalent during the pandemic. Before we dive in, I think it’s worthwhile to clearly define what a ransomware attack is. At a high level, we can classify ransomware as a malicious software that negatively affects the availability, the confidentiality, or the integrity of the data. Data, vital to business continuity, is a commodity for which businesses will pay a ransom to regain control and access. But it’s clear: there is no guarantee that organizations will really recover data after paying a ransom. Moreover, it is increasingly common to witness a new wave of ransomware, known as double-extortion, in which attackers exfiltrate data by putting their victims under extra pressure to pay the ransom.
If we look carefully to some numbers related to the spread of this type of cybercrime, we are able to understand two aspects: how widespread it is and the reasons why that happens.
If you review the diagram above, it’s clear that a vicious circle has been created during time. Over years, more companies paid the ransom and recovered their data. This evidence encourages cyber criminals to continue attacking organizations in all industries including governments and public organizations. Because of the wealth of opportunity, more resources are available to cyber attackers to build ever-more sophisticated tools to target more organizations.
Another scary trend to notice is the creation of a franchise framework to equip cyber criminals. Like the the Software-as-a-Service (SaaS) model, Ransomware-as-a-Service (RaaS) is a subscription-based model that allows virtually anyone to launch ransomware attacks with little effort and limited expertise. The organizer shares the software, provides guidance and support on how perform the attack, and then receives a percentage of the ransom. RaaS has facilitated a massive increase in ransomware attacks.
Now that we have understood the business advantage behind these types of criminal activities, let’s see how impactful it is on organizations.
Disturbing figures, don’t you agree?
Who are these infamous ransomware gangs? Here some of the most well-known attack groups, but there are others in existence as well as new attackers arising all the time.
Among the most heavily used tools used by these organizations are Emotet and Trickbot, which are trojans that access networks and facilitate their propagation through environments they desire to ransom. Other popular ransomware tools include Phorpiex and SmokeLoader. The list is long, and it constantly changes as new tools are developed.
Experts say that many ransomware cyber criminals are based in eastern Europe and may have ties to intelligence organizations. At the end of last year, a major government organization arrested several REvil ransomware gang members: an epic moment in cyber crime. Unfortunately, cyberattacks are on the rise since the start of the Ukraine invasion.
Curiously, one of these attack organizations, Darkside, presents themselves as the Robin Hood of cyber crime: stealing from rich companies to give money to charity. No charities have accepted any money from these types of crimes.
So that was a lot of scary information, but there is some good news.
First, ransomware doesn’t appear “out of the blue.” There are a myriad of very well-known indicators that appear during the common phases of an attack during which organizations can focus to avoid the attack. The adversary’s objective is to be stealthily persistent within an organization’s environment and move laterally to search for data to steal or silently encrypt. It takes most companies over six months, or roughly 200 days, to detect a data breach.
What is paramount to mitigate the risk of a ransomware attack is to be able to identify the early indicators of compromise and immediately take the appropriate countermeasures. However, there is something preliminary to reflect on: too many companies don’t have security best practices in place. Maybe they fail to properly back up their data or they don’t enforce a least-privilege policy, or their employees don’t have the proper security awareness level.
Another big mistake for an organization is to only rely on products and technology for a false sense of safety. The lack of professionals with the necessary cybersecurity skillsets is one of the reasons this happens. From a business security perspective, lacking cybersecurity expertise in today’s world is incredibly dangerous: a cybersecurity workforce study by (ISC)² estimates that the coverage gap is about 30%.
With this background, it’s clear that any effective first step should start with a security assessment of the security posture within an organization’s environment. Only then does it makes sense to move forward by implementing the most appropriate countermeasures. Last but not least, an organization can get support to adopt the best approach to mitigate the risk of being impacted by ransomware. How? Think about to security as a “movie,” not a “painting.” It’s something live, with multiple parts in movement, that requires observation. Organizations should leverage every visibility and monitoring capability they have to catch any elements that show something anomalous.
It’s important to consider an end-to-end solution that begins with a security assessment and adds focus on the protection of the endpoint, the network, and the data layers.
The steps outlined above are neither straightforward or easy. If implementing a ransomware risk mitigation security seems daunting, VMware Professional Services can help. VMware’s team of consultants are experts in implementing networking security in a variety of environments, using industry best practices and experience from working with global companies.