How to Stay Secure Amid the Rise of Ransomware
Cybersecurity has seen many types of attacks and foes throughout its history: Malware, Distributed Denial of Service (DDoS), Advanced Persistent Threats (APTs), among others.
Although all threats remain present, their use as a form of attack ebbs and flows with the current times. In the 1990s, when the internet was still new and its users naive, phishing attacks were the order of the day, tricking users into revealing sensitive information like passwords or credit card details through fraudulent emails or websites.
Now, however, it seems the cyber landscape is entering a new epoch: the age of ransomware. Although it has been present for a while, this method of gaining data has had a resurgence.
But what is the cause of all this cyber chaos? “The evolution of technology, specifically developments in AI, is empowering bad actors to develop more frequent and more sophisticated ransomware attacks,” explains Chris Dimitriadis, Chief Global Strategy Officer at ISACA.
Reviewing the spate of ransomware
With financial incentive being the main purpose of ransomware, it’s no wonder that payouts following an attack only contribute to the problem. Healthcare provider Change Healthcare’s hack in early 2024 saw the company pay a reported whopping US$22m to the attackers in order to stop the chaos.
What shortly followed was a spate of 44 cases of cybercriminal groups targeting healthcare organisations with ransomware attacks, as observed by cybersecurity firm Recorded Future.
“This surge in ransomware attacks correlates with reports indicating a record-breaking amount of over US$1bn paid to ransomware attackers in 2023,” says Jamie Collier, Lead Threat Intelligence Advisor (Europe) at Mandiant. “This highlights a concerning synergy between the substantial payouts and the frequency of attacks.”
Not only can the haul be big, but AI is lowering the price of admission for attackers, as well as increasing the sophistication of attacks and, in turn, the number of potential targets.
“The cost to compromise a business is going down,” says Carl Wearn, Head of Threat Intelligence Analysis and Future Ops at Mimecast. “The adoption of new tech has meant that it’s less expensive for attackers to target businesses, allowing them to broaden their targets. Attackers are using AI and new technology to help execute their crimes, accelerating the sophistication of phishing attacks and ransomware attacks.”
The use of AI in offence has companies increasingly looking to utilise it in defence, for example to analyse phishing attempts so they can be prevented, and to support malware analysis as part of threat intelligence and incident response.
Yet, that is only one brick in the wall of cyber defence necessary for the new wave.
“We know that cybersecurity is a multifaceted challenge that requires a collective effort to overcome,” says Carl.
Where to be aware
Although the object of ransomware is always the same (to extort a ransom), the method of reaching the point at which a victim can be held to ransom varies. Therefore, a large part of fighting ransomware revolves around threat intelligence - knowing where it can strike.
“In today's digital landscape, email continues to be the primary point of entry for significant cyber threats - phishing, spoofing, and ransomware,” Carl explains. “However, within a company's operations, collaboration tools have emerged as a significant point of vulnerability and primary entry for ransomware attacks.”
Email is used because loading an attachment with ransomware-delivering malware remains one of the single easiest ways to get into a system. Equally, the rise of remote working has exponentially increased the use of collaboration tools like Teams and Slack, which has opened up another point of entry and even decreased the ability to confirm the veracity of who sent a message.
Although the way of entry for most ransomware attacks will be through IT-related means, this is rarely the end goal.
“Most ransomware attacks are still IT-related, with Enterprise IT being the primary mechanism to enter a network even when the desired effect is to disrupt the OT environment,” Magpie Graham, Principal Adversary Hunter and Technical Director at Dragos explains. “That said, there is growing evidence that demonstrates the desire for criminal actors to expand into extorting the OT network, and evidence gained during Incident Response engagements that shows criminal actors behaving differently when within the boundaries of an OT network.”
This raises an interesting question on how to balance often spread-thin cyber resources in propping up defences.
Resisting ransomware
Many of the same good practices and cyber hygiene we see implemented on the Enterprise IT side, such as conducting security awareness training for all employees, can be helpful in terms of protecting OT environments too.
Yet, an adequate defence goes beyond the fundamentals of making sure everything is running as optimally as it should. “Businesses need to build and maintain a strong cyber defence capability that utilises proactive threat hunting powered by strong intelligence,” explains Jamie.
Being reactive in an age of ransomware is becoming a luxury that few can afford, so securing everything from staff to IT to threat hunting will become a necessary part of ransomware resistance strategies. This is especially true with the burgeoning of AI.
“The best strategy will understand that being proactive, rather than reactive, is the necessary response in the age of AI,” Carl asserts. “While it's crucial to handle the aftermath of a cyber incident, this shouldn't be the cornerstone of your cybersecurity strategy. Instead, adopting a proactive approach is key.”
Businesses can focus on monitoring OT networks, of which Dragos assesses less than 5% are monitored globally. Creating a dedicated ICS Incident Response Plan and practising those procedures with tabletop exercises can help minimise the breach or expedite the recovery procedure. This confidence can help mitigate the associated costs felt when trying to manage an infection.
“It is often the case, particularly for those targeted organisations that lack network monitoring, that they feel a compromise of the Enterprise IT network poses a significant risk to the OT network,” explains Magpie. “The only viable solution in many cases is to shut down the OT side of the house, which, unlike the IT side, cannot always be restored or restarted with ease (days to months vs hours). Whilst this may mitigate important risks to operations such as water purification or pharmaceutical production, it doubly leads to loss of revenue and in many cases fines imposed by regulatory bodies.”
Ultimately, the surge of ransomware has a remedy, but it is a collective effort that crosses people, processes, and technology.
“We can all learn something from those who have faced ransomware attacks but there tends to be a hesitancy to share lessons to avoid upsetting employees, customers and prospects,” Chris concludes.
With the growth of Ransomware-as-a-service (RaaS) showing increasing collaboration between gangs of attackers, organisations could take a leaf out of their book, combining their knowledge and raising a united front to understand more about how attacks happen and, in turn, help resist this new wave of ransomware.
Cyber Magazine is a BizClik brand