Getting inside the mind of a ransomware hacker in 2022

By Christopher Rogers
As threat actors continue to adapt and evolve, one of the greatest assets an IT team can have is to understand the mind of a ransomware hacker

2022 continues the aggressive and costly trend of the “golden era of ransomware”. In 2021, 61% of businesses experienced ransomware attacks and, with the increasing popularity of Ransomware-as-a-Service platforms, attacks are only going to increase. Ransomware was ranked the top cybersecurity threat: it’s not a matter of ‘if’ an organisation will be hit but ‘when’ and how often, and security remains the hottest topic for digital leaders.

Ransomware is an increasingly costly threat for UK businesses, with most companies hit by ransomware (82%) paying the ransom. IT teams can’t just sit and take cover – they need proactive strategies to ensure their cybersecurity protocols are prioritising recovery. This way, when the inevitable occurs, the impact is minimised and it’s business as usual with minimal disruption to services and data loss, and the most recent ‘clean’ replica of data possible.

Understanding the threatscape

According to the European Union Agency for Cybersecurity (ENISA), the trend is “spurred by an ever-growing online presence, the transitioning of traditional infrastructures to online solutions, advanced interconnectivity and the exploitation of new features of emerging technologies”. The plethora of IoT devices and disparate systems in the new work-from-anywhere workstyles creates opportunities for attackers, who can easily adapt their malware to target users through particular apps and devices. 

No business, regardless of size or industry, is safe. Security pros across all sectors will need to know the full implications of a modern-day ransomware attack on their organisation. This means knowing the potential and scope of a threat and having the most effective recovery plan in place, ready for action, to minimise the cost of downtime, data and revenue losses, and the risk of lasting reputation damage.

Threat actors in 2022 are continually evolving their tactics to stay one step ahead. Fully understanding the main stages of a ransomware attack is the backbone for a robust recovery operation:

Stage 1: Attack initiation

Ransomware attacks are most commonly initiated through phishing emails and malicious websites. Attackers also exploit vulnerabilities in RDP connections or attack weak links in software directly. These intelligent, stealthy attacks often go undetected until the user unwittingly clicks a link that activates the assault.

Once it has penetrated the system, ransomware can lie dormant and go undetected for weeks or even months. It can spread like a disease through all the software and systems of the business, accessing as much data as possible. This makes it tough for IT managers to work out when the last ‘good’ backup was completed.

From the moment an attack is launched, mitigation and recovery efforts must kick in to prevent mission-critical systems grinding to a halt. Some ransomware variants even target backup systems themselves, paralysing the organisation’s ability to restore data after the attack.

Stage 2: Attack manifestation

Once under attack, the entire tech ecosystem is at risk, both systems and critical data. Encryption methods vary, from encrypting the master boot record of a file system to encrypting individual files or entire virtual machines. The organisation faces a tough decision: pay the ransom and put the organisation at risk, or refuse and attempt recovery while trying to avoid extended disruption and the associated losses of data and revenue.

Without an effective data recovery strategy, few organisations can absorb the prohibitive cost and time needed to get their systems back online. In 2021, the total cost of recovery from a ransomware attack spiralled to $1.85 million, 10 times the average ransomware payment, and typical post-attack downtime was 21 days.

Of organisations that caved and paid the ransom, only 8% retrieved all their data. The alternative of clawing back data from a backup server or replica was a time-consuming and complex process, involving painstaking checks to remove malicious files and code to prevent reinfection.

Build resilience with continuous data protection

Ransomware attackers are not expecting the organisations they target to have modern backup and recovery solutions in place. If organisations continue to rely on legacy backups, then disruption, data and financial losses beckon. But having a plan to outsmart the attackers, with a disaster recovery solution that enables full recoverability within minutes, plays them at their own game.

In adopting continuous data protection (CDP), IT teams are armed with always-on replication and journaling technology that allows rapid recovery of entire sites and applications at scale by effortlessly creating multiple copies both locally and remotely.

It’s essential to test recovered data in an isolated environment, such as a sandbox, where IT teams can confirm it is free of malware before recovery. Businesses must also take advantage of options like immutable copies of data that cannot be encrypted or corrupted, which enables recovery in just a few clicks to a point just seconds before an attack.
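Added illustration, not from the article or any vendor's product: a toy Python CDP journal showing the properties the last three paragraphs rely on, an append-only, hash-chained journal in which an altered or wiped entry is detectable, point-in-time replay of the files as they stood at any second, and an entropy heuristic for locating the last clean write, the question Stage 1 says is hard to answer. All file names, contents and the 6.0 bits/byte threshold are constructed assumptions.

```python
import hashlib
import math
from collections import namedtuple

# One journaled write; prev/digest hash-chain the entries so tampering is detectable.
Entry = namedtuple("Entry", "t path data prev digest")

def _digest(prev, t, path, data):
    return hashlib.sha256(f"{prev}|{t}|{path}|".encode() + data).hexdigest()

def append(journal, t, path, data):
    """Record one write, hash-linked to its predecessor (append-only journal)."""
    prev = journal[-1].digest if journal else "0" * 64
    journal.append(Entry(t, path, data, prev, _digest(prev, t, path, data)))

def verify(journal):
    """True unless an entry was altered, dropped or reordered after journaling."""
    prev = "0" * 64
    for e in journal:
        if e.prev != prev or _digest(prev, e.t, e.path, e.data) != e.digest:
            return False
        prev = e.digest
    return True

def state_at(journal, t):
    """Replay writes up to time t; later writes to the same path win."""
    return {e.path: e.data for e in journal if e.t <= t}

def entropy(data):
    """Shannon entropy in bits per byte; 8.0 is maximal and typical of ciphertext."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in map(data.count, range(256)) if c) if n else 0.0

def last_clean_time(journal, threshold=6.0):
    """Latest journal time before the first write that looks encrypted.
    The 6.0 bits/byte cut-off is an assumption for this toy, not a product setting."""
    clean = 0
    for e in journal:
        if entropy(e.data) > threshold:
            return clean
        clean = e.t
    return clean

# Constructed sample: three ordinary writes, then two ransomware rewrites.
JOURNAL = []
append(JOURNAL, 0, "reports/q1.txt", b"Q1 revenue up 4% on last year")
append(JOURNAL, 5, "reports/q2.txt", b"Q2 revenue flat, costs down 2%")
append(JOURNAL, 9, "reports/q1.txt", b"Q1 revenue up 4% on last year (restated)")
append(JOURNAL, 12, "reports/q1.txt", bytes(range(256)))  # stands in for ciphertext
append(JOURNAL, 13, "reports/q2.txt", bytes(range(256)))
```

Production CDP products typically journal block-level writes rather than whole files and combine entropy with other indicators, so treat the heuristic as a way to propose a candidate restore point that is then checked in the sandbox, not as a verdict.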

As cyber criminals adapt to traditional corporate defences, all organisations need to be truly protected with a robust recovery plan. Organisations increasingly feel that paying the ransom is not an option. But if corporate data is locked down and easily retrievable with CDP, IT pros will have systems back online in no time.
