Having the correct cyber defences is imperative for businesses, now more than ever as cyber criminals become more sophisticated and their attacks more complex. Organisations fall victim to ransomware attacks every 11 seconds and these types of attacks have significant ramifications, according to Cybersecurity Ventures.
Ransomware is one of the many negative outcomes that occur from poor app security, so, to protect businesses from such attacks, cyber security professionals should implement strong app security programmes and instil best practices company-wide.
Ransomware is malware designed to deny a user or organisation access to files on their computer. Criminals often request a ransom payment in exchange for the decryption key needed to regain access to these files. Frustratingly, they often place organisations in such a position that paying the ransom is the easiest and cheapest way to regain access to their files.
“We’ve seen a cybercrime shift from covert shadow groups into these cybercrime cartels, now providing ransomware-as-a-service and executing multistage campaigns. Yet, the industry’s focus is now turning to an alarming trend requiring urgent attention,” said Tom Kellermann, Head of Cybersecurity Strategy at VMware.
Chris Wysopal is co-founder and CTO at Veracode, which provides SaaS application security that integrates application analysis into development pipelines. He explains that "Ransomware is a monetisation technique and a result of poor application security, along with data breach".
While the first wave of ransomware used extortion to monetise denial of service (DoS) of your data and compute, Wysopal adds that, "the second wave used extortion to monetise compromising the confidentiality of your data by threatening to release it. This “nuclear” third wave adds in all kinds of other monetisation techniques. Since weak application security could be the attack vector for any of these monetisation techniques, the importance of putting in place strong application security programs and best practices to minimise the risk cannot be underestimated," said Wysopal.
WannaCry ransomware attack
Five years ago, the notorious WannaCry ransomware attack became one of the first examples of a worldwide cyber attack, ultimately establishing ransomware as a major cyber threat vector. Leaving a distinct mark in the technology world, the attack was estimated to have affected more than 200,000 computers across 150 countries, with total damages ranging from hundreds of millions to billions of US dollars.
Commenting on this attack, Kevin Curran, IEEE Senior Member and Professor of Cybersecurity at Ulster University, says: “Consider the more recent attack back in May 2021 on the Colonial pipeline in the USA, which runs from Houston, Texas to New Jersey and controls 50% of the fuel supply in North America. It revealed the damage ransomware can pose to vital national infrastructure and public services, which seem to be the main target at present as it causes the most disruption. We may only be at the start of a modern nightmare!”
Also reflecting on the cyber security space since this attack, Michael Smith, CTO, Neustar Security Services, notes: “Newer strains have emerged and, whilst organisations may have learned from their initial failures, ransomware continues to be one of the dominant forms across the threat landscape. The criminals running these campaigns are in it for the money and were initially drawn to ransomware because the payoff was so quick.”
Undoubtedly, though, the landscape has shifted significantly since WannaCry – as Curran explains: “Threat actors have gone to a great effort to remain under the radar of leading antivirus (AV) solutions. Once a network has been compromised, they further penetrate the connected internal network using exploits and automatic USB infection to encrypt files, in addition to sending them outwards. A key threat of this malware is its ability to evade detection – and it goes to great lengths to do so effectively.”
He adds: “Some have adopted a 'radio silence' technique, through a sophisticated monitoring of system processes, where malware knows when to stay silent or lie dormant; 'stealth mode' techniques have been adopted by malware to evade detection. Techniques include frequently checking AV results to change versions and builds on all infected servers when any trace of detection appears, in addition to monitoring memory consumption to prevent common server administration utilities from detecting the ransomware processes.”
Learning and adapting following the WannaCry attack
Now, organisations must continue to protect themselves from such attacks, particularly as cyber criminals increasingly look to target large numbers of employees through a series of attacks using tailored techniques or dynamic websites to outsmart IT teams and bypass security systems.
This, notes Curran, “has an alarmingly high success rate and can be very hard to detect, especially given the rise in hybrid working – which has introduced more devices than ever to companies’ networks. Most organisations will have built policies and procedures that protect individuals and the organisation’s infrastructure, but it is unlikely that they have this level of contingency plan in place – meaning the all new, work-from-home culture is still being tried and tested.”
Smith also warns about the impact ransomware could have, with the threat of a distributed denial of service (DDoS) attack used as a triple extortion, or the threat to contact the organisation's customers used as a quadruple extortion.
He explains: “With previous ransomware, the impact was downtime or unavailable data. With double, triple and even quadruple-extortion, organisations are being pushed from corrective controls centred on asset and data availability, such as backup and recovery, to detective and preventive controls focused on integrity and confidentiality. We are essentially being forced to adapt again and again to attacker behaviour – the threat landscape requires constant evolution.”
To move forward and ensure organisations are well protected, IT departments must be able to maintain proficient security protocols and policies for years to come. To do this well, IT security staff numbers should be increased and those staff given sufficient training.
“It does not help that the salaries on offer are relatively low when compared to the wider industry. Cybersecurity is not an area that can afford to be cut back on in this increasingly digital world, especially when it comes to something as important as medical records or legal history with our personal information,” says Cullen.
Concluding, Smith notes: “Ransomware attacks have grown in such significance that the question is no longer if an organisation will be targeted, but when. Leaders must recognise by now the importance of educating all employees on basic security – not just leaving it to dedicated-security staff – especially given how many major breaches stem from ignorance not malice. For their own protection, companies must assume that, with insider threats, as with any security risk, compromise is a matter of when and not if.
“Moving forward, leaders should start by implementing a multi-layered security approach. This includes having a thorough, planned approach to software patch updates and fixes, carrying out frequent vulnerability and penetration testing, as well as ensuring regular updates to data backup systems are made. Once these basics are in place, enterprises should also implement reliable distributed denial of service (DDoS) network protection, along with phishing prevention.”
VMware’s Kellermann concludes by adding: “In our research, 81% of businesses now have an active threat hunting programme to prepare for breaches not yet uncovered. Despite this, there’s more to be done. Organisations must prioritise investment in securing cloud workloads at every point in the security lifecycle to shield against future ransomware attacks.”