Executives are worried. They see organizations crippled by ransomware, often for days or weeks, and rumors of multimillion-dollar fines being paid.
By Ian Mann, CEO and Founder, ECSC Group plc
In this article, we explore the evolving strategy of ransomware attackers, and more critically, what is causing this increase in damaging attacks, and how you can prevent them.
Evolving Ransomware attacks – The Four Generations
What has changed over the years is the strategy of the groups conducting ransomware. These can be broken down into four distinct generations of attack.
Generation 1 – Keep asking for more
The first generation of ransomware involved encrypting your files or systems and demanding payment. Even if you paid, there was often a demand for a further payment (or several). This wasn’t a very smart attack strategy, as the ‘professional guidance’ quickly became not to pay.
Generation 2 – The honorable attacker
The attackers soon realized that not being paid is bad for business, and so started to ‘honor’ the release of decryption keys on the first payment. As payments were often modest in comparison to the damage caused, many organizations started to pay – even where paying ransoms is not legal (they found alternative routes for the payment). This proved successful for the attackers, as paying became a viable option where recovery proved difficult or impossible.
Generation 3 – The ability to pay
If you wanted proof that most hackers don’t target specific organizations, the third generation of ransomware provides it. Here the attackers don’t ask for a specific payment. Rather, they ask you to contact them, and then give you a quote. This gives the attacker a chance to identify you and assess the level of payment appropriate to your pain.
Generation 4 – Recovery disruption
The latest attack strategies add further elements to the Generation 3 strategy. Here the attacker carries out additional activities prior to deploying and activating the ransomware, namely:
- Disable, disrupt, or encrypt the backups.
- Steal sensitive data that has potential value.
- Disable logging on target systems and the entry route.
These additional levels of sophistication are intended to hamper attempts to recover systems, or data, when payment isn’t made, whilst also providing an alternative source for extorting a ransom – your data. If you recover your systems without paying, expect the same demand for money, or your most sensitive data will be released on the Internet (they’ll give you a sample of your data to prove they have it).
So, the attackers are getting smarter, making more money, and finding more organizations to attack. What can you do to defend yourself?
Your belief may be that the hackers will always get in if they try hard enough. This is understandable, as the movies tend to portray hacking as easily achieved by those smart enough, and never prevented by sufficient defenses – even at the most sensitive government establishments. In addition, executives and many cybersecurity specialists are often guided by the media following an attack, where the tendency is to focus on the suspected hacking groups deploying ransomware and which countries they might be operating from, implying that they cannot be stopped without international co-operation. The victims of ransomware are often happy for this to be the focus of conversation, as it distracts from the real question: what did the ‘victim’ do, or not do, that allowed the hackers to get in? That is something the victim doesn’t want to make public, as it points the finger of blame back at them.
It is usually much later, when regulators publish the reports that accompany fines, or when details are disclosed in court cases, that you can actually identify the organizational failings that led to the ransomware. Alternatively, listen to the specialist organizations that respond to a wide range of cybersecurity breaches every day.
Having been directly involved in cybersecurity incident response for over two decades, I am surprised how little has actually changed when you find the root cause of a cybersecurity breach. Actual breaches are not caused by the latest esoteric hacking technique being discussed in security forums, or promoted by vendors to push their latest protection or detection technologies. Breaches are happening because of well-known, well-proven attack techniques against vulnerabilities and attack vectors that have had fixes available for years.
Don’t Let Them In
As you learn more about the actual root causes of cybersecurity breaches (that more often than not lead to ransomware) you will develop a more empowering belief: you can prevent ALL cybersecurity breaches.
So, let’s look at the main root causes of today’s cyber breaches:
Multi-Factor Authentication (lack of)
Any Internet-facing login, whether into a ‘traditional’ IT environment or into your new cloud environment, is an easy target. It is usually attacked either by phishing the users or by exploiting weak (or already compromised) user passwords.
No excuses. Fix this now. It is more important than anything else you are doing with your cybersecurity. Fix this and read the rest of this article later.
Unprotected Web Servers
Due to their easy visibility to attackers, these are always going to be targeted. The easiest solution (a good Web Application Firewall) is now commonplace. Unfortunately, most are not configured correctly or tuned to give proper protection.
Patching Internet-facing Devices
Firewalls, VPN endpoints and remote access gateways should have priority in your patching efforts, as their vulnerabilities are easily detected by hackers and can be the first point of entry.
Protected Backups
Whilst not a direct root cause of the attack, this is worth mentioning as it becomes critical if you do suffer ransomware. Having off-line copies of backup data that cannot be destroyed by the attacker could save the day in a crisis. Your ability to recover your systems will be directly linked to your ability to protect backup data and restore critical systems (perhaps something you should test!).
The common thread here is that these failings are:
- Well-known vulnerabilities with relatively simple preventive measures.
- Not related to fancy new cyber technologies.
The More Difficult Challenge
Whilst your new empowering belief that you can prevent all breaches will serve you well, some recent large-scale hacks present you with a more difficult challenge. These include the recent breaches caused by technology providers being compromised, such as SolarWinds, Microsoft, and Kaseya, which in turn affect thousands of organizations.
I’m not going to guess at the individual failings within these organizations that may have led to the original breach. These will likely surface with time. More useful for you is to focus on how to protect yourself against these types of attacks.
At first sight, these categories of attack look difficult to defend against: your technology provider is hacked and the solution you bought from them is in turn compromised, giving attackers a route into your systems.
However, there are some elements of these attacks that give you a chance to survive them without suffering a breach.
Firstly, these types of attack affect thousands of organizations. This means that, unless you are a particularly attractive target for the hacking group involved, it is quite unlikely they will have the resources to compromise your systems quickly. They are likely to focus their limited resources on higher-profile or more profitable targets. Remember, the really successful hackers remain undetected by keeping their activities quiet and their numbers small.
Secondly, these new threats get lots of publicity, so you and your specialist advisors have access to timely information and can remove the threat and repair your defenses before you are likely to be compromised. You can also enhance your detection systems with the individual characteristics of the attack as these become known.
A Positive Note To Finish
So, in conclusion, although ransomware appears to be on the rise, and the impacts are worryingly high, you can prevent yourself from becoming a victim. The evidence shows that breaches are preventable, often by attending to the basics of sound cybersecurity protection.
About the Author
Ian Mann is the CEO and founder of the cybersecurity consultancy firm ECSC Group plc. He has over 20 years of experience in the cybersecurity sector, having previously worked as an adviser for GCHQ, and established a Cisco Networking Academy for Dixons City Technology College prior to founding ECSC in 2000.
Mann’s professional certifications include CISSP, PCI QSA, and ISO Lead Auditor, and he holds a B.Eng. in Electrical and Electronic Engineering from the University of Nottingham, and an MBA from the Open University. He is the author of the acclaimed social engineering text Hacking the Human, and Hacking the Human II: Adventures of a Social Engineer.
Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.