Ransomware has been with us now for over 30 years. Let that sink in. Ransomware predates the modern internet as we know it; the first example was distributed on floppy disks in 1989. While the floppy disk has been relegated to the recycle bin of history, ransomware is still with us and still poses a serious threat to businesses, governments, and individuals across much of the world. Worse, modern ransomware attacks have evolved from simply encrypting files and demanding payment for a decryption key into complex operations that add data exfiltration and extortion to the attacker's playbook.
By Saryu Nayyar, CEO, Gurucul
It Used to be Easier
From the attacker's perspective, ransomware is popular because it is comparatively easy to go from initial infection to cash payout. With stolen credit card information, for example, the attacker needs some way to turn the cards into money. Whether that is by selling them to someone else on the dark web or by using them directly to make purchases or take cash advances, there are extra steps involved that make the attack less attractive and less lucrative. Likewise, stolen personal information enables a range of follow-on attacks and is a valuable commodity on underground markets, but there are still additional steps between compromise and payout.
By using the initial attack to plant their malware and hold the victim's encrypted files for ransom, the attacker eliminates a layer of complexity and the cut taken by middlemen. Unless the attacker is renting tooling from some kind of Crime-as-a-Service operation, the ransom payout goes directly to them. No extra steps, and no paper trail of the kind stolen credit cards leave (a cryptocurrency ransom is pseudonymous, which is not the same as untraceable, but it is far thinner than a card-fraud trail). But the model wasn't perfect.
We Learned to Defend
While ransomware originally just entailed encrypting the victim's files and demanding payment for the decryption key, attackers still found there were weaknesses in that business model. In some cases the weakness was in the malware itself. A homegrown or weak cipher, a key derived from a predictable value such as a timestamp, or a key left recoverable on the infected machine made it feasible to regenerate the key and break the encryption. Publicly available decryptors could recover files encrypted by several different malware strains, which limited those strains' effectiveness – to the great relief of their victims.
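The "sloppy implementation" failure described above, as an added example written for this page (it is not code from the article and does not model any specific real strain). The toy scheme derives its key from the epoch second of infection and feeds it to a non-cryptographic PRNG; the seed is never written to disk, so its author assumes it is unrecoverable. The recovery routine brute-forces every seed in a time window that the defender can bound from file timestamps, and validates each candidate against a known file header. The list of header magics and the sample document are constructed for the example.

```python
import random

# Added example, not code from the article. A toy "ransomware" that makes the
# classic implementation mistake: the key is derived from a low-entropy value
# (the epoch second of infection) and fed to a non-cryptographic PRNG. Because
# the seed space reachable in any plausible time window is tiny, a decryptor
# can brute-force it using only a known file header.


def keystream(seed: int, n: int) -> bytes:
    """Keystream from Python's Mersenne Twister PRNG seeded with `seed`.
    MT is not a CSPRNG: the whole stream is fixed by the seed alone."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


def weak_encrypt(plaintext: bytes, infection_time: int) -> bytes:
    """The flawed scheme: XOR with a keystream seeded by the infection time.
    The seed is never stored, so the author assumes it cannot be recovered."""
    ks = keystream(infection_time, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


def weak_decrypt(ciphertext: bytes, seed: int) -> bytes:
    """XOR with the same keystream undoes the encryption."""
    return weak_encrypt(ciphertext, seed)


# Known-plaintext anchors: common file headers (constructed list, extend as
# needed; keep each magic at least 4 bytes to avoid chance matches).
KNOWN_MAGIC = (b"%PDF-", b"\x89PNG\r\n\x1a\n", b"PK\x03\x04")


def recover_seed(ciphertext: bytes, window_start: int, window_end: int):
    """Brute-force every seed in [window_start, window_end] and return the
    first one whose trial decryption of the file's leading bytes yields a
    known header. A full day is only 86,400 candidates."""
    head_len = max(len(m) for m in KNOWN_MAGIC)
    head = ciphertext[:head_len]
    for seed in range(window_start, window_end + 1):
        trial = bytes(c ^ k for c, k in zip(head, keystream(seed, head_len)))
        if any(trial.startswith(m) for m in KNOWN_MAGIC):
            return seed
    return None


def recover_file(ciphertext: bytes, window_start: int, window_end: int):
    """Return the recovered plaintext, or None if no seed in the window fits."""
    seed = recover_seed(ciphertext, window_start, window_end)
    return None if seed is None else weak_decrypt(ciphertext, seed)


if __name__ == "__main__":
    # Constructed victim file and infection time (not real data).
    original = b"%PDF-1.7\n% constructed sample document\n" + bytes(range(256))
    infection = 1_700_000_000
    encrypted = weak_encrypt(original, infection)
    # The defender knows only an approximate window, e.g. from file mtimes.
    recovered = recover_file(encrypted, infection - 3600, infection + 3600)
    print("recovered:", recovered == original)
```

The same known-plaintext check is what public decryptors rely on when a strain's key is derived from a guessable value; a correctly implemented scheme (a per-victim key from a CSPRNG, wrapped with the attacker's public key) leaves nothing for this search to find.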
Disaster Recovery and Business Continuity plans also evolved to compensate for malware attacks, including ransomware specifically. There is an entire industry built upon providing rapid backup and restoration capabilities in the case of file loss. The current generation of cloud backups is dramatically faster and more efficient than the tape backups of old, and made recovery from ransomware a fairly simple and relatively painless process, provided the backups themselves are kept out of the attacker's reach. An operator who has obtained domain credentials will look for reachable backups and delete or encrypt them before triggering the payload, so the copies that matter are the offline or immutable ones.
Backups let an organization respond to a ransomware attack with "sorry, but no," and simply restore the damaged files from a secure backup. This backup and restore capability was already baked into many disaster recovery plans, and this alone should have been enough to turn ransomware attacks from a massive and expensive outage into barely an inconvenience.
They Didn’t Go Away
As more and more organizations embraced operational plans that account for these attacks, we would have expected ransomware to fade. And that is before taking into account the cybersecurity technologies that can prevent, or at least slow, an attack before it damages more than a handful of files. But that is not what happened.
Faced with improved defenses, cybercriminals evolved their attacks. Now, before their malware starts to encrypt files and throw up the disconcerting "your files have been encrypted!" banner, they exfiltrate large volumes of the victim's data to infrastructure outside the organization and threaten to publish it if the victim does not pay the ransom.
Now, even if the target can rely on a robust backup plan to recover rapidly from the encryption, it is still open to extortion over the stolen data.
Evolve and Adapt
It is this evolution to hybrid attacks, which hold data for ransom both through encryption and through the threat of publication, that has kept ransomware a near top-of-mind threat in the cybersecurity space. Our ability to rapidly recover destroyed files does nothing about the damage that comes from having those same files released to the public. This change in attacker strategy forces us to shift our defense plan from one of recovering rapidly after the attack to one that must resist the attack, and in particular the data theft, in the first place.
Assume They Are Already In
In truth, resisting attacks in the first place is where cybersecurity should start. It is always better to keep the bad guys out so they are not in the environment doing damage. Unfortunately, the reality is that we know the bad guys will find their way in. Yes, improved perimeter defenses can go a long way toward keeping them out, as can risk-based user authentication and multi-factor authentication. But we must operate from an "assume breach" perspective. After all, the best perimeter defenses in the world are of little use when an attacker bribes an insider to plant malware or otherwise compromise the business.
The "assume breach" posture means we need internal defenses that can identify an attack before it does serious damage. Whether that is through micro-segmentation that thwarts lateral movement, endpoint defenses that contain malware infections, deception systems that lead attackers into revealing themselves, or security analytics that identify an attack from the attacker's behaviors and tie those behaviors together through context, organizations need a comprehensive security stack that can catch even a sophisticated attacker before the data has left and the files have been encrypted.
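The behavioural-analytics idea in this section and the exfiltrate-then-encrypt sequence described under "They Didn't Go Away", as one added example written for this page (not the article's or any vendor's code). Two weak per-host signals, a burst of outbound bytes to an external address and a burst of file renames that append a second extension, are each alerted on, and then correlated per host into a "double extortion" pattern when the exfiltration precedes the mass rename. The internal address ranges, the thresholds, the window sizes and the telemetry lines are all constructed assumptions for the example.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Added example, not code from the article: a minimal behavioural correlation
# over host telemetry. Thresholds, windows and address ranges are assumptions.

# Assumed internal ranges for the example organisation.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample telemetry as key=value lines (not real logs). WS-17 pushes
# about 1.5 GB to an external host and then renames files with a second
# extension; WS-22 only sends 2 GB to the internal backup server and renames
# one file normally.
SAMPLE_EVENTS = [
    "2024-03-01T02:10:05 host=WS-17 type=netflow dst=203.0.113.9 bytes=734003200",
    "2024-03-01T02:14:40 host=WS-17 type=netflow dst=203.0.113.9 bytes=891289600",
    "2024-03-01T02:12:00 host=WS-22 type=netflow dst=10.0.0.5 bytes=2147483648",
    "2024-03-01T02:15:30 host=WS-22 type=file op=rename path=/srv/share/hr/report.docx",
] + [
    f"2024-03-01T02:{31 + i:02d}:12 host=WS-17 type=file op=rename "
    f"path=/srv/share/finance/q4_{i}.xlsx.lockd"
    for i in range(12)
]


def parse_event(line: str) -> dict:
    """Parse 'ISO-timestamp key=value key=value ...' into a dict."""
    ts, rest = line.split(" ", 1)
    fields = dict(tok.split("=", 1) for tok in rest.split())
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def is_external(dst: str) -> bool:
    addr = ipaddress.ip_address(dst)
    return not any(addr in net for net in INTERNAL_NETS)


def has_double_ext(path: str) -> bool:
    """Heuristic for 'name.ext.<ransom-ext>': two or more dots in the basename.
    Legitimate names such as archive.tar.gz also match, so this is a weak
    signal on its own and is only escalated when correlated."""
    return path.rsplit("/", 1)[-1].count(".") >= 2


def first_burst(items, threshold, window):
    """Return the timestamp at which the sum of weights inside a trailing
    window first reaches `threshold`, or None. `items` is [(ts, weight)]."""
    items = sorted(items)
    start, total = 0, 0
    for ts, w in items:
        total += w
        while items[start][0] < ts - window:
            total -= items[start][1]
            start += 1
        if total >= threshold:
            return ts
    return None


def detect(lines, exfil_bytes=500 * 2**20, rename_count=10,
           window=timedelta(minutes=30), link=timedelta(hours=3)):
    """Per-host burst detection for exfiltration and mass rename, then
    correlation of the two into a double-extortion alert."""
    flows, renames = defaultdict(list), defaultdict(list)
    for ev in map(parse_event, lines):
        host = ev["host"]
        if ev["type"] == "netflow" and is_external(ev["dst"]):
            flows[host].append((ev["ts"], int(ev["bytes"])))
        elif ev["type"] == "file" and ev.get("op") == "rename" \
                and has_double_ext(ev["path"]):
            renames[host].append((ev["ts"], 1))
    alerts = []
    for host in sorted(set(flows) | set(renames)):
        ex = first_burst(flows[host], exfil_bytes, window)
        enc = first_burst(renames[host], rename_count, window)
        if ex:
            alerts.append({"host": host, "type": "exfiltration", "ts": ex})
        if enc:
            alerts.append({"host": host, "type": "mass_encryption", "ts": enc})
        # The context that matters: theft first, encryption shortly after.
        if ex and enc and ex < enc <= ex + link:
            alerts.append({"host": host, "type": "double_extortion", "ts": enc})
    return sorted(alerts, key=lambda a: (a["ts"], a["host"]))


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a["ts"].isoformat(), a["host"], a["type"])
```

The exfiltration alert fires half an hour before the first rename, which is the window in which the theft can still be interrupted; once the rename burst appears, the correlated alert tells the responder that backups alone will not close the incident. Raising `exfil_bytes` to 2 GiB on the same sample suppresses the exfiltration and correlation alerts and leaves only the rename burst, which is why the thresholds need tuning against a baseline of the organisation's normal outbound volume.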
Back to The Question
To answer the ultimate question of why ransomware is still a problem, it’s because cybercriminals have evolved their business model to go beyond simple ransomware. We evolved our defenses to thwart their attacks and they have evolved their attacks to get around our defenses in an unending cycle.
However, with a combination of solid disaster recovery and business continuity plans and a comprehensive security stack built around defense in depth and the assumption that attackers can find a way in, organizations can blunt the impact of ransomware attacks, if not eliminate the threat entirely.
About the Author
Saryu Nayyar is an internationally recognized cybersecurity expert, author, speaker, and member of the Forbes Technology Council. She has more than 15 years of experience in the information security, identity & access management, IT risk & compliance, and security risk management sectors. She has held leadership roles in security products and services strategy at Ernst & Young, Oracle, Simeio, Sun Microsystems, Vaau (acquired by Sun), and Disney. She is passionate about building disruptive technologies and has several patents pending for behavior analytics, anomaly detection, and dynamic risk scoring inventions.
Views expressed in this article are personal. The facts, opinions, and language in the article do not necessarily reflect the views of CISO MAG.
The "AIDS Trojan" of 1989 – https://en.wikipedia.org/wiki/AIDS_(Trojan_horse)