Ransomware is making its way outside the cybersecurity space. It’s popping up everywhere from the nightly news to the G7 Summit. Indeed ransomware has entered the mainstream as threat actors increasingly focus their attention on critical infrastructure providers that can’t afford any downtime or disruption from a cyber incident – from food and transportation suppliers to energy and healthcare systems.
Most people probably know what ransomware is (if not, go here). But how exactly does it work? What makes it so destructive? And how can organizations stop it? While the U.S. government has recently stated that it will be playing a larger role in thwarting ransomware and other cyberattacks, it has also stressed the importance of collaboration with the private sector to fight this pervasive issue. At the same time, the private sector has been urging stronger action from the government.
Ransomware is now everyone’s problem – from governments to corporations and even individuals. The pandemic has further increased opportunities for cyber attackers as employees access company resources from myriad devices/networks not managed by the corporate IT team. And once they’ve found their way into your business and encrypted your data and files, ransomware operators will demand substantial sums of money to restore them.
Why is ransomware so dangerous, especially now?
Data is the lifeblood of every organization, often halting operations when it’s not available. Ransomware historically targeted individual systems, and requested a few hundred dollars to recover data on that particular machine. Now, through “big game hunting,” threat actors are going after bigger targets and are moving laterally throughout an environment to get to more mission-critical systems. Once they gain access, they deploy ransomware at multiple points in the network so that the victim is more willing to pay a very high ransom (sometimes in the millions).
Other more aggressive tactics are also being used to increase ransomware operators’ chances of making money. For example, they will compromise backup systems so that administrators cannot use them to restore data. Some ransomware operators are also employing “double extortion,” threatening to release sensitive information to the public while also interfering with the victim’s day-to-day operations.
Furthermore, the ransomware-as-a-service model makes the barrier to entry for launching ransomware very low. Through these services, threat actors who don’t have the skills or resources to create their own ransomware can simply purchase kits from other threat actors. This gives anyone looking to carry out a cyberattack an opportunity to easily obtain malicious code that’s known to work for exploiting unpatched vulnerabilities.
Why not just pay the ransom?
Although today’s ransom payments are often in the millions of dollars, paying to restore data is sometimes still less costly than the operational impacts of an entire business slowing down or stopping (especially when it comes to critical infrastructure). So why not just pay the ransom?
Security and government experts discourage companies from paying a ransom, as it just continues to feed the attack cycle. If an attacker receives a ransom payment once from a target, that makes them more motivated to target the organization again, knowing they’re likely to pay up. And of course, just because an organization decides to pay a ransom, it doesn’t always mean that their data will be restored or that their sensitive information will not be released to outsiders.
How exactly do attackers get in?
There are various ways ransomware operators can infiltrate an environment. Oftentimes, phishing and social engineering are used to steal credentials and/or get employees to click on a malicious link or attachment. They can also enter through infected websites visited by users, or by simply exploiting known software vulnerabilities at an organization’s network perimeter. In some cases, attackers may first break into an organization’s business partner, service provider, or other third party to eventually infect their intended target.
Today’s users are accustomed to rapidly scrolling and browsing through emails, social media, and news articles. Cybercriminals are taking advantage of this behavior to initiate attacks before users even realize what they’ve clicked on. However, as mentioned earlier, initial intrusion is just part of the process.
To maximize their earning potential, ransomware operators will typically wait until they’ve gained control of a large portion of a network before deploying ransomware. While any defender’s first goal should be to keep attackers off their network, it’s also important to make sure correct policies are in place to limit what users can do if they were to gain control of a network or user account.
What can we do to stop ransomware?
Since ransomware has become so multi-faceted, so too must our protections. No single technology or best practice alone can prevent it. We must think of ransomware defense as an ongoing, layered process. The best technologies are up-to-date to catch the latest threats, and are well-integrated so that one solution can pick up where the other leaves off.
End user education should also play a key role in combating ransomware, so that employees know what’s at stake when they mindlessly browse and click. However, according to Cisco’s Head of Advisory CISOs, Wendy Nather, there’s a right way and a wrong way to do this.
“Our culture of scanning and scolding in security is not a good trend…. But if people know that you have their back and you’re willing to work side by side with them to fix the problem, you will get so much more cooperation,” she said.
Wendy shared that when phishing exercises are carried out within her business unit, the employees who report it are celebrated (instead of chastising those who fall for it). “It’s a great way to emphasize and motivate the kind of behaviors we want to see,” she added.
Top tips for ransomware defense
If you’re not sure where to begin with ransomware defense, start with basic cyber hygiene. (While some of this may sound simplistic, it’s often overlooked due to resource constraints, a focus on higher-level projects, and so on. Attackers are aware of this and often exploit these common vulnerabilities and weaknesses.)
- Keep systems patched and updated. Automated patching, when feasible, can help ensure that nothing slips through the cracks, and can also lessen the burden on your IT and security teams. Out of the 25 best practices we analyzed in our 2021 Security Outcomes Study, it was found that proactively refreshing technology had the strongest effect on improving overall defenses.
- Always back up data so that it can be recovered in an emergency. Store backups offline so they cannot be found by cyber intruders. Develop a data recovery plan that can help you achieve restoration at scale while ensuring business continuity.
- Maintain an accurate and up-to-date inventory of your assets. Older, forgotten machines often provide a way in for attackers.
- Conduct ongoing risk assessments to uncover any vulnerabilities in your infrastructure.
- Encrypt confidential data, and segment your network so that cybercriminals cannot easily get to critical systems.
- Make sure your employees are familiar with cybersecurity and ransomware. Train them on the importance of strong passwords, how to spot a phishing email, what to do if they receive a suspicious communication, and so on.
- Stay informed about the latest risks and defensive tactics, and have a solid incident response plan in place to handle unexpected threats. Organizations like Cisco Talos offer incident response services to help you prepare for, respond to, and recover from breaches.
- Pay attention to ransomware guidance from government entities such as CISA and NIST.
Technologies that can help
And of course, be sure to implement a comprehensive range of security solutions to cover the many threat vectors attackers use to get in, including:
Next-generation firewall and IPS – Prevent attacks from invading your network with modernized firewall and intrusion prevention technology.
Email security – Block ransomware delivered via spam and phishing, and automatically identify malicious attachments and URLs.
Cloud & web security – Protect users from ransomware and other malware while they’re on the Internet or using cloud applications.
Endpoint protection – Detect and remediate threats that infect the various endpoints across your environment.
Secure access – Ensure that only authorized users and devices are accessing your resources through multi-factor authentication (MFA) and other safeguards.
Network visibility & analytics – Get a handle on what’s going on in your network so that anomalous behaviors can be quickly mitigated. Employ a solution that can analyze both encrypted and unencrypted traffic.
Using these and other technologies, organizations should take a zero trust approach to security. This means that no access attempt by any person, device, or application should be implicitly trusted. Zero trust security will make it harder for cybercriminals to successfully launch ransomware across your network.
Cisco Ransomware Defense
If you need help with your ransomware strategy, Cisco Secure offers all of the above technologies and more. They are integrated through the Cisco SecureX platform for maximum efficacy, and are backed by the industry-leading threat intelligence of Cisco Talos.
To go deeper on this topic, check out Cisco Talos’ rare interview with a ransomware operator to gain unique insight into the human side of threats. For technical details on all the latest attacks, follow the Cisco Talos blog.