Samantha Humphries at Exabeam explains why evolving ransomware presents an existential threat to organisations of all shapes and sizes in the ‘now normal’ business landscape
The last 12 months have proved rather challenging for businesses, to put it mildly. The rapid spread of COVID-19 – and ensuing lockdowns – has forced a major shift in the way they have to think and operate, all with little prior warning. This significant level of upheaval, combined with changing consumer behaviour, has left many in precarious financial positions coming into the New Year.
The last thing any of these businesses need is to fall victim to a ransomware attack, which could prove a fatal blow. Sadly, cyber threat actors aren’t renowned for their compassion and many see current world events as a major money-making opportunity. Furthermore, rather than doing Zoom quizzes and binge watching box sets, criminal organisations have spent lockdown developing more powerful ransomware operations that present a much more potent threat to victims. Rather than simply encrypting data at the victim’s end and demanding a ransom, there are numerous reports of attacks that exfiltrate the victim’s data before encrypting it, an approach now commonly called double extortion. Such an attack leaves victims exposed to a much more prolonged extortion campaign, often with no guarantee that their data will be safe even if the ransom is paid.
A recent high-profile example is the fate of Travelex, which in early 2020 was the world’s largest foreign exchange company. Now, just a year later, it has gone into administration. Of course, the pandemic has played a significant role in this, but another contributing factor is the ransomware attack it was hit with in January 2020. Attackers reportedly exploited a vulnerability in one of its systems to extract sensitive business and customer data, before demanding $6 million for its release. When Travelex refused, the criminals released a cache of this data online, including customer payment details and company financials.
With the company locked out of its own systems, a month of major business disruption ensued, right at the same time it was trying to grapple with the impact of the pandemic. The combined damage was massive, and despite Travelex eventually paying a reported $2.3 million to its attackers, it was too late. The company fell into administration in August 2020, with over 1,300 people losing their jobs.
The fate of Travelex now stands as a cautionary tale for every business that’s reliant on digital systems and infrastructure. Ransomware presents a very real, existential threat that can quickly derail businesses who think they’re at the top of their game.
The stakes are being raised
Worryingly, the emergence of more potent ransomware isn’t the only threat either. Criminals are also shifting their focus when it comes to victims. Whereas previously they tended to adopt a broad-brush approach, hitting as many targets as possible, now they appear to be choosing victims more carefully, with an emphasis on those perceived to have the most to lose (and therefore more likely to pay quickly). Sadly, this includes medical organisations and hospitals, which are already stretched to the limit.
Furthermore, whilst decisions to pay ransom demands are often driven by the need to get services back up and running quickly, ransomware gangs have been observed to return to victims that have paid, only to ask for more. It should come as no surprise that cyber criminals can be deceptive, and paying the attackers doesn’t guarantee that they will hand over the decryption keys. In some cases, cyber criminals have published stolen data even when the ransom has been paid in full, or have left a trojan on the system for later use. This is why the priority has to be detecting and stopping the attack, rather than negotiating after it.
Effective identification has never been more important
For security teams defending against ransomware attacks, the ability to quickly detect and investigate indicators of compromise, such as malicious file signatures or suspicious IP addresses, is critical. However, these indicators are tied to a particular strain or campaign, and the constant emergence of new ransomware strains and techniques makes keeping up with them an endless uphill battle.
Instead, security teams need tools that can identify the techniques attackers use while they are using them, building a complete picture of the attack as it unfolds in real time. By automatically assembling related events and mapping them to MITRE ATT&CK tactics such as privilege escalation and lateral movement, a ransomware deployment, or the reconnaissance that precedes it, can potentially be blocked before anything is stolen or encrypted. Additionally, as ransomware attacks are unfortunately being used as a distraction from other nefarious attacker activity happening in parallel, security teams need technology in place that acts as “eyes everywhere”, not just on the most obvious problem.
The continuing evolution of ransomware also means automation has become more important than ever. While separate tools such as endpoint security, IDS and firewalls help prevent initial infection, if and when those defences are breached, security teams can be left scrambling to operate a plethora of different security products under extreme pressure. Automating key defensive actions such as blocking an IP address or isolating a host, with the detection feeding the response directly, can mean the difference between success and failure in a breach scenario where every second counts.
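To make the two preceding points concrete, here is an added example of what “assembling events mapped to ATT&CK tactics” and “automating the response” can look like in code. It is illustrative code written for this article, not Exabeam’s product or any real detection rule: the event names, the mapping of events to tactics, the thresholds, the window and the log lines are all constructed, and only the ATT&CK tactic IDs are real. A lone port scan on one host stays quiet; a host that moves through discovery, privilege escalation, lateral movement, collection, exfiltration and mass file renaming inside two hours produces a single critical alert that already carries the containment actions to take.

```python
"""Correlate per-host events into an ATT&CK tactic chain and pick a response.

Added example (not Exabeam code). The event names, the mapping to tactics,
the thresholds and the log lines are all constructed for illustration; only
the ATT&CK tactic IDs are real.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical normalised event type -> (ATT&CK tactic ID, tactic name).
TACTIC_OF = {
    "net_scan": ("TA0007", "Discovery"),
    "token_elevation": ("TA0004", "Privilege Escalation"),
    "remote_service_exec": ("TA0008", "Lateral Movement"),
    "bulk_file_read": ("TA0009", "Collection"),
    "large_outbound": ("TA0010", "Exfiltration"),
    "mass_file_rename": ("TA0040", "Impact"),
}
NAME_OF = dict(TACTIC_OF.values())

# Constructed sample telemetry: one host with a full double-extortion chain,
# one host with a lone admin port scan that should stay quiet.
SAMPLE_LOGS = """\
{"ts": "2021-01-12T02:01:10", "host": "ws-042", "user": "itadmin", "event": "net_scan"}
{"ts": "2021-01-12T02:03:44", "host": "fs-01", "user": "svc_backup", "event": "net_scan"}
{"ts": "2021-01-12T02:09:02", "host": "fs-01", "user": "svc_backup", "event": "token_elevation"}
{"ts": "2021-01-12T02:15:30", "host": "fs-01", "user": "svc_backup", "event": "remote_service_exec", "dst_host": "dc-01"}
{"ts": "2021-01-12T02:31:05", "host": "fs-01", "user": "svc_backup", "event": "bulk_file_read"}
{"ts": "2021-01-12T02:47:18", "host": "fs-01", "user": "svc_backup", "event": "large_outbound", "dst_ip": "203.0.113.45", "bytes": 734003200}
{"ts": "2021-01-12T03:02:51", "host": "fs-01", "user": "svc_backup", "event": "mass_file_rename"}
"""


def parse_events(text):
    """Parse JSON lines into event dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def correlate(events, window=timedelta(hours=2), min_tactics=3):
    """Return one alert per host whose events cover at least `min_tactics`
    distinct tactics inside some `window`-long span. A single IOC-style hit
    never alerts on its own; the sequence of behaviours does."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host[ev["host"]].append(ev)

    alerts = []
    for host, evs in by_host.items():
        best_seen, best_ips = {}, set()
        for i, anchor in enumerate(evs):          # window anchored at each event
            seen, ips = {}, set()                  # tactic -> first event in window
            for ev in evs[i:]:
                if ev["ts"] - anchor["ts"] > window:
                    break
                tactic = TACTIC_OF.get(ev["event"])
                if tactic is None:
                    continue
                seen.setdefault(tactic[0], ev)
                if ev["event"] == "large_outbound" and "dst_ip" in ev:
                    ips.add(ev["dst_ip"])
            if len(seen) > len(best_seen):
                best_seen, best_ips = seen, ips
        if len(best_seen) >= min_tactics:
            alerts.append(build_alert(host, best_seen, best_ips))
    return alerts


def build_alert(host, seen, ips):
    """Turn a tactic chain into an alert carrying the automated actions to take."""
    ordered = sorted(seen, key=lambda t: seen[t]["ts"])
    # Data leaving or encryption starting makes this critical; an earlier-stage
    # chain (recon, escalation, lateral movement) is still worth stopping now.
    critical = bool({"TA0010", "TA0040"} & set(seen))
    actions = []
    if "TA0008" in seen or "TA0040" in seen:
        actions.append(("isolate_host", host))    # contain before it spreads or encrypts further
    for ip in sorted(ips):
        actions.append(("block_ip", ip))          # cut the exfiltration channel
    return {
        "host": host,
        "severity": "critical" if critical else "high",
        "tactics": [(t, NAME_OF[t]) for t in ordered],
        "timeline": [f"{seen[t]['ts'].isoformat()} {t} {NAME_OF[t]} <- {seen[t]['event']}"
                     for t in ordered],
        "actions": actions,
    }


if __name__ == "__main__":
    for alert in correlate(parse_events(SAMPLE_LOGS)):
        print(json.dumps(alert, indent=2))
```

The point of the design is that no single line in the sample log is suspicious on its own: a backup service account scanning the network, elevating a token or reading a lot of files each has an innocent explanation. It is the chain of tactics on one host inside a short window that triggers the alert, and because the alert already names the host to isolate and the destination IP to block, a playbook can act on it without an analyst first having to reconstruct the sequence by hand. In a real deployment the same logic would run continuously over a stream and the actions would be handed to the endpoint and firewall tooling; here they are returned as data so the decision can be checked.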
Visibility is key
The rapid pace of change throughout the IT landscape can unfortunately lead to gaps in visibility between IT and SOC teams that threat actors will try to use to their advantage. For example, a simple security misconfiguration that exists in an IT environment can leave the entire organisation vulnerable to attack, without the SOC team’s knowledge.
The good news is that growing adoption of security analytics technology and solutions is giving security teams the ability to actively discover what is actually in their IT environment. Doing so increases visibility into assets that are behaving suspiciously, or are potentially vulnerable to attack. This improved visibility enables teams to bridge internal gaps and work together to identify the kind of misconfigurations and vulnerabilities that attackers aim to exploit.
There’s never a good time to become the victim of cyber crime, but for businesses already reeling from the impact of the coronavirus pandemic, being hit with ransomware could very well prove fatal. Fortunately, the combination of effective planning and powerful security tools such as automation and analytics can help security teams swing the odds firmly in their favour.
Samantha Humphries is a Senior Security Strategist at Exabeam. Samantha has been happily entrenched in the cybersecurity industry for over 20 years. During this time she has helped hundreds of organisations of all shapes, sizes, and geographies recover and learn from cyberattacks, defined strategy for pioneering security products and technologies, and is a regular speaker at security conferences around the world.
Main image courtesy of iStockPhoto.com