Shawn Kanady, Director of Digital Forensics & Incident Response at SpiderLabs, Trustwave, draws on his first-hand experience of dealing with the fallout from ransomware attacks and discusses what security leaders can do to stay ahead of the curve.
Ransomware has risen to become one of the most notorious and well-recognised cyber attack methods in recent years, particularly in the wake of the infamous WannaCry outbreak.
Despite the global impact of that incident, however, ransomware overall seemed to be on the way out. We saw a sharp drop in incidents after a peak in 2015, and, aside from the spike caused by WannaCry and its cousin NotPetya, that trend continued into 2018, as noted in the 2019 Trustwave Global Security Report.
But now, ransomware seems to have made a powerful comeback, with multiple high-profile attacks striking organisations around the world this year.
Public bodies such as healthcare, education and governmental institutions have emerged as particularly popular marks for this new wave of ransomware, being perceived as both soft targets and more likely to cave in to payment demands.
In August, a particularly ambitious attack paralysed 22 local authorities in Texas. Any criminals expecting an easy mark were left disappointed, however, as all 22 authorities refused to give in to the demand of $2.5m in bitcoin.
So why has ransomware struck back with a vengeance? And why is this attack technique still so effective after all these years?
The evolving threat
While most of the ransomware incidents we observe are more or less the same as they have been for the last few years, an increasing number have incorporated the latest attack tools and techniques to evolve and become more effective.
Attacks targeting third parties, while nothing new, have become more prevalent and effective, with the Texan ransomware incident being just one of many examples of companies being hit through third-party software vendors and other suppliers.
We have also seen a series of cases using a “modular malware” approach. This technique uses a small payload with simple functionality to learn about the system and network it is sitting on before sending information to a command and control system.
From here, the threat actor can deliver another malware module with a high level of precision. This technique is increasingly used for all manner of payloads, such as banking trojans and point-of-sale (POS) malware, but it is a particularly good fit for ransomware, because the payload can be dropped directly onto mission-critical files and systems to cause maximum disruption.
Attackers have also responded to the fact that many companies will now refuse to pay the ransom demand to unlock their systems. While it will inevitably lead to prolonged disruption, organisations can free themselves from the ransomware lockdown by first locating and removing the malware, and then restoring from backups. We have increasingly seen ransomware designed to stymie recovery by specifically targeting volume shadow copies and backups.
Additionally, as well as being used to bully victims into paying a ransom fee, ransomware is also popularly used in conjunction with other attack techniques to execute larger strikes. A ransomware outbreak is by design extremely overt and noticeable, making it an ideal smokescreen to disguise more subtle action such as implanting further malware and establishing backdoors.
Where are organisations failing to defend against ransomware?
While some of the resurgence in ransomware can be attributed to the way attack techniques have evolved, it must also be said that in many cases organisations are still failing to adequately defend their networks.
Patching – which should really be IT Security 101 – is still a widespread problem. Attackers will always seek the path of least resistance, and unpatched systems represent an extremely easy target for breaching the network.
Organisations need to pay close attention to any relevant patching updates that affect their systems and ensure that updates are applied as quickly as possible. Microsoft, for example, puts out a Patch Tuesday announcement once a month, and companies should aim to apply these patches within 30 days, prioritising the most important and at-risk systems. The vulnerability exploited by WannaCry, for example, had been addressed by a patch issued a month earlier.
We often see patch cycles go up to 90 days and beyond – which gives the criminal community plenty of time to develop exploits targeting the latest vulnerabilities. Enterprises with poor patching practices are leaving themselves open to attack.
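The 30-day target and the prioritisation of at-risk systems described above can be turned into a simple compliance check. The following is an added example, not code from the article or from Trustwave; the inventory rows, the patch identifiers (`KB-EXAMPLE-…` placeholders), the criticality tiers and the reference date are all constructed for illustration.

```python
from datetime import date
from typing import Dict, List

SLA_DAYS = 30  # the 30-day patching target recommended in the article

# Constructed inventory of hosts with a missing patch. "tier" is an assumed
# criticality ranking (1 = most critical, e.g. domain controllers and
# internet-facing servers; 3 = ordinary workstations).
MISSING_PATCHES: List[Dict] = [
    {"host": "dc01",   "tier": 1, "patch": "KB-EXAMPLE-001", "released": date(2019, 8, 13)},
    {"host": "fs01",   "tier": 2, "patch": "KB-EXAMPLE-002", "released": date(2019, 9, 10)},
    {"host": "ws-101", "tier": 3, "patch": "KB-EXAMPLE-002", "released": date(2019, 9, 10)},
    {"host": "ws-102", "tier": 3, "patch": "KB-EXAMPLE-003", "released": date(2019, 10, 8)},
    {"host": "web01",  "tier": 1, "patch": "KB-EXAMPLE-003", "released": date(2019, 10, 8)},
]

TODAY = date(2019, 10, 15)  # constructed reference date so the example is reproducible


def patch_age_days(released: date, today: date = TODAY) -> int:
    """Days elapsed since the vendor released the patch."""
    return (today - released).days


def overdue_patches(inventory: List[Dict], today: date = TODAY,
                    sla_days: int = SLA_DAYS) -> List[Dict]:
    """Return the rows that have breached the SLA, most urgent first.

    Ordering is by criticality tier, then by how long the patch has been
    available, so the list reads as a remediation queue.
    """
    overdue = []
    for row in inventory:
        age = patch_age_days(row["released"], today)
        if age > sla_days:
            overdue.append({**row, "age_days": age, "days_over_sla": age - sla_days})
    overdue.sort(key=lambda r: (r["tier"], -r["age_days"]))
    return overdue


def sla_compliance_pct(inventory: List[Dict], today: date = TODAY,
                       sla_days: int = SLA_DAYS) -> float:
    """Percentage of listed hosts whose missing patch is still within the SLA window."""
    within = sum(1 for r in inventory if patch_age_days(r["released"], today) <= sla_days)
    return round(100.0 * within / len(inventory), 1)


if __name__ == "__main__":
    for r in overdue_patches(MISSING_PATCHES):
        print(f"tier {r['tier']}  {r['host']:<7} {r['patch']}  "
              f"{r['age_days']} days old ({r['days_over_sla']} over SLA)")
    print(f"SLA compliance: {sla_compliance_pct(MISSING_PATCHES)}%")
```

Run against a real inventory, the same two functions give a remediation queue ordered by tier and exposure time, and a single compliance figure that can be tracked month to month against the 30-day goal.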
Alongside good patching practice, firms should ensure they make regular backups of all files and keep a copy offline to protect against malware that specifically seeks to disable backups.
Organisations should also be investigating options for detecting ransomware attacks on their systems. A good EDR (Endpoint Detection and Response) solution will identify rogue processes that indicate the early stages of a malware attack. Going a step further, initiating proactive threat hunting will help to discover any existing malware hidden on the system, and vulnerabilities that could be exploited in future attacks.
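Two of the behaviours discussed above, ransomware tampering with volume shadow copies and backups, and an EDR spotting a rogue process early in an attack, can both be expressed as rules over process-creation telemetry. The following is an added example written for this page, not code from the article or from any EDR product. The event records are constructed to resemble Windows process-creation logs (Sysmon event ID 1 style); the field names, the rule names and the severity labels are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed process-creation events. Fields mirror what Sysmon event ID 1
# records, but these are sample rows, not captured telemetry.
SAMPLE_EVENTS: List[Dict] = [
    {"host": "ws-17",    "user": "CORP\\jdoe",   "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\vssadmin.exe", "cmdline": "vssadmin delete shadows /all /quiet"},
    {"host": "srv-fs01", "user": "NT AUTHORITY\\SYSTEM", "parent": "C:\\Windows\\System32\\svchost.exe",
     "image": "C:\\Windows\\System32\\vssadmin.exe", "cmdline": "vssadmin list shadows"},
    {"host": "ws-22",    "user": "CORP\\asmith", "parent": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE",
     "image": "C:\\Windows\\System32\\wbadmin.exe", "cmdline": "wbadmin delete catalog -quiet"},
    {"host": "ws-09",    "user": "CORP\\build",  "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Program Files\\Git\\bin\\git.exe", "cmdline": "git status"},
    {"host": "ws-31",    "user": "CORP\\mlee",   "parent": "C:\\Program Files\\Microsoft Office\\OUTLOOK.EXE",
     "image": "C:\\Windows\\System32\\wbem\\wmic.exe", "cmdline": "wmic shadowcopy delete"},
    {"host": "ws-40",    "user": "CORP\\pchan",  "parent": "C:\\Program Files\\Microsoft Office\\EXCEL.EXE",
     "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c dir"},
]

# Command-line patterns for the backup-destruction behaviour the article describes.
# Listing shadow copies is legitimate admin activity, so only deletion is matched.
BACKUP_TAMPER_RULES = [
    ("shadow_copy_deletion",    re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("shadow_copy_deletion",    re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("backup_catalog_deletion", re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+(?:catalog|systemstatebackup)\b", re.I)),
]

# Office applications rarely have a reason to launch these; when they do it is a
# classic early-stage indicator of a malicious document, the kind of rogue-process
# signal an EDR is expected to raise.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


@dataclass
class Alert:
    host: str
    rule: str
    severity: str
    cmdline: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, tolerant of forward slashes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: Dict) -> List[Alert]:
    """Apply the detection rules to one process-creation event."""
    alerts: List[Alert] = []
    parent = basename(event["parent"])
    image = basename(event["image"])
    office_child = parent in OFFICE_PARENTS

    for rule, pattern in BACKUP_TAMPER_RULES:
        if pattern.search(event["cmdline"]):
            # Backup destruction launched from an Office process is almost
            # certainly malicious, so escalate; otherwise it still needs review.
            severity = "critical" if office_child else "high"
            alerts.append(Alert(event["host"], rule, severity, event["cmdline"]))
            break

    if office_child and image in SCRIPT_HOSTS:
        alerts.append(Alert(event["host"], "office_spawned_script_host", "medium", event["cmdline"]))
    return alerts


def scan(events: List[Dict]) -> List[Alert]:
    """Run every event through the rules and collect the alerts in order."""
    return [alert for event in events for alert in evaluate(event)]


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.severity:<8}] {a.host:<9} {a.rule:<28} {a.cmdline}")
```

On the sample rows the legitimate `vssadmin list shadows` run by SYSTEM and the `git status` call produce nothing, while the three backup-deletion commands and the Excel-spawned shell each raise an alert. In production the same rules would sit in the EDR or SIEM rule set and, because the shadow-copy deletion typically precedes encryption, an alert on it is one of the last chances to isolate a host before data is lost.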
Should firms ever pay up?
The obvious answer is no. Giving in to demands will reward the attackers and enable them to embark on further campaigns. However, the situation is often not so black and white.
When a hospital has its systems locked down, for example, disruptions to vital operations and emergency care will quickly put human lives at risk. While other sectors will rarely see mortal danger from a ransomware infection, they may still feel justified in paying if the resulting paralysis is likely to decimate their profits or even bankrupt the company.
Ransom demands aside, each ransomware case can have unique operational impacts on the organisation, so we recommend that firms assess their risk management strategies to ensure they have the right incident response plans in place in advance.
Looking to the future, the latest resurgence in ransomware attacks is likely to continue as criminals utilise new tools and techniques – particularly against vulnerable targets such as hospitals. Meanwhile, as long as so many enterprises continue to make obvious security mistakes, ransomware will continue to be a cost-effective money-spinner for criminals.
Basic best practices, such as patching, two-factor authentication and so on, will significantly reduce the threat of a ransomware outbreak, while more advanced activity such as threat hunting will prevent more sophisticated attacks. Taking these steps will greatly reduce an organisation’s chances of ever having to decide whether or not to pay up.