
THE EVOLUTION OF RANSOMWARE

RANSOMWARE TRENDS AND PREDICTIONS FOR 2022.

Ransomware might be nothing new, as it dates back to the 1980s. However, the techniques and tactics used by the criminal groups behind it have reached a new level of sophistication, causing widespread business disruption. Last year we saw high-profile ransomware attacks, including those on Colonial Pipeline, Kia Motors, and JBS, causing billions of dollars in costs.


The recently published Sophos 2022 Threat Report highlights the evolution of ransomware as attacks become more service-based and targeted, and the attackers turn to additional extortion methods, such as stealing data and threatening to publish or sell it or making aggressive calls to employees, to put pressure on victims to pay.

“According to Sophos researchers, over the coming year a greater proportion of ransomware attacks will be based on ransomware-as-a-service (RaaS) offerings, with specialist ransomware developers focused on creating and then leasing their malicious code and infrastructure to third-party affiliates,” says Harish Chib, vice president, Middle East & Africa, Sophos.

What this means for business IT security teams, among other things, is that ransomware attacks are increasingly within range of cybercriminals regardless of their skill levels, as they can just rent or buy what they need, he adds.

From January to November 2021, nearly every second security incident handled by Kaspersky was connected to ransomware, says Maher Yamout, Senior Security Researcher at Kaspersky. The most common targets were in the government and industrial sectors. Even the healthcare industry was not spared and was fending off ransomware attacks, as cybercriminals attacked systems to gather patients’ personal data, contracts, and financial documents. Moreover, since ransomware gangs are always looking for new ways to refine their techniques for more impact and disruption, an underground ecosystem built to support their efforts was discovered.

Nicolai Solling, CTO of Help AG, says ransomware attacks have been on the rise and this trend will continue in 2022, largely thanks to their high rates of success, which can be attributed to their relative simplicity and their significant, immediate impact on an affected business, as well as the fact that many organisations still end up paying the ransom, thus encouraging the threat actors to continue utilising this attack method.

Firas Ghanem, Regional Director - Middle East & Pakistan at ThreatQuotient, says what is needed is a deeper understanding of adversaries and their tactics, techniques and procedures (TTPs), so you can determine what is relevant to your organisation and how to mitigate risk. A threat intelligence program is an essential component of any organisation’s quest to overcome threats as they evolve and emerge.

“A threat intelligence program is a cornerstone to security operations as it provides better intelligence across the threat spectrum from known to unknown attacks and the ability to leverage this intelligence for all the systems and analysts who need it. This intelligence must comprise internal data, events, and telemetry, supplemented with external data from a diversity of sources including commercial vendors, open sources, ISACs, CERTs, government cyber organizations and other sharing communities,” he adds.

David Brown, Security Operations Director at Axon Technologies, says an effective ransomware strategy comes down to situational awareness, with attack surface management as the critical component. A lack of understanding of an organisation’s attack surface leads to poor cyber hygiene, which provides the initial access that most ransomware attacks rely on.

“Understanding the attack surface allows for building layered reactive and proactive defenses combined with segmentation and recovery services. Any ransomware resilient security strategy will be incomplete until an organization has a solid attack surface management program in place,” he says.

Steps to mitigate ransomware

In the wake of widespread ransomware attacks, there are some best practices that CISOs should follow to address such threats.

“It’s important to stop sophisticated and zero-day attacks during the vulnerability exploitation stage,” says Rahil Ghaffar, Regional Director, MEA, Virsec. “These attacks appear very benign at earlier stages of the cyber kill chain and are hard to detect. Relying solely on signature-based detection can lead to missing a lot of zero-day attacks. Behaviour-based analysis of sophisticated attacks could lead to a lot of false positives and false negatives. While multiple layers of defence are good and essential, it’s important to have the strongest detection and protection mechanism closest to the application itself, and during runtime, with application awareness for deterministic protection.”

According to Werno Gevers, cybersecurity expert at Mimecast, there is no single solution for ransomware. The problem is complex, and attacks can start in many different ways. The most effective ransomware protection is a multi-layered approach to security and a cyber resilience strategy that includes security awareness training for users, educating them about the types of phishing email they may encounter that could lead to a ransomware attack. Minimising human error is perhaps the most effective form of ransomware prevention.

Is cyber insurance vital in the fight against ransomware?

Even if an organisation implements the appropriate security measures, it can never guarantee that a ransomware attack will not happen. This is where cyber insurance comes into the picture, helping organisations prevent financial and legal losses incurred as a result of a cyberattack, as well as minimise business disruption after an attack.

“Some have raised concerns that cyber insurance inadvertently creates an incentive for more ransomware attacks, due to insurance companies paying ransoms to attackers. As a result, we will see cyber insurance becoming more expensive and exclusive, as attacks grow more rampant and ransom amounts increase,” says Solling.

Gregg Petersen, Regional Director - MEA at Cohesity, says more and more companies are quickly recognising the need for insurance coverage that can be utilised if they are victimised by ransomware attacks. But it looks like those who purchased that coverage early may be in a very enviable position. Many insurers are now automatically increasing cyber insurance premiums by upwards of 15% depending on their customers’ industry of operation, and others have announced that their cyber insurance covering ransomware will no longer be sold.

“One solution is for insurers to mandate next-gen data management technologies that give them a greater level of confidence that the insurance policy isn’t an organisation’s only plan or defence strategy in the event of a cyberattack. It’s a similar approach to an insurer charging a lower premium for car insurance if a vehicle is housed in a garage and has a tracker installed. For example, insurance providers could mandate that businesses utilise data management solutions that include AI/ML technology, which can help businesses detect behavioural anomalies in near real-time that could indicate an attack is in progress,” he sums up.

THE EXPERTS SPEAK

Ransomware will no doubt increase in volume and in value and become more sophisticated in 2022. Ransomware-as-a-service (RaaS) — a subscription that allows bad actors to use ransomware tools already developed — will bring even more criminal “non tech-savvy” affiliate groups to the lucrative ransomware business, expanding it to unprecedented levels. Going forward, ransomware attacks will consistently aim for double extortion opportunities with (a) data encryption and (b) data exfiltration. So even if criminal groups can’t execute their “data encryption” ransomware successfully, they will be able to find alternative ways to gain access to the data in order to monetise their efforts.

Giuseppe Brizio, EMEA CISO, Qualys

There is too much focus on the ransomware executable, or how to recover once an organisation’s servers and data are already encrypted. That’s like fighting terrorism by focusing only on the explosive device or waiting to hear the “boom” to know where to focus resources. Traditional cybersecurity tools and next-gen endpoint solutions are inadequate in protecting against ransomware because they rely on recognising previously identified attacks and indicators of compromise. Organisations need cybersecurity with comprehensive visibility across the environment, and the ability to analyse indicators of behaviour in addition to indicators of compromise.

Sam Curry, chief security officer, Cybereason

CISOs should use tape backup as part of their ransomware strategy because it is almost immune to ransomware. It is a truly air-gapped technology, and the only way attackers can get to it is by compromising its physical security. Of course, not all data needs to be backed up to tape; the organisation should only use tape backup for the most sensitive data. Organisations should back up their most sensitive and critical data in several places, including in the cloud, on disks, and on tape.

Manikandan Thangaraj, Vice President at ManageEngine

Historically, many organisations will have used enterprise tape backup systems to ensure that backups of critical systems are maintained offline and offsite, and this approach still offers good protection against the ransomware attacks of today. However, with the majority of organisations now making more and more use of public cloud, it is critical to design a cloud backup strategy that takes advantage of the flexibility that cloud offers, but also mitigates some of the risks that could be introduced.

Ammar Enaya, regional director – METNA, Vectra AI

Organisations should expect ransomware to become personalised and increasingly involve different types of assets, like IoT, as well as company insiders. Targeted disclosure of exfiltrated information may be perpetrated to specific buyers. We may even start to see more flexible terms of payment, as opposed to lump sum payouts. With instalment plans, ransomware operators will decrypt victim assets over time, based on agreed-upon payout terms. This will be especially true due to the volatility in the cyber insurance market and reduced scope for financial coverage.

Morey Haber, chief security officer, BeyondTrust

The evolution in ransomware strategies is that today, ransomware is no longer just about encrypting files but also stealing the data, making it a multifunctional weapon. If a company has a solid backup to restore systems, then the criminal gang can threaten to disclose damaging data that could directly impact the stock price, brand, employees and potential customers.

Joseph Carson, Chief Security Scientist & Advisory CISO, ThycoticCentrify

To prevent data exfiltration and encryption, you must protect the top attack vector for data breaches – your web applications. To implement an effective ransomware protection strategy, therefore, you need to secure your applications, protect access to your applications, and prevent lateral movement on the network.

Toni El Inati - RVP Sales, META & CEE, Barracuda Networks

In 2021, we observed a resurgence of enterprise ransomware with a shift towards larger organisations. By attacking enterprises with a larger reach, threat actors are looking to increase their financial gains without increasing effort. This approach of “compromise-one-compromise-many” is resulting in the rise of ransomware attacks on supply chains and third parties.

Saket Modi, Co-founder & CEO, Safe Security
