Ransomware attacks have continued to evolve into one of the most significant risks for every organisation. In fact, 37% of organisations said they had been the victim of a ransomware attack in 2021.
So, how did we get here and how is ransomware continuing to evolve today? We answer these questions and explain how you can make your business more resilient to ransomware attacks.
An overnight cybercrime opportunity
In March 2020 as the first COVID-19 lockdown loomed, 80,000 suspicious domains were registered in just one month. The cybercrime community had spotted its opportunity.
Almost overnight, organisations had to shift from working in the office to remotely at home. When networks were adapted in a hurry, speed often came before security, and vulnerabilities soon followed.
Threat actors were waiting to take advantage and the business world saw a huge rise in ransomware attacks.
Most cybercriminals have one motive—to make money. They avoid national infrastructure and high-profile activity. Instead, they find easier ways to achieve their goal while avoiding nation-states’ attention. This includes mid-level organisations with exploitable weaknesses, which means low effort for significant financial gain.
Reacting to the growth in cyber-activity, the USA quickly made ransom payments illegal. This, it believed, prevented organisations from fueling the crime. Meanwhile, the UK also urged businesses not to pay. But ransomware models quickly evolved, always looking to achieve maximum revenue from their efforts.
From ransom to double extortion
Initially, attackers asked businesses for a ransom payment to give their data back. They encrypted the data, only releasing it when a ransom was paid.
Having a backup was one workaround. But when organisations stopped paying, attackers often ramped up the risk with 'pay us or we’ll leak your data' threats.
Given the shift to publicly releasing data, threat actors focused on extracting sensitive information such as employee details or internal commercial discussions, information you would not want to be exposed. The risk of not paying simply became greater.
There have also been reports of triple extortion with attackers threatening to directly contact customers and shareholders.
The creation of ransomware-as-a-service (RaaS)
With opportunities everywhere, ransomware has quickly become a 'business' in its own right. Access brokers formed to spot weaknesses they could sell to attacking groups. Zero-day vulnerabilities (bugs in software or hardware for which no patch is yet available) are often the ideal starting point.
Reacting at speed, an access broker identifies a weakness and establishes access to an organisation's network. They then sell this access to a service operator. Taking weeks, sometimes months, to investigate and shape their attack, the service operator will extract the data they want and assess the organisation's financial status to establish a ransom figure.
That is the situation for skilled attackers. But the dark web now fuels many unskilled cyber criminals—all to raise cash.
Anyone can purchase a RaaS kit on the dark web. This user-friendly bundle includes everything you need to carry out a profitable ransom attack, even customer service support. As a result, you do not have to be technically competent to be a threat actor because there is always someone available to complete the attack for you.
Affiliate networks have also been developed. Membership provides you with attack opportunities, taking a percentage of your profit in return.
Wider reach for Managed Service Providers (MSPs)
Many cyber-attackers continue to evolve and get more creative by moving to target Managed Service Providers (MSPs) such as subscription software services and remote technical support.
Once inside an MSP, they have access to the full customer base. It is a one-to-many approach, and they can assess and prioritise customers to determine their most lucrative opportunities.
This attack route was probably inspired by the Kaseya VSA supply chain attack, which compromised around 50 MSPs and 2,000 of their customers. We can expect to see many more examples of this unfold over the next 12 months.
What happens next with ransomware?
Nobody can be certain how ransomware attacks will evolve going forward, but we can be certain they will. Never again will ransomware claim sporadic news headlines—attacks are happening daily.
Due to our interconnected culture, the risk of cybercrime is now endemic and the motive to make money this way remains desirable to many.
Whilst high-profile groups have been broken up, others continue to quickly form. Groups simply adapt over time in response to market circumstances. We must learn to live with the risk.
So, what could happen next? One approach might be for attackers to focus more on exploiting user errors as technology steps up to help businesses become more cyber resilient. Should nation-states change their response to mid-level organisational cybercrime, ransomware activity could spread elsewhere.
Whatever happens, sophisticated attack groups will always find a way in. Therefore, building resilience and the ability to respond quickly are now paramount for every single business in order to protect from ransomware attacks.
Quality engineering for ransomware resilience
First, what do we mean by resilience? Whilst you ideally want to prevent all cyber-attacks, you are never 100 per cent safe. By having the ability to cope with an attack and resume operations quickly, you will run a far more resilient business.
This is not just an IT problem, either. This is a business-wide issue that risks your profitability, reputation, and future existence.
How to prevent ransomware
The following steps are crucial to building a more resilient business.
Secure passwords
Most cyber-attacks use passwords in some way. The drive for multi-factor authentication (MFA) helps to shore up this access point, but there is more to secure.
Enforce robust password practices across your organisation. That includes not using personal passwords for business purposes. In fact, never reuse any password.
Educate your staff about password format and storage, and never share passwords.
Software configuration
The ease with which ransomware gangs move laterally across IT networks is often facilitated by misconfigurations in group policy. Your resilience to ransomware can therefore be greatly improved by some simple tweaks to your group policy.
In addition, many security products (such as anti-virus software) and internet-facing apps are not configured correctly. Whilst this does not impact your daily operations, it does leave many doors open for cyber-attackers to enter your network.
Take time to perfect your configuration and minimise this access risk.
Rapid patching
It is vital to update your network software with fixes as they are released. Some organisations prefer to test patches before fully installing them, but every delay increases your risk. Enable your IT team to complete the update as quickly as possible.
Have strict protocols about installing new software too. Restrict permissions and functionality to what you need right now because you can always expand the installation later.
Asset management
You can only protect the IT assets that you know about. You should therefore ensure that you have a comprehensive asset register and understand what services are running on each network host, which assets/services are exposed to the internet and what risks are relevant to those exposures.
Segment your network
With strict identity and access management, you must carefully control account permissions. This limits the spread of an attack throughout your network.
Keep operational and enterprise networks separate. Avoid a user having access to everything and ensure you use different passwords for different parts of your business. Also, frequently review your permissions and access levels. It is too easy to miss something when an employee leaves or changes role.
Remote Desktop Protocol (RDP) is a particular concern. Reduce your attack surface by controlling which servers have RDP enabled. Do all your servers need it? Perhaps you directly access some, whilst others do not rely on a continual internet connection.
Whenever possible, use low-privilege accounts for remote access sessions, and disable access when it is not required. This restricts what a hacker could infiltrate if they got into your system this way.
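One way to put the RDP advice above into practice is to audit which servers actually have Remote Desktop switched on and who is allowed to use it. The script below is an added example, not code from the LRQA article; it assumes PowerShell Remoting is enabled and that the caller has administrator rights on the target servers, and the server names are constructed sample values.

```powershell
# Added example (not from the LRQA article): inventory which servers have RDP enabled
# and who may use it, so that unnecessary RDP exposure can be switched off.
# Assumes WinRM/PowerShell Remoting is enabled and the caller is an admin on the targets.

# Constructed sample inventory; replace with an export from your asset register.
$Servers = @('FILESRV01', 'APPSRV02', 'DBSRV03')

$RdpAudit = Invoke-Command -ComputerName $Servers -ErrorAction SilentlyContinue -ScriptBlock {
    $tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    # fDenyTSConnections = 0 means Remote Desktop connections are allowed, 1 means denied.
    $deny    = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections
    $enabled = ($deny -eq 0)

    # Is anything actually listening on the default RDP port right now?
    $listening = [bool](Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue)

    # Members of the local "Remote Desktop Users" group may log on over RDP
    # (local Administrators can always connect as well, so review that group separately).
    $members = (Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue).Name

    [pscustomobject]@{
        Server     = $env:COMPUTERNAME
        RdpEnabled = $enabled
        Listening  = $listening
        RdpUsers   = ($members -join '; ')
    }
}

# Hosts that did not answer still belong in the asset register: they are unknowns, not safe.
$Unreached = $Servers | Where-Object { $_ -notin $RdpAudit.PSComputerName }

$RdpAudit | Sort-Object RdpEnabled -Descending |
    Format-Table Server, RdpEnabled, Listening, RdpUsers -AutoSize
if ($Unreached) { Write-Warning "No response from: $($Unreached -join ', ')" }

# Where RDP is enabled but not needed, turn it off on that host (run locally or via Invoke-Command):
# Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections -Value 1
# Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
```

Run this on a schedule and compare the output with the previous run; a server that newly shows RdpEnabled = True, or a new name in RdpUsers, is worth a question before it becomes a route in.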
Backup and archive
Having a clean backup to help you recover is important. But sophisticated attackers know this and will often encrypt your connected backup first.
For this reason, you must also have an archive that is not connected to your network. Such precautions will not protect you in the event of double extortion, but they will help to get your business trading again.
Ransomware resilience assessment
To support our clients in the ever-changing landscape, as ransomware risks continue to grow and evolve, LRQA offers a ransomware resilience assessment service. By taking you through seven key steps, we help you understand how to build your resilience and prepare for an attack, should it occur.
Our cybersecurity specialists conduct in-depth assessments of your business. They are leaders in the field and have dealt with complex cyber investigations and numerous ransomware attacks.
Using the latest technology and deep insight, our highly trained people can strengthen your organisation, so it can defend against a cyber-attack. Your financial resources, future reputation, and operations depend on maintaining defensive resilience to damaging cyber activity.
If you have fallen victim to a ransomware attack, LRQA can support your organisation with recovery activities or mitigation against further occurrences through our cyber incident response service.