Hunter’s Lens: Ransomware 2.0: Beyond Encryption to Extortion


In the past few years, one cybersecurity evolution has stood out to me as a particularly concerning development: the growing ferocity and effectiveness of ransomware, which I’ve referred to as ‘Ransomware 2.0’. Ransomware is malicious software that forces individuals or organizations to pay to regain access to their computers or data. It works by encrypting data or otherwise making it inaccessible so that the user is locked out of their own system. In the past, ransomware would simply encrypt data and demand a ransom from a locked machine, and many of those early families were relatively easy to bypass. Since then, however, the tactics and techniques of ransomware have branched out to become far more devastating and difficult to defend against.

The Evolution of Ransomware

The Early Days: Simple Encryption

Although the underlying concept of ransomware is interesting, its early history follows a straightforward path involving little more than basic encryption. Ransomware attacks usually work like this: malicious software encrypts a victim’s files until the victim pays a ransom (often in cryptocurrency, such as Bitcoin) in exchange for the key that decrypts the data. Some of the earliest high-profile examples were the CryptoLocker and CryptoWall families. While these attacks could be disruptive, the actual damage they caused was typically limited to the loss of data and the cost of decryption or recovery.

The Shift to Sophistication

With the rise of anti-virus, firewall, and honeypot technologies, attackers had to level up, too. New iterations employed stronger encryption schemes and new distribution vectors, such as phishing email attachments or ‘exploit kits’: web-based toolkits hosted on short-lived sites that push the malware onto the machines of victims who visit them. Later, a new ransomware type known as ‘RDP ransomware’ surfaced, taking advantage of weaknesses in remote desktop access solutions. Each of these evolutions made ransomware more resilient and harder to defend against.

Ransomware 2.0: The Age of Extortion

Data Exfiltration and Double Extortion

Ransomware 2.0 has fundamentally shifted the threat equation. With many modern attacks, it is no longer accurate to describe the threat as simply ‘ransomware’. Such attacks frequently combine encryption with exfiltration: a cybercriminal gains access to your systems, steals your company’s data, and threatens to publish it unless you pay a large ransom. In this practice, known as double extortion, victims fear not only the data breach itself but also the resulting loss of business and institutional reputation.

Triple Extortion: Adding Pressure Points

The process continues with the rise of a new form – triple extortion – in which threat actors target not only the primary victim but also that organization’s customers, partners, and other stakeholders, threatening to expose sensitive data to third parties in order to increase the pressure on the primary target to pay. Extortion on several fronts at once raises the potential impact and makes the response considerably more complex.

Targeting Critical Infrastructure

Ransomware 2.0 has also spawned a worrying wave of attacks on critical infrastructure. Attackers have recognized that when a service is essential, disrupting it hurts everyone who relies on it, and the urgency of restoring normal operations makes such victims more likely to pay high ransoms. Attacks such as the ransomware that shut down the Colonial Pipeline and the one that struck the Irish Health Service Executive make clear how much damage ransomware can do to critical infrastructure.

The Anatomy of a Ransomware 2.0 Attack

Initial Access

Ransomware 2.0 attacks usually start with a foothold using phishing emails, unpatched or exploited web applications, or internet-exposed services, and then use lateral movement and privilege escalation to hunt for valuable data sets and systems to encrypt and exfiltrate.

Data Exfiltration

Unlike most criminal hacks, the attackers’ final payload is not the ransomware itself. After breaking into the network, they may remain undetected for weeks or months, stealing data. They copy as much financial information, intellectual property, social security numbers, and other corporate or personal material as possible to servers under their control, so that the data is already in hand when the extortion begins.
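Exfiltration of this kind is visible in network telemetry as a host sending far more data to external destinations than it normally does. The following is an added detection example, not code from the original post or from ThreatMon: it parses constructed flow records (dates, RFC 1918 source addresses, made-up external destinations and byte counts), sums each host’s outbound bytes to non-internal destinations per day, and flags any day whose volume is at least ten times the host’s median for earlier days and above an absolute floor. The internal ranges, thresholds and sample data are all assumptions chosen for illustration.

```python
import statistics
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: RFC 1918 space is "inside"; anything else counts as an external destination.
INTERNAL_NETS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]

# Constructed flow records (not from any real capture): "<date> <src> <dst> <bytes>".
# 10.0.5.21 moves ~1.3 MB/day externally, then ~106 MB on 2024-09-04 (a staging spike).
# 10.0.7.3 moves a steady ~5 MB/day. The 50 MB internal transfer should be ignored.
SAMPLE_FLOWS = """\
2024-09-01 10.0.5.21 203.0.113.8 1200000
2024-09-01 10.0.5.21 10.0.1.10 50000000
2024-09-02 10.0.5.21 203.0.113.8 1500000
2024-09-03 10.0.5.21 198.51.100.4 1300000
2024-09-04 10.0.5.21 198.51.100.77 61000000
2024-09-04 10.0.5.21 198.51.100.77 45000000
2024-09-01 10.0.7.3 203.0.113.9 5000000
2024-09-02 10.0.7.3 203.0.113.9 5200000
2024-09-03 10.0.7.3 203.0.113.9 4900000
2024-09-04 10.0.7.3 203.0.113.9 5100000
"""


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def daily_external_bytes(flow_text: str) -> dict:
    """Sum outbound bytes per source host per day, counting only external destinations."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        day, src, dst, nbytes = line.split()
        if is_internal(dst):  # host-to-host traffic inside the network is not exfiltration
            continue
        totals[src][day] += int(nbytes)
    return totals


def find_exfil_spikes(flow_text: str, ratio: float = 10.0,
                      min_bytes: int = 50_000_000, min_baseline_days: int = 2) -> list:
    """Return (host, day, bytes, baseline) for each day whose external volume is at least
    `ratio` times the host's median over earlier days and at least `min_bytes`.

    The per-host baseline keeps a chatty-but-normal host (10.0.7.3) from alerting, while the
    absolute floor keeps tiny hosts from alerting on trivial increases."""
    alerts = []
    for host, by_day in daily_external_bytes(flow_text).items():
        days = sorted(by_day)
        for i, day in enumerate(days):
            prior = [by_day[d] for d in days[:i]]
            if len(prior) < min_baseline_days:
                continue  # not enough history to judge this host yet
            baseline = statistics.median(prior)
            today = by_day[day]
            if today >= min_bytes and today >= ratio * baseline:
                alerts.append((host, day, today, baseline))
    return alerts


if __name__ == "__main__":
    for host, day, volume, baseline in find_exfil_spikes(SAMPLE_FLOWS):
        print(f"ALERT {host} on {day}: {volume} bytes external (baseline {baseline})")
```

In production the same logic would read flow or proxy logs rather than an inline string, and the baseline window would be longer; the point is that exfiltration is usually a volume anomaly relative to the host’s own history, not relative to the network as a whole.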

Encryption and Ransom Demand

Once the files have been extracted, the ransomware is deployed, and so-called ‘encryption agents’ start scanning for files, processing them, and halting the operation of systems. The victim then receives a ransom note that states the amount of the ransom, explains the means of payment and the terms it entails, and often includes hard evidence of exfiltration, such as screenshots or sample files to indicate what the attackers can do if one chooses to refuse payment.

Extortion and Negotiation

If the victim does not meet their initial ransom demand, attackers might amplify their threats, saying they will release or sell the stolen data, sometimes contacting customers, partners or regulators themselves to put pressure on the victim to pay. Negotiations can drag on for days or, in some instances, months. Some victims hire professional negotiators or cybersecurity firms to handle negotiations for them.

The Impact of Ransomware 2.0

Financial Costs

The financial stakes of Ransomware 2.0 are enormous. Ransom demands can run into the millions, and remediation costs, legal fees, and regulatory fines often end up higher than the ransom itself. Loss of business and reputational damage add further expense.

Operational Disruption

Operations can come to a standstill as a consequence of a ransomware attack. Mission-critical services may become unavailable, crippling business as usual, and recovery can take days, weeks, or even months.

Reputational Damage

It’s not difficult to imagine the reputational damage an organization faces once a ransomware attack has been widely publicized and sensitive data from years of operations has been exposed. Loss of customer trust, a diminished standing with partners and other key stakeholders, regulatory scrutiny of its business practices, and negative media coverage all keep the fire burning long after the incident itself.

Defending Against Ransomware 2.0

Proactive Measures

For Ransomware 2.0, organizations will need to ‘think security first’ through regular vulnerability assessments and patching, robust access controls, employee training, and awareness programs to lower the risk of phishing and other social-engineering-based attacks.

Incident Response Planning

A well-designed incident response plan can minimize the impact of ransomware. The plan should define roles and responsibilities: who detects and contains a ransomware incident in the first instance, how to respond when an attack is detected, when it should be reported to senior management, law enforcement, or other parties, how resources are committed and allocated, and more. The best preparation is to regularly ‘drill’ and rehearse your response playbook through simulations.

Backup and Recovery

The third key aspect is something that any organization can and should have in place to help reduce the harm caused by ransomware: comprehensive, frequently tested backups of critical data stored in escrow and offline so that they can’t be corrupted during a compromise. A robust backup and recovery plan can allow an organization to restore much more quickly and minimize downtime.
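“Frequently tested” is the operative phrase: a backup that has never been verified may already be encrypted or corrupted by the time it is needed. The following is an added example, not code from the original post or from ThreatMon, showing one way a restore test can prove a backup set is intact. It records a SHA-256 manifest when the backup is written and later re-checks every file for presence and hash, and for text-like files (a constructed whitelist of extensions) it also flags contents whose Shannon entropy looks like ciphertext rather than plaintext, which catches files that were encrypted by ransomware before the snapshot was taken. The file names, contents and thresholds are constructed for the demonstration.

```python
import hashlib
import math
import os
import tempfile


def sha256_file(path: str, chunk: int = 1 << 16) -> str:
    """Stream a file through SHA-256 so large backup files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: English text sits around 4-5, encrypted or compressed data near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def build_manifest(root: str) -> dict:
    """Record hash and size of every file under the backup root, keyed by relative path."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            manifest[rel] = {"sha256": sha256_file(full), "size": os.path.getsize(full)}
    return manifest


# Assumption: only these extensions are expected to hold low-entropy plaintext.
# Archives, images and databases are legitimately high-entropy and are not checked this way.
TEXT_LIKE = (".txt", ".csv", ".sql", ".log", ".json")


def verify_backup(root: str, manifest: dict, entropy_threshold: float = 7.5) -> list:
    """Return (relative_path, problem) findings; an empty list means the set verified clean."""
    findings = []
    for rel in sorted(manifest):
        full = os.path.join(root, rel)
        if not os.path.exists(full):
            findings.append((rel, "missing"))
            continue
        if sha256_file(full) != manifest[rel]["sha256"]:
            findings.append((rel, "hash_mismatch"))
        if rel.endswith(TEXT_LIKE):
            with open(full, "rb") as f:
                data = f.read()
            if shannon_entropy(data) > entropy_threshold:
                findings.append((rel, "high_entropy"))
    return findings


def demo() -> dict:
    """Write a constructed backup set, verify it, then simulate damage and verify again."""
    with tempfile.TemporaryDirectory() as root:
        files = {
            "employees.txt": b"id,name,department\n1,Alice,Finance\n2,Bob,Engineering\n" * 40,
            "ledger.csv": b"date,account,amount\n2024-09-01,4000,125.00\n" * 60,
            "readme.txt": b"Quarterly backup set. Restore procedure: see runbook section 3.\n" * 20,
        }
        for name, content in files.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(content)
        manifest = build_manifest(root)
        clean = verify_backup(root, manifest)

        # Simulated compromise: one file deleted, one overwritten with random bytes,
        # which is what a ransomware-encrypted copy looks like to this check.
        os.remove(os.path.join(root, "employees.txt"))
        with open(os.path.join(root, "ledger.csv"), "wb") as f:
            f.write(os.urandom(16384))
        damaged = verify_backup(root, manifest)
        return {"clean": clean, "after_tamper": damaged}


if __name__ == "__main__":
    for phase, result in demo().items():
        print(phase, result if result else "OK")
```

The manifest only proves something if it is stored separately from the backup it describes, ideally signed or kept on the same offline media rotation; a manifest that sits next to the data can be regenerated by whoever altered the data.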

Collaboration and Intelligence Sharing

In addition to maintaining current technology, cybersecurity teams can contribute to the fight against emergent ransomware attacks by sharing their intelligence with others. Contributing to and leveraging information-sharing networks to help defend others, and vice versa, can foster collective defense strategies against malicious online activities and improve overall resilience. Organizations can also share intelligence and best practices with industry peers, government agencies, and cyber specialist teams.

Ransomware 2.0: A New Bar for the Cyber Threat Environment

Ransomware 2.0 is a significant mutation of the threat: the extortion of an organization is now compounded with the encryption of its key assets. While organizations of all sizes and in all sectors have many ways to defend themselves, nothing replaces proactive security, careful incident response planning, and robust backup and recovery. Ransomware 2.0 is the first stop on a journey whose destination is unknown, and organizations need to draw on the growing understanding of these threats and the full range of available defenses to withstand its inevitable further development. Armed with this knowledge, organizations can shape the outcome rather than merely absorb the consequences.

Although the stakes are as high as ever, collective organizational effort, combined with the right practices, ensures organizations can gain the upper hand against ransomware attackers.

How ThreatMon Protects Your Company from Ransomware Attacks

ThreatMon is an advanced cyber threat intelligence solution that actively and automatically monitors ransomware attacks. It does this by scanning networks to observe and select the most significant threats and sending alerts to users immediately. This helps businesses put in place a proactive mechanism for defending against ransomware, which in turn lowers the negative impact of such attacks. ThreatMon’s fully automated monitoring capability also ensures that potential threats are detected and that no data that could cause a disruption is lost. With ThreatMon integrations, get ransomware IOCs in real time that can be used to improve your defenses. Register for free.
