One thing is clear: no one is safe from ransomware attacks. What is changing, however, are attack modes as threat actors adjust their methods based on evolving mitigation methods being employed.
For several years, ransomware has been viewed as a type of malware that locks or encrypts systems or data and demands a ransom payment to restore access. Ransomware exploits an organization’s dependence on technology to force it into paying the ransom. With the rise in ransomware attacks, which saw a 229% increase in reported attacks from 2017 to 2018, a number of effective mitigation strategies have emerged, making this traditional form of ransomware less profitable for threat actors.
As a result, new forms of ransomware have started to emerge. Viewed through the traditional CIA Triad, these attacks hit:
- Confidentiality of data, which includes loss of personal information like credit card details, usernames and passwords, or loss of corporate intellectual property
- Availability of data, in which hackers demand money to restore access to the targeted systems and data
- Integrity of data, in which hackers access and change data such as patient health records.
In the more common of these new attacks, instead of targeting availability, victims are threatened with loss of confidentiality unless the ransom is paid. The most high-profile current example is Maze ransomware, which not only encrypts a victim’s data — as happens with all Windows ransomware — but also exfiltrates it before the encryption process begins, so that the attackers can use it to pressure the victim into paying whatever ransom has been demanded. Another example currently being seen is Clops, where the stolen data is posted to the CL0PS site.
What does this mean? That security professionals cannot afford to neglect Integrity Ransomware attacks as they appear to be trending upwards.
In assessing threat risks, security analysts generally try to determine whether they are vulnerable to the threat, a likely target of the threat, and what damage could occur if the threat resulted in a successful attack. All three legs of the CIA Triad should be examined when performing this analysis.
Executives typically focus on preventing loss of confidentiality since these breaches typically result in fines, brand damage, loss of customer confidence due to identity theft, high remediation and credit card replacement costs, and public embarrassment.
Accordingly, some basic precautionary measures to take include:
- Make backups on a regular basis and retain them for more than a single day. Newer ransomware groups have dwell times on your network of days or weeks before they encrypt your data, so you need restore points that predate the intrusion. Keep the backup on a separate device and, if possible, also store it offline.
- Have a business continuity plan and test it. This plan should include who you will call on for assistance in remediation and incident response.
- Proactively decide what data to collect if you choose to remediate instead of paying the ransom. Evaluate, with both legal and technical personnel, the pros and cons of paying the ransom now that an attack also affects confidentiality.
The implications for the user, organization or security professional are numerous. With this in mind, recognize that attacks are not static – they change in reaction to our mitigation strategies so that they can remain profitable to the attacker. If this means that the attack shifts to affect a different part of the triad or adds additional legs of the triad, it will. Defense, mitigation, and recovery strategies for every type of attack need to consider how that attack could affect each leg of the triad.
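As an added illustration of the backup advice above (this is example code, not from the article or from TEAMARES), the following Python check flags backup sets that retain only a few days, live on a single device, or have no offline copy, so that a clean restore point still exists after a multi-week dwell time. The inventory format, the 30-day dwell assumption and the sample inventories are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Snapshot:
    taken: date      # date the backup was made
    device: str      # device or media that holds it
    offline: bool    # True if kept disconnected from the network


def backup_gaps(snaps, today, dwell_days=30, max_age_days=1):
    """Return the gap codes found in a backup set (empty list = no gaps):
    no_backups, retention_too_short, stale, single_device, no_offline_copy."""
    if not snaps:
        return ["no_backups"]
    findings = []
    oldest = min(s.taken for s in snaps)
    newest = max(s.taken for s in snaps)
    # 1. A clean copy must predate the intrusion, not just the encryption,
    #    so retention has to reach back further than the assumed dwell time.
    if (today - oldest).days < dwell_days:
        findings.append("retention_too_short")
    # 2. The newest copy must be recent enough to be worth restoring.
    if (today - newest).days > max_age_days:
        findings.append("stale")
    # 3. Copies that all sit on one device, or all online, can be encrypted
    #    together with production data; require a second device and an
    #    offline copy.
    if len({s.device for s in snaps}) < 2:
        findings.append("single_device")
    if not any(s.offline for s in snaps):
        findings.append("no_offline_copy")
    return findings


# Constructed sample inventories (not real data).
TODAY = date(2020, 6, 1)
# Seven nightly snapshots, all on one network share: single-day thinking.
WEAK_SET = [Snapshot(TODAY - timedelta(days=i), "nas01", False) for i in range(7)]
# The same nightlies plus weekly tapes kept offline, reaching back six weeks.
GOOD_SET = WEAK_SET + [Snapshot(TODAY - timedelta(weeks=w), "tape", True)
                       for w in range(1, 7)]

if __name__ == "__main__":
    for name, snaps in (("weak", WEAK_SET), ("good", GOOD_SET)):
        print(name, backup_gaps(snaps, TODAY) or "ok")
```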
As ransomware attacks continue to increase, the best defense is to plan ahead, leveraging strategies to help keep your organization ahead of hackers as they refine their attack modes.
Author: Allyn Lynd | Senior Incident Response Manager, TEAMARES