Cryptojacking is so 2019. Ransomware is reemerging as the top cybercrime of choice, with attacks expected to increase in 2020.
The pivot back to ransomware can largely be attributed to the attacker’s ability to contextualize the malware and weaponize it in targeted attacks. These enhanced capabilities are exacerbated by the ease of access through ransomware as a service, which enables script kiddies to launch formidable attacks.
As predicted in a blog I published back in 2016, ransomware campaigns are evolving to target specific organizations and leverage context to drive demands. As seen in the highly publicized ransomware attacks against various Texas government agencies, attackers are targeting organizations such as state and local government offices, healthcare facilities, financial services, and others.
Based on contextual knowledge of what data and assets they have encrypted, they use that information to make their demands context-sensitive. Hackers who encrypt basic corporate documents charge a lesser rate, but when they have county tax records or patient health records, the ransom goes up. A more recent attack targeted currency exchange company Travelex. The cyberattackers demanded a $3 million ransom while encrypting customer data and disrupting business operations.
Evolutions of ransomware have seen not just the encryption of information, but also exfiltration, presenting both business disruption and potential disclosure of PCI or PII data, or IP theft. Gaining in popularity, the Maze ransomware is growing its business of leaking parts of exfiltrated data, ultimately leading to full disclosure if a ransom isn’t paid.
Given these challenges, what can be done to protect against these attacks? Looking at the attack kill chain, we can identify potential points for disruption:
- Implement email and web filtering to prevent attacks from getting to users. With most email attachments being scanned or blocked, having a correlation between links embedded in the email and subsequent URL access means attacks that leverage redirects can also be prevented.
- Implement effective user awareness training to maintain vigilance at the point of click. Design a training program that is engaging and interactive to keep security at the forefront of employee thought.
- Assume infiltration is imminent. Properly deployed EPP solutions can be effective in quarantining malicious payloads before they’re able to execute.
- Patch operating systems and software to prevent exploitation for installation or automated spread.
- Ensure proper restriction of user permissions, which could prevent the installation of malware, or at least limit the potential damage.
If all else fails…
- Maintain and regularly test backups and backup procedures. I’ll say it again: Regularly test. Assume paying the ransom isn’t an option, or someone cuts the blue cable and hoses the data. I’ve consulted with a number of companies that “have backups … just not from this month,” or don’t know how to restore their backups.
With the ease and effectiveness of ransomware attacks, don’t expect attackers to abandon what works. Variants of ransomware number in the thousands, with modifications in the exploit, effect or lateral movement capabilities. Advancements in toolkits for ransomware now allow for drag-and-drop customization, with point-and-click delivery on a fully hosted cryptocurrency payment system. While these threats continue to evolve, the best defense is a look back to the foundation of security.
By Randy Watkins | CTO, CRITICALSTART
Featured in Forbes | February 11, 2020