Ransomware: an evolving threat
21 Nov
Organisations must be diligent in their use of new and proven security measures to defend against a continually evolving threat, says Ned Baltagi, Managing Director, Middle East and Africa, at SANS Institute.
Today, ransomware stands as a significant money-maker for nefarious individuals, and is no longer just an attack that seeks to encrypt important files. Instead, it has evolved to include data theft and post-exploitation, using data garnered from attacks and leaks. On top of that, the emergence of ‘Ransomware as a service’ (RaaS) has meant that a much wider group of minimally skilled attackers can now launch sophisticated attacks.
RaaS providers have fully-fledged strategies and business models, and leverage formal operating methods to carry out attacks. They market themselves on the dark web and secure clients interested in single or multiple attacks, even going so far as to maintain retainer relationships with them. As part of their fees, RaaS providers can offer advice and round-the-clock assistance, in addition to assisting in negotiations with a victim.
Going forward, security experts believe that ransomware will increasingly target IoT devices as entry points, as well as third-party applications (supply chain software, remote monitoring and management software, etc.). It is also believed that ransomware will focus on the operational technology (OT) frequently found in critical infrastructure systems, which means the potential for damage beyond the targeted organisation is high.
Evolving threat landscape
In light of these evolving threats, organisations have been forced to mature and are gradually improving at defending against ransomware. The goal of many companies now is to reach a point where threat actors cannot successfully hold them to ransom by holding their data hostage. While this is a step in the right direction, the approach does not protect companies against data theft and post-exploitation.
With data theft, attackers penetrate an organisation’s systems, steal important data and encrypt it, hoping for payment. This is a challenging situation because while it is possible to pay ransomware actors to unlock files – with proof that unlocking will work before paying a dollar – when data is stolen threat actors merely ‘promise’ to delete stolen files. Can they be trusted to do this once they’ve been paid?
When suitable tactics or measures are discovered for the data theft challenge, security analysts should make the effort to propagate them to other markets at pace, rather than delaying implementation. Cyber insurance, for example, a useful tool that helps firms stay afloat during a ransomware attack, was initially launched in the US. However, it took several years before it appeared and matured in other markets such as Europe and the Middle East.
Currently, attackers often penetrate an organisation’s systems through its staff, by phishing or otherwise tricking them, but also through vulnerabilities that remain unpatched on the external edge. Unfortunately, the reality is that many organisations struggle with patch fatigue and are uncertain about what to patch, sometimes unable to identify the important issues.
One important tool in this respect is the emergence of the Offensive Security Operations Centre. This facility conducts penetration testing activities every day, across every asset, and asks an important question: does this missing patch, or newly found vulnerability, or emerging cyber threat intelligence, pose a direct and immediate threat to the organisation?
In addition, organisations can rely on tried-and-tested measures to defend against ransomware, the majority of which do not require the commitment of significant human or financial resources. The Center for Internet Security has identified 18 sensible Critical Security Controls (CSCs) for defending against ransomware attacks. The CSCs also explain how firms can mitigate damage should an attack occur. As there is significant overlap among the 18 controls, they can be grouped under five approaches:
- Maintain an up-to-date electronic asset inventory. It is critical to take stock of all devices (fixed and mobile) that can connect to technology platforms physically or remotely. By doing this, an organisation will be able to discover any unauthorised or unmonitored devices and can secure or remove them as needed. On the software side, operating systems and applications must be secured with the latest security patches. It is then important to review employee credentials and permissions across local and remote devices, and grant or limit access to files, folders, applications and external websites accordingly.
- Constant vigilance over access points. The digital points connecting a business to the outside world are most at risk of a breach. These should all be identified and secured (including web links and emails) with defensive techniques and the deployment of enhanced malware detection. This should be followed by a meticulous company-wide permission regime, which will prevent employees from straying to websites that could lead to a breach.
- Expect vulnerabilities and prepare for the worst. Organisations should always prepare for the worst-case scenario to ensure that the ensuing damage will not be as severe. A number of industry resources that highlight current threats are available and should be taken advantage of. A common vulnerability that has afflicted businesses across sectors is reused passwords. Due to this, many businesses – especially financial providers – now require multi-factor authentication (MFA) to log in. Even simple MFA, such as sending codes to a registered mobile phone number, can counter the majority (as much as 99%) of all phishing attacks.
- Engage employees on security. Threat actors will actively target an organisation’s employees as a means of gaining access to its systems. Companies should therefore work to gauge their staff’s understanding of, and reaction to, ransomware and other threats. Appropriate measures should be rolled out via security awareness programs that aim to alter user behaviour when, for example, they are presented with a fake email or web page. The security awareness programs should also run simulations of threat scenarios to evaluate the company’s overall cybersecurity standing.
- Upgrade security team skills and tools. Several reports online discuss a ‘cybersecurity staffing shortfall’; however, many security organisations have instead found that the skills gap is the bigger challenge. This is a relatively straightforward fix – an organisation must simply invest in upskilling its security analysts, so they can better take on the threats of today and tomorrow. Cybersecurity analysts should be upskilled on issues such as cloud security, machine learning, purple teaming and other relevant topics.
The ongoing evolution of ransomware means that companies are more at risk than ever before. Therefore, organisations must remain vigilant and take steps to ensure that their systems and data will never be compromised and be a source of profit for bad actors.