Another year, and another record-topping year of even higher ransomware payments; something has to change if we want this to get any better.
Some stats first:
- 51% of all businesses in 2020 were targets of ransomware
- Overall 40% surge in global ransomware hits in 2020
- Average ransomware payments in Q3 of 2020 were over $233,000. A new 2021 report shows that average is now over $300,000, up 171% from 2019
- 1 in 5 small to midsize businesses (SMBs) were targets of ransomware attacks, up 37% year-over-year, and SMBs who don’t outsource their IT services are even more at risk, reports show.
Let’s take a second and forget about all the hype around APTs, nation-state actors, and botnet air fryers (that’s an IoT post for another day). My philosophy—and the philosophy of others, I’d like to believe—has always been that if you are not good at detecting and responding to commodity malware, you are never going to detect and stop the more advanced APT attack or the actors lurking around in your environment. Commodity malware and, more specifically, ransomware are similar in their protection and defense methods. However, it’s ransomware itself that represents a much higher risk to the organization. With 171% growth in ransomware payouts in as little as 24 months, there is a lot of money to be made here (for the more “morally flexible” audience), and the chances of being apprehended are slim. The chances of prosecution are even slimmer, though I digress. I’m not advocating we quit our day jobs and start purchasing bulletproof hosting to launch our first attack, but you have to understand the economics and realize it’s profitable and pretty low-risk nonetheless (low risk, high reward).
How it starts and what happens next
A recent survey of organizations found that the three methods below account for 66% of all ransomware infections.
- File downloads/emails with malicious links
- Attacks on remote servers
- Emails with malicious attachments
It seems to me that technologies, vendors, and even traditional IT have been operating in these spaces for years; yet these remain the top vectors of attack. Users clicking on links ranks number one, poorly configured or unpatched servers are number two, and users opening items attached to emails is number three. My point is that attackers take the path of least resistance, and these attack vectors continue to be persistent areas of risk, despite the number of solutions (awareness programs, email filters and gateway appliances, automated patching, etc.) that claim to address them. Even though the industry is saturated with these solutions, organizations continue to struggle to implement and manage them, as well as to maintain high levels of security awareness among their employees. This is also a great area to demonstrate just how sophisticated and yet unsophisticated these attacks truly are. If the three attack vectors above don’t work, these actors will just keep going down the list of other methods, such as attacking poorly configured cloud instances or even infiltrating one of your organization’s suppliers to gain access; they will find a way in eventually. If you want to know just how effective, resilient, and evolved these actors are: in 2019 I had the opportunity to attend a security conference in France and see a presentation by security researcher Brandon Levene. His paper and datasets on “Crimeware-In-The-Modern-Era” break down just how motivated and evolved these threats are, the threat actors’ ability to pivot to newer threats, and the sheer scale of what we are up against as defenders. I’ll leave a link to his paper and data below; it’s worth the read.
Finally, once they have obtained initial access to your environment, ransomware actors will usually live in that environment anywhere from three days to two weeks (maybe longer). They will then use legitimate tools that are in most cases already operating inside your environment (thus making them more difficult to detect), all the while enumerating and escalating their privileges across your systems. Those newly minted privileges will then be used to start turning off and disabling security services and staging/prepping the environment. When the time actually comes to deploy their ransomware, a mass effect is achieved by first removing legitimate access to your data and then encrypting it. Step 2: profit, repeat.
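The staging step described above, several security services being stopped or disabled on one host in quick succession, is exactly the kind of pattern basic logging can surface. The following is an added example (not from the original post or any vendor product); the log format, the service watchlist, the sample lines and the window/threshold are all assumptions:

```python
"""Flag hosts where several security services were stopped or disabled
inside a short window (a ransomware staging pattern). Constructed data."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed watchlist: service names this organization treats as security controls.
SECURITY_SERVICES = {"edr-agent", "av-realtime", "backup-agent", "windows-defender"}

# Constructed sample log, one event per line: "<ISO timestamp> <host> <action> <service>".
SAMPLE_LOG = """\
2021-06-01T02:10:05 fileserver01 service_stopped print-spooler
2021-06-01T02:11:40 fileserver01 service_stopped av-realtime
2021-06-01T02:12:02 fileserver01 service_disabled edr-agent
2021-06-01T02:13:15 fileserver01 service_stopped backup-agent
2021-06-01T09:00:00 workstation07 service_stopped av-realtime
2021-06-01T14:30:00 workstation07 service_stopped av-realtime
"""

def parse_line(line):
    """Split one assumed-format log line into (timestamp, host, action, service)."""
    ts, host, action, service = line.split()
    return datetime.fromisoformat(ts), host, action, service

def find_staging_hosts(log_text, window=timedelta(minutes=15), threshold=3):
    """Return {host: sorted list of security services} for every host where at
    least `threshold` distinct watchlisted services were stopped or disabled
    within `window`. A single stop (maintenance, reboot) is treated as noise."""
    events = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, host, action, service = parse_line(line)
        if action in ("service_stopped", "service_disabled") and service in SECURITY_SERVICES:
            events[host].append((ts, service))
    hits = {}
    for host, evs in events.items():
        evs.sort()  # chronological, so each event can anchor a forward-looking window
        for i, (start, _) in enumerate(evs):
            in_window = {svc for ts, svc in evs[i:] if ts - start <= window}
            if len(in_window) >= threshold:
                hits[host] = sorted(in_window)
                break
    return hits

if __name__ == "__main__":
    for host, services in find_staging_hosts(SAMPLE_LOG).items():
        print(f"ALERT {host}: security services disabled in quick succession: {services}")
```

Tune the window and threshold to your own change-management reality; the point is that the repeated stop of one service on workstation07 is not an alert, while the three distinct controls going down on fileserver01 within two minutes is.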
OK, so how can we start to protect and defend?
Assume you’re going to be targeted. This is the first hurdle we need to come to terms with. These actors do not discriminate, and all organizations are targets regardless of size, industry, or geographic location.
Beyond that, defense wins championships, right? Understand what you are protecting! A good data classification strategy and a focused approach to protecting data not only on-premise but also in public and private clouds goes a long way toward your success post-ransomware infection.
Backups. Yes, I’m talking about backups. Do them, validate them, and test them. Store them offline and even offsite. One caveat is that even with a sound backup plan in place, you also must account for the damage that can be done when an attacker exfiltrates your data and threatens to sell it or publish it. The public disclosure of your most sensitive data is a growing trend through a tactic called “double extortion.” This is where a ransomware actor will charge a fee to decrypt your data and then turn around and set another ransom to keep your data from being disclosed publicly. Actors have gone as far as reaching out to journalists to multiply the damage and bring publicity at the expense of your intellectual property and brand. In some cases, they have even contacted investors directly. Bottom line: assume nothing is off the table if it results in the actors securing a payment. The best backup program can’t help with this aspect; prepare for this as well.
Conduct proper patch management. The standard of testing patches for 30 days before deployment is long gone. Zero-day and other critical vulnerability patches need to be treated almost as tier one security incidents. The cost of potential downtime from an untested patch is (in most cases) no longer cheaper than the cost of initial access being obtained through an unpatched system, ransomware being deployed, and the resulting downtime and other downstream business effects. Threat actors are turning around exploits in record time these days. It’s also good practice to review what services your organization has exposed to the public internet on a cyclical basis. Review these exposed services and be sure each exists for a legitimate business purpose or mission; otherwise you’re just making your organization a larger target at the end of the day. (Reduce attack surface.)
Get tooling in place to aid detection. I’ve been in the security industry for 15 years now, and there is no shortage of point solution vendors that are dying to sell you the next blinky lightbox solution that’s obviously powered by some advanced lifeform of cyber A.I. Start small, develop a threat model, start that CMDB or asset inventory you have been putting off (another post on this shortly), and start logging your applications and systems. Hire or outsource talent that can aid you in getting the basic logging in place. If something does go wrong, proper logging will facilitate more effective detection and recovery. I’m not anti-vendor by any means, but pick a few solutions, stick with them, and focus on their implementation. You can go purchase that new shiny EDR/XDR tool or SIEM, but it’s only a framework. If you don’t know how to properly deploy or configure your tooling, hire or outsource talent to assist you with this effort. Also, if you want to run your own SIEM with a security team of three, you’re honestly going to have a tough time staying above water. I’m not saying it cannot be done; just know that what SIEM systems produce are alerts, and each one requires careful investigation. This investigation process can drown a small security team; a managed security service provider (MSSP) can help here.
Finally, once you get your security stack point solutions in place, give them time to mature. I’ve had the pleasure of working with a lot of organizations, and I can’t tell you how many times I’ve seen tooling/systems ripped out and replaced before they were even fully implemented, never given a chance to mature. If none of this sounds like your cup of tea, or you understand it may be too expensive, hire a managed security services provider (MSSP) to watch your six. MSSPs often give you access to cybersecurity talent and tools that would otherwise be unobtainable for your organization. I once asked the CISO of a large hospital in the Seattle area why he hired the MSSP I was working for at the time, and his response was, “I have Nike and Amazon right down the street. Dollar for dollar, talent for talent, I’m just not going to be able to compete with that.” This response really made me reevaluate the lack of access to cybersecurity talent for small and mid-market clients and, frankly, the real value proposition of hiring an MSSP.
As defenders, we must define new standards.
What has to change to degrade the effects, impact, and spread of ransomware? I would propose a few ideas.
- Industry regulatory agencies focused on data breaches should also be more involved in ransomware events. We must start ensuring and enforcing that organizations are securing their data and their customers’ data with some measure of adequacy. Fine them if necessary.
- Especially here in the States, we must start investing more in the public’s education on how to detect and mitigate ransomware attacks and how to prepare your organization for one.
- With the latest gas pipeline attack here in the States, we must declare ransomware a national security threat. Security professionals have long been on TV pleading about just how fragile our critical infrastructure is in the face of cyber-attacks. The US government already has a lot of agencies that operate in this space, such as CISA, the FBI, and the Departments of the Treasury, State, and Justice, just to name a few. A dedicated ransomware commission should be formed from these agencies, focused solely on ransomware. Critical infrastructure aside, ransomware also poses a severe risk to public health. In more than a few instances, ransomware has been directly attributed to delays in patient treatment and loss of life.
- Not all cyber insurance companies are equal. Some cyber insurance firms see a lack of defined security baselines as a selling point, believe it or not. These cyber insurance policies need to hold clients to better baselines so that better cyber hygiene is achieved and so that threat actors don’t just see organizations with cyber insurance policies as lucrative targets with almost guaranteed payouts.
- Dogecoin to the moon! Seriously, the highly decentralized nature of cryptocurrencies and the differing legal and regulatory bodies make it easy for criminals to move their operations to markets that benefit them and aid their operations. We need to empower government, regulators, and law enforcement to better engage blockchain analysis assistance to investigate the criminal parties and to track, report, and share information regarding ransomware payments more thoroughly. Tracking cryptocurrency payments is difficult today due to disunity in standards and in the enforcement of regulations across many cryptocurrency exchanges.
- Legislation should be lobbied for to make ransomware and other related activities subject to RICO. Many of these threat actors, for all intents and purposes, operate as organized crime syndicates. It also goes without saying that we should push for tougher sentences and seizure of assets from the convicted parties, as well as more global law enforcement cooperation to aid investigations, quicker extraditions, and more expedient prosecutions. As long as the profits and economics continue to outweigh the risks, the attacks will continue.
My name is Todd Willoughby and I have 15 years of experience working in the cybersecurity industry. I spent the early part of my career as a defense contractor working for the US military and other government agencies. I spent the last 6 years building out a Big 4 consulting firm’s managed security service and acting as their Global Threat Operations Manager, leading a worldwide team of over 100 security analysts, security engineers, SOC managers, and threat hunters conducting 24×7 cyber defense operations for some of the largest organizations in the world.
Who the heck is RSM Defense, and what makes us different from other MSSPs, you may ask? I’m just one small piece of a much larger and experienced team of former MSSP security professionals, unsatisfied with what they saw there, with decades of experience who think we can truly deliver a better MSSP experience and better outcomes for mid-market clients. RSM gave us a home and the resources to build this better experience through better detections, faster automation and response, and actionable, outcome-driven results for our clients. Hence RSM Defense and our internal security monitoring team, Unit26, were born.
Our Unit26 team brings decades of global cyber defense operations experience to your doorstep, and RSM Defense enters the arena with what we believe is an innovative cloud-native security solution that aims to stop cyber threats in whatever realm or vertical your business operates, including cloud-native environments, client-hosted, and remote deployments. Even if you have an existing security stack that is growing, RSM Defense and Unit26 can help manage, triage, and respond to your cyber threats.
If your organization needs help with anything I mentioned above, let’s get in touch and talk about how we can introduce you to our approach to obtaining a more secure presence.
Link to Brandon Levene’s “Crimeware-In-The-Modern-Era” Paper