Ransomware has captured the attention of media, security professionals, legislators, and the general population. As an attack technique, ransomware tracks back to Harvard-trained biologist Joseph Popp in 1989. Ransomware has evolved significantly over the years, and it has spun off entire cottage industries on both the attacker and defender side of the issue.
In 2021, there were multiple high-profile ransomware attacks that led to significant socio-economic disruption, notably the JBS USA meat supplier and Colonial Pipeline attacks. These particular attacks didn’t just disrupt one organization’s internal operations. They were part of broader supply chains that impacted other organizations that are part of a critical sector.
There are 16 critical sectors as defined by the Cybersecurity and Infrastructure Security Agency. Attacks across these sectors have the potential to be enormously disruptive, because they involve organizations that are part of a broader, multi-dimensional supply chain, with the possibility of intense ripple effects.
More complex IT supply chains for organizations beyond critical sector reliance also opens up more opportunities for criminal groups. The Kayesa attack highlighted the opportunity for network effects to occur through service provider-to-consumer relationships.
Ransomware is unique as an attack vector because it is likely to not just result in data loss or theft, but actively disrupt operations. This disruption is often core to an organization’s mission, value stream, and profit center; that’s why it’s a lucrative attack vector. A collection of statistics from ThreatPost supports this, highlighting steady growth in the frequency of ransomware attacks.
Risk Is Rising
The typical means of risk assessment—a derivative calculation of impact and likelihood—tells us that the risk is rising. I recently explored the evolving tactics of ransomware groups and how the pace of innovation is leading to advancing sophistication. All of this, coupled with a lower barrier of entry, drive the likelihood of attacks higher. The continued push for digital projects and the reliance on IT for more facets of our lives increase the impact in the event of a successful attack.
A recent report by Crowdstrike also highlights a significant increase in the adoption of ransomware as a tool in e-crime. While criminal organizations continue to embrace ransomware, their techniques are evolving. This includes:
- Process techniques such as outsourcing to distribute risk and increase scale
- Technical techniques enhancing security tool obfuscation
- Industry and scenario targeting
An example of an evolution in industry and scenario targeting is the reaction to the global Covid-19 pandemic. Malware or intrusion campaigns are leveraging Covid-19 themes to target organizations generally or targeting healthcare organizations involved in the global or community response. This particular Covid-19 scenario invites a visceral emotional response from people given how it has impacted the world. Criminals understand this, which is why global current events can and often are used against people.
The Right Tools and Practices
Here are five things that organizations can do to help improve their own risk posture against ransomware:
- Invest in asset management, devices, identities, services, software, etc. This is a basic practice in IT and security but you can’t protect what you can’t see.
- Define and practice an incident response plan that is inclusive of ransomware readiness. Test your communications, test your quarantine and containment, test your detection plans.
- Embrace a posture of least privilege and multi-factor authentication across the organization.
- Ensure that key resources are regularly backed up, with restores being regularly tested to ensure they work as expected when they’re needed.
- Think through and “red team” ransomware scenarios using attack and defense trees to visualize and model the paths an adversary might take. This process can be done starting at the edge (or point of entry) or working backwards from a critical asset.
The challenges presented to organizations on account of ransomware demand response—and action. Organizations cannot manage risk in a vacuum because of our global interconnected state.