Protecting against evolving ransomware attack trends

15th March 2021

By Derek Manky, Chief, Security Insights & Global Threat Alliances at Fortinet's FortiGuard Labs

Ransomware attack trends continue to evolve, and the current iterations seen during the COVID-19 pandemic are no exception. During this time, malicious actors have attacked healthcare organisations, medical trials, schools, and shipping agencies. Considering the impact these modern attacks can have on organisations everywhere, no matter the industry, security professionals must always be ready to secure their systems, networks, and software in new ways. And according to a recent FortiGuard Labs global threat landscape report, ransomware remains a prolific threat which increased in 2020 and became even more disruptive.

Ransomware trends are continuing to change 

Ransomware as an attack methodology has the potential to cause severe damage. As attacks grow in sophistication, the impact goes beyond just financial losses and the lack of productivity often associated with systems going down. Instead, threat researchers are increasingly seeing encrypted versions of data being posted online – not just held for ransom – along with the threat that if the ransom is not paid, all of the data will be released to the public or sold to a buyer. As a result, organisations have begun to appear on the Dark Net with a business model centered on negotiating ransoms. And while systems like this may sound like an easy fix, they can actually have long-term negative effects, including the normalisation of criminal behavior. 

Further, as IT and OT systems converge, ransomware attacks have begun to target new data and technology types. Field devices and sensors have become new targets, resulting in malicious actors shifting their focus from corporate networks to the OT edge. In turn, power grids, transportation management infrastructures, medical systems, and other critical resources are being threatened more than ever before. And this shift impacts more than sensitive information. At the OT edge, these Industrial Internet of Things (IIoT) devices are also responsible for people’s physical safety, demonstrating the severity of attacks on these networks. 

A tough decision to make

When impacted by a ransomware attack, some organisations may find it easier to pay than have their IT team spend days trying to recover data, all while business operations remain at a standstill. But this is not always the case. To remind organisations of this fact, the U.S. Treasury recently warned that facilitating the payment of ransoms on behalf of cyber victims could result in legal consequences, as it sets a bad precedent for other cyber criminals. It should also be noted that paying a ransom does not guarantee that the threat will go away instantly. In some cases, the information that organisations worked so hard to protect has already been exposed and can cause additional long-term problems.

Mature cyber hygiene is key

Attackers know that end-users are high-target, high-value assets. Ransomware leverages social engineering attacks, preying on fears as a way to execute malicious code on devices. With this in mind, cyber hygiene must start as a board-level conversation. 

A top-down approach to creating a strong ransomware mitigation strategy includes: 

Prioritizing collaboration to stay ahead of threats

Another key factor in developing a strong security posture is working with all internal and external stakeholders, including law enforcement. More data ensures more effective responses. Because of this, cybersecurity professionals must openly partner with global or regional law enforcement, like US-CERT. Sharing intelligence with law enforcement and other global security organisations is the only way to effectively take down cybercrime groups, as defeating a single ransomware incident at one organisation fails to reduce the overall impact within an industry or peer group.

Cyber criminals have been known to target multiple companies, verticals, systems, networks, and software. In order to make attacks more difficult and resource-intensive for cyber criminals, public and private entities must collaborate by sharing threat information and attack data. Private-public partnerships also help victims recover their encrypted data, ultimately reducing the risks and costs associated with the attack. 

When private and public entities work together, they also expand visibility. For example, a bank may suffer a ransomware attack but fail to share information responsibly with law enforcement. Law enforcement working with a credit card company also impacted by the same cybercrime group needs that information to understand the criminal organisation’s full scope. Cybercrime lacks borders. Actionable threat intelligence with global visibility helps both the private and public sectors shift from taking a reactive approach to being proactive. 

Create defensive playbooks

Similarly, by developing and sharing playbooks, which offer a detailed view of cyber criminals’ “fingerprints,” organisations can enhance their response activities. Detailing how known cyber criminal groups work only enables defenders to become stronger and more strategic. Blue Team (defensive) playbooks provide defenders with winning strategies against present and future cyberattacks. And when paired with Artificial Intelligence (AI), security teams can leverage the playbooks to build an advanced, proactive protection framework, enabling them to respond to new threats in real-time. AI also gives them the tools necessary to evolve their methodologies at the same rate as cyber criminals so that they can create more refined and granular responses earlier in the attack cycle. 

Knowledge equals power and protection against ransomware attack trends

Cyber criminals will continue to cause chaos with ransomware attacks. Modern ransomware places data and lives at risk, meaning organisations must take a more proactive approach to secure their environments. From a technical standpoint, cyber hygiene, zero-trust policies, network segmentation, and encryption offer protections. Further, these strategies work best when organisations leverage asset visibility tools to identify their critical assets – once they know where the data resides, they can create a proactive protection strategy. Finally, the human element remains as important as technology. Building relationships with law enforcement to share information and threat intelligence is the final piece of the ransomware puzzle. The only way to defeat cyber criminals is to work together against them.