Managing Ransomware Risk
Every organization, every day, faces the threat of a devastating ransomware attack. Ransomware is a type of malware that typically encrypts files and denies access to data and systems, demanding a ransom payment to regain access.
Recent changes in criminal tactics for ransomware extortion are a game changer, especially for large scale enterprise organizations.
Perception of reality
Everyone has heard of ransomware threats, even non-technical people, but is this heightened awareness a change in perception or a change in reality? The answer is both, driven by changes in cybersecurity regulations and by the maturation (automation in particular) of a criminal marketplace.
Cybersecurity Ventures reports that by 2021 ransomware will successfully compromise a new organization every 11 seconds! While the statistics are debated, nobody can deny that the high volume of disclosures and of shared knowledge – especially within the cybersecurity industry – indicates a troubling trend: ransomware is on the rise.
Have the threats always been there and are they only now being reported, increasing perception without increasing the likelihood of attack? Various regulations now exist around the world, increasing the number of breach identifications and disclosures. Before such requirements, some organizations were all too happy to keep a breach quiet to avoid reputational and/or financial loss.
As organizations disclose breaches, global awareness of such threats has dramatically shifted from earlier years. Simultaneously, the criminal marketplace matured, resulting in a substantial new number of attacks through multiple vectors.
Malware prevalence statistics and observed attacks reveal a dramatic increase in attacks over the past decade. In the first decade of this century, malicious actors began to automate, focusing on "bots" and "worms" to perform automated actions such as spreading through network shares, exploiting other networks automatically, and receiving and acting upon "bot" (robot) commands to do whatever a remote botmaster instructed.
By the second decade of this century, strategies such as many minor variants of one family and single-use, one-time indicators of compromise were very mature, resulting in an exponential increase in the number of threats experienced globally every day. Whenever a change in tactics takes place within the criminal underground, runaway success follows until the cybersecurity community responds.
New ransomware tactics
In the past year, a few critical changes in tactics by a very mature ransomware criminal marketplace have taken place:
- Targeting of enterprises for larger payouts.
- Targeting of smaller organizations and individuals for large scale small payouts.
- Diversification of attack vectors and strategies to maximize profits.
- Disclosure of company name and/or stolen data if ransomware demands are not met.
These changes in tactics have dramatically impacted both small business and large enterprise organizations.
Multiple "affordable" ransomware families follow a nefarious business model of compromising as many smaller targets as possible in the hope of a quick, small payout. Ransomware families that use this tactic include, but are not limited to, Dharma, Snatch and Netwalker, blanketing small businesses with ransom demands as low as $1,500. Smaller organizations, which often struggle with SecOps maturity and resources, are more likely to pay a smaller amount to "recover" data, especially when disruption is significant and/or backups are not in place.
Larger organizations, which are often more mature and have more resources, commonly face far higher incident response and breach management costs, driving up the value of a ransom demand. Ryuk and REvil (aka Sodinokibi) are two mature ransomware families that together comprise over 50 percent of all ransomware threats. Recently they have been targeting large organizations for huge ransom payouts. According to a CoveWare blog, ransom demands have increased by more than 100 percent, heavily influenced by the new tactic of targeting larger organizations for larger payouts.
A report by eSentire found that United Kingdom organizations that are reportedly well defended against common ransomware attack vectors (such as email and phishing) experienced an increase in other attack vectors, including but not limited to the remote desktop protocol (RDP), remote management and monitoring (RMM) tools and exploitation of software vulnerabilities (e.g., the RIG exploit kit). Additionally, ransomware has more recently been delivered through compromised supply chain downloads and distributions (e.g., GandCrab).
These newer tactics support a diversified pattern of attacking organizations through multiple vectors to maximize compromise and cash-out for remote actors. Anecdotal data suggest that nearly 100 percent of ransom demands that are paid result in a working recovery tool, consistent with this extortion business model.
The average ransom demand in Q4 2019 is reported at nearly $84K, compared to $42K a year earlier. Enterprise payouts run from hundreds of thousands to millions of dollars per breach, according to various media reports in the past year. Now that ransomware actors are starting to steal sensitive data such as emails and files, naming compromised companies and "dumping" files on the Internet, companies must work out how best to reduce risk should a ransomware incident take place. Specifically, exfiltration of sensitive data may change whether an incident meets the legal definition of a breach, triggering expensive protocols that must then be followed.
Proactive protection is primary
Proactively protecting against the ransomware threat is the best plan. Without defensive measures in place, and with immature security operations, many organizations discover that they lack cyber resiliency and cannot recover without paying a ransom. Naturally, a multi-layered, defense-in-depth program is required to protect against ransomware effectively.
Key stakeholders and leaders of an organization are advised to do the following to reduce ransomware risk, in addition to following SecOps best practices:
- Use a third party to facilitate ransomware readiness tabletop exercises covering technical research and response, management of third parties, insurance and breach management implications, and legal and payout procedures.
- Develop and implement a ransomware playbook. This document governs orchestration between the various business units, policies and procedures involved in a ransomware incident.
- Assign ownership to the appropriate team(s) for understanding which ransomware threats have impacted your organization, and your competitors, in the past year. Gather information on the tactics, techniques and procedures (TTPs) of these specific threats to prioritize security maturity work, ensuring that ransomware threats are specifically and proactively mitigated as far as possible.
Having the right people in the room, with a specific focus on ransomware readiness, is key within your leadership team. This is especially true for global organizations, which often have multiple disparate business units and are complex, with challenges of scale. Cyber leaders drive alignment and buy-in by using a metrics-based approach: specifically, tracking which threats are blocked, how quickly threats are mitigated, and the cost savings associated with risk reduction improvements to the program.
Ransomware threats have a habit of revealing that an organization is not resilient, that backups don't work as expected and that vulnerabilities exist where you thought they had been patched. With a threat this damaging and this likely to occur, all cyber leaders need to scrutinize and prioritize ransomware readiness in the immediate future to reduce risk.