While the FBI is reportedly tracking as many as 100 variants of ransomware, most ransomware vectors follow a common thread.
Steve Durbin
CEO, Information Security Forum (ISF)
Ransomware needs no introduction and is perhaps the most damaging and widespread form of cybercrime in years. Several high-profile businesses fell hostage to ransomware in the first half of 2021, with U.S. agencies now prioritizing ransomware incidents as serious acts of terrorism.
In 2020, attack incidents grew by 800 percent, and 73 percent of those attacks were successful. This year, researchers are reporting a two-fold rise in ransomware-led cybercrime.
Attack techniques and common root causes
While the FBI is reportedly tracking as many as 100 variants of ransomware, most ransomware vectors follow a common thread. Here are the top attack vectors:
- Targeted attacks: Attackers deliberately target businesses with a motive to inflict damage, cause reputational harm, exfiltrate sensitive information, extract a ransom payment, or all of the above. For example, a new malware that deliberately destroys data on infected devices, AKA wiper ransomware, is used to carry out espionage and destroy information.
- Supply chain attacks: Modern enterprises have strong defenses and mature processes in place, but intermediaries and third-parties sometimes do not. The growth in supply chain attacks proves attackers are fully aware that supply chains can be leveraged to get a foot in the door of the target organization. The European Union Agency for Cybersecurity predicted supply chain attacks would quadruple in 2021 compared to 2020.
- Unintentional attacks: There’s always a possibility for victims getting infected by clicking on a mass phishing email, visiting an infected web page, downloading a malware-laced file or application, or through collateral damage resulting from a ransomware attack on a partner organization. In the case of a double extortion, when a mental therapy center was attacked by ransomware, the extortionists leveraged the stolen data and heartlessly blackmailed patients.
Ransomware is a symptom of an infection, and infections are the results of common root causes that include:
- Spam/phishing emails: This is by far one of the most prevalent social-engineered threat vectors and root causes of ransomware.
- Poor user practices: Victims lack security awareness, are careless in their online behavior, and do not practice the art of healthy skepticism. This habit eventually leads to a malware infection.
- Weak passwords: Poor password management is also a common root cause of ransomware attacks. Password reuse is a common phenomenon, and credentials are often stolen by hackers and sold on the dark web. The ransomware attack that took down the Colonial pipeline earlier this year was the result of a compromised password.
Preventing ransomware infection
Let’s face it, no one is immune from ransomware. Having said that, organizations that prepare for this eventuality are in a better position to defend, respond, recover, and survive. Here are six best practices that can help prevent a ransomware incident:
- Always backup your data: Although backups are a contingent strategy, it’s always a good idea to have these ready in case an infection breaks out. It’s recommended that backups are tested regularly and remain isolated from the rest of the network to avoid spread of contagion. That said, backups don’t stop blackmailers from extorting a ransom. Most ransomware families exfiltrate data, rendering backups relatively worthless.
- Patch regularly: Attackers thrive on exploiting known vulnerabilities, and therefore businesses must ensure they update their software regularly as these often contain security fixes.
- Keep your inventory in check: Maintain a comprehensive list, detailing all your asset inventory (e.g., software, hardware, cloud). This can help identify vulnerable devices and unpatched software that can lead to ransomware infections.
- Train users on security best practices: Ensure your users undergo regular security awareness training, which can help them develop muscle memory to identify and report suspicious activity. Users are usually the weakest link in cybersecurity, however, regular investment in security training can reduce risky behavior, boost cybersecurity hygiene, and eventually turn users into your strongest defense.
- Invest in technical controls: Next-gen firewalls, endpoint detection and response, multi-factor authentication, data leakage prevention, anti-spam, and password managers are important tools that businesses should leverage to boost their defenses. It’s also a good idea to disable Remote Desktop Protocol or limit it to only select authorized users as these are regularly hijacked in ransomware attacks.
- Leverage cyber insurance: One of the major benefits often overlooked by businesses is that insurance companies typically conduct due diligence of their client’s cybersecurity posture as part of their underwriting process. Such audits root out systemic weaknesses and reduce systemic risk for both parties. In case of a ransomware incident, insurers can provide experienced ransomware negotiators and offer other mitigation services that can help restore the business back to its original state.
If you are hit by ransomware, contact law enforcement agencies immediately. Contact your local FBI field office or the Internet Crime Complaint Center. Paying the ransom will only encourage further attacks, which is why federal regulators are now considering a ban with associated penalties on companies that facilitate ransomware payments, including cryptocurrency exchanges. More advice on ransomware response strategies can be found at the government CISA website.