How ransomware turned into the stuff of nightmares for modern businesses

There are few cyberthreats that have evolved in recent years quite the same way as ransomware, which over the last two decades has become a scourge for businesses across the globe.

From simple infect-and-encrypt attacks, to double- and now triple-extortion attacks, ransomware has become one of the most fearsome security threats of the modern era. With the rise of ransomware-as-a-service, it has also become increasingly accessible to would-be cybercriminals.

To hear more about the threat posed by ransomware and the steps businesses can take to protect themselves, we spoke to Martin Lee, Technical Lead of Security Research at Cisco Talos.

What attributes make ransomware attacks so potent and difficult to defend against?

Essentially, ransomware is the 21st century version of kidnap. The criminal takes away something of value and demands payment for its return. Over time the ransomware business model has evolved to become a highly efficient money maker for criminals.

A ransomware attack is not something that can be ignored. By encrypting a system and rendering it inaccessible, the criminals try to provoke an immediate response. If a key system is disabled, the bad guys know that the disruption will provide a strong incentive for the victim to pay.

Ransomware attacks are launched via every possible means of ingress. Criminals will search for any weakness in perimeter defences so that they can gain access to systems. The profitability of ransomware drives the tenacity of the criminals; it is the ubiquity of the attacks which makes them so tedious to defend against. To protect against such attacks requires excellent defences and constant vigilance.

What are the main ways ransomware operations have changed, since the days of simple infect and encrypt attacks?

Modern criminal ransomware attacks date back to the mid-2000s. Initially these were ‘mass-market’ style attacks where criminals distributed as much malware as possible, with little regard for the nature or identity of the systems they were targeting. The presumed goal was that although the majority of the malware would be blocked, a small percentage would succeed in infecting and encrypting systems, and a small number of these would result in payment of a ransom.

In 2016 we observed an innovation in the ransomware model. A new ransomware variant, named SamSam, was distributed in a new way. The gang using this malware identified possible targets in advance, exploiting vulnerabilities in externally facing systems to gain a toehold within the organization. Once they were in, they expanded their access, searched for key systems, and hit those with ransomware.

By researching their target and disrupting business critical systems, the criminals can significantly disrupt the functioning of the entire organization. With this approach the criminals demand a much higher ransom than if they compromise a single laptop for example.

In 2019, we saw an additional innovation. Maze ransomware not only encrypted data, but stole it too, exfiltrating files to the criminals before encryption. The criminals demand payment, not only to restore access to data but also to stop them publicly releasing the data.

This provides dual extortion. If you don’t pay, not only do you lose access to encrypted data, but you also experience the long-lasting reputational damage of a public data breach.

What is the best course of action for a business in the hours and days after a ransomware attack?

In an ideal world, organizations should be able to implement a well-rehearsed incident response plan, with which everyone in the organization is familiar.

Otherwise, the best course of action is to call in an external incident response team who can resolve the situation. The goal should be to contain the breach to prevent it from getting worse; followed by fixing vulnerabilities, securing forensic artefacts and restoring affected systems to operation.


What mistakes do victims most frequently make in dealing with ransomware operators?

By paying the ransom you are feeding the beast. Not only does this allow criminal gangs to invest in developing better malware, and support the global money laundering infrastructure, but it also marks out those who pay as lucrative targets for future attacks. Once an organization has been identified as a paying victim, this inevitably leads to subsequent ransomware attempts from other criminal organizations.

What do you make of the emergence of ransomware-as-a-service?

The emergence of ransomware-as-a-service demonstrates the level of innovation and professionalism within the criminal fraternity. Instead of criminals looking to operate all stages of infection from development of the ransomware through to delivery, some operations look to outsource the delivery element to partners who specialize in the delivery of the malware and negotiation of the ransom. Ransomware is now a fully-fledged industry that organizations of all shapes and sizes must be prepared to encounter.

In what ways do you expect ransomware attacks to develop further in the years to come?

Ransomware has proven itself to be a reliable money maker for criminals. However, the success of attacks is not a foregone conclusion. The more attacks are blocked, the less profitable the activity becomes.

Perimeter defences can block malicious emails or attempts to download malware. Filtering connections at the IP address or DNS layer can block connections to the command and control systems of malware. Modern endpoint protection systems are able to detect and block harmful malware, and efficient backup solutions can restore affected systems.

With an increased understanding of the effects of ransomware and improved defences I hope that we will see fewer successful attacks and ransomware become an unprofitable operation. However, as organizations get smarter so do the criminals; ransomware will be with us for a long time yet.
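As an added illustration of the DNS-layer filtering Lee mentions in his last answer (example code written for this edit, not from the article or from Cisco Talos): a resolver policy that sinkholes lookups of blocklisted command-and-control domains, applied to a few resolver log lines, and a follow-up check that flags the client that keeps retrying a blocked name. The log format, the blocklist entries and every host and domain name below are constructed for the example and are not real indicators.

```python
"""Added example: DNS-layer blocking of malware command-and-control lookups.

Illustrative code written for this article, not a Cisco Talos tool. The log
format, blocklist entries and host names are all constructed for the example.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed blocklist. An entry covers the name itself and every name
# beneath it, the way a response-policy-zone rule for a domain would.
BLOCKED_DOMAINS = {
    "example-bad.test",            # whole zone used for C2
    "payload.example-evil.test",   # one delivery host in an otherwise clean zone
}

SINKHOLE_ADDRESS = "0.0.0.0"       # what the resolver answers for blocked names

# Constructed resolver log: "timestamp client qname qtype", one query per line.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z 10.0.0.12 www.example.com A
2024-05-01T09:00:02Z 10.0.0.12 c2.example-bad.test A
2024-05-01T09:00:03Z 10.0.0.17 mail.example.com MX
2024-05-01T09:00:04Z 10.0.0.12 C2.EXAMPLE-BAD.TEST. A
2024-05-01T09:00:05Z 10.0.0.23 beacon.payload.example-evil.test A
2024-05-01T09:00:06Z 10.0.0.12 c2.example-bad.test A
2024-05-01T09:00:07Z 10.0.0.31 notexample-bad.test A
2024-05-01T09:00:08Z 10.0.0.31 www.example-evil.test A
"""


@dataclass(frozen=True)
class Query:
    ts: str
    client: str
    qname: str
    qtype: str


def parse_log(text):
    """Parse the constructed log format, skipping blank or malformed lines."""
    queries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        queries.append(Query(*parts))
    return queries


def blocked_match(qname, blocklist=BLOCKED_DOMAINS):
    """Return the blocklist entry covering qname, or None.

    Matching is case-insensitive, ignores a trailing dot, and only walks up
    label boundaries: 'c2.example-bad.test' is covered by 'example-bad.test',
    but 'notexample-bad.test' is not, and 'www.example-evil.test' is not
    covered by the narrower entry 'payload.example-evil.test'.
    """
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def resolve_policy(query, blocklist=BLOCKED_DOMAINS):
    """Policy decision for one query: ('sinkhole', entry) or ('allow', None)."""
    hit = blocked_match(query.qname, blocklist)
    if hit is None:
        return ("allow", None)
    return ("sinkhole", hit)


def blocked_queries(queries, blocklist=BLOCKED_DOMAINS):
    """All queries the policy would sinkhole, paired with the entry that matched."""
    out = []
    for q in queries:
        action, hit = resolve_policy(q, blocklist)
        if action == "sinkhole":
            out.append((q, hit))
    return out


def beaconing_clients(blocked, threshold=3):
    """Clients that looked up a blocked name at least `threshold` times.

    Sinkholing the lookup stops the C2 connection, but a host that keeps
    retrying is already infected and is the one to isolate first.
    """
    counts = Counter(q.client for q, _ in blocked)
    return {client for client, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    queries = parse_log(SAMPLE_LOG)
    blocked = blocked_queries(queries)
    for q, hit in blocked:
        print(f"{q.ts} {q.client} {q.qname} -> {SINKHOLE_ADDRESS} (matched {hit})")
    print("isolate:", sorted(beaconing_clients(blocked)))
```

The label-boundary walk is the part worth copying: a naive `endswith` check would block `notexample-bad.test` on the strength of an `example-bad.test` entry, and a naive exact match would miss `C2.EXAMPLE-BAD.TEST.` with its trailing dot and upper case. On the constructed log the policy sinkholes four lookups and flags 10.0.0.12, which retried the C2 name three times, as the host to isolate.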