A Prequel to Ransomware

The term ransomware often conjures up images of a locked computer screen with a demand note asking for several Bitcoins if the individual or organization ever wants to see their data again in unencrypted form.

And while that certainly is the case, that’s where the story ends. It’s like being the captain of the Titanic once it’s already hit the iceberg. There’s no way you’re going to cross the Atlantic, so you’re better off trying to save as many lives as you can.

However, ransomware operators have evolved into far more than simply encrypting files in an attempt to extort organizations. Ransomware gangs are spending increasingly lengthy times within victims’ environments doing research and analysis to understand what files are worth stealing or encrypting.

Ransomware as a service (RaaS) has increased in popularity too, allowing any criminal access to the latest tools and services to hit out at unsuspecting organizations. Often this includes exfiltrating data from victim organizations prior to encrypting with ransomware. This exfiltration of data is in many ways a far bigger issue than the ransomware itself, due to regulatory obligations to report such incidents under GDPR and so forth.

Putting aside ransomware, once a criminal has an organization’s data, it can extort money through many ways. The stolen data can be auctioned off, or be used to threaten employees, partners or even customers. They may threaten to leak the data if payment isn’t made, or air dirty laundry, as we saw when criminals doubled ransom demands when they attacked entertainment Attorney Allen Grubman whose firm represents the likes of Lady Gaga, Madonna, Mariah Carey, U2, among others.

So, it becomes clear that while ransomware steals the headlines, it should be the lesser of organizations’ worries. The real questions should be, how do criminals get into the systems in the first place, and how can malicious activity be detected before it becomes a disaster?

It’s not possible to list all the ways criminals break into organizations, but looking at threat intel reports, data breach reports, and other publications, one can draw some pretty solid conclusions as to the most common ways organizations are breached.

Phishing emails / social engineering is by far the most common way criminals break into organizations. It’s not just for ransomware either. Last year, I looked through 100 threat intelligence reports published and phishing was the number one attack method used by a variety of organized crime gangs and state actors.

Exploiting unpatched public-facing systems is also a common attack avenue. Depending on the impacted systems, it can be easy pickings for criminals. Just last year we saw the NCSC, DHS and CISA release a joint statement which highlighted how criminals were actively exploiting a variety of publicly known vulnerabilities in VPNs and other remote working tools, for instance. When these agencies go so far as to release public warnings on these exploits, organizations better be sure they’re listening and taking action.

The third way is via exploiting weak credentials or lack of multi-factor authentication (MFA). According to Akamai, in 2020 credential stuffing attempts hit 193 billion. So, having strong credentials, maintaining privileged access management and implementing MFA is also critical for organizations.

While covering these three primary attack vectors is pretty much essential for most organizations, the other side of the discussion is how to know when criminals are already inside of your organization.

To this, there is no simple answer as it depends (as any consultant will tell you) on your organization’s environment. However, a layered approach is sensible and having the appropriate detection controls in place such as IDS, HIDS, NIDS, endpoint detection, the ability to detect large number of files suddenly changing, DLP, network traffic analysis, and even honeypots to lure attackers away from business-critical information.

Ultimately, it comes down to knowing your environment and looking out for things that appear out of the ordinary.

Finally, and perhaps the most important step to undertake before ransomware strikes, is to have an agreed upon communications policy. This means speaking to senior management ahead of time and having a plan in place in case the worst happens. Discuss whether you’d ever want to pay a ransom, or under what conditions it becomes acceptable to pay the ransom. How will your organization handle sensitive communications to customer, partners, regulators, and even law enforcement?

After all, the ability of your organization to prevent or respond to a ransomware incident is directly proportional to the work that took place prior to it occurring, so never underestimate or undervalue the importance of these conversations.

What’s Hot on Infosecurity Magazine?