Interview: Thinking Outside the Box to Combat Ransomware

Aare Reintam, NATO cyber defense exercise manager and current COO at CybExer Technologies
Aare Reintam, NATO cyber defense exercise manager and current COO at CybExer Technologies

Ransomware attacks have exploded since the start of COVID-19, and 2021 has seen a plethora of high-profile incidents, embedding the issue into the consciousness of the wider public. These include the Colonial Pipeline attacks in May, which knocked the largest fuel pipeline in the US offline for five days, leading to images of long queues for gas in parts of the country’s East Coast.

Understanding the evolving tactics being employed by ransomware attackers, and taking action to mitigate this growing danger, is critical to preventing damaging incidents occurring in the future. To discuss this topic in detail, Infosecurity recently caught up with ex-NATO cyber defense exercise manager and current COO at CybExer Technologies, Aare Reintam.

What do you believe have been the driving factors around the sharp rise in ransomware attacks in the first half of 2021?

Several successful extortion cases throughout the last couple of years are responsible for skyrocketing the ransomware industry.

Critical industries have always been a key target for hackers, and the $4.4m loss suffered by Colonial Pipeline in May tells us that this is not likely to change any time soon.

However, attacks in several other industries have served to bolster the profile of ransomware attacks by showing the potential gain for cyber-criminals in new areas — travel giant CWT paid a $4.5m ransom to cyber-criminals in 2020. In the same year, a University of California medical-research institution was also cornered into paying hackers over a million dollars. After a $6m payout to hackers, Travelex was forced into administration, which caused the firm to cut over a thousand jobs.

High-profile cases like these have whetted the appetites of cyber-criminals who know that companies are willing to dish out. Without them, there would be much less time invested into improving the sophistication of ransomware attack infrastructure.

Cyber-gang affiliate groups are also growing as the opportunity for middlemen to handle negotiation in return for part of the loot has grown. All this has contributed to the rise in attacks this year.

What is triple extortion ransomware, and why is this method so dangerous?

Triple extortion refers to ransomware attacks where a victims’ data is encrypted, exfiltrated and ransomed, but where, if the victim fails to negotiate or pay, they suffer a massive Distributed Denial of Service (DDoS) attack.

The reason why this is especially dangerous is that not only is your data leaked, but the additional DDoS attacks can have severe impacts on your operations, costing you money and potentially have long-lasting implications for your business or institution.

What trends are you seeing regarding the types of threat actors conducting ransomware attacks?

The number one trend we’re witnessing in terms of those conducting attacks is the rise of affiliate programs. These programs allow cyber gangs to scale up their operations quickly, and they mean the gangs themselves do not need to have immediate access to the resources and information to launch an attack. 

"The number one trend we're witnessing in terms of those who are conducting attacks is the rise of affiliate programs"

These affiliate programs act as a type of service provider that helps groups such as advanced persistent threats (typically a nation-state or state-sponsored group) conceal their identity. Along with monetary gain extracted through ransomware attacks, affiliate programs also help APTs extract information illegally.

How can organizations better support their workforce in being able to defend against ransomware attacks?

Providing the right training to IT and cybersecurity staff is more essential than ever. The ransomware threat has grown exponentially to the point that every organization should responsibly have a specific and detailed contingency plan in place.

Taking a merely theoretical approach to education is not enough; staff require interactive, hands-on training as much as possible. To respond well in a crisis, we need to utilize training hours to develop quick reaction times, cope well in real-life stress situations and create muscle memory to act without thinking.

Management training should also be prioritized to create a shared understanding between technical teams and management levels to prepare for cyber-attacks. Quick and adequate decisions may save a business.

What new technological solutions are we seeing emerge to protect organizations from ransomware attacks? How do you expect this area to evolve in the coming years?

There is no silver bullet or one dedicated solution. However, it’s best practice to carry out regular backups, raise awareness and update your security and operating systems to help future-proof your organization against attacks (or at the very least mitigate the impact).

New technological solutions such as cyber ranges have emerged as the leading source of sophisticated virtual-environment training methods for governments and large enterprises. They allow responders to practice their real-time response and work in a high-pressure credible environment with their team.

Crises management procedures that are designed to facilitate cooperation with government agencies are also significantly more effective. We really encourage businesses to work with computer emergency response teams (CERTs) and other government agencies in place that deal with cybersecurity incidents - they are more open and willing to think outside the box than one might think.

If you liked this article, be sure to check out this upcoming Online Summit session:

What’s Hot on Infosecurity Magazine?