Are Protection Payments the Future of Ransomware?

Written by

Ransomware is a multi-billion-dollar criminal industry that has been subject to significant business model innovation. The big idea of recent years has been ransomware-as-a-service (RaaS), in which cybercriminals act like legitimate vendors by renting out software and services.

Some gangs offer “helpdesks” to collect royalties, negotiate ransom demands, provide the victim with assistance in purchasing crypto and assist with decrypting the data. Others operate an affiliate model in which they deploy the software, collect the ransom from their victims and pay a percentage of the ransom back to the creator.

Yet despite the glossy SaaS exterior of the RaaS sector, the central premise of ransomware remains the same: criminals attack a victim before demanding money to hand back control of data and systems. We saw record-breaking ransom demands in 2021, with REvil demanding $70m to halt its attack on Kaseya. Even though the size of the bounties and the audacity of the demands are growing, the business model is relatively unaltered.

We expect this to change. In 2022, we could likely see the rise of a model that would be described as ransomware-as-a-subscription, in which companies pay a form of protection money in return for a guarantee that they will not be targeted or ransomware variants will not launch in their environments. This will radically shift the nature of ransomware and give criminals a regular income stream. Unfortunately, it could also leave organizations at risk of breaking the law. The US Government is currently working on laws that could ban ransomware payments or force companies to disclose them.

The advice around ransomware was always simple: don’t pay the criminals. The same guidance applies to ransomware-as-a-subscription. If organizations start to pay protection money to criminals, they’ll become emboldened to target more victims. That is why swift, firm action is needed to neutralize the threat of ransomware before it mutates into an even more aggressive and lucrative variant.

Check Your Privilege

To reduce the threats from extortion gangs, organizations must become resilient to ransomware. A useful starting point on this mission requires a shift in attitude which appreciates that every user is privileged. If an employee can read emails, open documents, browse the internet, click on links or plug in a USB device, they can cause a ransomware attack.

If that user has unmanaged local administrator rights on their workstation, they can install and execute any application, no matter where they obtained it. This means that when an attacker takes over that users’ workstation, they can do the same, quickly installing infectious or malicious tools to gain access to the organization’s data and network.

There is a problem when attackers can take down a big organization by targeting just one employee. Open-source intelligence is easy to find on social media. Credentials can be bought on the Dark Web. Using this information, it is easy to craft a phishing email that will trick at least one person into opening the defenses and letting ransomware penetrate the network. Many organizations will capitulate and agree to pay ransoms and potentially sign up to subscription-based protection rackets when this happens.

Reduce The Blast Radius

Unfortunately, traditional cybersecurity solutions have failed to stop ransomware gangs. Conventional signature-based antivirus programs are often unable to prevent and detect these attacks due to ransomware’s unique and quickly mutating variants. Traditional defenses like encrypting data do not deter criminals either.

To cut the risk of ransomware, organizations must ensure that a breach of one single system does not allow unfettered privileged access to an entire IT environment. Network segmentation, threat detection solutions and privileged access management (PAM) are three ways of preventing pivot building and lateral moves across the network.

At a minimum, all organizations should adopt the best practices and security approaches put forward by the Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC). This advice includes baseline recommendations like backing up critical data, patching systems, ensuring password hygiene and taking steps to prevent email macros from automatically executing. Other suggestions include adopting a least-privilege model and organizing cybersecurity education.

These ideas are a great start, but organizations need to go further to become resilient to ransomware gangs and try to prevent the rise of a subscription-based ransomware model.

Ransomware Resilience

Security is constantly evolving, so carrying out an occasional exercise to comply with regulations is insufficient. Instead, security should be approached as an ongoing, evolving program, with constant testing of security controls and incident response capabilities. Instead of just starting cybersecurity lessons, organizations should appoint a security ambassador in every team to help communicate security policies, detect threats and respond to incidents.

This 24/7 approach should be extended to all security aspects so that privileged accounts are audited regularly for signs of abuse. Automation can be a force multiplier in this endeavor, allowing tests to be carried out quickly and regularly without human involvement. The ultimate aim of regular testing and audits is to keep ransomware gangs out or at least detect them early before they deploy any malicious ransomware and make sure they cannot stay in the network. If adversaries can enjoy an extended dwell time, they have the luxury of being able to spend hours or even days extending their attack. If they manage to access a highly privileged account, it is game over. Yet, if anomalous behavior can be identified at the earliest stages of the attack and dwell time is kept at a minimum, it can be halted and damage limited.

As we see the rise of new business models for ransomware gangs, organizations must build resilience. If victims make themselves resistant to attack, criminals cannot profit. Ransomware gangs are persistent, innovative and playing a long-term game. Defenders must think and act in the same way. 

What’s hot on Infosecurity Magazine?