In 2019, over half of businesses were the victims of ransomware attacks with an average cost of $761,106. In 2020, attacks grew even worse with an estimated total price tag of $20 billion. Successful ransomware attacks are growing increasingly common despite the dozens of solutions that claim to provide 100% protection against ransomware. So, what’s going wrong?
Ransomware “Solutions” Aren’t Working
Most companies are aware of the threat of ransomware and have taken steps to protect against it. However, the number of successful attacks demonstrates that these approaches aren’t working. Most common anti-ransomware solutions fail because they don’t address the real problem.
Many organizations’ cybersecurity awareness training discusses the threat of ransomware and how to protect against it. They talk about the risks of phishing emails and why it’s important not to click on a link or open a suspicious attachment. They also push the benefits of antivirus. However, ransomware attacks are still occurring, and in fact, growing even more common. The reason is that most anti-ransomware training and strategies are not aligned with today’s real threat.
In 2020, the main ways in which organizations were infected by ransomware were not via email or other automated processes. Instead, it was by human actors manually targeting and penetrating organizations using software and tools such as the Remote Desktop Protocol (RDP) or Virtual Private Networks (VPNs) with credentials that were purchased on the dark web. In cases where the credentials didn’t work, the operators would fall back on brute force attacks. These aren’t “fire and forget” phishing emails designed to drop ransomware on a target system. They’re human-driven campaigns where an attacker gains access to an organization’s network, explores it, exfiltrates sensitive data, and runs ransomware exactly where and when they want to.
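The access pattern described above (purchased or guessed credentials used over RDP) leaves a recognizable trace in authentication logs: a burst of failed logons from one source followed by a success, or a successful remote logon from a network that has never been used for administration. The following added example (not Netragard’s code, and not tied to any SIEM product) shows detection logic for both patterns over constructed log lines. The pipe-separated log format, the five-failure threshold, the ten-minute window and the allowlisted admin network are all assumptions; the Windows event IDs 4625/4624 and logon type 10 (RemoteInteractive) are the real identifiers for failed logon, successful logon and RDP-style logons.

```python
"""Detect password guessing against RDP and remote logons from unknown sources.

Added example for the ransomware discussion above; not Netragard's code.
Log format, thresholds and the allowlist are assumptions; the log is constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress

# Constructed sample log, assumed format: timestamp|event_id|logon_type|source_ip|user
# 4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive (RDP).
SAMPLE_LOG = """\
2021-06-01T02:00:01|4625|10|203.0.113.7|administrator
2021-06-01T02:00:03|4625|10|203.0.113.7|admin
2021-06-01T02:00:05|4625|10|203.0.113.7|backup
2021-06-01T02:00:07|4625|10|203.0.113.7|jsmith
2021-06-01T02:00:09|4625|10|203.0.113.7|jsmith
2021-06-01T02:00:11|4624|10|203.0.113.7|jsmith
2021-06-01T09:15:00|4624|10|10.0.5.20|jsmith
2021-06-01T23:41:10|4624|10|198.51.100.44|svc_backup
2021-06-01T23:41:12|4625|10|203.0.113.9|root
"""

FAIL_THRESHOLD = 5                  # assumed: failures before we call it guessing
WINDOW = timedelta(minutes=10)      # assumed: sliding window for counting failures
# Assumed: networks from which interactive remote admin logons are expected.
KNOWN_ADMIN_NETS = [ipaddress.ip_network("10.0.5.0/24")]


def parse_line(line):
    """Split one log line into a dict with a parsed timestamp and integer fields."""
    ts, event_id, logon_type, src, user = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "event": int(event_id),
            "logon_type": int(logon_type), "src": src, "user": user}


def from_known_net(src):
    return any(ipaddress.ip_address(src) in net for net in KNOWN_ADMIN_NETS)


def detect(log_text):
    """Return a list of (alert_name, source_ip, user) tuples for the given log text."""
    recent_failures = defaultdict(deque)   # source ip -> failure timestamps inside WINDOW
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["logon_type"] != 10:
            continue                        # only remote interactive (RDP) logons matter here
        q = recent_failures[ev["src"]]
        while q and ev["ts"] - q[0] > WINDOW:
            q.popleft()                     # drop failures that fell out of the window
        if ev["event"] == 4625:
            q.append(ev["ts"])
            if len(q) == FAIL_THRESHOLD:    # fire once when the threshold is first crossed
                alerts.append(("brute_force_attempt", ev["src"], ev["user"]))
            continue
        if ev["event"] != 4624:
            continue
        if len(q) >= FAIL_THRESHOLD:
            # Success right after a burst of failures: guessed password, highest priority.
            alerts.append(("brute_force_success", ev["src"], ev["user"]))
        elif not from_known_net(ev["src"]):
            # Clean success from an unexpected network: consistent with purchased credentials.
            alerts.append(("rdp_logon_from_unknown_source", ev["src"], ev["user"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

In the sample, 203.0.113.7 trips the guessing rule on its fifth failure and again when the sixth attempt succeeds, the daytime logon from the allowlisted 10.0.5.0/24 network is silent, and the late-night success from 198.51.100.44 is flagged because it came from nowhere the organization administers from. In production the allowlist and thresholds belong in configuration, and the third alert is the one worth tuning carefully, since it is the only signal a credential bought on the dark web produces.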
Ransomware is malware, so anti-malware solutions, aka endpoint protection solutions, seem like the perfect protection against ransomware. In theory, installing and frequently running an up-to-date endpoint protection solution should fix the problem, but does it?
While endpoint solutions can defeat most known variants of malware, they can be evaded with relative ease. To effectively detect malware these solutions must have intelligence about the malware in advance of a real-world encounter. When a new, never-before-seen variant of malware surfaces (zero-day malware), the effectiveness of these solutions is marginal at best. Complicating things further is that the attackers often test their malware against endpoint security solutions in advance of deployment to ensure that it remains fully undetectable.
What’s more problematic is that it takes organizations an average of 280 days to detect a data breach, while it takes attackers less than 30 minutes to establish what amounts to an irrevocable foothold. This means that the attackers can explore victim networks for an extended period of time, steal credentials, deploy additional malware, and more. Given this fact, breached organizations cannot realistically guarantee the security or safety of their networks without a complete overhaul.
Backups can be an invaluable tool for recovering from a ransomware attack. The traditional ransomware model is based on denying access to data. Assuming that your backup is very recent and wasn’t encrypted as well, then it can be cheaper and easier to restore from it than to pay the ransom.
The problem is that ransomware gangs know this too and have adapted their tactics. In recent years, ransomware gangs have begun performing “double extortion” attacks, which involve data theft on top of the data encryption. If the victim refuses to pay the ransom, then their data is posted publicly or sold to the highest bidder.
These types of attacks mean that relying on backups is not an effective strategy. Regulators don’t care that you’ve restored your data if the exposed data is protected by law. On the bright side, if you don’t have backups, double extortion attacks mean that you can restore your data by downloading a copy, just like everybody else!
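The two conditions the backup discussion above depends on, that the copy is recent and that it was not encrypted along with everything else, can both be checked mechanically before anyone decides whether to restore or pay. The following added example (not Netragard’s code and not any backup product’s API) records a hash manifest when the backup is taken and later compares the backup set against it, reporting modified, missing and unexpected files and whether the snapshot is older than an assumed 24-hour recovery point objective. The file names, the manifest format and the post-incident state are all constructed inside a temporary directory.

```python
"""Verify a backup set against a manifest recorded when the backup was taken.

Added example for the backup discussion above; not Netragard's code or any
backup product's API. Manifest format, file names and the 24-hour freshness
limit are assumptions; the sample files are constructed in a temp directory.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(hours=24)   # assumed recovery point objective


def sha256_of(path):
    """Stream a file through SHA-256 so large backup files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root):
    """Map every file under root (relative path) to its SHA-256 digest."""
    digests = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            digests[os.path.relpath(path, root)] = sha256_of(path)
    return digests


def build_manifest(root, taken_at):
    """Record what the backup contained and when; store this copy off the backup host."""
    return {"taken_at": taken_at.isoformat(), "files": hash_tree(root)}


def verify_backup(root, manifest, now):
    """Compare the current backup set with the manifest and report discrepancies."""
    present = hash_tree(root)
    expected = manifest["files"]
    taken_at = datetime.fromisoformat(manifest["taken_at"])
    return {
        "stale": now - taken_at > MAX_AGE,
        "modified": [p for p, d in expected.items() if p in present and present[p] != d],
        "missing": [p for p in expected if p not in present],
        "unexpected": sorted(set(present) - set(expected)),
    }


def demo():
    """Take a backup of two constructed files, then simulate a post-incident state and verify."""
    with tempfile.TemporaryDirectory() as root:
        for name, data in [("payroll.csv", b"id,amount\n1,100\n"), ("notes.txt", b"hello")]:
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        taken_at = datetime(2021, 6, 1, 0, 0, tzinfo=timezone.utc)
        # Serialize the manifest so it can live somewhere the backup host cannot overwrite.
        manifest_json = json.dumps(build_manifest(root, taken_at))

        # Constructed post-incident state: one file overwritten, one renamed, one file added.
        with open(os.path.join(root, "payroll.csv"), "wb") as f:
            f.write(b"\x00constructed garbage")
        os.rename(os.path.join(root, "notes.txt"), os.path.join(root, "notes.txt.locked"))
        with open(os.path.join(root, "README_RESTORE.txt"), "wb") as f:
            f.write(b"constructed placeholder note")

        return verify_backup(root, json.loads(manifest_json), taken_at + timedelta(hours=30))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A clean verification is an empty report with `stale` false; anything else means the copy is not the one you think it is. The manifest is only useful if it is stored where the same intrusion cannot reach it (offline or on write-once storage), which is also the property the backup itself needs.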
Paying the Ransom
Some companies take the approach of paying the ransom demand. In theory, this puts an end to the problem by allowing them to restore their data and making the cybercriminals go away. In reality, this approach does not always work. In some cases, ransomware gangs fail to hand over the decryption key when the ransom is paid. In others, the promised decryptor doesn’t work as well as advertised. This was the case in the recent Colonial Pipeline breach, where the company shelled out $4.4 million for a decryptor that was so slow that the company went back to restoring from backups.
Making the Colonial Pipeline breach even more interesting is that, for the first time ever, the FBI was able to recover most of the funds. To pay the ransom, Colonial needed to exchange ~$4.4 million into 63.7 Bitcoin (BTC) and then transfer the BTC to one of the DarkSide wallets. In a short time, the FBI was able to compromise the private key belonging to that specific wallet and recover all 63.7 BTC. This may sound like a victory, but between the time the ransom was paid and the time it was recovered the value of BTC declined sharply. As a result, the recovered 63.7 BTC were worth ~$2.3 million, a loss of $2.1 million. Moreover, it’s very likely that any data that was stolen will be published.
Paying a ransom also doesn’t mean that the cybercriminals will go away. In fact, it labels a company as a mark that’s willing to pay up. We’ve witnessed this firsthand. Just recently, a new customer engaged Netragard because they had been the victim of ransomware attacks three times by the same group over the span of 4 years. Our consulting team helped them to drastically improve their overall security posture and to try to prevent a fourth incident.
These breaches never go without at least some public notice, even if a victim pays up. Attackers often advertise their victims on the dark web, which entices other attackers to either buy access to their networks or to attack them as “soft” targets. Two screenshots of such sites are provided below just as an example.
The Modern Ransomware Campaign
Cybercrime has become a business, and that business is maturing. A major part of this increased maturity is the emergence of role specialization on a macro scale. Not all cybercriminals are wunderkinds who can do everything. Instead, cybercrime groups are specializing and forming their own “as a Service” economy.
The modern ransomware threat landscape is a perfect example of this. Today’s ransomware campaigns are broken up into two main stages: gaining access and achieving objectives.
Increasingly, groups like DarkSide, the group behind the recent Colonial Pipeline hack, are offering “Ransomware as a Service”. They create the ransomware, and other teams (specialized in gaining access to corporate networks) deliver it. Alternatively, a cybercrime group will gain a foothold in an enterprise network and sell it to someone else to use. This is likely what happened in the Equifax hack and is a common part of ransomware operations today.
This evolution of the ransomware campaign creates significant challenges for enterprise cybersecurity. A defense strategy built around antivirus and “don’t click on the link” training won’t deter a professional, well-researched attack campaign. Having a strong lock on the front door doesn’t help much if they come in through the back window.
Managing the Threat of Ransomware
If traditional approaches to ransomware prevention are not effective, then what is?
Modern ransomware attacks are human driven. Sophisticated cybercriminals can gain entry to a network in a variety of ways, including many that a vulnerability scanner, an industry-standard penetration test, or an anti-phishing solution will never catch.
Preventing these types of breaches requires forward-thinking intelligence about how today’s threat is most likely to align with an organization’s existing points of risk and exposure. The most effective way to gather this intelligence is to experience a real-world attack at the hands of a qualified team that you trust and control. This is where Realistic Threat Penetration Testing comes into play. Realistic Threat Penetration Tests are not provided by most penetration testing firms and are notably different from Red Team engagements. Some of the key characteristics include, but are not limited to:
- The ability to match or exceed the level of threat being produced by today’s bad actors.
- Utilizing human experience & expertise with little to no dependency on tools like automated vulnerability scanners or commercial off-the-shelf testing tools. Ideally the team should be comprised of professionals with demonstrable expertise in performing vulnerability research and zero-day exploit development.
- The use of custom-built pseudo-malware to simulate ransomware or other malware. Pseudo-malware should deliver the same or better capabilities than what the real-world threat actors are using and must be fully undetectable (covert). The primary difference between malware and pseudo-malware is that pseudo-malware is built with safety in mind which includes automated clean removal capabilities at a pre-defined expiration date.
- Leveraging experts who understand the inner workings of various security technologies (for example EDRs, application whitelisting, antivirus, etc.) to help ensure successful subversion and/or evasion.
- The ability to develop new exploits on-the-fly with minimal risk and minimal detection.
- The ability to erect a doppelganger infrastructure, including SSL certificates and services, to help facilitate advanced phishing.
- And more…
The product of a Realistic Threat Penetration Test is a technically detailed report that contains the intelligence required to defend against bad actors. This intelligence generally includes information about what vulnerabilities exist, areas where lateral and/or horizontal movement are possible, misconfigurations, gaps in detection capabilities, suggestions for hardening and defending, and more. Of course, the report is the starting point for building a plan and a roadmap to remediate the weaknesses and make the job harder, if not impossible, for the bad actors!