The level of espionage, stealth and tech jargon associated with cybercrime can easily lead one to believe that “it only happens in the movies”. That couldn’t be further from the truth. In 2021 the global spotlight is firmly on cyber-criminals or, more specifically, “ransomware gangs”.
Ransomware is a continually evolving form of malware designed to encrypt files on a device, leaving those files and the systems that rely on them inaccessible. Malicious actors then demand a ransom in exchange for decryption. Ransomware gangs target businesses or individuals by holding their information hostage and threatening to leak data or authentication information if the ransom is not paid. In essence, it is a form of cyber blackmail that involves kidnapping data and demanding a ransom for its return.
The most popular approach involves using malware to get around a lax security posture, or tricking users into downloading malware by pretending to be a source they trust. This latter tactic is known as phishing. Another, less often mentioned, tactic is the watering hole attack. In this strategy an attacker guesses or observes which websites an organisation often uses and infects one or more of them with malware. Eventually, some member of the targeted group will become infected.
Over the years, criminals have figured out that victims are more likely to pay ransoms if they know of the cybergang beforehand. To ensure that their ability to restore encrypted files would never be questioned, the gangs made a name for themselves online, going as far as issuing press releases, which gained them mainstream notoriety. Today we have ransomware gangs all over the world that operate as groups of collaborating teams. These teams may not even know each other’s identities throughout the planning, execution and payment stages of a ransomware attack.
For example, Ransomware-as-a-Service, or RaaS, is a subscription model that lets affiliates use ransomware tools that have already been developed by others to carry out attacks. It also extends the gangs’ reach, and the decentralised nature of the attacks makes it difficult for the authorities to disrupt them successfully.
According to a survey conducted by one of DataGroupIT’s partners, Kaspersky, more than half of ransomware victims in 2021 paid up to regain access to their information. However, only a quarter of these firms regained full access. Furthermore, cybercrime might still seem like a predominantly Western issue, but this is not the reality of the situation. Ransomware attacks in South Africa, Kenya and Nigeria prove that this is a full-blown global issue that must be tackled with urgency.
Why are ransomware attacks suddenly so popular?
The amount companies have paid to hackers has grown by 300% according to Harvard Business Review. The sudden increase in remote work and more lax security protections at home gave ransomware gangs the perfect opportunity to breach sensitive data. In addition, ransomware attacks have become easier to execute, and payment methods are now much more friendly to cybercriminals thanks to the anonymized nature of cryptocurrency transfers. Businesses are also becoming increasingly dependent on digital infrastructure and more often than not feel compelled to pay ransoms in order to minimise potential loss and reputational damage. This however goes against what is widely promoted as the first step to fighting the ransomware attack wave, “don’t pay the ransom”.
Not paying ransoms is seen as an effective and systematic way of preventing money from circulating in the ransomware ecosystem, therefore reducing the incentive for ransomware gangs to attack. If strictly adhered to, this potentially stands to bear fruit in the long term. However, the primary concern remains not falling victim to a ransomware attack in the first place!
It’s important to note that as sophisticated as ransomware can be, hackers still take advantage of security weak spots to steal sensitive data or lock files. This means that an organisation’s security posture remains the point of departure. One of the biggest revelations from the wave of ransomware attacks is that some organisations that would be assumed to have robust security measures and practices in place were found to be shockingly lacking. A mainstream example of this was the ransomware attack on the largest fuel pipeline in the United States that was due to a “single compromised password”.
Lessons from the WannaCry attack
The greatest threat of ransomware is in its definition, “continually evolving”. If you ever have an informed conversation about ransomware attacks and the term “WannaCry” is not mentioned, you may be living in 2016. In May 2017, the WannaCry ransomware attack was a worldwide cyberattack which targeted computers running the Microsoft Windows operating system by encrypting data and demanding ransom payments in the Bitcoin cryptocurrency. WannaCry was not your typical case of ransomware. WannaCry is self-propagating, like a worm, which allows it to spread through networks. Additionally, instead of just using social engineering such as Phishing, it also exploits software vulnerabilities.
Much of WannaCry’s spread was through organisations that had not applied the patches provided by Microsoft to close the vulnerability in the Windows operating system, or that were running older Windows systems past their end-of-life. These patches were imperative to an organisation’s cybersecurity, but many were not applied for various reasons, an oversight that had costly implications.
Maintaining your security posture
Another emerging area of attack for ransomware gangs is mobile devices. Mobile devices have become an important part of our lives and naturally we store a large amount of both organisational and personal information on them. Hackers have been taking advantage of these mobile devices and their features, such as relaxed permissions, to spread malware. As a result, the majority of mobile ransomware variants now have the ability to cover every browser window or app with a ransom note, rendering the device unusable.
The mobile security of work devices should be taken as seriously as the security of a server or any other organisational asset, as mobile devices can be used to penetrate your perimeter. As mentioned, maintaining a strict security posture is the best starting point, but what allows us to bring it all together if a ransomware attack does occur is the fact that all ransomware has the same end goal. The majority of ransomware attacks have the following lifecycle:
- Distribution – e.g. phishing, watering hole attacks etc. This is a campaign to find a loophole into your network, for instance through a lax security policy amongst users.
- Infection – The ransomware begins to establish persistence on your system.
- Scanning – The ransomware begins to scan your system for sensitive data.
- Encryption – The ransomware encrypts data, which shows up on the system as a large number of files being created and deleted.
- Payment – The ransomware launches a web browser page informing you that you have lost access to your data and demanding a ransom payment.
The stages mentioned above all vary in the time that each one takes. This offers a window, albeit a short one, for steps to be taken to either stop or mitigate the potential damage from the ransomware. The right systems are required to prevent, detect and counteract the effects of ransomware.
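The detection window described above can be turned into a concrete check. The following Python example is added here for illustration and is not DataGroupIT’s or any vendor’s code: it watches a stream of file-system events and raises an alert when a single process creates, deletes or renames many files within a short window, which is what the Encryption stage looks like on disk. The event line format, the process names, the paths, the window of 30 seconds and the threshold of 25 operations are all assumptions made for this example, and the events themselves are constructed rather than real telemetry.

```python
"""Spot the Encryption stage of the ransomware lifecycle from file-system events.

A process that creates and deletes many files inside a short window is reported
together with the window, so a responder can act before the Payment stage.
All inputs are constructed sample events (not real telemetry); the window and
threshold values are assumptions for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed tuning values: how many create/delete/rename operations by one
# process within WINDOW are needed before an alert is raised.
WINDOW = timedelta(seconds=30)
THRESHOLD = 25
BULK_OPS = {"CREATE", "DELETE", "RENAME"}


def parse_event(line):
    """Parse 'ISO-timestamp process operation path' (an assumed log format)."""
    ts, proc, op, path = line.split(maxsplit=3)
    return {"ts": datetime.fromisoformat(ts), "proc": proc, "op": op, "path": path}


def detect_bulk_file_ops(events, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per process whose create/delete/rename count within
    `window` reaches `threshold`. Events must be in time order."""
    recent = defaultdict(deque)  # process -> timestamps of its recent bulk ops
    alerted = set()
    alerts = []
    for ev in events:
        if ev["op"] not in BULK_OPS:
            continue
        q = recent[ev["proc"]]
        q.append(ev["ts"])
        # Discard operations that have fallen out of the sliding window.
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ev["proc"] not in alerted:
            alerted.add(ev["proc"])
            alerts.append({"proc": ev["proc"], "first": q[0],
                           "last": ev["ts"], "count": len(q)})
    return alerts


def build_sample_events():
    """Construct sample events: normal user activity, then one process that
    'encrypts' 40 documents by writing a .locked copy and deleting the original,
    and finally drops a ransom note (the Payment stage)."""
    t0 = datetime(2021, 6, 1, 9, 0, 0)
    lines = [
        f"{t0.isoformat()} winword.exe WRITE C:\\Users\\alice\\Documents\\q2.docx",
        f"{(t0 + timedelta(seconds=5)).isoformat()} explorer.exe DELETE C:\\Users\\alice\\Downloads\\old.tmp",
        f"{(t0 + timedelta(minutes=10)).isoformat()} explorer.exe CREATE C:\\Users\\alice\\Downloads\\report.pdf",
    ]
    t1 = t0 + timedelta(minutes=30)
    for i in range(40):
        ts = (t1 + timedelta(milliseconds=500 * i)).isoformat()
        doc = f"C:\\Users\\alice\\Documents\\file{i}.docx"
        lines.append(f"{ts} updater.exe CREATE {doc}.locked")
        lines.append(f"{ts} updater.exe DELETE {doc}")
    note_ts = (t1 + timedelta(seconds=21)).isoformat()
    lines.append(f"{note_ts} updater.exe CREATE C:\\Users\\alice\\Documents\\README_DECRYPT.txt")
    return lines


def run_detector():
    """Parse the constructed events and return the alerts the detector raises."""
    events = [parse_event(line) for line in build_sample_events()]
    return detect_bulk_file_ops(events)


if __name__ == "__main__":
    for a in run_detector():
        print(f"ALERT {a['proc']}: {a['count']} create/delete/rename ops "
              f"between {a['first']} and {a['last']}")
```

On the constructed input the alert fires about six seconds into the burst, long before the fortieth document and the ransom note, which is the point of the short window the text describes. The normal activity from winword.exe and explorer.exe never crosses the threshold. In practice the threshold and window would be tuned against a baseline of legitimate bulk operations (backup agents, build jobs, installers) to keep false positives low.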
Ultimately, if you wish to maintain a robust security posture, your enterprise requires an end-to-end attitude towards security that covers Data Security, Network Security, Application Security, User Security, Cloud Security and Mobile Security. This is one of the best ways you can safeguard your most valuable data against the threat of ransomware.
DataGroupIT provides Africa’s leading organisations with cybersecurity and infrastructure solutions required to secure, operate and manage enterprise environments. Our offering includes hardware and software solutions, combining on-premise, Cloud and Hybrid architecture.
Contact us today to find out more.