As a growing concern, ransomware continues to evolve in complexity, finding new ways to damage individuals, reputations and the bottom line. It remains a top priority for IT and security leaders, with all organisations and sectors vulnerable to a wide range of ransomware cyber attacks.
In this, the first of two blogs, Adam Thompson, our GRC Consultancy Lead at Advania, explains what a ransomware attack is today and what sort of threats you need to protect your organisation from as this persistent form of cybercrime evolves.
What is a ransomware attack?
Ransomware is a type of malware (malicious software) that blocks access to an organisation’s data and/or devices, typically by encrypting the files, and demands a payment to restore access to those assets. The threat actor then demands a ransom in exchange for a decryption key, which in theory unlocks access to the information and systems once the extortion payment has been received.
If the payment is not made, the attacker may escalate to ‘double extortion’: refusing to decrypt the information or systems, threatening to publish the stolen information on the open web, selling the compromised data, or further expanding their foothold in the victim’s IT infrastructure.
Ransomware is used to harm organisations in various ways, including:
• causing a device to become locked or unusable;
• stealing, deleting, or encrypting data;
• taking control of devices to attack other organisations;
• obtaining credentials that allow access to organisations’ systems or services;
• ‘mining’ cryptocurrency;
• using paid services that cost the target money.
Victims of ransomware attacks will typically be instructed to make contact with the attacker anonymously; for example, by sending information to an anonymous email address or website to make a payment. These payments are usually demanded in a cryptocurrency such as Bitcoin, since it’s difficult to trace this kind of transaction.
In recent times, we’ve seen a huge increase in ransomware being used as a lucrative illegal business model. There are two major factors that have driven this.
1. Reducing access to systems and data has a debilitating impact on an organisation. This increases the chances of an attacker receiving a payment.
2. Attackers have traditionally faced relatively few consequences from international law enforcement. Identifying attackers by tracing cryptocurrency transactions takes serious effort and sophistication, and is more often undertaken by private-sector cyber security institutions.
The evolving ransomware cyber attack landscape
Techniques used in ransomware attacks in 2022 have evolved considerably from the high-profile attacks, such as WannaCry and NotPetya, that organisations experienced in 2017. Attacks are now increasingly human-operated, with individuals making decisions at every stage of the attack based on what they find in the target’s network. However, the impact of ransomware on businesses and organisations remains the same: it disrupts their critical operations and potentially damages their reputation.
One key difference in how ransomware attackers operate today is the focus of the attack. Information and cyber security systems are typically developed around the CIA triad: confidentiality, integrity and availability. In the past, attackers such as the Conti cybercrime group typically targeted ‘availability’, locking access to data. Conti’s inner workings were exposed in a worldwide leak in March this year. Discoveries like this have helped in analysing threats, with Conti’s entire operations deconstructed by investigative cyber security experts.
However, as organisations have invested in their defences to make backups and system redundancy more sophisticated, attackers haven’t had the same opportunities to stage these types of attack. As a result, the trend has moved to attackers compromising ‘confidentiality’ instead. It’s becoming more common to see attackers threaten to post stolen information online as part of their threat.
With this type of attack, organisations can’t simply ignore the ransom demand and restore their systems from backups. More time and resources need to be spent investigating the root cause and ‘blast radius’ of the attack, in order to verify what sensitive data could be exposed to the world. Where personal data is compromised, this also creates significant risks for the individuals to whom the data relates, on top of the reputational damage to the organisation.
Recent years have also seen the range and robustness of regulatory compliance increase for organisations managing sensitive data (financial, personal or intellectual property). Organisations that suffer breaches of personal data face the possibility of being hit with sizeable financial penalties by data protection authorities such as the Information Commissioner’s Office in the UK.
Globally, there have been huge efforts to crack down on sophisticated threat actors, from organised cybercrime groups and state-sponsored attackers to lower-level attackers who use existing computer scripts or programs to compromise systems. Despite all of this, the impact of ransomware on businesses and organisations remains a pervasive threat in 2022.
If you become a victim of a ransomware cyber attack, should you pay the ransom?
So, what if the worst happens, and your organisation falls victim to a ransomware cyber attack? It may seem worth the financial loss to pay whatever it costs to get your data back. Should you?
International law enforcement agencies – along with cyber security specialists such as our teams at Advania – do not encourage, endorse or condone the payment of ransom demands. Doing so only encourages attackers to continue with their threats against other organisations, further legitimising the cybercrime gig economy.
There are many reasons why you shouldn’t cave in to the attacker’s demands. If you pay an attacker’s ransom, then:
• there is no guarantee that you will get access to your data;
• your computer will still be infected;
• you’re paying money to criminal groups;
• you’re more likely to be targeted in the future.
If you don’t pay, attackers will continue to make threats. You should counter this by making sure you have measures in place to minimise the impact of data loss, such as maintaining recent offline backups of your most important files and data.
Ransomware remains a serious cyber security threat with evolving tactics that organisations need to protect themselves against.