Enterprises must fight the vicious trifecta of ransomware to avoid calamity – Here’s how to do it

The Bottom Line: “Run somewhere” and wait for the disaster to strike is no longer an option — you must act now

According to the 2021 IBM X-Force Threat Intelligence Index, ransomware comprised 23% of all cyberattacks on businesses, making it the number one threat.

It’s not a surprise that governments around the world now consider ransomware a risk to national security. The defeatist argument of many enterprises to pay ransoms and bow to the whims of cyber crooks instead of doubling down on preventive measures is no longer an acceptable response.

CISOs and IT and business leaders must focus resources on strengthening defensive and resilience measures to avoid a disastrous breach. A successful defense requires balancing technology alongside people and processes. It is time to act—and act fast.

Democratization, crypto, and safe haven—the vicious trifecta accelerating the intensity of ransomware attacks

We are not talking about the virtuous HFS Triple-A Trifecta (automation, analytics, and artificial intelligence). We are dealing with a way more sinister model, as described in Exhibit 1.

Exhibit 1:The vicious circle of democratization, cryptocurrency, and safe haven drive the intensification of ransomware attacks

Source: HFS Research, 2021

Crime-as-a-Service (CaaS) is the best example of the alarming democratization of ransomware. Non-tech-savvy legionnaires can now subscribe to Ransomware-as-a-Service (RaaS) or Phishing-as-a-Service (PHaaS) offerings via the dark web, including 24/7 support and bundled offers, and start launching off-peak ransomware attacks. Developers usually pay the deployers of the ransomware a monthly salary or a percentage of the proceeds.

More than 90% of ransoms are paid in cryptocurrency. The anonymous nature of cryptocurrency makes it an obvious way for attackers to obtain and hide funds, and more and more threat actors are increasingly requesting payments in anonymity-enhanced cryptocurrencies (AECs). Cryptocurrency is turbocharging ransomware because payment is rapid and efficient.

Many countries provide safe havens to attackers for many strange reasons, but the most surprising one is actually to avoid being attacked by them. Ransomware perpetrators can run and expand their criminal organizations legitimately, without government interference, as long as they attack others.

Ransomware attacks are not only driven by money—they could represent the future of IoT-based cyberwarfare

Ransomware attacks do more than extort money from victims; they could also be effective cyberweapons for disrupting infrastructure and potentially harming people.

This kind of attacker has one obvious target: the “edge” gateways that connect IoT (internet of things) and IIoT (industrial internet of things) devices to the cyber-world. In June of this year, the Cybersecurity and Infrastructure Security Agency flagged the rising threat of ransomware to operational technology due to the increasing convergence between IT and OT networks and systems. According to a recent report from Zscaler, a cloud-based information security company, IoT attacks soared by 700% during the pandemic.

Bad actors, for example, could potentially take over connected medical devices. According to the Brookings Institute, the US averages 10 to 15 networked medical devices per hospital bed (bedside, wearable, or implanted devices). A ransomware attack could take over the command server for these devices and shut all of them down if a victim fails to deliver a criminal’s request.

We have not seen a high-profile case of patients being killed or seriously harmed, but it is probably just a matter of time.

Enterprises must tackle dual and simultaneous challenges: stop business disruption and prevent data exfiltration

Enterprises are responding more effectively to ransomware attacks. In 2021, software and hardware company Sophos conducted the 2021 State of Ransomware survey and found the percentage of attacks where criminals successfully encrypt a victim’s data are down from 73% in 2020 to 54% in 2021.

The deployment of dedicated technology seems to pay off, but continued effort is needed as attackers are now launching multiple and simultaneous attacks, with data encryption being one of many techniques. Attackers are packaging different techniques into their ransomware “products” to increase the possibility of payment.

Triple extortion ransomware, including data encryption, data exfiltration, and DDoS attacks, is becoming the new norm. This type of ransomware can be catastrophic; attackers can threaten to disrupt business operations and simultaneously disclose data publicly, leaving enterprises with no or minimal negotiation power.

Augment cybersecurity and IT teams with AI-powered capabilities—It’s the only way to stay ahead of attackers

Akamai, a long-established cybersecurity provider, recently reported its first “one billion malicious login attempts” in a day, clearly showing that the intensity of cyberattacks is exponentially growing. This worrying increase highlights the urgent need for enterprises to develop a more proactive and intelligent defense strategy to tackle ransomware attacks.

In addition to the significant increase in volume, the potential for damage is constantly growing for two key reasons: attackers are becoming more sophisticated and attacks more targeted.

“Pray-and-spray” ransomware attacks will not slow down, but they are making room for more targeted attempts. Meticulously orchestrated cyber-reconnaissance allows attackers to better understand the defense mechanisms of enterprises and consequently better plan attacks. They then leverage an arsenal of AI-powered offensive techniques to be more effective in their campaigns.

Enterprises cannot cope with such sophisticated attacks if they don’t also modernize their processes and adopt AI-powered offensive techniques. Lagging indicators of compromises must be supplemented by leading indicators to detect early warning signals of ransomware threats at the source. Autonomous response mechanisms can significantly help in increasing reaction speed and continuously modeling new threat hunting patterns.

Strengthen defensive and resilience measures, or face dire consequences

The US Department of the Treasury’s Office of Foreign Assets Control issued a memo in September 2021 to highlight the sanctions associated with ransomware payments. The recently introduced Ransom Disclosure Act would require ransomware victims to disclose information about any ransom payments no later than 48 hours after the date of payment. The US government is clearly discouraging all private organizations from paying any ransom payments and wants to track down all ransom payments to gain intelligence on cybercriminal operations. Many more countries will follow this trend.

Having reliable backup mechanisms to restore data quickly has always been the strategic solution for not having to pay a ransom. Attackers know that very well, and this is not enough anymore. Attackers are developing ingenious approaches that also target backups during their attacks to drastically increase their chances of obtaining payment.

Enterprises must develop a holistic ransomware response strategy, balancing technology alongside people and processes (see Exhibit 2).

Exhibit 2: A mix of preventive and reactive measures across people, processes, and technology must be considered to respond effectively to ransomware attacks

Source: HFS Research, 2021