Ransomware attacks are becoming more destructive—a review of the ransomware that hit the city of Atlanta is an example of its advancement. What’s more, the continued rise of cryptocurrencies is supporting the proliferation of attacks.
Already, ransomware has been massively disruptive. By the end of 2017, the global cost of ransomware attacks on organizations was estimated to reach $5 billion, up 400 percent from 2016, according to a report by Druva, a cloud data protection and management company. The WannaCry ransomware attack impacted more than 300,000 people across 150 countries in less than two days. In the NotPetya attack, perpetrators expanded their footprint by using stolen admin credentials to infect almost all accessible systems in the network, as is discussed in Aon’s Cyber Solutions 2018 Cybersecurity Predictions Report. Ransomware attacks are becoming more sophisticated, with each wave causing more disruption than the previous ones.
These global attacks, innovative for 2017, are the foundation upon which criminals will plan the next, more deleterious attacks. As such, in 2018 we at Stroz Friedberg expect ransomware will continue to evolve in scope and severity. We predict attacks will be more precise and strategic, targeting high-value data at organizations, with ransoms requested that are proportional to the value of the encrypted assets. We also believe attackers will go even broader, weaponizing other types of malware—such as botnets designed to cause distributed denial-of-service (DDoS) attacks or launch display ads on thousands of systems—to unleash huge outbreaks of ransomware. An increase in the use of ransomware to infect IoT devices is also expected. Already we’ve seen the Mirai botnet harness IoT devices to launch DDoS attacks, and we anticipate ransomware will infect smart thermostats and other smart devices in 2018. Meanwhile, the continued development of cryptocurrencies facilitates this growth by enabling hard-to-trace “cash-like” ransom and criminal-to-criminal payments.
Companies must act to protect themselves against these attacks. In the coming year, strong defenses and a resilient cybersecurity posture require proactive technical measures and ransomware-relevant business continuity planning. This goes further than the basic notion of simply having backups.
Here are some tips:
1. Go beyond basic backups:
Companies will need to utilize systems that can create snapshots in time, or maintain multiple versions of files created over the course of the day, to enable restoration to a specific moment. In the case of an attack, this effort minimizes productivity loss. Also, security professionals will need to routinely test their backups to ensure the data is restorable and to ascertain the time it takes to restore. This tells an organization the downtime it will need to withstand if a ransomware attack is realized.
2. Segment the network:
With the expected increase in ransomware attacks designed to spread laterally through a network, businesses in 2018 will urgently need to segment their networks to prevent an attacker from pivoting from one system to another.
3. Follow the principle of least privilege:
In 2018, more companies will recognize the need to implement the principle of least privilege—limiting file access rights to the bare minimum permissions that users need to perform their work. This effort reduces the number of files that could be encrypted in the event of a ransomware attack.
4. Reduce risk of initial attack vectors:
Ransomware attackers need access to your system to attack. They finagle this access through phishing schemes, unpatched systems, and employee password re-use. Organizations should endeavor to reduce the likelihood of ransomware attacks by maintaining strong vulnerability management programs, reducing their attack surface, and implementing other mitigation controls.
5. Conduct ransomware simulations:
Discovering ransomware is a jarring experience to say the least. It tests an organization’s emotional responses to crisis, escalation procedures, containment expertise, and communication skills, especially because the organization must interact with the attackers. Test your organization’s response to a ransomware attack to learn ways to improve your resilience. If you’re particularly courageous, do it stealthily with a red team.
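For tip 1, the restore test can be scripted. The sketch below is an added example, not part of the original article: it restores a snapshot into a scratch directory, times the restore against a recovery-time target, and checks every file against hashes recorded at backup time. `shutil.copytree` stands in for whatever restore command the backup product provides; the directory names, the `rto_seconds` value and the sample files are constructed for illustration.

```python
import hashlib
import shutil
import tempfile
import time
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """Record relative path -> SHA-256 of contents, as captured at backup time."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def restore_drill(snapshot: Path, manifest: dict, rto_seconds: float) -> dict:
    """Restore a snapshot into a scratch dir, time it, and verify every file."""
    with tempfile.TemporaryDirectory() as scratch:
        target = Path(scratch) / "restore"
        start = time.monotonic()
        shutil.copytree(snapshot, target)  # assumption: stand-in for the real restore command
        elapsed = time.monotonic() - start
        restored = build_manifest(target)
    missing = sorted(set(manifest) - set(restored))
    corrupted = sorted(k for k in manifest.keys() & restored.keys()
                       if manifest[k] != restored[k])
    return {"seconds": elapsed, "missing": missing, "corrupted": corrupted,
            "within_rto": elapsed <= rto_seconds,
            "restorable": not missing and not corrupted}


def demo() -> dict:
    """Constructed sample: a live tree, its snapshot, then silent snapshot damage."""
    with tempfile.TemporaryDirectory() as work:
        live, snap = Path(work) / "live", Path(work) / "snap"
        (live / "finance").mkdir(parents=True)
        (live / "finance" / "ledger.csv").write_text("id,amount\n1,100\n")
        (live / "readme.txt").write_text("constructed sample data\n")
        manifest = build_manifest(live)
        shutil.copytree(live, snap)
        good = restore_drill(snap, manifest, rto_seconds=60)
        (snap / "finance" / "ledger.csv").write_text("garbage")  # simulated corruption
        (snap / "readme.txt").unlink()                             # simulated lost file
        bad = restore_drill(snap, manifest, rto_seconds=60)
    return {"good": good, "bad": bad}


if __name__ == "__main__":
    print(demo())
```

A drill that only checks that the restore command exited cleanly would miss the second case; comparing against a manifest stored separately from the backup is what catches it.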
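For tip 3, the "number of files that could be encrypted" can be measured per account before and after permissions are tightened. The following is an added example, not from the original article; it assumes a POSIX file system and evaluates only the owner/group/other mode bits (ACLs and directory write permission are not considered), and the share layout and the outsider account are constructed.

```python
import os
import stat
import tempfile
from pathlib import Path


def can_write(st: os.stat_result, uid: int, gids: set) -> bool:
    """POSIX mode-bit check: owner class first, then group, then other."""
    if uid == st.st_uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def writable_files(root: Path, uid: int, gids: set) -> list:
    """Files under root an account could overwrite, i.e. its encryption exposure."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            st = p.lstat()
            if stat.S_ISREG(st.st_mode) and can_write(st, uid, gids):
                hits.append(p.relative_to(root).as_posix())
    return sorted(hits)


def demo() -> dict:
    """Constructed share: everything world-writable, then tightened to one drop folder."""
    with tempfile.TemporaryDirectory() as work:
        root = Path(work)
        for rel in ("finance/ledger.csv", "hr/reviews.txt", "dropbox/upload.txt"):
            f = root / rel
            f.parent.mkdir(parents=True)
            f.write_text("constructed sample\n")
            f.chmod(0o666)
        owner = root.lstat().st_uid
        outsider = (owner + 1, set())   # hypothetical account: not owner, no shared group
        before = writable_files(root, *outsider)
        for rel in ("finance/ledger.csv", "hr/reviews.txt"):
            (root / rel).chmod(0o640)   # least privilege: owner rw, group r, other none
        after = writable_files(root, *outsider)
    return {"before": before, "after": after}


if __name__ == "__main__":
    print(demo())
```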
Ransomware is evolving beyond a blunt type of cyber extortion. With targeted ransomware attacks, mission-critical data will be compromised and ransom demands will grow exponentially. Attacks are expanding beyond local machines to lock up whole swaths of networks. Botnets and IoT networks will be used to further balloon ransomware’s effects. On top of it all, the ransomware attacker’s endgame might not be to earn a ransom after all, but to use the leverage for other illicit purposes—for example, revenge, as could be the case with a disgruntled employee. In fact, in the NotPetya attack, the M.O. only looked like a case of ransomware, when really it was “destructionware,” malware masquerading as ransomware to destroy data, reportedly by a foreign nation state. Companies must be prepared for these increasingly sophisticated types of attacks—the steps above will help.