Ransomware is a form of malicious software that encrypts a victim’s files and requires that the data owner pays a ransom payment, usually via untraceable cryptocurrency, to decrypt them. In recent years, ransomware has evolved from a nuisance to a major security threat, causing significant financial losses and disruption for organizations of all sizes.
In just one attack in March 2021, it was reported that US insurance titan CNA Financial was forced to pay a staggering 40 million USD to a Russian ransomware conglomerate. In July 2020, US travel services company CWT Global was compelled to hand over 4.5 million USD to bad actors RAGNAR_LOCKER. In a very public breach, Colonial Pipeline was forced to pay the DarkSide gang 4.4 million USD to restore their billing systems – which were causing petrol stations to run low on fuel and many customers to hoard diesel and gasoline. The list goes on…
In this post, we will discuss the evolution of these attacks and how modern organizations can act to protect against ransomware. Investing in prevention is always better than paying for the cure.
The evolution of ransomware
Ransomware first emerged in the late 1990s, though it wasn’t until the early 2010s that it began to gain widespread attention. Early versions of ransomware were relatively unsophisticated, often relying on social engineering tactics to trick victims into installing the malware. As ransomware evolved, however, attackers began to adopt more sophisticated techniques, such as exploiting vulnerabilities in software, using malicious email attachments, and leveraging networks of infected computers to distribute the malware.
One of the most famous examples of the evolution of ransomware was the WannaCry attack in May 2017. This attack affected over 200,000 computers in 150+ countries, causing widespread disruption and financial losses. WannaCry spread like wildfire across the internet, exploiting a vulnerability in older versions of the Windows operating system. The attack was particularly devastating due to its use of a worm-like mechanism to spread the malware, infecting one computer, then using that computer to infect others by moving laterally across the same network. The WannaCry attack was a wake-up call for organizations around the world, highlighting the need for greater investment and a more comprehensive approach to cybersecurity.
Another example of the evolution of ransomware is the Ryuk attack, which first emerged in August 2019. Ryuk is a highly sophisticated and targeted ransomware attack that typically preys on large organizations and critical infrastructure. Ryuk is known for its stealthy and persistent behavior, plus its ability to evade detection and disable backups, thus making it difficult for organizations to recover from an attack without paying the ransom.
It is estimated that there were over 236 million ransomware attacks between January and June 2022, accounting for approximately 20% of all cybercrime last year, with Europe alone seeing a 63% ransomware increase [MIT].
Protecting against ransomware
Given ransomware’s evolving nature, it is essential that organizations take a comprehensive approach to protecting against it. Here are some key steps that security teams can take to protect against ransomware:
- Keep software and systems up to date: One of the most effective ways to protect against cryptoviral extortion is to keep software and systems up to date. This includes installing software patches and updates, as well as upgrading to the latest versions of operating systems and applications, reducing the risk of vulnerabilities being exploited by attackers. In addition, organizations should also regularly review their software and systems to ensure that they are not using any unsupported or outdated applications or operating systems, which may be more susceptible to attacks.
- Implement backup and disaster recovery plans: Another important step in protecting against ransomware is to implement backup and disaster recovery plans. This includes regularly backing up important data and systems, as well as having a plan in place to restore systems and data in the event of a ransomware attack. By doing so, organizations can reduce impact and minimize the need to pay a ransom. Common practice is to ensure that backups are stored off-site and are not connected to the network to reduce the risk of backups being encrypted by advanced malware. Teams will often practice the 3-2-1 system: an original file, an on-site copy of that file on a different medium, and an offsite copy of the file.
- Implement lateral movement protection: Lateral movement protection is a security technique that is designed to prevent cyber attackers from moving from one part of a network to another. This is particularly important for protecting against ransomware, as many ransomware attacks involve lateral movement, where the attacker moves from one part of the network to another to gain access to sensitive data and systems. By doing so, organizations can reduce the risk of ransomware attacks and minimize the impact of a successful attack. This can be achieved through granular network segmentation, firewalls, and access control mechanisms, which help to limit the movement of attackers within the network.
- Adopt microsegmentation: Microsegmentation is a security technique that involves dividing a network into smaller, isolated security zones. This helps to limit the scope of potential security incidents, including ransomware attacks. By adopting microsegmentation, organizations can reduce the risk of lateral movement, where the attacker moves from one part of the network to another, and limit the impact of a successful attack. Microsegmentation can be achieved through virtualization, network security appliances, and software-defined networking (SDN) technologies.
- Train employees: A further key step in protecting against ransomware is to train employees. Our colleagues are often the first line of defense against ransomware attacks, and it is important that they are aware of the risks and how to identify and report potential attacks. This includes training on safe email and internet practices, helping them to understand the dangers of phishing attacks, and regular security awareness training to keep employees updated on the latest threats.
Ransomware has evolved into a major security threat, causing significant financial losses and disruption for organizations of all sizes. However, by taking a comprehensive approach to security and following the steps outlined in this blog post, organizations can reduce the risk of ransomware attacks and minimize the impact of a successful attack. This includes keeping software and systems up to date, implementing backup and disaster recovery plans, ensuring lateral movement protection, adopting microsegmentation, and training employees.
By prioritizing cybersecurity and adopting a proactive approach, organizations can stay ahead of ransomware threats and protect their sensitive data and systems.