Anti-Ransomware Day falls on the anniversary of the notorious 2017 WannaCry attack. The largest ransomware epidemic in history, the attack infected over 300,000 computers across 150 countries, costing the global economy around $4 billion.
Yet, after six years, an ongoing spate of ransomware continues to wreak havoc on businesses both big and small.
“Thankfully, since the end of 2017 (which was also the year of NotPetya) we have not endured an attack on a similar scale,” explains Christopher Rogers, Technology Evangelist at Zerto. “However, ransomware is far from a waning threat; in fact, it’s only just entering its ‘golden age’.”
Indeed, recent research has shown that last year 61% of disaster recovery responses were triggered by ransomware, and that it took businesses an average of 21 days to recover.
Ransomware, a case of not if but when
“In 2023, the threat of ransomware is not an ‘if’, it’s a ‘when’,” Rogers adds. “By taking advantage of the right technology and embracing resilience, organisations can ensure that when an attack occurs the damage and downtime are a fraction of what they could be.”
“Anti-Ransomware Day is a stark reminder of the damage that cybercriminals can inflict on an organisation,” agrees Node4’s Practice Director, Andy Bates. “The average downtime following a ransomware attack is 22 days, during which the organisation incurs huge reputational and financial damage. Whilst ransomware is certainly not a new threat to organisations, such attacks have grown in frequency and severity in recent years.
March 2023 – the largest number of attacks since records began
“In fact, March 2023 was the most prolific month for ransomware attacks ever recorded by cybersecurity analysts since records began in 1989, with 459 attacks taking place in 31 days. It is no longer enough to simply react to an attack once it has happened. A proactive approach to cybersecurity is essential to prevent attacks from occurring in the first place.”
A change in tactics
Ransomware in 2023 is an interesting, fast-evolving, and now almost refined world, explains Andy Swift, Cyber Security Assurance Technical Director of Six Degrees. “The days of smash-and-grab mass encryption events, which proved to be quite disruptive back in the day, are long gone. Instead, the techniques we are seeing attackers employ today are far more advanced; almost patient in nature.
“To put it bluntly, the world has got better at defending and recovering – the impact of mass encryption is just not what it once was. To combat this, attackers have had to evolve and change what they are actually ransoming. The old ‘We have locked all your systems. Pay us to unlock them.’ just doesn’t work on a large scale anymore. Today it’s all about the quality of the data. In 2022 we even saw groups not using payloads at all, rather relying solely on data extortion.”
Remote working has added another layer of complexity. Connectivity requirements for frontline and field professionals have boomed in recent years, with workers across public transportation, trucks, near-shore vessels and retail environments all demanding access to increasingly advanced applications. However, this can leave staff relying on their personal devices and unsecured public Wi-Fi networks.
“With an estimated 43% of people having had their online security compromised while using public Wi-Fi, the opportunities for threat actors to place ransomware or malware through these unsecured networks will put companies’ (and their customers’) data at risk,” explains Hubert Da Costa, CRO at Celerway.
He recommends building remote-access networks on a Zero Trust foundation: “Remote working scenarios must have a network that is designed with a Zero Trust approach as a foundation to their network security or risk a potentially crippling hit to their finances or reputation.”
Cause and effect – Attackers don’t break in, they log in
While understanding the primary cause of ransomware is a vital first step, there can be big misconceptions – even for seasoned security professionals. Jasson Casey, Chief Technology Officer of Beyond Identity explains: “Attackers don’t break in, they log in.”
Passwords have long been a primary target for threat actors and represent the weakest link in an organisation’s security chain, with Casey contending that the techniques threat actors use have evolved since WannaCry.
Indeed, the Verizon 2022 Data Breach Investigations Report found that a significant majority of ransomware breaches result from stolen credentials, whose use has risen almost 30% since 2017, cementing it as one of the most tried-and-true access methods of the past four years.
“Despite this, organisations continue to use prehistoric security infrastructure, practically laying a welcome mat out for attackers,” Casey adds. “Antiquated authentication methods – be it passwords or traditional MFA – continue to put organisations at risk. No matter how many letters or variations a password has, and whatever one-time passwords or push notifications it is ‘supported’ with, they will never be secure.”
Laurie Mercer, Director of Security Engineering at HackerOne adds that unpatched vulnerabilities are one of the single most common access methods. “This is unsurprising when you consider that cybercriminals have CVE databases at their fingertips. Beyond known CVEs, organisations’ unknown assets have the potential to pose an even greater risk.”
In fact, research shows that one-third of organisations say they observe less than 75% of their attack surface.
“Where the unknown is so vast, it is no shock that ransomware is on the rise,” Mercer adds. “Organisations should continuously evaluate and improve their security practices, keeping up with the latest threat intelligence, and investing in regular security assessments by skilled security professionals, testers and hackers.
“Businesses that allow ethical hackers to access their systems will ensure unknown entryways are effectively blocked. Ethical hackers are the best solution to match the ingenuity and inventiveness of cybercriminals, who have a multitude of resources and manpower to find vulnerabilities in your unknown assets.”
Unlocking opportunity with EDR exploitation
Randeep Gill, Principal Cybersecurity Strategy at Exabeam, adds that endpoint detection and response (EDR) solutions are themselves susceptible to exploitation. “If an adversary were to take advantage of an EDR tool, they would have access to a variety of an organisation’s telemetry, including user and identity authentication, access to files, system variables and key business applications. All of which increases the scope through which ransomware can be deployed.
“On Anti-Ransomware Day, I wanted to remind enterprises to go beyond just EDR solutions to improve security posture and mitigate the risk of a ransomware attack. Security teams need complete and holistic visibility across any environment — which includes, but is not limited to, endpoint logs. In order to paint a full picture, CISOs and their security teams must be able to monitor user and device behaviour across the whole network to distinguish between normal and anomalous behaviour.”
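As an added illustration of the behavioural baselining Gill describes (example code written for this page, not Exabeam’s product or any code from the original article), the script below builds a per-user profile from constructed authentication and file-access telemetry, then flags later events that deviate from it: a login from a device or network the user has never used, activity outside their normal working window, or a burst of file reads far above their historical maximum. The log format, field names and thresholds are assumptions chosen for the demo, and every log line is constructed.

```python
"""Added example: per-user behavioural baselining over network-wide telemetry.

Log format (constructed for this demo, not a real product's schema):
    <ISO timestamp> <user> <host> <source IP> <action> <count>
where action is "login" (count is always 1) or "file_read" (count = files touched).
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
import ipaddress


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    host: str
    src_ip: str
    action: str
    count: int


@dataclass
class Profile:
    """What 'normal' looks like for one user, learned from the baseline window."""
    hosts: set = field(default_factory=set)     # devices the user has logged in from
    subnets: set = field(default_factory=set)   # /24 source networks seen
    hours: set = field(default_factory=set)     # hours of day with any activity
    max_files: int = 0                          # largest single file_read burst seen


# Constructed baseline telemetry: two users during a normal working week.
BASELINE_LOG = """
2023-04-03T08:55:12 alice WS-ALICE 10.1.4.23 login 1
2023-04-03T09:10:00 alice WS-ALICE 10.1.4.23 file_read 12
2023-04-03T13:02:44 alice WS-ALICE 10.1.4.23 file_read 8
2023-04-04T09:01:30 alice WS-ALICE 10.1.4.27 login 1
2023-04-04T16:45:10 alice WS-ALICE 10.1.4.27 file_read 15
2023-04-03T08:30:05 bob LT-BOB 10.1.7.101 login 1
2023-04-03T13:15:20 bob LT-BOB 10.1.7.101 file_read 30
2023-04-04T09:00:00 bob LT-BOB 10.1.7.101 login 1
2023-04-04T17:20:00 bob LT-BOB 10.1.7.101 file_read 22
"""

# Constructed events to evaluate: two benign, two that look like a stolen-credential
# login followed by bulk collection ahead of extortion.
NEW_LOG = """
2023-04-05T09:05:00 alice WS-ALICE 10.1.4.23 file_read 10
2023-04-05T02:17:41 alice SRV-FILE01 203.0.113.44 login 1
2023-04-05T02:20:03 alice SRV-FILE01 203.0.113.44 file_read 4200
2023-04-05T14:00:00 bob LT-BOB 10.1.7.101 file_read 25
"""


def parse(log: str) -> list:
    events = []
    for line in log.strip().splitlines():
        ts, user, host, ip, action, count = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, host, ip, action, int(count)))
    return events


def subnet(ip: str) -> ipaddress.IPv4Network:
    # Generalise an address to its /24 so DHCP churn inside one office is not "new".
    return ipaddress.ip_network(f"{ip}/24", strict=False)


def build_baseline(events) -> dict:
    profiles = defaultdict(Profile)
    for e in events:
        p = profiles[e.user]
        p.hosts.add(e.host)
        p.subnets.add(subnet(e.src_ip))
        p.hours.add(e.ts.hour)
        if e.action == "file_read":
            p.max_files = max(p.max_files, e.count)
    return dict(profiles)


def score(profiles: dict, e: Event, bulk_factor: int = 3) -> list:
    """Return the list of ways this event deviates from the user's profile (empty if none)."""
    p = profiles.get(e.user)
    if p is None:
        return ["unknown user"]
    reasons = []
    if e.host not in p.hosts:
        reasons.append("new device")
    if subnet(e.src_ip) not in p.subnets:
        reasons.append("new source network")
    # Working window = observed hours widened by one hour on each side (assumed tolerance).
    if not (min(p.hours) - 1 <= e.ts.hour <= max(p.hours) + 1):
        reasons.append("off-hours")
    if e.action == "file_read" and e.count > bulk_factor * p.max_files:
        reasons.append("bulk file access")
    return reasons


def detect(profiles: dict, events) -> list:
    """Return (event, reasons) for every event that deviates from its user's baseline."""
    return [(e, score(profiles, e)) for e in events if score(profiles, e)]


if __name__ == "__main__":
    profiles = build_baseline(parse(BASELINE_LOG))
    for e, reasons in detect(profiles, parse(NEW_LOG)):
        print(f"{e.ts.isoformat()} {e.user}@{e.host} from {e.src_ip}: {', '.join(reasons)}")
```

Run as-is, only the two 02:00 events from `203.0.113.44` are reported; the daytime file reads from known devices stay quiet because each check is relative to that user’s own history rather than a global threshold. Correlating several weak signals (new device, new network, off-hours, bulk reads) is what separates a compromised account from an analyst simply working late, which is the point of looking across identity, network and file telemetry together rather than at endpoint logs alone.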
To mark Anti-Ransomware Day, be sure to review your company’s cybersecurity plan and make meaningful changes; it’s only a matter of time before disaster strikes!