RANSOMWARE PROTECTION AT ITS FINEST
What is Ransomware?
Ransomware is a subset of malware which in most cases uses sophisticated evasion techniques to avoid detection and gain a foothold in the target device or network. It has multiple goals, which range from encrypting the victim’s data and demanding a large payment for its safe return, to stealing sensitive data and insisting on a ransom in order for the information to remain unpublished.
Often downloaded from a malicious link or website, ransomware is designed to spread rapidly; it works discreetly in the background and tries to avoid detection for as long as possible. During this time, files are copied and exfiltrated to the threat actor. The data is then encrypted and the threat actors demand a ransom to release the decryption key. They also threaten to publish the copied files if payment is not made. Unfortunately, paying the ransom does not guarantee a safe release of the encrypted files, prevent proprietary data from being released publicly, or stop future attacks.
The Expansion of Ransomware
Ransomware is a booming business for threat actors. In 2020 alone an estimated $350 million was made in ransom payments. The damages incurred by victims of ransomware attacks include not only data damage and loss, but also business downtime and stained reputations. “Global ransomware damage costs will reach $20 billion by 2021 – which is 57X more than it was in 2015.” Alongside an increase in attacks, in particular on the healthcare, government, and education sectors, the US government implemented new policy and laws. Ransomware is now recognized as a threat to national security, and victims of cybercrime are warned against paying attackers.
Why Are Attacks Getting Easier?
The attacks which are most difficult to prevent make use of evasive techniques. While in the past these evasive attacks were strictly associated with nation-state actors, today malware strains can be easily purchased on the dark web by anyone. A threat actor with even limited knowledge, given malicious intent, can launch a sophisticated ransomware attack.
One of the results of the global shift to remote working is an increase in unmanaged devices. These are especially vulnerable when they lack security solutions that adequately protect the remote connection and are used by a workforce that must nevertheless recognize the dangers of malicious links and websites. Remote working brings multiple dangers, chief among them potentially infected systems connecting remotely. On-premises endpoints are increasingly under threat as well, as insufficient ransomware protection has led to more targeted attacks from even stealthier malware, capable of bypassing perimeter security to reach the endpoint. Conti was able to hit more than 120 networks in its first two months because of its speed of encryption and advanced evasive capabilities.
Ransomware-as-a-Service (RaaS) is readily available for sale on the dark web as an executable kit. It is supplied with regular updates and simple-to-navigate interfaces, similar to any other IT product purchased online. The RaaS provider helps to set up and execute the attack, and even enables a communication channel with the victim: a true one-stop shop for malware. FickerStealer, for example, sold on hacking websites, is easily deployed to steal sensitive information and passwords, which are then sent back to the malware owner.
Targeted attacks are undertaken with an explicit motivation driving the attack, such as monetary gain, political aims, or data theft from a specific company or institution. These attacks are most often executed as a campaign to infiltrate the target over time, and not as isolated events. Sectors targeted include government agencies, political associations and specific businesses, such as banks. For example, an attacker targeting the SWIFT application of a bank will write a specific piece of malware code to run through the network and search only for SWIFT applications. Once found, the money will be redirected to the attacker instead.
Malware reused across more than one attack can still evade detection by most ransomware protection solutions, which only safeguard against known malware strains. Using a copy-and-paste strategy of starting with the same lines of code and then tweaking the code just a little, or adding additional lines of code, the ‘version 2.0’ malware can bypass security tools that rely on identifying the DNA of the malware, by being just different enough to fool virus checkers.
Small and medium-sized businesses (SMBs) are particularly vulnerable to ransomware: with limited budgets assigned to ransomware protection and remote user protection to secure their assets, they are often viewed as an easy target. Their sensitive data and private details are an attractive target for threat actors. In 2019, as many as two out of five SMBs fell victim to a ransomware attack.