The critical infrastructure systems we rely on to deliver water, electricity, fuel and other essential services are under siege. Increasingly, ransomware is becoming cyber criminals’ attack method of choice, for they understand that even short periods of downtime can cause far-reaching disruption and damage. This puts extreme pressure on victim organizations to pay up in order to decrypt data and restore operations quickly.
While industrial systems may be top-of-mind today, the threat of ransomware knows no boundaries, and no individual or industry is safe from its reach — especially in the age of cloud, mobile and highly distributed workforces.
U.S. Acting Deputy Attorney General John Carlin recently told the Wall Street Journal, “By any measure, 2020 was the worst year ever when it comes to ransomware and related extortion events.” During the height of the COVID-19 pandemic, for example, ransomware operators targeted hospitals and healthcare organizations with unrelenting attacks. Ransomware accounted for 54.95% of healthcare data breaches and cost the industry $20.8 billion in downtime last year alone.
But why is ransomware so pervasive, and how do these attacks continue to be so successful? To answer these questions, it’s important to understand how opportunistic and targeted ransomware attacks work.
What is an Opportunistic Ransomware Attack?
A whopping 86% of breaches are financially motivated, according to the 2020 Verizon Data Breach Investigations Report. Attackers know that ransomware is one of the quickest and easiest ways to turn a profit. And since do-it-yourself ransomware kits are plentiful on the dark web, the barrier to entry is low.
By distributing ransomware in bulk using common “spray and pray” tactics — such as phishing, social engineering and exploit kits — attackers can target many organizations and infect numerous desktops, laptops and servers in one fell swoop. Once deployed, the ransomware prevents users from interacting with their files, applications or systems until a ransom is paid, usually in the form of an untraceable currency like Bitcoin.
The 2017 WannaCry outbreak is perhaps the best example of an opportunistic ransomware attack. With the ability to self-replicate, this ransomware strain went viral, infecting more than 200,000 systems across 150 countries. The attack impacted organizations across many sectors, bringing business operations to a grinding halt. Britain’s National Health Service (NHS) was forced to close critical healthcare facilities, cancel surgeries and turn away patients for several days. Many organizations faced similar challenges.
Ransomware has become a preferred means of extortion for opportunistic attackers for two key reasons. First, many organizations fail to practice proper security hygiene when it comes to backup and recovery. Backups may be few and far between, meaning that once data on endpoints and servers is encrypted and held for ransom, organizations are forced to choose between losing important data forever or forking over Bitcoin to (hopefully) get their data back. Second, many organizations rely too heavily on traditional anti-virus solutions, which are often not effective in blocking ransomware. These signature-based solutions work by maintaining an inventory of known malware and blocking future executions of that malware. Because ransomware binaries morph slightly with each new version — and new versions are created by the minute — these solutions have little chance of preventing an infection.
What is a Targeted Ransomware Attack?
In recent years, more sophisticated attackers have shifted to targeted ransomware approaches in search of bigger payouts. In what is sometimes referred to as “big game hunting,” these attackers target very specific organizations based on their ability (or need) to pay large ransoms, using customized tactics, techniques and procedures (TTPs).
These attackers are very creative, often going to great lengths to understand a victim’s technology stack so they can identify and exploit vulnerabilities, while pinpointing the most valuable data to encrypt and hold for ransom. They’re also extremely patient, escalating privileges to circumvent security systems and evading detection for months — or longer — before deploying the ransomware payload. During this time, attackers often target data backups (if they exist) so the organization cannot restore files after they’ve been encrypted. And these attackers expect to be compensated for putting in the extra work. According to the 2021 Unit 42 Ransomware Threat Report, the highest ransomware demand from 2015 to 2019 was $15 million. In 2020, the highest demand doubled to $30 million.
A recent example of this long-tail, targeted approach is the Hades ransomware attacks. ZDNet reports that ransomware operators are targeting large multi-national organizations with annual revenues of over $1 billion and have successfully attacked at least three companies in the transportation, retail and manufacturing industries.
Based on Accenture researchers’ analysis of these Hades ransomware attacks, the threat actors followed a familiar attack path: steal valid credentials from a corporate identity and use those credentials to infiltrate the company via Remote Desktop Protocol (RDP) or Virtual Private Network (VPN). Once inside, the attackers escalated privileges and moved laterally to establish persistence on the network. From there, they exfiltrated data and then deployed the Hades ransomware to encrypt files and demand hefty ransoms, a one-two punch of double extortion.
The researchers noted, “We observed significant effort by the threat group to disable or bypass endpoint defenses, including Endpoint Detection and Response (EDR) tooling, using both custom tooling and hands on keys approaches.”
Perhaps the most troubling thing about targeted ransomware attacks is that an organization having been targeted once does not mean it won’t happen again. To maintain persistence on target networks, attackers often construct backdoors that allow them to re-enter at will. Most companies cannot withstand the business impact of one ransomware attack, let alone two.
Opportunistic or Targeted, the Initial Attack Vector Remains the Same
Whether opportunistic or targeted, ransomware attacks start on the endpoint. Inadequately protected desktops, laptops and servers are pervasive — and each one provides a potential entry point for attackers to steal and encrypt data.
By examining numerous ransomware attacks, one thing is abundantly clear: relying on a single endpoint security solution — endpoint detection and response, anti-virus or otherwise — is not enough to stop every threat. In fact, organizations are wise to adopt an assume-breach mindset to reduce the chances of ransomware encrypting files, even if it does enter their environments. And ultimately, a defense-in-depth approach is necessary, layering a variety of security controls to eliminate gaps, reduce exposure and strengthen overall security posture. When it comes to endpoint security, one plus one really does equal three.
Privileged Access Management is a critical, yet often overlooked, component of an effective endpoint security strategy. If a malicious attacker or insider gains access to a privileged credential, he or she will appear to be a trusted user. This makes it very difficult to detect risky activity.
In combination with endpoint detection and response, anti-virus/NGAV, application patching and OS patching, organizations can significantly reduce risk by managing and securing privileges on endpoint devices. And by implementing restriction models that only trust specified applications run by specific accounts under specific circumstances, organizations can detect ransomware quickly and with certainty. By taking this comprehensive approach to endpoint security, organizations can defend from every angle and block attacks before they cause harm — whether they’re “sprayed” in their general direction or headed straight toward them.
To dive deeper into ransomware attack trends and mitigation strategies, register for our June 1 webinar, “Ransomware Exposed: Key Learnings from Examining 3 Million Samples.”