Will Ransomware End?
Author: James McMurry, CEO and Founder at Milton Security
A short history of ransomware
Extortion has been around for as long as one person has had something another wanted: find something the other party values, hold it hostage, and wait for an acceptable trade. In a world of connected devices and data flowing constantly between endpoints, that thing of value is data.
While ransomware has been a hot media topic for the last five years or so, the concept dates back to the 1980s, when floppy disks were still the standard. Attackers mailed out floppy disks carrying a trojan that, once executed, locked the victim out of the machine and demanded that payment be sent to a PO Box. Today, threat actors find a way into a network, encrypt every piece of data they can reach, and add a second lever: they exfiltrate sensitive data first and threaten to publish it unless their demands are met.

Even if demands are met and the ransom is paid, the bad guys are still bad guys and frequently do not honour their promise to hand over a working key or delete the exfiltrated files. The reported numbers are stark: over 85% of organizations that are hit and pay still end up unable to fully decrypt their data, receive corrupt data, or see their data leaked on the dark web anyway.
Why is it exploding?
There are a few reasons ransomware has reached epidemic proportions. First, global connectivity means threat actors no longer need to be anywhere near their target. Second, cryptocurrency has made moving money across borders trivial. Finally, if organizations are paying top dollar and you remain hidden, why stop?
Data is our most valuable commodity and we will do just about anything to protect it. With nearly 40 billion connected devices, anyone with an internet connection can reach a network from anywhere. Whether that means visiting a web page, receiving an email, or logging in to a remote desktop, our connected nature lets us get things done around the globe, as long as we have access. But access is a fickle concept: a phishing email, a social-engineering phone call, or a list of the most common passwords sprayed against an exposed login portal may be all that stands between "access denied" and "access granted".
Cryptocurrency was touted as a deregulated financial system built on a blockchain, owned by the masses rather than by an institution. Chaining transactions together into a public, tamper-evident ledger is what makes the system trustworthy without a bank in the middle; what shields users from watchful eyes is not the ledger, which anyone can read, but the fact that wallets are pseudonymous addresses rather than named accounts.
While cryptocurrency in itself is not inherently good or bad, this semi-invisible form of payment gives attackers the advantage of getting paid quickly and makes tracing the funds that much harder, particularly once the proceeds are passed through mixing services or converted into privacy-focused coins. Harder is not impossible: because the ledger is public, blockchain analysis firms and law enforcement can follow payments from address to address, and ransom funds have been recovered by seizing the keys to the wallets holding them. Still, compared with sending money to a PO Box and waiting for someone to check it, a cryptocurrency transaction settles in minutes from anywhere in the world.
The largest publicly confirmed ransomware payment of 2021 was $11 million, paid by the US-based meat supplier JBS. The average ransomware payment also rose 82% over 2020, to roughly $570,000.
How can organizations mitigate ransomware attacks?
As long as organizations employ humans, some attacks will slip through the cracks. Training people to recognize phishing, suspicious websites, and social-engineering tactics helps, and so do sensible password policies, but that only goes so far. Security maturity comes from layering a handful of controls on top of that awareness: 2FA / MFA, fully patched systems, offline or immutable backups, active threat hunting, and a solid incident response plan. Together they can push ransomware risk down to the point where it is almost non-existent, but they take time, strategy, and budget.
Require 2FA / MFA
Two-factor or multi-factor authentication (2FA / MFA) is a must in any effort to mitigate ransomware. Even if an employee types their credentials into a fake login page, or an attacker walks in with a list of commonly used passwords, without the second factor the attacker holds only part of the solution. Could the attacker also get hold of the right token generator, or trick the user into approving a push prompt, for the account they are trying to masquerade as? Sure: phishing kits that proxy the real login page can relay one-time codes, and "push fatigue" attacks bombard a user with prompts until one is approved, which is why phishing-resistant factors such as FIDO2 / WebAuthn security keys are preferred for privileged accounts. Does MFA still make gaining access vastly more difficult? You bet it does. The control only works if it is enforced everywhere, so audit regularly for accounts that can still sign in with a password alone, including administrative, service, and break-glass accounts.
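The audit step above is the part most organizations skip. The following is an added example, not code from the article or from Milton Security: it reads a credential report and lists every identity that can sign in interactively without MFA, and separately lists key-only service identities that need policy and rotation review instead. The input is a constructed sample shaped like an AWS IAM credential report (the real one comes from `aws iam get-credential-report`, base64-encoded and with more columns); the user names, account number, and timestamps are invented.

```python
"""Audit which identities can sign in without MFA.

Added example; not code from the original article or from Milton Security.
The input is a constructed sample in the shape of an AWS IAM credential
report (the real one comes from `aws iam get-credential-report`, base64
encoded, with more columns than shown here). Any identity provider that
exports per-user MFA status can be checked the same way by renaming the
columns.
"""
import csv
import io

# Constructed sample: column names follow the real credential report,
# trimmed to the columns the audit uses; every row is invented.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::123456789012:root,2019-01-01T00:00:00+00:00,not_supported,2021-09-01T08:00:00+00:00,false,false,false
alice,arn:aws:iam::123456789012:user/alice,2020-03-03T00:00:00+00:00,true,2021-09-02T09:15:00+00:00,true,true,false
bob,arn:aws:iam::123456789012:user/bob,2020-04-04T00:00:00+00:00,true,2021-09-02T10:20:00+00:00,false,false,false
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,2020-05-05T00:00:00+00:00,false,no_information,false,true,false
"""


def parse_report(csv_text):
    """Parse credential-report CSV text into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def audit_mfa(rows):
    """Split identities into those that must have MFA but lack it, and key-only ones.

    The root account reports password_enabled=not_supported because its
    password cannot be disabled, so it is treated as console-enabled.
    Identities with no password but active access keys cannot use MFA in
    the usual sense; they are listed separately so they can be reviewed
    for least privilege and key rotation instead.
    """
    no_mfa = []
    key_only = []
    for row in rows:
        console = row["password_enabled"] in ("true", "not_supported")
        has_keys = "true" in (row["access_key_1_active"], row["access_key_2_active"])
        if console and row["mfa_active"] != "true":
            no_mfa.append(row["user"])
        elif not console and has_keys:
            key_only.append(row["user"])
    return {"no_mfa": no_mfa, "key_only": key_only}


def audit_report_text(csv_text):
    """Convenience wrapper: parse and audit in one call."""
    return audit_mfa(parse_report(csv_text))


if __name__ == "__main__":
    result = audit_report_text(SAMPLE_REPORT)
    for user in result["no_mfa"]:
        print(f"NO MFA (fix first): {user}")
    for user in result["key_only"]:
        print(f"access-key-only identity (review policy and rotation): {user}")
```

Run it on the sample and the root account and `bob` come out as the accounts to fix first; `deploy-bot` is flagged for review rather than MFA because it has no password at all. The same loop, pointed at a weekly export, gives you a zero-tolerance check rather than a one-time rollout.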
Patch your systems
It is fairly easy to identify systems that have not been patched once a vulnerability is public. We hear the statistics about potentially vulnerable systems all the time, and if those statistics can be produced by a simple Shodan search, you can bet attackers run the same search to pick their next target. When a vulnerability is disclosed, the vendor responsible for the hardware or software product is generally quick to release a patch.
At that point the vendor has done what it can; it is up to each organization to understand where it, and its supply chain, fits into the equation. Every organization should maintain an inventory of the systems and services it runs, match newly published CVEs against that inventory as they appear, and upgrade affected components to the fixed version promptly, prioritizing anything exposed to the internet.
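The matching step is where inventories quietly go wrong, usually because versions are compared as strings. The following is an added example, not code from the article or from Milton Security, showing the inventory-to-advisory match with a numeric version comparison and an affected range of `introduced` (inclusive) to `fixed` (exclusive). The hosts, product names, and advisories are constructed, and the advisory identifiers use the deliberately invalid form CVE-0000-000x so they cannot be mistaken for real CVEs; in practice the advisories would come from the NVD feed or vendor bulletins.

```python
"""Match a software inventory against vulnerability advisories.

Added example; not code from the original article or from Milton Security.
Inventory, product names, and advisories are all constructed, and the
advisory identifiers (CVE-0000-000x) are deliberately invalid placeholders,
not real CVEs. In practice the advisories would come from the NVD feed or
vendor security bulletins and the inventory from your asset management.
"""
import re

# Constructed inventory: what runs where, with the installed version.
INVENTORY = [
    {"host": "web-01", "product": "exampled",   "version": "2.4.49"},
    {"host": "web-02", "product": "exampled",   "version": "2.4.51"},
    {"host": "vpn-01", "product": "examplevpn", "version": "8.1.0"},
    {"host": "db-01",  "product": "exampledb",  "version": "13.4"},
]

# Constructed advisories: versions from `introduced` (inclusive) up to
# `fixed` (exclusive) are affected. Placeholder IDs only.
ADVISORIES = [
    {"id": "CVE-0000-0001", "product": "exampled",   "introduced": "2.4.0", "fixed": "2.4.50"},
    {"id": "CVE-0000-0002", "product": "examplevpn", "introduced": "8.0.0", "fixed": "8.2.0"},
    {"id": "CVE-0000-0003", "product": "exampledb",  "introduced": "12.0",  "fixed": "13.3"},
]


def parse_version(text):
    """Turn '2.4.49' or '13.4-rc1' into a comparable tuple of integers.

    Non-numeric suffixes are dropped. Plain string comparison would rank
    '2.4.9' above '2.4.10', which is the classic inventory bug.
    """
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group(0)) if m else 0)
    while len(parts) < 3:          # pad so '13.4' compares as 13.4.0
        parts.append(0)
    return tuple(parts)


def is_affected(version, advisory):
    """True when the installed version falls inside the advisory's affected range."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def match_inventory(inventory, advisories):
    """Return one finding per (host, advisory) pair where the installed version is affected."""
    findings = []
    for item in inventory:
        for adv in advisories:
            if adv["product"] == item["product"] and is_affected(item["version"], adv):
                findings.append({
                    "host": item["host"],
                    "product": item["product"],
                    "installed": item["version"],
                    "advisory": adv["id"],
                    "upgrade_to": adv["fixed"],
                })
    return findings


if __name__ == "__main__":
    for f in match_inventory(INVENTORY, ADVISORIES):
        print(f"{f['host']}: {f['product']} {f['installed']} affected by "
              f"{f['advisory']}, upgrade to {f['upgrade_to']}")
```

On the constructed data, `web-01` and `vpn-01` are reported with the version to upgrade to, while `web-02` (already past the fix) and `db-01` (13.4 is above 13.3, which a string compare would get wrong) are correctly left alone. Feeding the findings into a ticket queue, ordered by internet exposure, is the "respond with patching" step the paragraph describes.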
Proper backup protocols
Backups are critical to every organization. Amazon and Google have extremely robust backup plans in place, and rightfully so; they have huge security teams and budgets to match. So what are the key components of their backup practice that other organizations can learn from and implement?
We could provide a long list of proper backup protocols, but the two main ones to address are:
- Back up to immutable storage: write-once storage (object-lock or WORM retention, or genuinely offline media) that neither an attacker holding stolen administrator credentials nor a compromised backup server can delete or encrypt within the retention period
- Test your backups quarterly by actually restoring them and verifying the restored data against the original, not just by checking that the backup job reported success
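Immutability is configured at the storage layer; the restore test is something you have to script yourself. The following is an added example, not code from the article or from Milton Security, of the second bullet: a SHA-256 manifest is captured from the source at backup time, and a restore to scratch storage is checked against it for missing, corrupted, and unexpected files. The directory tree in `demo()` is constructed for the example, and storing the manifest in the same immutable location as the backup is a recommendation, not something the script enforces.

```python
"""Verify a restored backup against a manifest captured from the source.

Added example; not code from the original article or from Milton Security.
Store the manifest alongside the backup, ideally in the same immutable or
WORM-retained location so it cannot be quietly edited either, and run
verify_restore() against a restore made to scratch storage during the
quarterly test. The demo() tree at the bottom is constructed for this
example.
"""
import hashlib
import os
import shutil
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative path, '/' separators) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_restore(manifest, restored_root):
    """Compare a restore with the manifest.

    Returns (missing, corrupt, unexpected): files absent from the restore,
    files whose content differs, and files present that the manifest never
    recorded. A restore passes only when all three are empty.
    """
    restored = build_manifest(restored_root)
    missing = sorted(p for p in manifest if p not in restored)
    corrupt = sorted(p for p in manifest if p in restored and restored[p] != manifest[p])
    unexpected = sorted(p for p in restored if p not in manifest)
    return missing, corrupt, unexpected


def demo():
    """Build a constructed source tree, one clean restore and one damaged restore."""
    base = tempfile.mkdtemp(prefix="restore-test-")
    try:
        src = os.path.join(base, "source")
        os.makedirs(os.path.join(src, "db"))
        with open(os.path.join(src, "db", "orders.sql"), "w") as f:
            f.write("INSERT INTO orders VALUES (1, 'widget');\n")
        with open(os.path.join(src, "config.yaml"), "w") as f:
            f.write("retention_days: 30\n")
        manifest = build_manifest(src)

        good = os.path.join(base, "restore_good")
        shutil.copytree(src, good)

        bad = os.path.join(base, "restore_bad")
        shutil.copytree(src, bad)
        with open(os.path.join(bad, "db", "orders.sql"), "a") as f:
            f.write("-- silent corruption\n")      # content changed after backup
        os.remove(os.path.join(bad, "config.yaml"))  # file lost in the restore
        with open(os.path.join(bad, "stray.tmp"), "w") as f:
            f.write("not in the manifest\n")       # file that should not be there

        return {"good": verify_restore(manifest, good), "bad": verify_restore(manifest, bad)}
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for name, (missing, corrupt, unexpected) in demo().items():
        status = "PASS" if not (missing or corrupt or unexpected) else "FAIL"
        print(f"{name}: {status} missing={missing} corrupt={corrupt} unexpected={unexpected}")
```

The clean restore passes; the damaged one reports the lost config file, the altered SQL dump, and the stray file, which is exactly the information a quarterly test should produce. A backup job that only reports "completed" would have called both restores good.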
Hunt the threats
Standing on the shoulders of giants like Amazon and Google again teaches that a dedicated team of threat hunters in a 24x7x365 Security Operations Center (SOC) is the best line of defense against ransomware. Ultimately a threat actor will slip through and gain access to your systems; it is not a matter of "if" but "when."
Having a team of experts who know what an intrusion looks like, can spot the suspicious activity that precedes encryption (new remote-access tools, credential dumping, backups being deleted, mass file modification), and can contain it quickly is the single best way to keep your data safe. Most organizations do not have the resources to fully staff an effective and efficient SOC.
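To make "suspicious activity" concrete, the following is an added example, not code from the article or from Milton Security, of two hunting rules run over file-event logs: a burst of writes or renames from a single process inside a short window, and a single process renaming many files to the same new extension. The log format is a constructed key=value line of the kind an EDR or auditd pipeline might emit, the host, process names, and paths are invented, and the `.locked` extension is a placeholder rather than a reference to any particular family.

```python
"""Flag ransomware-like file activity in file-event logs.

Added example; not code from the original article or from Milton Security.
The log format is a constructed, simplified key=value line such as an EDR
or auditd pipeline might emit; adapt parse_line() to your own source.
Two hunting rules are shown: a burst of writes/renames from one process
within a short window, and one process renaming many files to the same
new extension.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) pid=(?P<pid>\d+) "
    r"action=(?P<action>\w+) path=(?P<path>.+?)(?: newpath=(?P<newpath>.+))?$"
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line):
    """Parse one constructed log line; returns None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], TS_FMT).replace(tzinfo=timezone.utc)
    return ev


def extension(path):
    """Extension of the final path component, handling both '/' and backslash separators."""
    name = re.split(r"[\\/]", path)[-1]
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def detect(lines, burst_count=20, ext_count=5, window_s=10):
    """Return alerts for processes whose file activity looks like encryption in progress."""
    recent = defaultdict(deque)                            # key -> timestamps of writes/renames
    ext_changes = defaultdict(lambda: defaultdict(deque))  # key -> new extension -> timestamps
    fired = set()                                          # alert once per (rule, key)
    alerts = []

    def trim(q, now):
        while q and (now - q[0]) > timedelta(seconds=window_s):
            q.popleft()

    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["action"] not in ("write", "rename"):
            continue
        key = (ev["host"], ev["proc"], ev["pid"])
        now = ev["ts"]

        q = recent[key]
        q.append(now)
        trim(q, now)
        if len(q) >= burst_count and ("burst", key) not in fired:
            fired.add(("burst", key))
            alerts.append({"rule": "burst", "host": key[0], "proc": key[1], "pid": key[2],
                           "count": len(q), "window_s": window_s})

        if ev["action"] == "rename" and ev["newpath"]:
            new_ext = extension(ev["newpath"])
            if new_ext and new_ext != extension(ev["path"]):
                eq = ext_changes[key][new_ext]
                eq.append(now)
                trim(eq, now)
                if len(eq) >= ext_count and ("ext", key, new_ext) not in fired:
                    fired.add(("ext", key, new_ext))
                    alerts.append({"rule": "extension_change", "host": key[0], "proc": key[1],
                                   "pid": key[2], "new_ext": new_ext, "count": len(eq)})
    return alerts


def constructed_log():
    """Constructed sample: normal document editing, then a mass-rename burst."""
    t0 = datetime(2021, 9, 2, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(3):                      # benign: a user saving a few documents
        ts = (t0 + timedelta(seconds=20 * i)).strftime(TS_FMT)
        lines.append(f"{ts} host=ws-17 proc=winword.exe pid=4120 action=write "
                     f"path=C:\\Users\\alice\\Documents\\report{i}.docx")
    for i in range(30):                     # suspicious: 30 renames to one new extension in 6 s
        ts = (t0 + timedelta(seconds=60 + i // 5)).strftime(TS_FMT)
        lines.append(f"{ts} host=ws-17 proc=updater.exe pid=9911 action=rename "
                     f"path=C:\\Users\\alice\\Documents\\q{i}.xlsx "
                     f"newpath=C:\\Users\\alice\\Documents\\q{i}.xlsx.locked")
    return lines


if __name__ == "__main__":
    for alert in detect(constructed_log()):
        print(alert)
```

On the constructed log the word processor's three saves produce nothing, while the renaming process trips the extension rule at its fifth rename and the burst rule at its twentieth, seconds into the activity and long before it finishes. The thresholds are deliberately parameters: tune them against your own baseline, and expect to add exclusions for backup agents and indexers, which legitimately touch many files quickly but do not change extensions.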
This is where Milton Security is able to assist. Milton Security has been protecting organizations and their brands for over 14 years through MDR, XDR, and Threat Hunting SOC-as-a-Service. With a team of expertly trained Threat Intelligence Specialists, Threat Hunters, and Engineers, backed by powerful AI and Machine Learning, Milton Security can stand watch over an organization on a true 24x7x365 schedule.
Be ready to respond
When ransomware hits, and again "when" is the key word here, your organization will be at a critical juncture. How do you respond? What do you do first? What happens now? You will want all of these questions answered before that time comes. More importantly, you will want someone by your side to guide you through: someone who has been there and seen the other side, the cool, calm, and collected voice of knowledge and reason. Milton Security is that voice. With a dedicated Milton Security Incident Response team, you will know exactly what to expect and how to respond. From the first 36 hours of crisis management to the full restoration of your systems, Milton Security will safely guide you through this critical period.
The big takeaway is that ransomware, at its core, is like any other threat. The attacker has to get in, or bypass the usual barriers to the network, before they can drop the payload, exfiltrate data, and encrypt. If you reduce the attack surface with the controls above, back that up with processes and procedures to identify and close gaps, and are ready to respond when an attack gets through, you can mitigate most of your exposure to ransomware. This is how you develop security maturity.
Will it ever end?
Will ransomware end? That is the ultimate question and the reason you are here in the first place. Cryptocurrency is here to stay, and, good or bad, threat actors will keep exploiting its pseudonymity to remain as untraceable as possible. Law enforcement pressure and regulatory penalties for paying ransoms (the US Treasury's OFAC has already warned that paying a sanctioned actor can itself be a sanctions violation) are approaching quickly, but those are punitive measures applied after the fact: when you need to get back up and running and submitting to the demand is what gets you there, many organizations will treat a fine or a slap on the wrist as a price worth paying. Some nation states shelter, tolerate, or even operate ransomware crews for the revenue and disruption they bring, leaving an individual company as David facing Goliath.
Ransomware is likely to be around for a while. It is predictable revenue for attackers with a slim chance of being caught; an open bank vault with no one watching. The only way to minimize the risk of being hit is to develop your security maturity through:
- Requiring 2FA / MFA for all users, even when it is inconvenient and reduces the user experience
- Keeping your systems fully patched
- Keeping immutable storage and tested backups
- Hunting for threats as though they are already inside
- Being ready to respond at all times
Milton Security has a team of trained Threat Hunters and Incident Responders that can stand watch over your network and systems and alert you to unique and suspicious behavior. When ransomware rears its ugly head, you will know exactly what to do and be confident in your ability to quickly return to normal.