Ask any CISO what keeps them awake at night and the answer is bound to be: ransomware. A proven money-maker for cybercriminals, ransomware can be devastating to your business – it can wipe out core operational systems; can cost you millions of dollars to recover from; can result in a stock downturn and job losses; and it should be entirely avoidable.
A brief history of ransomware
Ransomware 1.0 really kicked in with the advent of cryptocurrency, allowing cyber criminals to anonymously monetize the attacks. In this first iteration, the malware was sent out in massive quantities of malicious emails into the wild and it would demand payment from whatever machine it happened to infect. This reached a peak when, in May 2017, the global WannaCry outbreak used an automated attack mechanism to infect hundreds of thousands of machines, bringing panic across the security industry, and impacting critical national infrastructure like healthcare institutions. Unprecedented in its scale, WannaCry underlined the fact that ransomware was able to create massive extortion opportunities from public and private organizations alike.
The current incarnation, often called big game hunting ransomware or ransomware 2.0, is a more targeted and methodical attack. Criminals will compromise an individual endpoint (either via email, remote desktop protocol, or a vulnerable internet-facing device like a VPN), enter the network and attempt to hide. Over time they will escalate their access privileges, identify valuable data, exfiltrate information, poison backups, and then plant the ransomware.
When the malware is detonated, the victim has little recourse. The option of not paying is challenging because backups are compromised, and, even if they do recover on their own, the attacker will leak all their sensitive data. It’s a bleak situation – and the reason that CISOs the world over fear this very situation.
So, while this is bad enough, what comes next?
The next stages in ransomware
As cloud adoption has accelerated, partially driven by Covid, firms have more reliance on third party systems and data storage. In 2021, we can expect to see ransomware evolve to more aggressively target the cloud infrastructure, either using it as an access gateway to corporate identities, or directly attacking the data stored within. This ‘ransomware 2.5’ model will drag SaaS solutions into the attack space and widen the criminal’s potential impact and leverage.
Advances in attack methods, however, may bring additional risk. Trickbot, a ransomware-linked downloader, has experimented with the ability to stay resident in the BIOS of a machine, persisting past an OS reinstall, and being able to tamper with core controls. Residing at this BIOS level, the malware has the potential to ‘brick’ the device. As a result, ransomware crews may increase (or switch) the leverage to pay from public release of sensitive corporate data to the threat of simple device destruction, requiring the firm to buy new hardware before they can begin their recovery journey.
Ransomware 3.0, however, represents a further development of the attack chain, with the ability to extend the repercussions and create a longer-term income stream for the attacker. To understand that, however, we need to take a step back.
Rethinking the CIA triad
Most security professionals view Confidentiality as their main job role, with Integrity and Availability being more of an IT Ops responsibility. Many firms, however, recognize their importance as part of a national infrastructure (regardless of whether they are hydroelectric plants, public transport services, or payment companies) and have long held a different view on the prioritization of this classic CIA triad.
- In many CNI (Critical National Infrastructure) firms, data Integrity is the most critical aspect. Without this, the service will be making incorrect decisions, each of which could create a safety issue - imagine operating train prioritization and speed believing the points to be directing rail traffic a certain way, when they are not.
- Second to Integrity is Availability. In most cases, it is better to have no system at all, rather than one that is operating on incorrect data – imagine creating thousands of car parts that are 2mm too big, or having a healthcare system which provides incorrect details about patients’ medical history.
- Finally, comes Confidentiality. Losing your client database may be reputationally damaging, legally challenging or may negatively affect customer loyalty, but it will rarely cause safety issues as the previous two may.
The opportunity exists for criminals to include attacks on Integrity as part of their ransomware deliverable. As part of their current attack path, it would not be a large diversion for the criminal to poison certain data records and allow then to be absorbed into the backup chain.
Now the criminal has additional leverage, and this could be realized in two ways:
- If a firm decides not to pay the ransom, and to recover and rebuild without the ‘help’ of the attacker, they may then be notified of key data discrepancies which would undermine their service. If the attacker has poisoned the backups, the firm will not be able to trust their systems/records and may need to pay to be told of the introduced data errors.
- If the firm does pay the ransom and recover their data, the attacker may revisit and demand further payment to highlight the data errors.
A firm facing a simple data leakage can recover, as can one with a temporary service outage, however, organizations are built on customer trust. If suddenly customers cannot trust their banks to tell them how much money they have in their account or cannot trust their safety when they board a flight, this will simply take their business elsewhere. Reputational damage on this scale is simply unrecoverable.
Ransomware is an evil attack vector, and security professionals are right to view it as a real concern. It puts organizations in front of very challenging decisions, with few positive outcomes on the horizon. In the words of WOPR from ‘Wargames’, “the only winning move is not to play” – as such it’s more vital than ever that CISOs take every action to avoid such an attack.
- Protect the obvious gateways – Leaving VPN gateways unpatched is an invitation for trouble; the same is true of RDP connections, or any internet facing gateway. Ensure that perimeter patching and control is complete and monitored daily.
- Focus controls around the major attack vectors, emails and people – Prevent malware/downloader attacks by ensuring that both your email hygiene, and your security awareness training, are as good as they can be. This is where the vast majority of attacks originate.
- Detect and prevent credential compromise – Credential theft and misuse are universal starting points for attackers. From there, they can launch Business Email Compromise (BEC) and Email Account Compromise (EAC) attacks, as well as steal data; tamper with records and plant ransomware. Credential compromise is the first sign that your organization is under attacks so pay particular attention to this attack vector.
- Reinstate offline backups – The appeal of near-line, instant backups has led many companies to do away with offline versions, meaning attackers with stolen credentials may be able to tamper with, or poison your backup systems. Consider offline alternatives.
- Invest in backup analysis software – Big tech companies now process analytics about data movements, enabling them to identify subtle data changes over time. This may go unnoticed during an attack, but it gives you a way to identify a path back to full data integrity.
- Review your ransomware playbook – If you don’t have a ransomware response playbook, then stop reading right now and go and make this your #1 priority. Think about how you may be able to gain confidence in data integrity if you can’t trust the backups.
- Gold plate your solution where necessary – Ensuring the safety of critical systems can mean investing in an entirely parallel, but disconnected, computing infrastructure that provides backup should the primary system fail. This is not cheap, but it can be your ultimate fail safe to ensure continuity of service in the event of an attack.
Andrew Rose, Resident CISO, EMEA, Proofpoint