Ransomware attacks have evolved from a cottage industry into a multi-billion dollar mega industry. With increasing sophistication behind RansomOps attacks, ransomware syndicates are reaping the benefits with record profits. Cybereason, technology provider for cyber security solutions, has published a new report, titled RansomOps: Inside Complex Ransomware Operations and the Ransomware Economy, which provides insights into the dynamics of the ransomware industry. EnterpriseIT spoke to the author of the report, Sam Curry, to get more insights into how the ransomware industry operates, who the attackers are, whether data can be recovered on paying ransom and how to strengthen the security posture.
“If we have learned anything from the increase in global ransomware attacks, it is that the public and private sector need to invest now to ratchet up prevention and detection and improve resilience.”
Sam Curry, Chief Security Officer at Cybereason
When did the first ransomware attack take place. Can you share more about the first case and how did this all start.
The first ransomware attack is believed to have occurred in the healthcare industry 30 years ago.
Who is behind these attacks. Are these organized crime syndicates or random fly-by-night operators
Many of the ransomware groups are provided safe haven in countries such as Russia. Notorious groups include REvil, Conti Group, BlackMatter, CLOP and LockBit to name a handful. In 2021, the top ransomware gangs turned profits of more than $500 million dollars. Earlier this year, Cybereason discovered a switch from the ransomware groups being ‘state ignored’ meaning that the Russian government was aware of their activities and purposely ignored the illegal activity. As the Ukraine war broke out, the Russian government took control of many of the ransomware gangs and put them to work on behalf of their government.
Given that evading ransomware attackers is like a cat and mouse game, do you think attackers are more intelligent or how is it that they always seem to be one step ahead
If we have learned anything from the increase in global ransomware attacks, it is that the public and private sector need to invest now to ratchet up prevention and detection and improve resilience. We can meet fire with fire. Sure, the threat actors might get in, but we can slow them down. We can limit what they see. We can ensure fast detection and ejection. We can — in short — make material breaches a thing of the past. So, what if they get a toe hold on the ramparts. We can keep them out of the castle by planning and being smart ahead of time and setting up the right defenses.
“To minimize damage and assess preparedness, organizations should identify the critical services that are “single points of failure” for the business. If critical services go down, the business stops, so have a contingency plan.”
How have we created a world where there are new forms of threats and risks to life and safety
Companies may not believe they are in the crosshairs, but they all are. Every business should regularly review business risk, including the impact cyberattacks could have on their business. Even if a company reviewed business risks, doing it again can throw up things that wasn’t obvious then.
For all organizations, now’s the time to eliminate single points of failure, identify partners in your supply chain and contact them now and prepare for contingencies if their business becomes disrupted. In other words, have back-up suppliers ready on speed-dial if needed.
There’s no silver bullet or magic potion that will solve the cybersecurity challenges facing most organizations. To minimize damage and to assess preparedness, organizations should identify the critical services that are “single points of failure” for the business. If critical services go down, the business stops. Have a plan for “what to do if.” This doesn’t have to be perfect, but think now about what has to be done if email goes away or a customer portal or CRM tool gets locked. There’s no perfect solution, but managers will be more creative when there isn’t adrenaline pumping. Know that any thought given to it on what the company will do is an advantage.
Do companies recover all the information after paying ransom
There is honesty amongst some of the thieves carrying out ransomware attacks. Sometimes companies recover all of their data once a ransom is paid and in other instances they might receive data that is corrupted. In 2021, Colonial Pipeline was attacked by the DarkSide ransomware gang and paid a ransom of more than $4 million and the hackers handed over decryption keys that were corrupted and the company had to rely on the backup data systems in place to fully cover. Overall, it doesn’t pay to pay ransoms unless the organization consider the situation a matter or life or death. And in many countries, it is illegal to pay ransoms that fund terrorist or illicit activity.
“Sometimes companies recover all of their data once a ransom is paid and in other instances, they might receive data that is corrupted. In 2021, Colonial Pipeline was attacked by the DarkSide ransomware gang and paid a ransom of more than $4 million and the hackers handed over corrupted decryption keys.”
Is it a good strategy not to pay ransom and lose the data and information
One of the biggest issues organizations grapple with when subject to a ransomware attack is whether they should pay the ransom demand.
According to findings from Cybereason’s global ransomware study of nearly 1,300 security professionals, from earlier this summer, in the UAE, 37% of surveyed companies reported that they had been hit by a ransomware attack in the last 24 months. A staggering 84% of these companies (24% higher than the global average) chose to pay the ransom but what is interesting is that of those, 90% suffered a second ransomware attack, often at the hands of the same threat actor group. The research also divulged that of the organizations who opted to pay a ransom demand to regain access to their encrypted systems, 59% reported that some or all of the data was corrupted during the recovery process.
As such our survey findings underscore why, with the exception of cases where there is a threat to life, it does not pay to pay ransomware attackers. Paying a ransom demand does not guarantee a successful recovery, does not prevent the attackers from hitting the victim organization again, and in the end only exacerbates the problem by encouraging more attacks.
What kind of strategies can companies adopt to prevent a ransomware attack
Traditional cybersecurity tools and next-gen endpoint solutions are inadequate in protecting against ransomware because they rely on recognizing previously identified attacks and indicators of compromise.
Organizations need cybersecurity with comprehensive visibility across the environment, and the ability to analyze indicators of behavior in addition to indicators of compromise. It’s important to view the entire malicious operation to understand the scope of the attack and to connect the dots between actions and behavior that may seem innocuous when viewed alone. Viewing the malicious operation gives a comprehensive understanding of what is going on, and gives you the visibility, context, and intelligence necessary to detect and prevent ransomware attacks before the damage is done.
Did you speak with ransomware attackers for the report
Cybereason regularly tracks the movements and activities of dozens of threat groups around the world.
Can you comment on the psyche of victim organizations and speak from their perspective when they are attacked
Being victimized by a ransomware attack is a difficult situation for any organization to be in. Coupled with the fact that each infiltration, attack group, victim organization, jeopardized data set, and potentially impacted third-party is somewhat unique to every situation, many organizations feel like they have a bullseye on their backs.
It doesn’t have to be this way for companies as there are many security products on the market that will help stop the ransomware threat. To disrupt cyber criminals’ operations and to ensure ransomware is stopped before it can have any negative impact, every endpoint within an organization needs to be protected by endpoint detection and remediation software.
What must organizations/individuals do once they know there is an attack.
There is too much focus on the ransomware executable, or how to recover once an organization’s servers and data are already encrypted. That’s like fighting terrorism by focusing only on the explosive device or waiting to hear the “boom” to know where to focus resources. Traditional cybersecurity tools and next-gen endpoint solutions are inadequate in protecting against ransomware because they rely on recognizing previously identified attacks and indicators of compromise.
Organizations need cybersecurity with comprehensive visibility across the environment, and the ability to analyze indicators of behavior in addition to indicators of compromise.
