The Evolving Threat of Ransomware

Ransomware surged during the COVID-19 pandemic to become one of the biggest threats facing businesses. This was echoed by the World Economic Forum’s recent risk survey, which ranked cyber security second only to climate change among the factors that will shape the next decade, with the pandemic in third place.

Although the shift to remote and hybrid working has helped many companies stay in business, it has also made them easier targets for ransomware gangs, especially organisations that rely on system availability such as manufacturing, healthcare, and financial institutions.

The impact and economics of ransomware

The impact of ransomware is more than just the encryption technology itself. The real risk lies in removing a business’s ability to perform mission- or business-critical services or processes, which leads to widespread disruption, such as shutting down production lines or causing a backlog in processing financial transactions or delivering healthcare services.

The financial effects of ransomware have become particularly pronounced in 2021. Today, 99% of ransomware attacks are attributed to organised crime with the motive almost always being financial.

According to a recent study, the average cost of a ransomware attack is estimated to be $4.62 million with financial impact encompassing escalation, notification, lost business and response. This is not only more costly than any other type of data breach, it also does not include the costs of the ransom demand itself.

Attacks are getting more complex and harder to prevent

While ransomware is not a new threat to businesses, it is one that has received attention at the highest levels of government due to its increasing complexity and severity of impact.

These attacks have become more sophisticated and complex in that they bypass and even exploit security controls, from encrypting regular backups to bypassing multi-factor authentication.

New ransomware strains are polymorphic to help avoid detection; they scan for endpoints, servers and backups; steal privileged account access credentials; switch off malware protection; and install backdoors that allow them to come and go undetected. 

Some native Windows features are even utilised by ransomware gangs to increase the impact when the payload is executed. As an example, the tool ‘Restart Manager’, which Windows uses to close applications that are holding files open (for instance during updates or when shutting down a system), is abused by ransomware to release locked files so it can encrypt everything. This is considered a ‘living off the land’ attack, whereby native tools are leveraged to avoid detection.
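A defender-side illustration of the point above, added here and not part of the original post or of ITC’s own tooling: because Restart Manager is a legitimate Windows component, blocking it is not an option, but an unexpected process loading its library (RstrtMgr.dll) is a useful detection signal. The script below runs that check over Sysmon image-load events (Event ID 7) flattened into key=value lines. The log lines and the loader allowlist are constructed for the example; a real baseline must be built from your own environment’s telemetry.

```python
"""Flag unexpected loaders of the Windows Restart Manager DLL in Sysmon logs.

Added example, not the blog's or ITC's own code. Assumes Sysmon Event ID 7
(ImageLoad) records flattened into key=value text lines. The sample lines
below are constructed, not real telemetry, and the allowlist is a hypothetical
baseline of processes that legitimately use Restart Manager.
"""
import re
from dataclasses import dataclass

# Hypothetical baseline of processes that legitimately load RstrtMgr.dll
# (installers and servicing components). Tune this from your own telemetry.
ALLOWED_LOADERS = {
    r"c:\windows\system32\msiexec.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\tiworker.exe",
}

# Constructed Sysmon-style events: three ImageLoad records and one
# ProcessCreate record that the detector should ignore.
SAMPLE_EVENTS = [
    "EventID=7 Image=C:\\Windows\\System32\\msiexec.exe "
    "ImageLoaded=C:\\Windows\\System32\\RstrtMgr.dll",
    "EventID=7 Image=C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe "
    "ImageLoaded=C:\\Windows\\System32\\RstrtMgr.dll",
    "EventID=7 Image=C:\\Windows\\System32\\notepad.exe "
    "ImageLoaded=C:\\Windows\\System32\\kernel32.dll",
    "EventID=1 Image=C:\\Users\\alice\\Desktop\\doc.exe CommandLine=doc.exe",
]

# key=value pairs separated by whitespace; values here contain no spaces
FIELD_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Finding:
    image: str
    reason: str


def parse_event(line):
    """Turn one flattened event line into a dict of its fields."""
    return {key: value for key, value in FIELD_RE.findall(line)}


def detect_restart_manager_loads(lines, allowed=ALLOWED_LOADERS):
    """Return a Finding for every RstrtMgr.dll load by a process outside the baseline."""
    findings = []
    for line in lines:
        event = parse_event(line)
        if event.get("EventID") != "7":
            continue  # only image-load events are relevant
        loaded = event.get("ImageLoaded", "").lower()
        if not loaded.endswith("\\rstrtmgr.dll"):
            continue
        image = event.get("Image", "")
        if image.lower() in allowed:
            continue  # expected loader, no alert
        findings.append(Finding(
            image=image,
            reason="RstrtMgr.dll loaded by a process outside the baseline",
        ))
    return findings


if __name__ == "__main__":
    for finding in detect_restart_manager_loads(SAMPLE_EVENTS):
        print(f"ALERT: {finding.image}: {finding.reason}")
```

On the sample data only the loader running from a user’s Temp directory is reported; the installer in the baseline and the unrelated kernel32.dll load are ignored. In practice this rule should be paired with process-ancestry context, since a legitimate installer launched from an unusual path will trigger it too.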

Threat actors have also shifted tactics from encrypting only a company’s systems to a hybrid attack that also cripples its network and exfiltrates its data. For example, the Conti ransomware group uses its Happy blog as a mechanism to release an organisation’s exfiltrated data publicly if the ransom demand is not met. One of the most significant attacks carried out by the Conti group was against the Irish Health Service Executive (HSE), which forced the national health and social services provider to shut down its entire system and led to appointments being delayed and cancelled.

Unfortunately, these attacks are becoming more complex, costly, and challenging to identify and stop, acting on potential targets’ weaknesses much faster than enterprises can react. By probing commonly known vulnerabilities and exposures and quickly capitalising on them, these attacks are often launched faster than internal security teams can patch.

Protecting your business requires a multi-layered approach to cyber security

What this tells us is that the gap is widening between how long a threat actor can remain hidden inside an organisation’s network and how quickly the business can detect the threat.

While there is no silver bullet to solve or defend against ransomware, a multi-layered approach is needed to improve a company’s cyber security posture overall with strategies that cover all different stages of an attack.

From a Board and C-suite perspective, understanding the organisation’s most critical products, services, business processes and data is crucial. Protection and end user education are similarly vital, and the ability to respond quickly and continuously strengthens any defence and response approach.

In his next blog, ITC Cyber Advisor Neil Lappage will share six actions businesses can take to stay one step ahead of ransomware.