Ransomware Attacks Leave Lasting Damage

Organizations hit by ransomware also report tightened budgets and lingering impacts on productivity, profitability and security posture, which suggests that the damage done by a ransomware attack outlasts the incident itself.

A Keeper Security survey of 2,000 U.S.-based workers found that a large share of the companies targeted by a ransomware attack said they paid the ransom, and another 22% would not disclose whether or not they paid, which suggests the real figure could be higher still.

The vast majority—87% of impacted companies—said they enacted stricter security protocols after the attack.

More than three-fourths (77% of respondents) reported being unable to access systems or networks as a result, with 30% down for a day or less, 26% offline for up to seven days and 27% knocked out for more than a week.

As for causes, 42% of ransomware attacks originated from phishing emails, 23% from malicious websites and 21% from compromised passwords.

Oliver Tavakoli, CTO at Vectra, an AI cybersecurity company, explained that ransomware starts out like any other cyberattack but differs in how it ends: with data exfiltration, data encryption and extortion.

Stopping Ransomware Before it Starts

That means stopping ransomware early enough, before exfiltration and encryption begin, is roughly equivalent to stopping any cyberattack after it has entered your organization but before it has done significant harm.

“This requires both a set of detection technologies for endpoints and networks and an operational capability to react to the signals produced by them in a timely fashion,” Tavakoli said. “Many organizations are still in the early days of implementing detection and response capabilities.”
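The endpoint-side signal Tavakoli is describing can be made concrete. The following is an added example, not code from the article, Vectra or Keeper: a toy detector that flags the encryption stage by watching for a single process that rewrites many files with near-random content under a new extension inside a short window. The file-event log format, the entropy threshold of 7.0 bits per byte, the 10-second window and the five-file trigger are all assumptions chosen for illustration, and the events are constructed inline so the script runs offline.

```python
"""Toy endpoint detector for the encryption stage of a ransomware attack.

Added example, not the article's or any vendor's code. Assumes a hypothetical
file-event log of (timestamp, pid, original_path, new_path, data) records; the
sample events below are constructed so the script runs with no input.
"""
import math
import os
import random
from collections import defaultdict

HIGH_ENTROPY = 7.0    # bits/byte; ciphertext is ~8.0, English text ~4.5 (assumed cutoff)
WINDOW_SECONDS = 10   # sliding window per process (assumed)
MIN_FILES = 5         # encrypted-looking rewrites in the window before alerting (assumed)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the given buffer."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_encrypted(original_path: str, new_path: str, data: bytes) -> bool:
    """A write looks like ransomware encryption when the content is near-random
    AND the file's extension changed (e.g. report.docx -> report.docx.locked).
    Requiring both keeps legitimate high-entropy writes (archives, images saved
    in place) from counting."""
    old_ext = os.path.splitext(original_path)[1]
    new_ext = os.path.splitext(new_path)[1]
    return shannon_entropy(data) > HIGH_ENTROPY and new_ext != old_ext


def detect(events):
    """events: iterable of (ts, pid, original_path, new_path, data) sorted by ts.
    Returns {pid: ts_of_first_alert} for processes that produced MIN_FILES or
    more encrypted-looking rewrites within WINDOW_SECONDS."""
    recent = defaultdict(list)   # pid -> timestamps of encrypted-looking writes
    alerts = {}
    for ts, pid, original_path, new_path, data in events:
        if not looks_encrypted(original_path, new_path, data):
            continue
        window = recent[pid]
        window.append(ts)
        # Drop timestamps that have fallen out of the sliding window.
        while window and ts - window[0] > WINDOW_SECONDS:
            window.pop(0)
        if len(window) >= MIN_FILES and pid not in alerts:
            alerts[pid] = ts
    return alerts


def build_sample_events():
    """Constructed sample log: an editor, a backup tool, and an encryptor."""
    rng = random.Random(7)
    rand = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    text = b"Quarterly figures attached, see summary on page 2.\n" * 40
    events = []
    # pid 100: a text editor saving documents in place (low entropy, same name)
    for i in range(6):
        p = f"/home/alice/notes{i}.txt"
        events.append((float(i), 100, p, p, text))
    # pid 101: a backup tool writing archives (high entropy, but no extension change)
    for i in range(2):
        p = f"/backup/set{i}.zip"
        events.append((2.0 + i, 101, p, p, rand(2048)))
    # pid 200: an encryptor rewriting user files as random bytes with a new extension
    for i in range(8):
        src = f"/home/alice/report{i}.docx"
        events.append((20.0 + i * 0.5, 200, src, src + ".locked", rand(2048)))
    events.sort(key=lambda e: e[0])
    return events


if __name__ == "__main__":
    for pid, ts in detect(build_sample_events()).items():
        print(f"ALERT pid={pid} at t={ts}s: mass encryption-like rewrites")
```

Run stand-alone, it alerts on pid 200 at t=22.0s, the fifth encrypted-looking rewrite, while the editor (low entropy) and the backup tool (high entropy but no rename) stay quiet. The point is the operational one Tavakoli makes: a signal like this is only useful if something is watching for it and can isolate the host within the window, and it covers only the encryption stage; the exfiltration stage that precedes it needs its own network-side detection.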

He noted that the ransomware attacks seen in recent months have all still targeted traditional on-premises networks.

“Over the coming year, ransomware focused on the cloud will begin to emerge,” he explained. “This will include attacks on organizations’ public cloud assets as well as attacks on data stored in business-critical SaaS applications.”

Keeper’s study revealed that 29% of employees did not know what ransomware was prior to their employer being attacked, indicating organizations must commit to security awareness training for all employees.

Mark Cravotta, Keeper Security’s chief revenue officer, said because the threat environment changes continuously, employee cybersecurity training also must be continuous.

“Many organizations conduct annual training as a security audit requirement,” he said. “While this may satisfy an audit, the training does not enhance the security posture and readiness of the organization.”

Tavakoli said that while an employee may become the unwitting entry point for a ransomware attack by clicking a link in an email, achieving perfect security at the perimeter of an organization has proven impossible: company culture and employee education only get you so far.

“It’s just that, with the recent spate of ransomware, the potential end result of such intermittent failures has become more dire,” he said. “So while you should continue to improve your perimeter posture by educating users and reducing and hardening your internet-facing services, you must achieve a degree of resilience to attacks which have already gotten past your first line of defense—build the capability to detect them and to respond to them with a sense of urgency.”

Tavakoli also noted that the pandemic has both dislocated security operations teams and shifted their focus toward implementing solutions that enable smoother work-from-home (WFH) scenarios.

“Significant changes to environments often come with new security exposures, and the focus of infosec teams has shifted from cyber hygiene and better operational capabilities to just supporting the needs of the business to be agile in the face of change,” he said.

Reflecting the New Reality

Recently, Keeper did another study in the UK, which found that 66% of organizations relaxed their cybersecurity policies to accommodate remote work, and 22% still haven’t updated their cybersecurity policies to reflect the new reality of a distributed workforce.

“IT administrators have a lot less control over employee devices and connections for employees working remotely,” Cravotta said. “Further, when COVID-19 forced lockdowns, many companies scrambled just to enable remote workers, virtually overnight. The rapid change and lack of planning resulted in security compromises to maintain business continuity.”

Hank Schless, senior manager of security solutions at endpoint-to-cloud security specialist Lookout, noted that mobile ransomware will also continue to get more advanced, as threat actors learn to combine two mobile attack tactics to deliver ransomware on mobile operating systems and make the attack easier to run at scale.

“Social engineering is not a new phenomenon, but it’s much more difficult to detect on mobile devices,” he said. “In the era of COVID-19, it takes place over social media, text message or other third-party platforms that are primarily accessed on mobile devices.”

Schless explained that once they have earned the target’s trust, attackers can convince victims to download a malicious app or log into a webpage, either of which can deliver ransomware to the device.

For example, screen overlay attacks have been a common way for attackers to carry out ransomware attacks, because the overlay lets them lock the user out of the device until the ransom is paid.

In 2020 there were instances showing that attackers had learned to adapt these screen overlays for ransomware on mobile devices. These tactics present an entirely new threat type on mobile that traditional security tools cannot protect against.

“IT and security teams cannot simply try to extend existing anti-malware tools to mobile,” Schless said. “They need to leverage a modern endpoint protection platform that protects the user and their device from these types of attack.”

Cravotta pointed out that cybercriminals who launch ransomware attacks no longer just encrypt a company’s systems; they steal data and threaten to sell it on the dark web or release critical company information publicly unless the ransom is paid.

This is called double extortion, and the majority of ransomware attacks now fall into this category. Cybercriminals are not stopping there, however.

Cravotta noted that “triple extortion” attacks are now emerging, in which cybercriminals not only encrypt systems and steal data but also launch DDoS attacks against the organization’s network.

“The expectation is that there will be more frequent attacks, involving not only ransomware but data breaches and DDoS, with higher ransom demands and more damage done to organizational systems, employee productivity and company goodwill,” Cravotta said.

Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.
