The ransomware threat is on the rise. It’s one of the top three most concerning threats for Chief Information Security Officers (CISOs), alongside social engineering attacks and OT/IoT attacks. Recent research reveals that a huge 96% of CISOs have experienced a ransomware attack in the past year [1], more than half of which significantly impacted business systems and operations [2].
In light of various large-scale, high-profile world events occurring this year – from elections to large-scale sporting events – and the increasing ease with which attacks can be carried out, many feel that the threat of ransomware is even higher than in 2023. Many expect to see a rise not only in the number of attacks but also in the technical acumen and skills being used to carry out the crime.
Increased sophistication = increased threat
The barriers to entry for committing ransomware attacks have lowered considerably. Ransomware is becoming increasingly commoditised, and bad actors with a small amount of knowledge can easily buy a tool online that allows them to attack with far less effort than would once have been the case. That said, organisations should not be naïve about the sophistication of the leading ransomware groups. Terms like ‘script kiddie’ suggest limited technical capabilities among adversaries and an amateur approach to ransomware attacks. That’s not necessarily the case, particularly when we look at how some of the most prolific ransomware gangs operate, and the attacks they have most recently claimed.
While groups such as Black Basta and Rhysida, responsible for the infamous Southern Water and British Library ransomware attacks, are often opportunistic in their targets, many ransomware groups are also becoming more professional, choosing their targets carefully. Often the size of these targets is an important factor in the attack. Certain ransomware groups appear to have deliberately targeted critical infrastructure and major institutions in recent times. What’s more, the gloves are somewhat off – in the sense that hospitals, schools, and other such institutions are now regarded increasingly as ‘fair game’ to ransomware groups.
One of the most prominent tactics these groups deploy is a ‘double extortion’ technique, where they exfiltrate a victim’s sensitive data in addition to encrypting it. The data is then not only stolen, but is at risk of being leaked or sold online, giving the attacker(s) more leverage in ransom fee negotiations, and increasing their chances of pocketing the ransom fee.
To pay or not to pay?
The increasing sophistication of cybercriminals is forcing victims to make difficult decisions. 83% of businesses that were subject to a ransomware attack last year paid the ransom fee. More than half of those paid more than $100,000, and one in eleven shelled out to the sum of $1 million+ [3].
Being forced to consider the legal, ethical, and technical arguments of paying a ransom fee is an unenviable situation. Naturally, business operations need to continue.
Many desperate organisations gamble with their reputations in the hope of decrypting their data, recovering their systems, and preventing the release of sensitive material. Yet even after payment, many of these companies are unable to fully recover their lost capabilities. The British Library, for example, is still recovering from its attack more than three months on.
Combating threats in 2024
It’s increasingly hard for organisations – private or public – to fully guarantee they can protect themselves. The problem is one of both the increasing sophistication of some attacks and the sheer volume of them. And this is perhaps the greater issue: the more parties looking for an exploit, the more likely they are to find one. On top of that, the ‘dwell time’ – the window during which bad actors moving around a network can still be detected before they strike – has come down from months to days, or in some cases just hours.
When it comes to prevention, security leaders need to ensure they have appropriate software in place, with the ability to detect anomalous activity as it occurs. However, even when using the best software, companies still need to ensure they are observing the fundamentals. They should consider network segmentation and offline, regularly-tested, segregated backups. Maintenance tasks and patch management should be assigned internally, with regular checks that they have been successfully executed.
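As an added illustration of what “detecting anomalous activity as it occurs” can look like in practice (this is example code written for this page, not a product or tool the article describes), the script below runs two simple ransomware-style detections over a handful of constructed file-access log lines: a burst of files renamed to an unknown extension by one process inside a short window, and any touch of a decoy “canary” file that no legitimate process should ever open. The log format, host and process names, paths, extensions and thresholds are all assumptions made up for the example.

```python
"""Minimal ransomware-behaviour detector over file-access events.

Added example: the log format, names, paths and thresholds below are constructed
for illustration and do not come from any real product or telemetry source.
"""
import os
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample telemetry: "<ISO timestamp> <host> <process> <action> <path>".
# RENAME lines carry "old -> new". backup.exe reading many files is normal
# activity and must not fire; unknown.exe renaming files to .lockd should.
SAMPLE_LOG = """\
2024-03-04T09:00:01 fs01 winword.exe WRITE /srv/share/finance/report.docx
2024-03-04T09:00:05 fs01 backup.exe READ /srv/share/finance/report.docx
2024-03-04T09:00:05 fs01 backup.exe READ /srv/share/finance/budget.xlsx
2024-03-04T09:00:06 fs01 backup.exe READ /srv/share/finance/notes.txt
2024-03-04T09:00:06 fs01 backup.exe READ /srv/share/media/holiday1.jpg
2024-03-04T09:00:06 fs01 backup.exe READ /srv/share/media/holiday2.jpg
2024-03-04T09:00:07 fs01 backup.exe READ /srv/share/media/holiday3.jpg
2024-03-04T09:12:30 fs01 unknown.exe RENAME /srv/share/finance/report.docx -> /srv/share/finance/report.docx.lockd
2024-03-04T09:12:31 fs01 unknown.exe RENAME /srv/share/finance/budget.xlsx -> /srv/share/finance/budget.xlsx.lockd
2024-03-04T09:12:31 fs01 unknown.exe RENAME /srv/share/finance/notes.txt -> /srv/share/finance/notes.txt.lockd
2024-03-04T09:12:32 fs01 unknown.exe RENAME /srv/share/media/holiday1.jpg -> /srv/share/media/holiday1.jpg.lockd
2024-03-04T09:12:32 fs01 unknown.exe RENAME /srv/share/media/holiday2.jpg -> /srv/share/media/holiday2.jpg.lockd
2024-03-04T09:12:33 fs01 unknown.exe RENAME /srv/share/finance/zz_canary.txt -> /srv/share/finance/zz_canary.txt.lockd
2024-03-04T09:12:33 fs01 unknown.exe WRITE /srv/share/finance/HOW_TO_RESTORE.txt
"""

# Extensions the organisation expects to see on this share (assumed allow-list).
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".txt", ".jpg", ".pdf"}
# Decoy files planted on the share; any access is an immediate alert (assumed paths).
CANARY_PATHS = {"/srv/share/finance/zz_canary.txt"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (READ|WRITE|RENAME) (.+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, proc, action, rest = m.groups()
    if action == "RENAME" and " -> " in rest:
        old, new = rest.split(" -> ", 1)
    else:
        old, new = rest, None
    return {"ts": datetime.fromisoformat(ts), "host": host, "proc": proc,
            "action": action, "path": old, "new_path": new}


def renamed_to_unknown_extension(event):
    """True when a file gained an extension outside the allow-list (a mass-encryption tell)."""
    if event["action"] != "RENAME" or not event["new_path"]:
        return False
    return os.path.splitext(event["new_path"])[1].lower() not in KNOWN_EXTENSIONS


def detect(lines, window=timedelta(seconds=10), threshold=5):
    """Return alerts as (kind, host, process, timestamp) tuples, in log order.

    rename_burst fires once per (host, process) when `threshold` suspicious renames
    land inside `window`; canary_touched fires on every access to a decoy file.
    """
    alerts = []
    recent = defaultdict(deque)   # (host, proc) -> timestamps of suspicious renames
    already_fired = set()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["host"], ev["proc"])
        if ev["path"] in CANARY_PATHS or ev["new_path"] in CANARY_PATHS:
            alerts.append(("canary_touched", ev["host"], ev["proc"], ev["ts"]))
        if renamed_to_unknown_extension(ev):
            q = recent[key]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:   # slide the window forward
                q.popleft()
            if len(q) >= threshold and key not in already_fired:
                already_fired.add(key)
                alerts.append(("rename_burst", ev["host"], ev["proc"], ev["ts"]))
    return alerts


if __name__ == "__main__":
    for kind, host, proc, ts in detect(SAMPLE_LOG.splitlines()):
        print(f"{ts.isoformat()} {host} {proc}: {kind}")
```

Two design points matter more than the thresholds themselves. The burst rule keys on extension changes rather than raw file-access volume, which is why the backup job reading the same files seconds earlier stays silent while the renaming process fires on its fifth rename. The canary rule needs no tuning at all: a decoy file nobody should open turns a single access into a high-confidence signal, which is useful precisely when dwell time has shrunk to hours.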
Multi-factor authentication should be strongly considered on every account, particularly in the case of administrators. And, at the most basic level, staff must be properly educated on simple things like password security, avoiding clickbait, and spotting anomalous behaviour and requests. It’s akin to eating your vegetables, drinking plenty of water, getting exercise – in that companies ultimately know what they should do on a basic level, but don’t always do it.
Ultimately security leaders need to move towards a not ‘if’ but ‘when’ mode of thinking, assuming they will be infiltrated by ransomware actors at some point, and ensuring they have a solid and rapidly deployable response plan ready to safeguard their networks the moment it’s needed. Tabletop exercises are critical. Businesses need to think about stakeholder engagement, the sharing of information, and the technical lift that will be required – all of the things that need to happen in response to an attack. Organisations will benefit from having these processes well defined and rehearsed to minimise disruption should the worst happen.