Ransomware is raising its head as the number one cybersecurity trend posing a threat to global organisations and business processes. Keith Glancey, Head of Solutions Architects at Infoblox, discusses the severity of the ransomware threat in the cybersecurity market and how organisations should implement the right technology tools to better protect themselves.
Ransomware is not a new phenomenon. However, with each year that passes, the threat it poses to both individuals and businesses seems to grow. With several high-profile organisations falling victim to ransomware attacks in 2021 – including the UK arm of the Salvation Army and Ireland’s Health Service Executive – it’s clear that no one is safe.
In fact, it is estimated that today there is at least one ransomware attack on a business every 11 seconds. The growing frequency of these attacks has not diminished their individual impact. Quite the contrary: recent research found that the average ransomware recovery cost for businesses has more than doubled in the past year, rising from US$761,106 in 2020 to US$1.85 million in 2021. And that’s without the long-term reputational damage.
With attacks on the rise and the cost of falling victim more devastating than ever, it’s never been more important for businesses to take steps to minimise the ransomware threat and protect their employees and their customers. However, in the majority of cases, this is much easier said than done.
The perfect storm
Over the years, ransomware has become an increasingly popular attack method for hackers looking to gain a large return on investment. Time and time again, organisations are so desperate to avoid the downtime that follows an attack that they pay up, which is understandable. After all, when a business suffers downtime, every second, minute and hour that goes by results in more money lost. In the most extreme ransomware cases – for example, when critical services, such as hospitals, are under attack – the impact could be deadly.
The bigger the payout, the more successful an attack is. And, when the COVID-19 pandemic struck, it presented new opportunities for cybercriminals to cause increased disruption, boosting the earning potential. In fact, cyber intrusion activity globally jumped 125% in the first half of 2021 compared to the previous year, according to Accenture, with ransomware and extortion operations one of the major contributors behind this increase.
A huge pandemic challenge that businesses continue to struggle with is securing the new remote and hybrid work landscape. Remote working has opened up many new avenues for bad actors to explore and manipulate. Unsecure Wi-Fi connections, mass document sharing via unapproved cloud folders and browsers with insecure plug-ins are just a few examples of the problems today’s IT and security teams are facing. Left unprotected, these areas can pose a significant risk to corporate networks.
One of the most infamous ransomware attacks this year was on the Colonial Pipeline. The attack shut down systems that supply 45% of the eastern US’s fuel, and has now been attributed to the breach of a Virtual Private Network (VPN), commonly used by remote employees to connect to a company system. Although a spokesperson for Colonial Pipeline has said that this VPN was an older model than the one employees were using to connect to the network, the attack method highlights how any employee working offsite and using their own networks can be a potential risk.
The rise in Ransomware-as-a-Service
Whilst tried and tested ransomware distribution tactics – such as malicious websites, email campaigns and even USB memory sticks – are still alive and kicking, over the last year or so, other, newer methods have also increased in popularity. One such method is Ransomware-as-a-Service (RaaS).
A subscription-based model that enables affiliates to use already-developed ransomware tools to execute attacks, RaaS gives everyone the power to become a hacker. There’s no technical knowledge required; all individuals need to do is sign up for the service. Platforms are closely modelled after legitimate SaaS products. They include support, community forums, documentation, updates and more. Some even offer supporting marketing literature and user testimonials. Users can choose to sign up for a one-time fee or for a monthly subscription. There are also paid add-on features, such as status updates on active ransom infections, the number of files encrypted and payment information.
RaaS has opened the floodgates when it comes to ransomware. In fact, research discovered that almost two-thirds of ransomware attacks in 2020 used RaaS tools. As well as popularity, RaaS attacks are growing in notoriety and were behind some of the biggest headlines this year. REvil and DarkSide – two key players in the RaaS space – were responsible for the attacks on JBS and the Colonial Pipeline respectively. The size and sophistication of these attacks should concern all cybersecurity professionals, and their relative success highlights how the RaaS market is only likely to grow moving forward.
Detection and prevention
With RaaS becoming so established, organisations battling against ransomware need to level up. As with most complex issues, there’s no silver bullet for cybersecurity. But organisations have the power to turn the tide. More often than not, ransomware attacks succeed when the victim isn’t effectively prepared. Therefore, organisations should expect ransomware attempts to target their networks, and prepare accordingly.
Detection and prevention are two critical parts of the ransomware puzzle. One effective way that IT teams can protect their network is by increasing visibility. This is where DNS (Domain Name System) tracking comes in. DNS is a core network service, which means that it touches every device that connects to a company’s network and the wider Internet. What’s more, some 90% of malware, including ransomware, touches DNS when entering and exiting the network, making it a powerful tool in the cyberdefence toolkit. When applied to security, DNS can help protect against ransomware attacks by detecting and blocking communication with known C&C servers that distribute malware, helping to stop an attack before it even starts.
To take DNS-based security to the next level, businesses can merge DNS with DHCP (Dynamic Host Configuration Protocol) and IPAM (IP Address Management). This combination of modern technologies – known as DDI – can pinpoint threats at the earliest stages, and paired with DNS security can identify compromised machines and correlate disparate events related to the same device.
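As an added illustration of the DNS and DDI correlation described above (example code, not from the article or from Infoblox), the following Python sketch matches DNS query logs against a list of known C&C domains, then uses DHCP lease history and IPAM asset records to identify which device actually held an IP address at query time. The log format, lease records, asset data and blocklist entries are all constructed samples; note that the same IP is leased to two different devices during the day, which is exactly the case DNS logs alone cannot resolve.

```python
import re
from datetime import datetime

# Constructed sample DNS query log (simplified format assumed for this example)
DNS_LOG = """\
2021-10-21T09:14:02 client 10.0.5.23 query update.example-cdn.net A
2021-10-21T09:14:09 client 10.0.5.23 query c2-beacon.invalid A
2021-10-21T09:15:44 client 10.0.5.41 query mail.example.com MX
2021-10-21T10:02:01 client 10.0.5.23 query cdn.c2-beacon.invalid TXT
"""
# Constructed DHCP leases: (ip, mac, lease_start, lease_end); 10.0.5.23 changes hands at 09:30
LEASES = [
    ("10.0.5.23", "aa:bb:cc:00:00:01", "2021-10-21T08:00:00", "2021-10-21T09:30:00"),
    ("10.0.5.23", "aa:bb:cc:00:00:02", "2021-10-21T09:30:00", "2021-10-21T12:00:00"),
    ("10.0.5.41", "aa:bb:cc:00:00:03", "2021-10-21T08:00:00", "2021-10-21T12:00:00"),
]
# Constructed IPAM asset inventory keyed by MAC: (hostname, owner)
IPAM = {
    "aa:bb:cc:00:00:01": ("LAPTOP-ALICE", "alice"),
    "aa:bb:cc:00:00:02": ("LAPTOP-BOB", "bob"),
    "aa:bb:cc:00:00:03": ("MAILSRV-01", "it-ops"),
}
# Placeholder C&C domains (.invalid is a reserved TLD); a real threat feed would supply these
C2_BLOCKLIST = {"c2-beacon.invalid"}

LINE_RE = re.compile(r"^(\S+) client (\S+) query (\S+) (\S+)$")

def is_blocked(qname, blocklist):
    """True if qname or any parent domain is on the blocklist, so subdomains are caught too."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))

def device_for(ip, ts, leases):
    """Return the MAC that held the DHCP lease for ip at time ts, or None if unknown."""
    for lease_ip, mac, start, end in leases:
        if lease_ip == ip and datetime.fromisoformat(start) <= ts < datetime.fromisoformat(end):
            return mac
    return None

def find_compromised(log=DNS_LOG, leases=LEASES, ipam=IPAM, blocklist=C2_BLOCKLIST):
    """Map each device that queried a C&C domain to its asset record and the offending queries."""
    hits = {}
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m or not is_blocked(m.group(3), blocklist):
            continue
        ts_s, ip, qname, _qtype = m.groups()
        mac = device_for(ip, datetime.fromisoformat(ts_s), leases) or f"unknown-lease:{ip}"
        host, owner = ipam.get(mac, ("unknown", "unknown"))
        hits.setdefault(mac, {"host": host, "owner": owner, "hits": []})["hits"].append((ts_s, qname))
    return hits

if __name__ == "__main__":
    for mac, info in find_compromised().items():
        print(mac, info)
```

The two C&C lookups from 10.0.5.23 resolve to two different laptops because the DHCP lease changed between them, which is the kind of correlation DDI provides and a DNS log alone does not.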
When it comes to ransomware, business leaders should zero in on specific protection, but also zoom out to secure the entire IT stack. Achieving full visibility and defending from the network edge will likely be a priority for security teams moving forward. Using core infrastructure like DDI as the security control plane will give organisations the upper hand and enable them to protect their networks and their employees from the latest ransomware threats.