Ransomware is extremely destructive in nature, making it an attractive tool for threat actors to reap financial gain. Steve Forbes, Government Cybersecurity Expert, Nominet, offers his best practice advice for business leaders to protect their assets and prepare in advance for attacks of this sort, which are only set to increase.
Ransomware has rarely been out of the headlines over the past 12 months, with giant multi-nationals such as Toyota, Okta, Vodafone and Samsung falling victim to attacks by prominent criminal gangs. The surge in ransomware attacks in recent years has disrupted critical national infrastructure, global supply chains and even nation states including Costa Rica and Montenegro. Worryingly, the trend shows no sign of abating as we move through 2023.
Indeed, the NCSC has contended with a record number of ransomware incidents over the past year and has identified the attacks as the most significant cyberthreat facing businesses and individuals in the UK. Of the 63 recorded cyber incidents that were significant enough to require a national level response by the NCSC, 18 involved ransomware.
Despite being a relatively unsophisticated method of attack, a successful ransomware breach has the capacity to grind an organisation to a halt – and cause significant disruption to the general public. Meanwhile, with the objective of ransomware actors almost always being to profit financially, businesses face the multiple threats of financial loss, internal disruption from data breaches and substantial reputational damage.
2022 in review
Ransomware gangs such as Lapsus$, Conti and LockBit were active around the globe, constantly bolstering their tactics and causing public embarrassment for the companies they attacked. Toyota was forced to suspend its production line for a short time when hackers struck a supplier; Vodafone, Samsung and Okta were hit by Lapsus$, which breached security systems and threatened to release sensitive data and information. In the case of Okta, thousands of companies that use its cloud software also came under threat.
Lapsus$ was perhaps the most notorious gang operating in early 2022, hitting a string of businesses, before a series of arrests halted its progress. This successful law enforcement was a direct result of the increased collaboration between governments and agencies around the globe – a lesson for businesses and authorities in 2023. The sharing of threat intelligence and cyber strategies has supported the takedowns of ransomware groups alongside wider multi-government takedowns like the action against REvil in 2021. Sometimes ransomware gangs are responsible for their own downfall – Conti shut down last year following the leak of internal chats and part of its source code.
Despite the efforts to disrupt gangs, there was no decrease in ransomware activity in the UK last year, which, according to the NCSC, was because members of exposed groups would often move on to work with others – demonstrating how the ransomware landscape continues to diversify and evolve.
Dealing with ransomware
Businesses should assume they will be hit by a ransomware attack at some point this year. This means it is critical to take all necessary precautions to try and prevent it from happening. Frequently, it comes down to getting the basics right. The NCSC’s ‘10 steps to Cyber Security’ is a good place for any business to start. Through steps like enabling firewalls, patching software in a timely manner, good identity and password management and having resilient backups on hand, organisations can easily bolster their security posture. While backups won’t prevent ransomware, they will speed up recovery and reduce the need for the company to pay the ransom.
We should all remember that these groups are enterprises as well as criminal gangs. Much like businesses, they are trying to survive and make as much profit as possible – although clearly on the wrong side of the law. But like businesses, they are looking for the biggest return from the lowest risk. They also want to create for themselves a reputation for success by demonstrating they have the ability to take down large targets. These relatively simple motivations mean that ransomware activity will continue to grow this year and into the future.
High-profile incidents such as the Colonial Pipeline attack have created a public outcry and increased political pressure, according to the NCSC Annual Review. The result has been increased scrutiny for ransomware groups and other threat actors, forcing some to adapt and adjust their techniques to better avoid detection and defences. That ever-evolving threat will continue to grow this year, creating further challenges for businesses as they strive to stay ahead of and prevent intrusions.
The ransomware trend in cyberspace
The destructive nature and financial viability of ransomware make it an attractive tool for threat actors, who have an almost unlimited number of organisations to attack. One area of growing popularity among state actors is wiperware. The primary motivation for using wiperware is pure destruction and not financial gain. It erases data from systems completely and makes it difficult to recover those files – rather than offering victims the chance to decrypt them. This method allows threat actors and nation states to act decisively and destructively against their intended targets. With geopolitical tensions high, this signals genuine hostile intent as part of a wider political or military campaign.
Some wiperware activity seen at the beginning of the Ukraine conflict mirrored the NotPetya-style attacks of the past. To date, much of the disruption has been enacted by DDoS attacks, which take networks offline via the use of botnets that have been built up over the last several years. These methods have been a much easier type of attack to carry out with fewer repercussions than targeted wiperware. And similar to NotPetya, while the majority of businesses will not be targeted by wiperware, they may well be impacted if the intended targets are part of their supply chain.
Businesses will need to be on high alert as it’s not a question of if they’ll be attacked, but when. Threat actors will ultimately continue to utilise ransomware because of its straightforward nature, the chance of notoriety it provides and the financial gains available. Concerningly, the hackers are only getting better at finding vulnerabilities and exploiting them quickly to achieve their goals. To put their best foot forward against this activity, business leadership teams need to have a comprehensive understanding of their security posture in order to put in place the right resources to keep their systems secure.
Collaboration will also be key, both among a company’s key stakeholders and with law enforcement and government bodies – should the worst-case scenario occur. Agencies such as the NCSC have the expertise and processes in place to help organisations hit by a serious cyberattack. Many businesses don’t realise that if they are transparent with law enforcement and inform them immediately after a breach, they give themselves the best chance of taking on and eventually recovering from the attack. When behaviour like this is adopted alongside implementing cyber basics, a business puts itself on a stronger footing.
This best practice will be essential in 2023 and beyond, with ransomware attacks likely to increase further. The more that IT teams are empowered to proactively prepare to take on these threats, the more protected everyone will be.