From the Shotgun Approach to Triple Extortion: The Evolving Ransomware Threat
In the (relatively) brief history of computer crime, many kinds of attacks have, for one reason or another, become obsolete and faded from view. Ransomware, however, is only becoming more of a threat. Since the first known attack in 1989, damage from ransomware has continued to grow in scope and severity. No organization can afford to wait it out and hope for some painless universal solution. According to a Fortinet survey, 67% of businesses and organizations have been targeted by ransomware.
Pests to Predators
Ransomware began as more of an inconvenience than a true impact on a given business, with a few computers locked here or there and a ransom maybe paid if something important wasn’t backed up. But ransomware gangs refined their techniques over time, researching their targets to pinpoint the greatest operational impacts: preventing the mission from being accomplished, whether that was making widgets, providing health services, or something else. More pain caused, bigger ransoms, more money.
How It Got Even Worse
Ransomware began as a crime of opportunity, with attackers almost randomly infecting vulnerable machines and seeking ransom – the shotgun approach. Things have changed.
The U.S. government’s Cybersecurity and Infrastructure Security Agency (CISA) has noted just a few of the ways ransomware has become more effective and costly:
Ransomware groups are sharing information about victims with each other. This makes follow-up attacks more likely.
Ransomware groups are moving from “big-game hunting” to smaller victims. They seem to have learned that high-profile attacks bring more law-enforcement disruption, so they are diversifying their target lists to include more mid-sized victims.
Ransomware groups are attempting “triple extortion.” The first ransom demand is now often just the starting point. Because attackers control the machines and siphon data out, they now threaten to:
Publicly release sensitive information (this can be customer information, personally identifiable information [PII], or other types)
Disrupt Internet access or other important services
Embarrass the victim by revealing the attack, which can lead to issues with partners, shareholders, and other interested parties
Some Ways to Improve Readiness…
Although ransomware overall remains a top concern, there are proactive measures that organizations of almost any size can, and should, take to minimize the impact of a ransomware incident. A range of technical controls is available to prevent, detect, and respond to ransomware, but there are also process, practice, and awareness measures that can position organizations to handle a ransomware attack much better. A partial list of these proactive measures includes:
Ransomware Playbook: Have you documented, in detail, the right steps to take at the right time when ransomware appears? Ransomware has several wrinkles that a “normal” malware incident does not.
Ransomware Tabletop Exercise (TTX): Actually going through a ransomware incident is a very stressful and usually expensive proposition, but you can learn a lot through a well-run practice exercise that makes sure detection, response, and recovery are all on the same page.
Ransomware Assessment: Do you think you have a good idea of how your environment, security controls, incident response, and remediation plans match up against the latest ransomware threats? Or maybe you aren’t sure? An objective, third-party assessment can show areas for improvement and where you can get the biggest bang for the buck.
…And Why Readiness Makes Financial Sense
Every business has different approaches to risk tolerance, security spending, and cost/benefit analysis, but some raw numbers can be helpful in putting ransomware into a business perspective. Two numbers in particular are useful: the average cost of recovering from an attack and the average ransom demand.
Even a basic consideration of those raw numbers suggests that getting ready for ransomware – making response and recovery more efficient, in addition to having preventative controls – could lead to a good return on the investment. It should be noted that the numbers above do not capture reputational damage, loss of customer confidence, and other costs that are difficult to quantify but are real.
Ransomware is obviously not going away any time soon, and will probably remain at peak levels, as FortiGuard Labs research shows. Organizations that haven’t been hit yet can continue to ride their luck, or they can take a good look at where they stand and become a harder target. And on the other side of an attack, if the worst has indeed happened, they can recover as smoothly and thoroughly as possible.
How Fortinet Can Help
To help organizations navigate ransomware effectively, our Incident Readiness Subscription Service supports a rapid and effective response when an incident is detected, and helps organizations better prepare for an unforeseen cyber incident through readiness assessments, IR playbook development, and IR playbook testing (tabletop exercises).