Written by guest contributor David Balaban.

At its dawn, ransomware was a rudimentary threat that locked down computer screens with terrifying police-themed alerts and demanded prepaid cards to bring the systems back on track. In 2013, cyber extortionists added encryption to their arsenal and started accepting bitcoins for recovery. This shift gave rise to CryptoLocker, which became a game-changer and a catalyst for a massive digital plague.
Things got worse in 2018 when malicious actors shifted their focus from individuals to organizations. As a result, multinational corporations, municipalities, hospitals, universities, and critical infrastructure entities are on the receiving end of destructive digital assaults these days. The recent Colonial Pipeline attack became a classic demonstration of this impact. It disrupted fuel supply along the U.S. East Coast and showed how such foul play could affect numerous people’s lives.
As if the peril of unauthorized encryption weren’t serious enough, ransomware makers are lacing their schemes with extra layers of intimidation. Some gangs extract data from compromised networks and threaten to make it public unless the victims pay up. To top it off, DDoS raids are often used to coerce non-paying organizations into cooperating.
The rapidly escalating ransomware threat is a call to action. Governments, businesses, and security professionals should combine efforts to forestall the spread of these deleterious programs. In fact, there are some promising initiatives and ideas in this area. The following paragraphs will describe them in detail.
The need for a global anti-ransomware strategy
Ransomware prevention should become one of the building blocks of every country’s security policy. Nation-states also need to share information regarding malefactors’ tactics to step up their preparedness for these attacks and facilitate an effective response. An important task for law enforcement agencies around the globe is to prioritize operations aimed at taking down ransomware infrastructures.
Another effective way to inhibit the menace is to chase down the crooks behind extortion campaigns and ensure extensive mass media coverage of these cases. Earlier this year, South Korean police apprehended an affiliate of the GandCrab Ransomware-as-a-Service (RaaS) platform. The more such stories hit the headlines, the fewer wannabe criminals will be breaking bad down the line.
One more piece of the anti-ransomware puzzle is to be tough on any country that serves as an oasis for cybercrime. For example, it is common knowledge that some high-profile cyber extortion groups have Russian roots, and their misdeeds appear to fly under the radar of local authorities. The prime example is a notorious gang dubbed REvil, which is reportedly responsible for the newsmaking attack against the world’s largest meat supplier JBS in May 2021.
Disrupting the ransomware economy
Every ransomware attack boils down to money. To make fortunes illegally and get away with it, felons have created an intricate extortion model with Bitcoin, Ethereum, or other cryptocurrencies at its core. Following the payment trail in a decentralized blockchain-based ecosystem is extremely challenging. To add insult to injury, bad guys often leverage so-called cryptocurrency mixers that reduce coin traceability to zero.
With that in mind, tighter regulation of the cryptocurrency space could be the remedy. This is doable through laws that require the owners of coin exchanges and crypto kiosks to provide data to law enforcement, follow Know Your Customer (KYC) rules, and abide by anti-money laundering regulations. If it were possible to link Bitcoin transactions to specific individuals, the operations security (OPSEC) of ransomware authors would go down the drain.
The flip side of this approach is that any extra pressure and control of the cryptocurrency market will ruin the very concept of a decentralized, privacy-centric network. Therefore, legislators and major players in this industry have to reach a consensus before giving the green light to such groundbreaking changes.
Hardening the defenses at the enterprise level
Since organizations are in the crosshairs of ransomware distributors, corporate executives must rethink their protection techniques in line with the current challenges. As mentioned above, these attacks increasingly involve data leaks in addition to well-trodden encryption practices. Threat actors run dedicated leak sites where they post stolen data to pressure victims who refuse to pay.
Under the circumstances, data backups don’t suffice to recover from a ransomware disaster anymore. Organizations are additionally faced with reputational risks stemming from dumps of sensitive files on “public shaming” sites. And yet, this doesn’t diminish the importance of a backup strategy, which remains a key prerequisite for maintaining business continuity after the incident.
The use of a DDoS mitigation service is one more element of well-thought-out ransomware countermeasures. It will help if criminals try to swamp the enterprise network with a large amount of traffic as part of a scare tactic.
A serious obstacle to building solid protection against this vector of cybercrime is that proper security on the company’s end isn’t always enough. The enterprise infrastructure may be breached through the network of a managed service provider (MSP) or another third party that has access to some corporate digital assets. Therefore, questioning the InfoSec practices of such partners won’t go amiss.
Of course, the best way to avoid these problems is to never get hit in the first place. Companies need to hone their personnel’s security awareness via periodic training. The starting point for most ransomware incidents is a phishing email with a malicious attachment or link in it. Every employee needs to know how to spot such stratagems and not be ensnared.
To reduce the damage from a potential attack, it is recommended to stick with the principle of least privilege when architecting corporate networks. Under this principle, staff members should only have access to the enterprise resources their duties require. This way, if someone on your team slips up by executing a malicious file, the damage will be confined to what that account can reach.
Deploying traditional anti-malware and a reliable intrusion prevention system can raise the bar higher for crooks. Penetration tests are worthwhile, too. They help identify vulnerable network areas and prioritize the fixes.
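The least-privilege point above is easiest to appreciate when the exposure of a single compromised account is measured rather than described. The following is an added example, not code from the article or its author: a deny-by-default role-based access model with a "blast radius" function that reports what fraction of an inventory a given account could reach if it ran a malicious file. The resources, roles and accounts are constructed for illustration; the flat model, in which every role can reach everything, is the anti-pattern being compared against.

```python
"""Added example (not part of the original article): a deny-by-default
role-based access model and a "blast radius" calculation that shows how
least privilege limits what one compromised account can reach.
All resources, roles and accounts below are constructed for illustration."""

from dataclasses import dataclass

# Constructed inventory of enterprise resources (hypothetical names).
RESOURCES = {
    "hr-fileshare", "finance-db", "source-repo", "backup-vault",
    "customer-crm", "build-server", "public-wiki",
}

# Constructed role -> allowed resources. Anything not listed is denied.
LEAST_PRIVILEGE_ROLES = {
    "hr": {"hr-fileshare", "public-wiki"},
    "accounting": {"finance-db", "customer-crm", "public-wiki"},
    "developer": {"source-repo", "build-server", "public-wiki"},
    "backup-operator": {"backup-vault"},
}

# Flat model: every role gets every resource (the anti-pattern).
FLAT_ROLES = {role: set(RESOURCES) for role in LEAST_PRIVILEGE_ROLES}


@dataclass(frozen=True)
class Account:
    name: str
    roles: frozenset  # set of role names assigned to this account


def is_allowed(account, resource, roles):
    """Deny by default: allow only if one of the account's roles grants the resource.
    Unknown resources and unknown roles never grant access."""
    if resource not in RESOURCES:
        return False
    return any(resource in roles.get(r, set()) for r in account.roles)


def reachable(account, roles):
    """Resources a compromised account could reach under the given policy."""
    return {r for r in RESOURCES if is_allowed(account, r, roles)}


def blast_radius(account, roles):
    """Fraction of the inventory exposed if this account executes a malicious file."""
    return len(reachable(account, roles)) / len(RESOURCES)


def over_privileged(accounts, roles, threshold=0.5):
    """Names of accounts that can reach more than `threshold` of the inventory;
    these are the ones an access review should look at first."""
    return sorted(a.name for a in accounts if blast_radius(a, roles) > threshold)


# Constructed accounts; carol accumulates two roles, a common real-world drift.
ACCOUNTS = [
    Account("alice", frozenset({"hr"})),
    Account("bob", frozenset({"developer"})),
    Account("carol", frozenset({"accounting", "backup-operator"})),
]

if __name__ == "__main__":
    for acct in ACCOUNTS:
        print(f"{acct.name}: least-privilege "
              f"{blast_radius(acct, LEAST_PRIVILEGE_ROLES):.0%}, "
              f"flat {blast_radius(acct, FLAT_ROLES):.0%}")
    print("review candidates (least privilege):",
          over_privileged(ACCOUNTS, LEAST_PRIVILEGE_ROLES))
    print("review candidates (flat):", over_privileged(ACCOUNTS, FLAT_ROLES))
```

Under the flat model every account exposes the whole inventory, so a single phishing click hands the attacker everything; under the least-privilege model alice and bob each expose two of seven resources. The example also surfaces the quieter problem of role accumulation: carol's two roles put her above the review threshold even though each role on its own is narrow, which is exactly the kind of account a periodic access review should flag.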
Paying up is a slippery slope
Infected organizations should think of ransoms as the last resort rather than the first thing on their agendas. Pumping more money into the global cyber extortion cesspool will encourage crooks to come up with new pressure mechanisms, mastermind advanced exploits to infiltrate networks, and launch RaaS platforms to extend their reach. Recovering from an attack can be long and extremely difficult, but compared to funding this disgusting form of cybercrime, it seems like the lesser of two evils.