Ransom in the Time of Corona

Tim Smith
Oct 29, 2020

Ransomware is on the rise in 2020

A growing concern for every industry just about everywhere is the topic of ransomware. Ransomware is not a new threat (the first documented case of ransomware occurred in 1989 for a whole $189), but incidents of ransomware have been increasing exponentially lately, especially as the world still reels from all of the destabilizing events of 2020. Ransomware is when a compromised system or network is encrypted or rendered otherwise unusable by a malicious third party, who then promises to restore functionality if a ransom is paid. Obviously, this is bad for any business, but, for certain organizations, this can be catastrophic — imagine what would happen if a hospital or other essential service suddenly no longer had the ability to use critical systems.

Unfortunately, this is not just a hypothetical — hospitals have, in fact, suffered from ransomware attacks, and, in late September of this year, the first death attributed to ransomware occurred when a hospital in Germany was attacked. In fact, just yesterday (October 28, 2020), several branches of the US Government released a joint cybersecurity advisory warning that credible ransomware threats have emerged against US healthcare providers, with imminent attempts at execution being very likely. At a time when COVID-19 cases are on the rise in multiple states and countries, the threat of a ransomware attack against healthcare providers is especially ghastly, but, for malicious actors, that is the point: they are intentionally trying to take advantage of chaotic times and uncertainty in order to get a payday. Naturally, there is no guarantee that paying off a cybercriminal will restore services (and the US government, in fact, states that paying off certain ransomware threats may violate sanctions and could land you in legal jeopardy), so it is absolutely crucial to plan for and develop a response to a potential ransomware incident before one occurs.

But what are some of those mitigation techniques?

First, every business and organization needs to keep (and test) regular backups of critical systems. These backups should be isolated from the network the production systems live on. This way, if the worst happens and a ransomware attack is executed, you can still quickly restore services from a backup taken before the compromise. Backups are critical, and every business, regardless of size or budget, should absolutely take this very basic step — no organization is “too small” to escape the threat of ransomware. And besides, keeping regular backups is good common sense. I can’t count the number of times a backup has saved me from small, random mistakes or system errors, never mind the threat of intentional, network-wide sabotage.

Additionally, as I wrote about a few weeks ago, engage in Multifactor Authentication whenever and wherever possible. Ransomware is not typically the first compromise of a system — it is often the result of a series of compromises and escalations. The first step to prevent this culmination is to take the basic precautions necessary to prevent even “small” intrusions. Again, prevention often comes down to good cyber hygiene. Use the strongest security possible, avoid default settings, don’t reuse passwords, etc.

Another two crucial points I want to mention — email safety and patch management. In the past, many ransomware compromises have started with an email phishing campaign. Don’t click on links in an email — even if it is in an email that seems to be from someone you know. If you can, open a browser and find that link the old-fashioned way. Additionally, never open email attachments, even from people you know, until you have verified with the sender that the attachment is legitimate (and, even then, consider confirming the file’s hash with the sender as well). Given how easily email can be the initial attack vector in a cyber incident, you should always approach any email with suspicion. It may sound like paranoia, but it is a small price to pay to avoid catastrophic consequences.
Additionally, if you are a system or network admin — patch your devices and systems! I recently attended a webinar by IBM about ransomware, and one of the most surprising takeaways for me was that more ransomware incidents in 2020 started by scanning for outdated software than by email phishing. Remember my blog post from last week? The entire penetration of the system rested on one outdated plugin. Keeping your devices up to date may sound like a minor thing, but it is crucial to staying ahead of threats.
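The hash check suggested above, as an added example (not code from the original post): compute the attachment’s SHA-256 and compare it against the value the sender gave you. The choice of SHA-256, and the assumption that the sender supplies the hash over a channel other than the email itself (so an attacker who forged the email cannot also supply a matching hash), are mine.

```python
"""Verify an email attachment against a hash the sender supplied separately.

Added illustration, not code from the original post. Assumes the expected
SHA-256 arrives out of band (phone, chat), not inside the same email.
"""
import hashlib
import hmac
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB; hash large attachments without reading them whole
HEX = set("0123456789abcdef")


def normalise_digest(value: str):
    """Return a lowercase 64-char hex digest, or None if it is not one.

    Pasted hashes often carry spaces or upper case; anything that is not a
    well-formed SHA-256 is rejected rather than guessed at.
    """
    digest = value.strip().lower()
    if len(digest) != 64 or any(c not in HEX for c in digest):
        return None
    return digest


def sha256_file(path: str) -> str:
    """Lowercase hex SHA-256 of the file at `path`, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def verify_attachment(path: str, expected: str) -> bool:
    """True only if the file's SHA-256 equals the out-of-band value."""
    wanted = normalise_digest(expected)
    if wanted is None:
        return False
    # compare_digest: constant-time comparison of the two hex strings
    return hmac.compare_digest(sha256_file(path), wanted)


def demo() -> bool:
    """Constructed sample attachment (bytes b'abc') with its known SHA-256."""
    known = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"abc")  # constructed content, stands in for an attachment
        path = tmp.name
    try:
        good = verify_attachment(path, "  " + known.upper() + "\n")
        tampered = verify_attachment(path, known[:-1] + "0")
        return good and not tampered
    finally:
        os.unlink(path)
```

Run the module’s `demo()` to see a matching hash accepted despite whitespace and case differences, and a single altered hex digit rejected.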

Of course, these are only a few small ways to mitigate the risk of ransomware. There are many more that I don’t have time to go into, but I’ll link a few useful resources below. In an ideal scenario, the indicators of compromise can be detected before a ransomware attack is activated, but threat hunters and analysts will need to stay vigilant, set up alerts, and monitor for suspicious activity, as the time between the initial compromise and the actual ransomware attack has been getting shorter and shorter. Complacency is a luxury that no one has.

FireEye has a good blog post about how to detect ransomware-related compromises before they happen: https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html

IBM has a great article about the trends of ransomware in 2020 and what to do about it: https://securityintelligence.com/posts/ransomware-2020-attack-trends-new-techniques-affecting-organizations-worldwide/

I linked it earlier in the post, but the Joint Cybersecurity Advisory on ransomware is worth reading in its entirety, and it includes some good prevention measures and indicators of malicious activity as well: https://us-cert.cisa.gov/sites/default/files/publications/AA20-302A_Ransomware%20_Activity_Targeting_the_Healthcare_and_Public_Health_Sector.pdf

Kaspersky’s article on how to prevent and respond to ransomware attacks is also a good, straightforward read: https://usa.kaspersky.com/resource-center/threats/how-to-prevent-ransomware
