Have you heard the story of the LockBit gang? If not, consider yourself lucky. The LockBit gang is known for its widespread ransomware attacks targeting organisations around the world and in early 2024, became a focal point for the UK and the FBI due to its prolific and disruptive activities. By pooling resources, sharing intelligence, and coordinating their legal and technical strategies, international teams were able to identify, pursue, and apprehend key members of the gang, disrupting one of the most active ransomware schemes of all time, and sending a strong message to similar criminal entities about the global community’s commitment to combating cyber threats.
The Extent of the Ransomware Problem
The financial impact of ransomware attacks is staggering. Notable cases included attacks on Western Digital, the City of Dallas, Prospect Medical Holdings, MGM Resorts, Boeing, Henry Schein, and Ardent Health Services. These ranged from data theft and business disruption to a massive $100 million loss for MGM Resorts due to operational disruptions.
According to the World Economic Forum, 2023 saw a concerning surge of ransomware activity, up 50% year-on-year in the first half of the year. March 2023 was the record breaker with a staggering 459 cases reported, a 91% increase from the previous month and a 62% rise compared to March 2022. The most active ransomware groups included Clop, which exploited a vulnerability in Fortra’s GoAnywhere MFT, and LockBit.
The healthcare sector, in particular, felt the dire consequences of ransomware attacks, with at least 141 hospitals directly affected. The financial toll on healthcare was profound, with the average cost of a healthcare data breach reaching an all-time high of $11 million.
What can we do about this?
Well, unfortunately managing these attacks is very difficult. Cybercriminals often operate from countries with either weak cybercrime laws or a lack of enforcement infrastructure, making international cooperation difficult. The anonymity of cryptocurrencies, which are commonly used for ransom payments, further complicates efforts to trace and apprehend these attackers. And there’s also the decentralised nature of ransomware operations, as we explored in our discussion of RaaS, which allows attackers to launch sophisticated campaigns with minimal risk of detection.
Never Pay the Ransom
This is not just cautionary advice. It’s a principle backed by cybersecurity experts and law enforcement agencies worldwide. Complying with ransom demands presents several risks and consequences, both immediate and long-term. For one, there’s no guarantee of data recovery. Studies and real-world experiences indicate that a significant number of victims who pay do not get all their data back. Paying also emboldens cybercriminals, signalling that the victim is willing to comply. This not only puts the victim at risk of future attacks but also encourages the perpetrators to target others.
If you’re the victim of ransomware and considering paying, think about where your money is going. Ransom payments directly finance criminal operations, enabling them to refine their attack methodologies, invest in more sophisticated technology, and expand their targets.
Each successful transaction is a testament to the viability of ransomware as a profitable venture for cybercriminals. The economic model of ransomware is built on the willingness of victims to pay, ensuring its continuous growth and sophistication. Yes, a ransomware attack can leave you feeling like you’re backed into a corner, with no choice but to cough up the cash, but the negative implications of paying far outweigh the possibility of a positive result.
Immutable Cloud Storage Is Key for Ransomware Recovery
Immutable storage is pivotal in defence against ransomware attacks. It’s like a safety deposit box where you store your information and no one, not you, not your employees, and not attackers, can alter or delete it.
The significance of immutable storage in ransomware defence cannot be overstated. In the event of an attack, having backups that are untouchable means you can restore your data to a pre-attack state without paying the ransom. This not only minimises downtime but also significantly reduces the financial and operational impact of the attack.
Cloud services play a vital role in providing immutable storage solutions. Major cloud providers like CTERA offer services designed with immutability in mind, leveraging write once, read many (WORM) policies to protect data. Cloud-based immutable storage, then, is an essential component of a comprehensive data protection strategy, offering scalability, reliability, and accessibility, alongside robust defence against ransomware threats.
It’s a way for you to be proactive against attacks and to ensure that any cyber threats that sneak through the battle lines don’t disable your business operations. Immutable storage doesn’t just protect individual organisations. It’s also key to the broader fight against ransomware.
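To make the WORM idea concrete, here is a small model of a retention-locked backup store, added as an illustration rather than code from CTERA or any cloud provider. The object key, retention period and the simulated attack timeline are constructed values; it shows why an attacker who overwrites or tries to delete a locked backup cannot stop a point-in-time restore.

```python
# Model of a WORM (write once, read many) backup store with retention locks,
# added as an illustration; not CTERA's or any cloud provider's code. Keys,
# retention periods and the simulated attack timeline are constructed values.
from dataclasses import dataclass, field

@dataclass
class Version:
    data: bytes
    written_at: int    # epoch seconds (constructed timeline)
    retain_until: int  # nobody may delete or rewrite before this time

@dataclass
class WormStore:
    retention_seconds: int
    objects: dict = field(default_factory=dict)  # key -> list of Version

    def put(self, key: str, data: bytes, now: int) -> None:
        # A write never replaces data: it appends a new locked version, so an
        # attacker "overwriting" a backup cannot destroy the earlier copy.
        self.objects.setdefault(key, []).append(
            Version(data, now, now + self.retention_seconds))

    def delete(self, key: str, now: int) -> None:
        # Refused while any version is under retention, whoever asks
        # (compliance-mode semantics: no admin override).
        for v in self.objects.get(key, []):
            if now < v.retain_until:
                raise PermissionError(f"{key} locked until {v.retain_until}")
        self.objects.pop(key, None)

    def restore(self, key: str, before: int) -> bytes:
        # Point-in-time recovery: newest version written before the attack.
        clean = [v for v in self.objects.get(key, []) if v.written_at < before]
        if not clean:
            raise KeyError(f"no version of {key} predates {before}")
        return max(clean, key=lambda v: v.written_at).data

def simulate_recovery() -> tuple:
    """Constructed timeline: clean backup at t=0, attacker acts at t=3600."""
    store = WormStore(retention_seconds=30 * 24 * 3600)
    store.put("db.bak", b"clean-snapshot", now=0)
    attack_time = 3600
    store.put("db.bak", b"ENCRYPTED", now=attack_time)  # overwrite attempt
    try:
        store.delete("db.bak", now=attack_time + 1)      # deletion attempt
        delete_blocked = False
    except PermissionError:
        delete_blocked = True
    return store.restore("db.bak", before=attack_time), delete_blocked
```

Once the retention window has passed, `delete` succeeds, which is the lifecycle behaviour a real WORM policy also needs so that storage does not grow forever.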
Advanced Detection and Response Techniques
Artificial Intelligence (AI) and Machine Learning (ML) are changing the way we identify and neutralise ransomware activities. These technologies excel in sifting through massive volumes of data at high speeds, enabling us to identify suspicious patterns and anomalies that could indicate a ransomware attack in progress.
One of the key strengths of AI and ML in this context is their ability to offer real-time detection and behavioural analysis. Unlike traditional, signature-based defences, which rely on known threat databases and thus can only defend against previously identified ransomware, AI and ML systems learn from the data they process. This continuous learning allows them to identify new and evolving ransomware strains based on behaviour and other indicators, rather than waiting for a specific signature to appear.
In cloud environments where data flows dynamically and the scale and complexity of operations can render traditional defences less effective, AI-driven systems allow us to implement continuous monitoring. And if they find a problem, they can automatically trigger alerts and initiate actions to mitigate the attack. The behavioural analysis offered by AI and ML also provides insights into the tactics, techniques, and procedures used by attackers, which can improve overall security and allow us to conduct detailed forensic investigations post-attack. With this knowledge, we’ll know how the attack happened, which vulnerabilities were exploited, and how we can prevent similar incidents in the future.
A Call to Action
The persistent nature of ransomware means we need to be continuously vigilant and adaptable. This threat is not static; it morphs, adapts, and finds new ways to exploit vulnerabilities. Businesses, regardless of size or sector, have to evolve to battle against ransomware, perpetually learning and improving their security practices.
To stand resilient in the face of ransomware, a multi-layered approach to defence is not just advisable; it’s imperative. But the journey towards creating it is a marathon, requiring endurance. What can you do while you build up your cyber defences? First, foster a culture of cybersecurity awareness in your business. Then implement a comprehensive defence strategy. And next, don’t pay the ransom. Just don’t.
The path forward is challenging, but by taking collective action and making a commitment to cybersecurity, we can pave the way for a safer digital future.
Aron Brand, CTO of CTERA, has more than 22 years of experience in designing and implementing distributed software systems. Prior to joining the founding team of CTERA, Aron acted as Chief Architect of SofaWare Technologies, a Check Point company, where he led the design of security software and appliances for the service provider and enterprise markets. Previously, Aron developed software at the IDF’s elite technology unit, Unit 8200. He holds a BSc degree in computer science and business administration from Tel-Aviv University.