When 30 countries get together to discuss a problem, you know it’s serious. Last October, the US hosted a multi-country meeting to discuss an online scourge: ransomware. The problem is getting so bad that it isn’t just costing companies millions each year – it’s also threatening critical national infrastructure. So what is it, why has it become such a problem, and what do we do about it next?
Ransomware has become a headline issue in the last few years but it existed long before that. Consumer-targeted malware froze victims’ machines and demanded payment twenty years ago. The problem for criminals was getting money from the victims’ accounts to theirs.
Then, along came cryptocurrency. Ransomware criminals traditionally had to try and convince victims to buy gift cards or make payments via money transfer services like Western Digital. Starting with bitcoin in 2009, cryptocurrency offered a fast, friction-free payment method that exploded over the next decade, with more digital currencies appearing almost weekly. Some, like Monero, were specifically geared to be as anonymous as possible.
This gave criminals a perfect payment channel, which paved the way for more professional attacks. The first ransomware strains were often poorly coded, enabling victims to share encryption keys and recover their own data. Later strains tightened up encryption and also used more sophisticated techniques.
Ransomware began deleting shadow volumes files, which are backups of files created locally by Windows machines and a critical tool for Windows to restore files locally. Ryuk has been spotted automatically crawling and deleting any shadow volumes or other backup files that it finds, using simple scripts. Locky, Wannacry, and Cryptolocker all target shadow volumes. Most ransomware volumes will also crawl networks looking for shared volumes, meaning that backing up to a network drive won’t protect you.
Introducing human hackers
In the last few years, ransomware evolved again. It became more like a business. The criminal community behind it separated into different groups that operated on an affiliate model called ransomware as a service. The ransomware authors license their malicious software to others who find victims to infect. They then pay the authors a fee.
Ransomware groups began sourcing large volumes of vulnerable attack vectors on the dark web. These included not only stolen login credentials but also vulnerable remote desktop protocol (RDP) ports that they could use to infect endpoints with ransomware. They then automated attacks, hitting vulnerable points using bots to see which networks they could gain a hold in.
Once they infect a vulnerable network, many of today’s ransomware attackers do far more than just let the software run. Instead, they spend time manually picking their way through a victim’s network themselves, finding more machines to infect. This lateral movement enables them to find the victim’s most valuable resources. They often use everyday administrative tools that already exist on the target’s network, like PowerShell and Windows Management instrumentation, to avoid raising suspicion. This process is called ‘living off the land’.
This more manual technique allows ransomware thieves to do more than encrypt data. Today, they’re stealing it too. That way, if a company is able to recover its data from a backup, they can still try to extort money by threatening to publish the information.
The result?
Ransomware has evolved from a time bomb to a smart missile, seeking out the most valuable information in your organisation. But it doesn’t stop at one data cache; it finds all the targets it can, maximising its blast radius.
Those attackers don’t stop at primary data. They’ll do their best to access a victim’s backups too. This is often relatively easy, as some backup files have headers containing detailed information about their contents.
Those backups are often an easy way to collect large amounts of sensitive data in one easy raid. Cloud backups are even better because ransomware thieves that gain access to those accounts can often steal the backups without triggering any alerts on the victim’s internal network. They can then pursue sensitive data at their leisure.
Criminals that find those backups can delete them before detonating their ransomware. That stops the victims restoring data from them.
The alternative is not to delete the backups at all, but instead to leave the ransomware lying dormant for weeks on the network. The ransomware files will then get backed up along with everything else. After it eventually detonates, the victim might restore the files only to find themselves infected again immediately.
The problem is getting worse
How can companies protect themselves against these ransomware attacks? Basic cybersecurity hygiene measures apply. Training end-users to watch for phishing attacks, scanning incoming emails and outgoing web sessions are all good lines of defence. Using multi-factor authentication for online accounts will help stop ransomware thieves from hacking accounts while switching off unused RDP ports will close down attack surfaces, as will regularly patching software.
Beyond that, though, companies need security solutions built for ransomware – especially with the rise of Ransomware-as-a-Service.
Ransomware-as-a-Service is exactly what you think it’s going to be, and it is becoming a significant threat as more and more threat actors are turning to it, meaning your solutions for recovery and cyber resilience will be even more crucial. The world isn’t like it used to be, that’s for certain. No longer do you only need to fear those with the capability to execute a ransomware attack, you now have to make sure you’re protected from every angle, because RaaS has enabled those with little knowledge and know-how to unleash attacks at their leisure. The kits are easy to access on the dark web, which ultimately means more attacks and attackers will usually utilise a “spray” tactic, hoping something lands. What does this mean for you? It means your defences and backups have never been more important.
The ransomware scourge isn’t going away. It’s going to get worse, and more companies are going to get hit. As we’ve seen, relying on traditional backups is cumbersome and unreliable. When online crooks come calling at your organisation, will you be ready?
James Hughes, EMEA Enterprise CTO & VP of Systems Engineering at Rubrik