Organizations continue to fall victim to ransomware, and yet progress on tackling these attacks, which now constitute one of the biggest security problems on the internet, remains slow. From small companies to councils, government agencies and big business, the number and range of organizations hit by ransomware is rising. One recent example: schools with 36,000 students have been hit, leaving pupils without access to email as attempts were made to get systems back online. That makes at least four chains of schools attacked in the last month.
Ransomware gangs are getting craftier, and nastier, in their relentless pursuit of profit. It is not enough to break into computer systems and encrypt the data to render it useless. Now, the crooks are stealing some of the data and threatening to reveal it. It is not just data such as customer records: the cyber criminals will look for anything that might be sensitive or embarrassing on the network, and use the threat of publishing it as leverage against victims. And in many cases it seems to work.
What can be done to stop these attacks? Organizations of all sizes need to understand the ransomware threat and figure out how to improve their own security; even getting the basics right can go a long way towards deterring attacks. The software industry also needs to do a better job of building secure software. Is this going to happen? That is unlikely, as there's just too much pressure to ship software fast and generate profit. The multiple ways companies can customize and integrate software also mean that even if it ships perfectly secure, security holes will emerge as soon as it is used in the real world. Worse, ransomware groups are adept at seizing on newly discovered flaws and utilizing them as part of their attacks, with the ransom money providing funds to sustain longer and more complicated attacks. In the longer term, the general shift to cloud computing, which has so far proved more secure, might help.
Tackling the perpetrators themselves is the next challenge, although here geography plays a big role. Many of these groups are located in Russia, which means that law enforcement has found it hard to pursue cases. It may be possible to disrupt the efforts of these groups in other ways; police have had some success in disrupting botnets and other online crime rings, so perhaps something similar is possible here, even if this disruption tends to be only temporary. There is little chance of improvement in the short to medium term, unless there's a significant thawing of international relations.
To pay or not to pay? One of the trickiest decisions concerns ransom payment. It is understandable that a company may feel it has no choice but to pay up to regain access to its data, given that the alternative is to go out of business. But every ransom paid rewards the cyber criminals and sends a signal to others that there is no end to the profits to be made.
Ransomware gangs are opportunists and may not realize that a company is based in the US, and may encrypt the systems anyway. They are unlikely to hand over the decryption key just because the victim can't pay up. If companies cannot pay ransoms and do not have any other way to restore their data, they will face huge costs and disruption, potentially enough to put them out of business. Even organizations with backups and the required technical know-how will be forced to spend time and money restoring their systems. That could put them at a significant disadvantage compared to ransomware victims based elsewhere.
Ransomware gangs are certainly capable of avoiding certain territories when planning attacks (they tend to avoid Russia, for example), so in the longer term a ban on paying ransoms may have the desired impact by making American organizations less profitable targets. Still, there is no sign that the government is currently planning on going down this route.
Red Sky Alliance has been analyzing and documenting cyber threats and groups for over 9 years and maintains a resource library of malware and cyber actor reports, available at https://redskyalliance.org at no charge. Many past tactics are reused in current malicious campaigns.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
Reporting: https://www.redskyalliance.org/
Website: https://www.wapacklabs.com/
LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/3702558539639477516