What did you hear in the news today?
It’s hard to miss in the news today: ransomware is becoming part of the common vernacular. Every couple of months, you will hear of a Fortune 500 company, a hospital, an oil company, or a pipeline company struck by a ransomware attack. The recent news of the Colonial Pipeline ransomware attack made headlines, mainly because it directly affected the lives of normal people who drive every day in the Northeastern United States. The ransomware attack encrypted the critical servers used to manage the flow of oil from Texas to the north-east states, leaving them completely locked up and pushing gas prices up by 50%. It wasn’t long before the management of Colonial Pipeline paid the ransom in order to regain control of their business.
More recently, the Kaseya ransomware attack made the news headlines. Some experts called this attack possibly the largest ransomware attack in history. The FBI described the incident as a “supply chain ransomware attack” that exploited a vulnerability in the Kaseya VSA server. Once they had gained access, the attackers pushed a ransomware file as a malicious update across Kaseya’s base of MSP (Managed Service Provider) customers, who are responsible for remotely managing thousands of computers on behalf of their clients. This attack, perpetrated by the Russian cyber-gang REvil, demanded over $70 million in ransom.
EXPECT MORE NOT LESS OF RANSOMWARE
The increase in the frequency and severity of ransomware attacks signals the future of cyber-attacks to come. It has become the preferred modus operandi of cybercriminals, in large part because of the high rate of return in comparison to other cyber-attacks. Ransomware attacks illustrate the importance of the critical files, servers and end-devices that are used to run a modern corporation. The sudden lack of access can slow or even completely stop day-to-day operations, putting a heavy spotlight on the management team. Let’s take a look at some of the drivers that have made ransomware the preferred method of attack of cybercriminals.
FACTORS DRIVING RANSOMWARE
Wall Street is watching
From a Wall Street perspective, the management team is ultimately responsible for the security and day-to-day running of the business. A cyber-attack that directly impacts the business can be very difficult to hide from customers, partners and investors. It can highlight mismanagement by an executive team that has not invested the time and money into proper security measures to prevent a breach by cyber-criminals. Major cyber-attacks in which sensitive data has been breached or encrypted through ransomware have led key executives to resign. CEOs are well aware of this fact, which is in part what drives quick payment to ransomware cybercriminals.
An attacker needs to get paid
Another factor driving ransomware attacks is the method of payment - Bitcoin. One can look at the rise of Bitcoin and the growth of ransomware attacks over the last couple of years and see that they are highly correlated. The anonymity and difficulty of tracking Bitcoin has been the high-octane fuel burning underneath ransomware attacks. Without it, ransomware attacks would quickly lose their value as a preferred method of attack, since obtaining monetary compensation is the ultimate goal of cyber-attackers. In comparison to other types of cyberattacks that are focused on breaching the enterprise perimeter and stealing sensitive data to be resold on the cybercriminal underground, the ROI of a ransomware attack can be very high and immediate.
Knowledge is Power
Cybercriminals are often very technical and have an advanced understanding of modern operating systems, application vulnerabilities and the layout of enterprise networks. This has become a necessary job requirement in order to execute a successful ransomware attack. The ability to understand how these systems operate and to use this knowledge to navigate through an organization’s IT infrastructure without ever being detected is critical. Without this knowledge, an intruder’s time inside a network is extended, which draws the attention of SecOps. This technical know-how lays the groundwork for a successful ransomware attack.
Lateral Spread powers Ransomware success
From a cyber-attacker’s perspective, the success of a ransomware attack is measured by the spread of ransomware across an organization, which increases the likelihood of encrypting the critical servers and endpoints used by the organization to run day-to-day operations. Cybercriminals leverage their knowledge of IT systems and how they interoperate to figure out techniques to spread ransomware as quickly as possible. Just infecting a single endpoint or server in and of itself doesn’t mean the attack was successful. By spreading the ransomware to as many corporate devices as possible, they ensure that the ROI of their attack will be very high.
NETWORKS WERE NOT BUILT FOR RANSOMWARE
Most enterprise networks were not designed to prevent the spread of ransomware. Many of the network designers and architects who currently work in major organizations started their careers long before ransomware came onto the scene. The architectural requirements for building enterprise networks were centered around accessibility and collaboration - not security. The assumption was that security was built at the enterprise perimeter, enabling internal networks to be free and open so that employees could get work done faster and more efficiently without any constraint. However, this paradigm in enterprise network philosophy is being challenged by the latest ransomware attacks, which are turning internal corporate networks on their head.
A CHANGE IN NETWORK PHILOSOPHY
There is an emerging trend in cyber-security that has gained traction in enterprises - Zero Trust. Zero Trust by design is built around the security philosophy that you can’t trust any one individual device or service in a corporate network. In particular, Zero Trust networks reflect a fundamental change in network and security design philosophy. In a Zero Trust network, each device should have its own security rules that implement least-privilege communication, opening only the network ports that are actually necessary for day-to-day operations. What results is that each device on the network implements its own security perimeter, establishing specific rules on who and what each device can communicate with. The very concept of open networks is being challenged by the successful lateral spread of ransomware, which is forcing corporations to rethink how they design their networks through Zero Trust.
WHAT DOES ZERO-TRUST MEAN FOR RANSOMWARE?
Zero Trust doesn’t mean that organizations will be assured complete protection from any ransomware infection. There are too many attack vectors in a modern enterprise to prevent that from happening. But what organizations can do is redesign their networks so that they can “contain” ransomware from spreading, taking away from cyber-attackers the very method that forces the hand of organizations to pay up. The degree of ransomware spread across critical enterprise devices can serve as a tipping scale that determines whether management should pay or not pay their attackers. This, by degrees, can change the course of a targeted cyber-attack, helping to limit the damage of a ransomware attack to organizations.
Ransomware attacks are not going anywhere anytime soon. Organizations should expect that ransomware attacks are going to be a part of the regular routine in the years to come. As history has shown, organizations can’t completely prevent ransomware from entering their networks; cybercriminals will always find an enterprising way to circumvent security countermeasures. But what organizations can do is use an emergency shut-off “kill switch” and limit the blast radius of a ransomware attack through Zero Trust network segmentation, helping to contain the attack to an infected end-device and isolating the rest of the organization from the ransomware attack. This allows security teams to regain control from cyber-attackers and ensures they can more easily manage remediation and perform a security post-mortem on the factors that led to the attack, helping to prevent further ransomware attacks in the near future.
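As an added illustration of the per-device least-privilege rules described under "A Change in Network Philosophy" and the "kill switch" containment described above (example code written for this article, not from the original post or any vendor product), the model below evaluates flows against a default-deny, per-device inbound allowlist and shows how quarantining one infected endpoint stops its lateral spread. The device names, roles, ports and flows are constructed sample data.

```python
"""Toy Zero Trust microsegmentation model: default deny, per-device
least-privilege allowlists, and a quarantine "kill switch".
Constructed illustration; the inventory and flows are made up."""
from dataclasses import dataclass, field


@dataclass
class Flow:
    src: str
    dst: str
    port: int


@dataclass
class DevicePolicy:
    # inbound allowlist: destination port -> set of source roles permitted
    inbound: dict = field(default_factory=dict)
    quarantined: bool = False


# Constructed inventory: device -> role (used instead of raw IP addresses)
ROLES = {"ws-01": "workstation", "ws-02": "workstation",
         "file-01": "fileserver", "jump-01": "admin"}

# Constructed per-device policies. Workstations expose nothing inbound, so
# workstation-to-workstation traffic (classic lateral spread) is denied.
POLICIES = {
    "ws-01": DevicePolicy(),
    "ws-02": DevicePolicy(),
    "file-01": DevicePolicy(inbound={445: {"workstation", "admin"}, 22: {"admin"}}),
    "jump-01": DevicePolicy(inbound={22: {"admin"}}),
}
MGMT_PORT = 22  # the only inbound access that survives quarantine


def allowed(flow, roles=ROLES, policies=POLICIES):
    """Default deny: pass only if dst lists the port for src's role."""
    src_pol, dst_pol = policies.get(flow.src), policies.get(flow.dst)
    if dst_pol is None or (src_pol is not None and src_pol.quarantined):
        return False  # unknown destination, or infected source is cut off
    if dst_pol.quarantined:  # only admins may reach a quarantined host
        return flow.port == MGMT_PORT and roles.get(flow.src) == "admin"
    return roles.get(flow.src) in dst_pol.inbound.get(flow.port, set())


def quarantine(device, policies=POLICIES):
    """Kill switch: isolate one device, keeping admin management access."""
    policies[device].quarantined = True


def evaluate(flows, roles=ROLES, policies=POLICIES):
    """Return the denied flows; these are the alert candidates for SecOps."""
    return [f for f in flows if not allowed(f, roles, policies)]


# Constructed sample flows: one legitimate share access, two lateral attempts
SAMPLE_FLOWS = [Flow("ws-01", "file-01", 445), Flow("ws-01", "ws-02", 445),
                Flow("ws-02", "jump-01", 22), Flow("jump-01", "file-01", 22)]
```

Once `quarantine("ws-01")` is applied, even the file-server access that ws-01 was previously allowed is denied, while the admin jump host can still reach ws-01 on the management port for remediation.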