Common Misconceptions About Modern Ransomware

Author: Patrick Barnett, CISA, CISM, CEH, CISSP, PCI QSA, PCIP
Date Published: 24 January 2023

Ransomware has evolved rapidly in recent years, and it has become devastating and expensive for organizations. There are many misconceptions about ransomware attacks, often because enterprises have failed to keep up with changes in threat group tactics, techniques and procedures (TTPs). TTPs change rapidly as threat groups continuously evolve to become more efficient and profitable.

Ransomware attacks make media headlines on a regular basis. In 2022, 79% of surveyed organizations reported experiencing a ransomware attack, and among that population, three-quarters reported that they were financially or operationally impacted by these attacks.1 Early ransomware primarily targeted individual end-user machines. It has since evolved into massive networkwide data encryption efforts. In fact, the encryption process is but one part of a threat group’s multiprong approach to increasing the profitability and frequency of ransom payments, which is typically the ultimate goal. More than 90% of threat groups are financially motivated and operate in an attempt to generate profits and a return on investment (ROI).


To better combat ransomware, it is worth examining these changes and some common misconceptions.

Threat Groups Are Untrustworthy

Not too long ago, someone who decided to pay a ransom might not receive the decryption keys after doing so. Today, ransom payers usually do receive the keys. This was a quiet shift that took place over several years. Before the shift, the unsophisticated encryption routines used by many groups were hit or miss: they frequently failed to encrypt data completely or produced files that could not be decrypted even with the key. Today, ransomware and threat actors hit more than they miss. Often, they can encrypt most of the data, and do so quickly.

Only a few years ago, a threat group would take many months to move around in a network, find data sources, monitor traffic and begin an encryption process. Fast forward to today, and the average time from initial access to encryption is 4.5 days.2

During the early days of ransomware attacks, threat groups would occasionally move to a domain controller and gain control of Active Directory. This granted them the keys to the kingdom and had a devastating effect on the victim organization. Today, because of poor Active Directory security and configuration, threat groups can often elevate their privileges and take control of Active Directory rapidly, which is what allows them to push encryption to every domain-joined system at once.
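The article does not list which Active Directory weaknesses attackers abuse. As an added illustration (this is not code from the article or from Secureworks), the following PowerShell audit queries a domain for a handful of well-known escalation paths that an incident responder typically checks first. The specific checks, the 180-day krbtgt threshold and the five-member Domain Admins threshold are this example's own assumptions; it requires the RSAT ActiveDirectory module and read access to the domain.

```powershell
# Added example, not from the original article: audit a domain for a few
# common Active Directory weaknesses that turn a single foothold into
# domain-wide control. Thresholds below are assumptions for illustration.
Import-Module ActiveDirectory

$findings = @()

# 1. Non-DC computers trusted for unconstrained delegation: a compromised
#    host of this kind caches the TGT of every user that authenticates to it.
foreach ($c in Get-ADComputer -Filter 'TrustedForDelegation -eq $true' -Properties TrustedForDelegation) {
    if ($c.DistinguishedName -notmatch 'OU=Domain Controllers') {
        $findings += [pscustomobject]@{ Check = 'UnconstrainedDelegation'; Object = $c.Name }
    }
}

# 2. User accounts with a service principal name are Kerberoastable: any
#    domain user can request a service ticket and crack the password offline.
foreach ($u in Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties ServicePrincipalName, PasswordLastSet) {
    if ($u.SamAccountName -ne 'krbtgt') {
        $findings += [pscustomobject]@{ Check = 'KerberoastableUser'; Object = "$($u.SamAccountName) (password set $($u.PasswordLastSet))" }
    }
}

# 3. Privileged accounts (AdminCount=1) whose passwords never expire or that
#    do not require Kerberos pre-authentication (AS-REP roastable).
foreach ($u in Get-ADUser -Filter 'AdminCount -eq 1' -Properties PasswordNeverExpires, DoesNotRequirePreAuth) {
    if ($u.PasswordNeverExpires -or $u.DoesNotRequirePreAuth) {
        $findings += [pscustomobject]@{ Check = 'WeakPrivilegedAccount'; Object = $u.SamAccountName }
    }
}

# 4. Domain Admins membership (recursive). Anything beyond a few named
#    break-glass accounts is a sign of over-broad privilege. Threshold assumed.
$da = @(Get-ADGroupMember -Identity 'Domain Admins' -Recursive)
if ($da.Count -gt 5) {
    $findings += [pscustomobject]@{ Check = 'TooManyDomainAdmins'; Object = "$($da.Count) members" }
}

# 5. krbtgt password age. If it is not rotated (twice) after an intrusion,
#    any Golden Ticket the attacker forged remains valid. 180 days is assumed.
$krbtgt = Get-ADUser -Identity 'krbtgt' -Properties PasswordLastSet
if ($krbtgt.PasswordLastSet -lt (Get-Date).AddDays(-180)) {
    $findings += [pscustomobject]@{ Check = 'StaleKrbtgtPassword'; Object = "last set $($krbtgt.PasswordLastSet)" }
}

$findings | Format-Table -AutoSize
```

Run it from a domain-joined administrative workstation; each row is a lead to investigate, not proof of compromise. The checks are read-only, so the script can be run safely both during an incident and as a recurring control.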

Additionally, many modern post-intrusion ransomware attacks include a triple-extortion component. Attackers encrypt data; they also exfiltrate data (often confidential data) and may inform the media of the ransomware situation or publish the data on leak sites, including on the dark web; and they may threaten to mount a distributed denial-of-service (DDoS) attack if the ransom is not paid. In many cases, they will attempt to name and shame a victim into making a large payment. This triple-extortion methodology devastates an organization while increasing the frequency and amounts of payments made to the threat groups.

Threat Groups Are Unorganized

In the early days of ransomware, attacks were not as targeted as they are today. Many attacks were conducted randomly through malicious links and uniform resource locators (URLs) sent in emails. Today, threat groups target organizations. One of the biggest changes to ransomware is that the modern ransomware attack group uses sophisticated business practices to ply its trade. In the early days of ransomware, little or no business strategy was used. Modern threat groups make changes based on sound business strategy and ROI. In some cases, threat groups work with other threat groups to carry out the life cycle of an attack: one group may specialize in penetrating the network and maintaining persistence, while another excels at data exfiltration and rapid encryption. Threat groups today are therefore more organized and professional, more efficient at the activities that generate profit, and quick to change their business strategy when doing so increases profitability.

Application and system software vulnerabilities are now more common attack vectors. This is especially true of vulnerabilities on Internet-facing systems. Anything that is Internet-facing is constantly being scanned by threat groups around the world seeking known or unknown vulnerabilities. Some threat groups invest in purchasing information (often on the dark web) about zero-day vulnerabilities. Threat groups research and plan ways to become more sophisticated and profitable while reducing the risk of being caught for their crimes.

Backup Data Offers Complete Protection

Another common misconception is that if you have good backups that the attacker has not encrypted, you will not need to pay a ransom if attacked. It is important to understand some key facts about backup strategies. Even if the backups are protected, how long will it take to perform the restore? Restore time should be measured in a rehearsal, not estimated. It is common to see organizations take weeks or months to perform complete restorations, and they may suffer significant business losses during that time. In fact, this downtime is the most expensive aspect of a ransomware attack: the loss accrued by not being able to conduct business as usual is by far the largest cost of the incident.


Decryption Keys Are the Keys to Everything

It is not commonly understood that even if the ransom is paid and the victim receives the keys to decrypt their data, decryption takes time and usually does not result in successful decryption of everything. Only 29% of victims are able to restore all their encrypted data.3 This leaves a significant amount of data unusable, which can have extreme consequences. Ransomware attacks do not cause only monetary damage. In the United States in 2019, 764 organizations in the health care sector were forced to temporarily stop operations due to ransomware. The same year, 113 US government institutions and 1,233 US universities and school districts were targeted with ransomware.4 These attacks can have a significant impact on the lives of citizens who depend on the affected services, and can potentially be fatal.

Ransomware Attacks Are One and Done

Eighty percent of organizations that are targeted with ransomware experience repeat episodes after the initial attack.5 Re-entry after the initial attack should be expected unless the victim organization can determine how the attack occurred and close the gap(s). Closing the gaps could mean applying a missing patch, correcting a misconfiguration, protecting the endpoints with better security such as a managed detection and response (MDR) service or an extended detection and response (XDR) product, strengthening multifactor authentication (MFA), or providing more end-user education to guard against malicious links and emails. Because attackers frequently leave behind additional accounts, scheduled tasks or remote-access tools, closing the original gap must be paired with hunting for and removing that persistence, or the same group simply returns through the back door it already installed.

Conclusion

As ransomware attacks become increasingly profitable and threat groups continue to evolve, the risk associated with these attacks continues to be one of an organization’s most significant sources of risk and a concern for everyone. No one is completely immune from modern, post-intrusion ransomware attacks. All organizations should prepare for the inevitable risk of an attack and build their defenses, strategies, playbooks and restoration plans accordingly. This starts with understanding modern ransomware and avoiding falling into the trap of misconceptions.

Endnotes

1 Hensley, B.; “2022 State of the Threat: A Year in Review,” Secureworks, 4 October 2022
2 Kessler, G.; “An Overview of Cryptography,” 2 November 2022
3 Kaspersky, “Over Half of Ransomware Victims Pay the Ransom, but Only a Quarter See Their Full Data Returned,” 30 March 2021
4 Kochovski, A.; “Ransomware Statistics, Trends and Facts for 2022 and Beyond,” Cloudwards, 14 November 2022
5 Firewalls.com Security Blog, “What Is a Repeat Ransomware Attack?”

Patrick Barnett, CISA, CISM, CEH, CISSP, PCI QSA, PCIP

Is an incident response principal consultant for Secureworks. He has more than 30 years of experience as a cybersecurity professional and specializes in network engineering with a focus on security. In previous roles, he acted as chief information security officer (CISO) and chief information officer (CIO) and has served as vice president at a large financial enterprise. Barnett is driven by a passion for seeing cybersecurity done right and is committed to aiding organizations in defining proper policies, procedures and mechanisms to respond to security events of any size.