Regarding ransomware, there’s a big misconception in the industry. The conventional wisdom is that ransomware threats will escalate and that we will continue to battle them in perpetuity. However, while millions of ransomware attacks continue to occur annually, last year, ransomware threats actually declined by several percentage points, and more recently, in October of this year, the number of ransomware attacks across several critical infrastructure sectors dipped.
Check Point Software Technologies has found that one in 34 companies globally have experienced an attempted ransomware attack in the first three quarters of 2023, an increase of 4% over last year. In 2022, ransomware incidents in India experienced a 53% increase compared to the previous year, as reported by the Indian Computer Emergency Response Team (CERT-In).
Lockbit emerged as the predominant ransomware variant in India, with Makop and DJVU/Stop ransomware following closely. Notably, 2022 witnessed the emergence of new variants like Vice Society and BlueSky, the same report stated. The primary targets for Makop and Phobos Ransomware families were medium and small organizations, whereas Djvu/Stop variants remained prominent in attacks targeting individuals. The majority of these attacks appear to result from organizations and individuals neglecting to update patches for known vulnerabilities.
It is a possibility that ransomware is going to die out; it’s about to become extinct – maybe not tomorrow, but within the next few years. What I don’t mean to say, however, is that the global situation will calm down completely and that companies can relax. The war is far from over, but the dynamics are changing. That’s because ransomware gangs have started to shift gears and are focusing on exfiltration of data, and not destruction and chaos. Here’s why:
Rationale for ransomware’s recess
Succeeding against today’s cyber security infrastructure isn’t as easy as it once was. In the cat-and-mouse game that is deployment of threats and development of fresh defenses on the part of cyber security firms, the latter group is winning. Defenses have advanced significantly.
At Check Point, we advocate for a stacked prevention-first approach, and we advocate for this because of very strong reasoning. Point products in isolation work to some extent, but cause complexity and will not offer the same joint visibility as technological defense layers, where individual controls work in harmony with each other. Also, the application of artificial intelligence in conjunction with machine learning or deep-learning algorithms has caused significant advancements on the defender’s side.
As a result, cyber criminals need to continuously create new attack methodologies, in a potentially endless and exhausting cycle. The hackers may only hold out for so long, eventually losing interest in ransomware in favor of simpler and equally lucrative cyber schemes. After all, running attack ops costs money, and if your return-on-invest laterally moves farther out, the business case simply does not make sense any longer. The principals of economics apply for both sides, and this becomes evident in such examples where hacking groups simply give up on their traditional approaches and venture off to new ones. And these ventures explicitly include stealing and selling data.
The recent case of a hacking group calling on a successfully hacked victim by contacting the U.S. Securities and Exchange Commission (SEC) for help goes to show that we have a much different dynamic out there now than previously: Companies seem to not disclose attacks, so the gangs do that on their behalf. Not on the usual darknet wall of shame boards, but by calling the regulators. If this is new for you, let me explain…
Ransomware attackers’ desperation
In the aforementioned example, the ransomware group known by the moniker Alphv and/or BlackCat disrupted digital systems that belonged to a small California-based company. The hackers stole data.
In an apparent attempt to pressure the company to provide ransom payment in exchange for the data, the hackers seem to have filed a complaint with the SEC for failing to disclose the breach within four business days, as newly required by law. The chutzpah (and desperation)!
Ironically, the new SEC breach disclosure rules will not actually take effect until mid-December, thus the hackers may have indeed been a bit over-zealous in their approach (if not wholly out-of-line).
With GDPR, we have similar laws in Europe, although no similar example has surfaced yet, where the perpetrators tried something comparable with a national data protection officer.
Simple tricks to stay out of trouble
As noted earlier, I predict that more traditional ransomware approaches are going to extinguish themselves. Ransomware groups will precipitate their own demise, as running the infrastructure is costly. Thus, they now almost exclusively come for a quick cash-out. The case of MGM has shown the speed at which the teams are operating. The end game is clear as day: getting access to corporate data, and then pressing for ransom in exchange for non-disclosure.
To make it hard for them to succeed, certain measures must be applied.
I worked in the encryption business many years ago at a company called Utimaco Safeware. Back then, we already told our clients to employ encryption to prevent stolen data from falling into the wrong hands. This wisdom holds true today more than ever. And while this sounds banal to you perhaps, a lot of companies do not practice proper cyber hygiene yet.
Therefore, I am including a few basic tips to help increase resilience against exfiltration of data. Here’s what I recommend moving forward with:
· Focusing on encryption of your data at-rest and while in transit; doing so will render it nearly impossible for cyber criminals to rifle through the data and later sell them.
· Encryption of backups; doing so prevents attackers from traveling back in time to reach target, and you would be surprised how often unprotected backups are the first go to point for attackers.
· Having dedicated key management for cloud-based data repositories; doing so helps with controlling 3rd party (SaaS provider) lump risks.
· Ensuring that you have adequate endpoint hygiene; have encryption on disks, have identity access management done properly. Doing this will help in minimizing identify misuse, which in turn might open a door via privileged access.
Further thoughts
OK, ransomware might not go extinct in entirety. But the dynamics are changing. And while the bad guys will continue to be successful in some cases, in adhering to the above points, you can make their lives much harder and perhaps scare them off completely.