Ransomware is an appealing method of financial gain for cybercriminals. Rather than having to steal data, find a buyer for it, and then sell it, they can simply lock a computer and force a victim to pay. This speeds up payment and reduces their risk of detection—individual victims may not report the crime, and, if they do, police may not have the resources to investigate every instance. Plus, the rise of cryptocurrencies has allowed cybercriminals to maintain a level of anonymity with regard to payment.
Attacks have become more ambitious. In 2013, CryptoLocker spread among end users across the world, and only a few years later we saw shifts toward larger businesses and organizations. In 2017, we experienced the widespread WannaCry attacks, which devastated businesses and organizations worldwide, even disrupting the United Kingdom’s National Health Service for a period of time. Over the past few years, we’ve seen more attacks target city governments. While some have attacked large cities like Atlanta, many exploit small city governments that often lack proper defensive resources.
Beyond the choice of targets, cybercriminals have grown craftier in malware creation, delivery, and execution. As businesses have gotten better at defending, cybercriminals have adapted. Take, for example, the SamSam ransomware variant, which begins by focusing on vulnerabilities within critical servers and then uses that foothold to gain persistence and propagate out to other endpoints and parts of the network.
Plus, cybercriminals have attempted to use ransomware to increase the length and value of their attack. For example, the Maze ransomware attack from earlier this year added extortion as leverage to get victims to pay the ransom. Criminals had been threatening extortion for a while, but this was one of the first times they made good on the threat by publicly publishing the information of organizations that refused to pay. With increased reporting requirements under data privacy laws, criminals are betting that businesses will pay ransoms to avoid larger compliance fines (although, hopefully, businesses will follow their legal requirements instead).
What to do about it
Criminals have adapted their tactics to maximize their payday and chances of success. But that doesn’t mean the IT industry hasn’t kept pace. Here are a few tips for dealing with modern ransomware attacks:
- Assess risk: We frequently stress the importance of assessing risk. With modern ransomware, a risk-based approach still matters. This lets you allocate your resources where they count, and can also impress upon prospects or customers the importance of specific solutions. For example, if you’re working with government organizations, noting that they’re a focal point for ransomware may help them take their defenses more seriously. Additionally, since criminals have moved away from the large-scale, spray-and-pray approach to ransomware, you’ll want to spend your resources on the customers’ crown jewels, like servers and laptops with sensitive information. Protecting every device is ideal, but cost-conscious customers could appreciate a more surgical approach to protection that saves them money.
- Keep practicing good cyberhygiene: While ransomware has evolved, don’t lose sight of the basic blocking and tackling of security. Make sure to patch, run antivirus (or use endpoint protection when you can), and back up files in the cloud so you have something ready to go if a local copy gets encrypted. Beyond that, try to lock down common attack vectors—use email protection to prevent malspam and use web protection to help prevent drive-by downloads.
- Follow compliance guidelines: The recent Maze ransomware attack mentioned earlier extorted victims by releasing data if they didn’t pay the ransom. What makes this so potent right now is the increase in reporting requirements for data breaches. If someone gets onto your systems and drops ransomware payloads, they can likely also peer into protected data. Whether businesses don’t see this as a breach or try to avoid potential fines, criminals expect to make money by threatening to expose them. We cannot stress enough that you need to work with authorities and follow compliance guidelines if you detect a breach. Doing the right thing here can take the wind out of extortionists’ sails.
- Use endpoint protection: Where possible, use strong endpoint protection on your customers’ machines. Endpoint protection can help prevent more attacks than just ransomware (or malware) and often takes action on your behalf. Ideally, you would put endpoint protection on every managed device, but some customers may be cost-averse and want to stick simply to antivirus. In that case, at least put endpoint protection on the riskiest devices—those containing sensitive data and belonging to high-risk employees like executives or system administrators.
Fighting today’s ransomware
Ransomware has evolved with the times. From choosing higher-value targets to extortion schemes leveraging compliance fines, cybercriminals have modified their ransomware methods to threaten governments and businesses alike. But that doesn’t mean IT service businesses have fallen behind—following the above tips can help you reduce your customers’ risk.
We mentioned endpoint protection in this post. SolarWinds® Endpoint Detection & Response (EDR) not only uses seven AI engines to discover and defend against potential threats, but also can automatically roll back an endpoint to a known safe state after a ransomware attack, maximizing safety and minimizing disruption. Learn more today.