Few cyberthreats have progressed as rapidly in recent years as ransomware, which has become a global scourge for businesses over the last two decades.
Ransomware has evolved from simple infect and encrypt attacks to double- and now triple-extortion attacks, making it one of the most dangerous security threats of the modern era. Meanwhile, with the rise of ransomware-as-a-service, it has become more accessible to would-be cybercriminals as well.
Techradar spoke with Martin Lee, Technical Lead of Security Research at Cisco Talos, to learn more about the threat posed by ransomware and the steps businesses can take to protect themselves.
What characteristics make ransomware attacks so effective and difficult to counter?
Ransomware is essentially the 21st century equivalent of kidnapping. The criminal steals something valuable and demands payment in exchange for its return. The ransomware business model has progressed over time to become a highly efficient source of revenue for criminals.
A ransomware attack should not be taken lightly. Criminals attempt to evoke an immediate response by encrypting and rendering a system inaccessible. If a critical system is disrupted, the bad folks know that the victim will have a strong incentive to pay.
Ransomware attacks are launched through every possible entry point. Criminals will look for any vulnerability in perimeter defences in order to gain access. The profitability of ransomware drives criminals' tenacity; the attacks' ubiquity makes them difficult to defend against. To defend against such attacks, excellent defences and constant vigilance are required.
What are the most significant changes in ransomware operations since the days of simple infect and encrypt attacks?
Modern criminal ransomware attacks first appeared in the mid-2000s. Initially, these were mass-market' attacks in which criminals distributed as much malware as possible without regard for the nature or identity of the systems being targeted. Although the vast majority of malware would be blocked, a small percentage would be successful in infecting and encrypting systems, and a small number of these would result in payment of a ransom.
In 2016, ther noticed a change in the ransomware model. SamSam, a new ransomware variant, was distributed in an unusual manner. The group behind this malware planned ahead of time, exploiting vulnerabilities in externally facing systems to gain a foothold within the organisation. Once inside, they expanded their access, looked for key systems, and infected them with ransomware.
Criminals can significantly disrupt the operation of an organisation by researching their target and disrupting business critical systems. Criminals use this approach to demand a much higher ransom than if they compromise a single laptop, for example.
In what ways do you expect ransomware attacks to develop further in the years to come?
Ransomware has proven to be a reliable source of revenue for criminals. However, the success of the attacks is not guaranteed. The less profitable the activity becomes as more attacks are blocked.
Malicious emails and attempts to download malware can be blocked by perimeter defences. Filtering connections at the IP address or DNS layer can prevent malware from communicating with its command and control systems. End-point protection systems can detect and block malicious malware, and effective backup solutions can restore affected systems.
With a better understanding of the effects of ransomware and stronger defences, fewer successful attacks will be witnessed and ransomware will become unprofitable. However, as organisations become smarter, so do criminals, and ransomware will continue to exist.
