7 Years After the CryptoLocker Attack: Ransomware Protection Updates and Best Practices
As we all see, ransomware attacks have dramatically increased recently. Not only large corporations are at risk. Attackers increasingly focus on encrypting and stealing confidential data from medium and small businesses, social organizations, and industrial facilities, which are not always adequately protected.
In this article, I will try to answer frequent questions related to ransomware. Here are some of them:
- How to properly build protection and minimize the risks?
- How do you assess and minimize the risks associated with ransomware?
- What are the most effective defense techniques now?
- How can a business protect itself if its budget is not big?
- What impact has the COVID-19 pandemic had on the ransomware market?
- Are large-scale incidents like WannaCry possible in the future?
- What are the forecasts for the evolution of ransomware attacks?
The Current State of the Ransomware Market
The ransomware market is growing exponentially. Its economic model includes not only ready-made malware but also services of developers, the sale of access to corporate networks, etc. The damage from ransomware is estimated at tens of billions of dollars.
The focus is shifting towards the theft of valuable data. There are even some ransomware programs that do not include an encryption module. The growth of the ransomware market suggests that the threat will not disappear anytime soon.
Many people are wondering whether the average size of the ransom for the victim will grow. Experts believe that as more successful ransomware attacks appear, the average check should decline according to the demand and supply law. In general, the ransom amount depends on the category of data, the attacker’s goal, and the type size of the attacked company. Attackers are aware of their victims’ budgets and will not demand the amount that the company cannot pay.
Although we have so many years of experience, the question still arises: “Why is the problem of ransomware still not solved?” I think, most likely, the problem has to do with the human factor.
As to security technology, it has been on the market for a long time and is constantly evolving, but they have problems too. These technologies have issues with the insufficient implementation of profiled protection tools due to the lack of correct risk assessment. Proper configuration and operation are also not ideal.
Many organizations rely only on backup tools, although the best protection strategy is to also use preventive measures, methods of protecting information, and their combination. In the event of a successful attack, backups act as the last line of defense. Besides, backups do not save you from data breaches.
Ransomware code can be easily purchased on the darknet. The price ranges from 10 to 3000 USD depending on the required functions. Even without experience, it is possible to launch an attack with the help of a bunch of hired cyber crooks or using Ransomware-as-a-Service (RaaS). There are a lot of RaaS offerings on the dark market. Affiliate programs are very well organized in this business.
At the moment, hackers are often implementing attacks through RDP and using targeted phishing campaigns. Earlier, most attacks were carried out by mass spam campaigns.
If the victim does not pay the ransom, the attackers put stolen data up for auctions and successfully sell it, as happened recently with the stolen code of the Cyberpunk 2077 game.
Risks vs. Protection
The risk assessment of a ransomware attack is similar to the risk assessment of an APT attack. The cost of stolen data is added to the losses from downtime of systems and business processes. In addition, some countries fine businesses that do not properly protect their users’ data and send payments to hackers.
So, business owners compare these possible losses with the cost of protection solutions that allow them to eliminate the risks.
Every security approach, be it sandboxing, IPS, user training, or domain restriction, covers only some of the risks. If servers or workstations do not have specialized protection tools aimed directly at ransomware, then the protection is weak.
Ransomware Protection Approaches
Ordinary Users
First, let us try to answer the question: “Is it possible to keep ransomware at bay by only using technical means?” As I noted earlier that technical means are only a tool. A security specialist plays an equally important role in protection.
Besides, if we take an ordinary user sitting at the desktop, we all know that he needs regular security awareness training as the weakest link is always a human. At the same time, basic training is not always ineffective because the attacker has a lot of attempts; sooner or later the employee will make a mistake and click a malicious link leading to malware. Therefore, it is more effective to teach the user to report the incident in case of an error and not be afraid.
Policies
For employees who are now working remotely, the best ransomware protection practice consists of a set of specific security policies. These are essentially preventive measures: monitoring workstation processes and blocking suspicious activity.
Security Professionals
The current security solutions are effective, but they are only a tool. Experience and due diligence on the part of the operating specialists are extremely important.
Configuration
Correct configuration of security solutions is extremely important so that attackers cannot disable these mechanisms and launch an attack.
How to Stop the Spread of Ransomware
In addition to widely discussed micro-segmentation, I would like to stress the importance of digital hygiene that includes timely software and operating system updates, white and blacklists, filtering email and web traffic, strict control of running processes and so on. The correctly structured access matrix will also come in handy as the delineation of permissions and privileges will minimize the risks of proliferation.
How Effective is Whitelisting and Monitoring
Since the ransomware developers are constantly improving their code, changing its modules, and randomly generating file names, whitelisting is highly likely to be effective.
Monitoring is extremely important. On average, attackers need to spend several days or even weeks preparing for an attack. If you set up proper monitoring, it is enough to spot abnormalities.
If there is no proper monitoring, attackers disable security barriers by changing security settings on the system. If it is possible to get the backups, they will delete the backups.
Optimal Ransomware Protection in 2021
I agree with most experts that protection should be based on automated EDR and XDR because speed always helps to reduce damage. Ordinary security operations centers may respond to an incident within several days, giving precious time to an attacker to gain enough privileges in the system. Detection of suspicious activity, file changes, requests, alerts — all this should be covered and automated.
It can be done by fine-tuning the rules and behavior patterns. Machine learning comes in handy here. Later the rules are implemented on all endpoints. It is recommended to devote much time to analyzing logs and viewing events to fine-tune rules and exceptions.
In general, the implementation of EDR goes like this: you detect everything that causes conflicts or alarms, then exceptions get configured, then best practices are applied, and the system gets deployed. This approach helps to successfully combat false positives.
Building Protection with Limited Budgets
For this, XDR is the best thing. It works quite efficiently in automatic mode. At the implementation stage, a professional will be required to create response scenarios (playbooks). No highly qualified employee is required to later operate the XDR. XDR is quite effective, for example, if an email attack is taking place. It will block malicious activity and minimize employee involvement.
Here is an example of a backup solution for companies with a small budget: create local backups locked for modification and deletion. Next, you need to configure and strictly restrict administrative access to this backup storage.
Cloud Security Could be the Silver Bullet
The benefits of leveraging the cloud to combat the scourge of ransomware are not restricted to data backups. Cloud-based protection is also an incredibly effective way to nurture a resilient security posture and address the dynamically changing vectors of these attacks.
For instance, Alibaba Cloud is a sure-shot way to step up an organization’s defenses against cyber assaults, in general, and extortion through ransomware, in particular. Its capabilities run the gamut from sensitive data discovery and continuous data risk monitoring to resource access management and cloud-based encryption. The latter, by the way, prevents crooks from mishandling stolen digital assets for blackmail purposes, which is an escalating menace these days.
As ransomware operators are increasingly using DDoS to pressure victims into paying up, stopping such raids in their tracks is one more element of today’s security paradigm. An end-to-end cloud security product can tackle this challenge and keep a protected digital infrastructure up and running if malicious actors try to flood it with rogue data packets. By and large, the cloud is a robust foundation for creating a multi-pronged ransomware protection strategy.
Ransomware Evolution and Predictions
Proactive defenses are being actively implemented. It is expected that it will be more difficult to distribute ransomware. The emphasis will shift to stealing data. Attackers will focus on more valuable types of data.
Ransomware is constantly evolving. There are already instances of ransomware for *nix systems.
Cybercrooks will continue to demand ransom payments as long as attacks are successful and victims continue to pay.
The likelihood of large-scale (WannaCry) attacks remains high.
As to the possibility of the emergence of revolutionary defensive techniques in the fight against ransomware, I think the classic opposition of the shield and the sword can be applied here. Even the greatest attacking tool sooner or later receives an equivalent defensive response and vice versa. Serious superiority of one side over the other is unlikely to last long.
If the company has well-built protection against ransomware, the hackers will not launch the attack as it will be unprofitable for them.
Conclusion
Ransomware operators shift their focus towards stealing the most valuable data, attacking corporate networks and critical infrastructure. They use Ransomware-as-a-Service to evolve and scale their attacks. There is no perfect solution that can protect against ransomware completely, and it is unlikely that it will appear in the future. Only an integrated approach of technical (XDR EDR automation, monitoring) and organizational (user training, analytics) measures combined with proper backup strategy will minimize the risks coming from ransomware attacks.
About the Author
David Balaban is a computer security researcher with over 17 years of experience in malware analysis and antivirus software evaluation. David runs MacSecurity.net and Privacy-PC.com projects that present expert opinions on contemporary information security matters, including social engineering, malware, penetration testing, threat intelligence, online privacy, and white hat hacking. David has a strong malware troubleshooting background, with a recent focus on ransomware countermeasures.
