Defeating ransomware doesn’t take fancy—it takes fundamentals

Taylor Armerding
Nov 8 · 6 min read

It’s past time to retire the declaration that any ransomware attack has been a “wake-up call.”

If any of them truly had been, ransomware would be a minor annoyance by now, not an ongoing calamity at epidemic levels. Indeed, based on the increasing number and the scale of damages from ransomware, it looks like the collective targets of those attacks, instead of waking up to join forces and crush one of the great online scourges, have figuratively been hitting the snooze button.

So, no surprise, 2021 may have been lousy for everybody coping with inflation, the product supply chain and COVID, but for ransomware attackers it’s been a very good year, continuing an ongoing trend in which it seems every year gets better. SonicWall reported that from 2019 to 2020 the number of attacks spiked 62% worldwide and 158% in the U.S. That trend looks to be continuing this year.

The U.S. Justice Department estimates there is an average of 4,000 ransomware attacks per day, or about 1.46 million per year.

Keep in mind, those are just the ones that get reported. If underreporting wasn’t a problem, Congress wouldn’t be considering multiple bills to address it.

Also, as has been noted in hundreds of stories, criminal ransomware gangs have evolved to become more sophisticated and more, uh, persuasive.

Persuasive in that your organization is no longer protected if it has offline backups of all its data, because attackers no longer just encrypt data. They threaten to make it public, which could compromise intellectual property plus personal and financial data. So now it’s two levels of blackmail.

The endless list

Just in the past couple of weeks there have been high-profile ransomware attacks on the National Rifle Association, video gamers’ Windows devices, and the Sinclair Broadcast Group, which operates dozens of TV stations across the U.S.

Also, on Nov. 1 the FBI issued a “private industry notification” warning that ransomware gangs are targeting companies involved in “significant financial events” like mergers and acquisitions for a more targeted kind of blackmail.

“Prior to an attack, ransomware actors research publicly available information, such as a victim’s stock valuation, as well as material nonpublic information. If victims do not pay a ransom quickly, ransomware actors will threaten to disclose this information publicly, causing potential investor backlash.”

The list could go on — and on — but you get the idea. Ransomware is rampant, and rampantly successful.

“It’s time to wake up already and take cybersecurity as a serious business,” said Rehan Bashir, managing consultant with the Synopsys Software Integrity Group. “Data breaches have serious social and economic consequences.”

Easier for them, harder for us

It’s not that defenders are literally asleep, of course. In multiple ways it’s that ransomware attacks get easier to perpetrate all the time while preventing, detecting, and responding to them gets harder.

As has been noted by multiple experts, you no longer need to be that sophisticated to launch attacks. Toolsets to enable phishing, initial access, credential abuse, and open source ransomware payloads are available for free on GitHub.

Multiple countries — Russia is the most prominent but there are others, including North Korea — are safe havens for ransomware gangs as long as those gangs don’t attack the host country’s interests. And those perpetrators are beyond the reach of most western countries.

Demanding payment in cryptocurrency makes it difficult to impossible to track them. The gross income is the net, since they’re beyond the reach of the IRS.

And, as Nate Warfield, CTO at Prevailion, noted recently on Threatpost, there is evidently some level of honor among thieves. They cooperate and collaborate better than the good guys do.

“By spreading the work across multiple criminal groups, it makes the tactics, techniques, and procedures harder to attribute to any single actor,” he wrote. “It can obfuscate the intentions of the malicious actor, and it allows ransomware-as-a-service cartels to prioritize high-value targets.”

Still, defenders could, and should, do better. In some cases they aren’t even doing security basics like multifactor authentication, or they are relying on tools like antivirus solutions that are becoming obsolete since they can be more easily bypassed.

Add in the human factor — well-intentioned employees who fall for increasingly sophisticated and credible phishing attacks — and it looks like the playing field is tilted overwhelmingly in favor of the criminals.

Use the tools

But experts have been saying for years that the targets of ransomware — pretty much everybody who’s not a criminal — have tools and techniques available to tilt the field back to something approaching level. That’s still true. Yes, it will take work, time, and money, but it almost always takes far less of it than it would to recover from an attack.

Besides the basics mentioned above, organizations need to address what has become a major weakness for them, and therefore attractive to attackers: the software supply chain.

Boris Cipot, senior security engineer with the Synopsys Software Integrity Group, said one way for organizations to make themselves a more difficult target is to keep their systems and software up-to-date. But, he adds, that takes keeping track of what’s in your software.

In virtually all cases, software components have “dependencies” on other components from other sources or vendors. Those dependencies have dependencies themselves that can reach multiple levels deep and into the dozens to hundreds. If an organization doesn’t keep track of all that, it won’t know when an update or patch is available.
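To make the "dependencies of dependencies" point concrete, here is an added example (not code from the article or from Synopsys) that walks a constructed dependency manifest, builds a full inventory of transitive components with their depth, and flags the ones for which a newer version is published. The package names, versions and the "latest version" feed are all constructed for illustration.

```python
"""Added example: inventory every transitive component of a constructed
application manifest, then list those with a newer version available."""
from collections import deque

# Constructed sample manifest (not a real project): each (name, version)
# maps to the components it directly depends on.
MANIFEST = {
    ("webapp", "1.0.0"): [("httplib", "2.3.1"), ("auth-kit", "0.9.0")],
    ("httplib", "2.3.1"): [("tls-core", "1.1.2"), ("url-parse", "3.0.0")],
    ("auth-kit", "0.9.0"): [("jwt-lib", "4.2.0"), ("tls-core", "1.1.2")],
    ("jwt-lib", "4.2.0"): [("b64", "1.0.0")],
    ("tls-core", "1.1.2"): [],
    ("url-parse", "3.0.0"): [],
    ("b64", "1.0.0"): [],
}

# Constructed "latest published version" feed, as a package index might expose it.
LATEST = {"httplib": "2.3.1", "auth-kit": "0.9.0", "tls-core": "1.2.0",
          "url-parse": "3.0.1", "jwt-lib": "4.2.0", "b64": "1.0.0"}

def parse_version(v):
    """Turn 'x.y.z' into a comparable tuple of ints."""
    return tuple(int(part) for part in v.split("."))

def inventory(root, manifest):
    """Breadth-first walk from the root; returns {(name, version): depth}.
    A component reached by several paths (tls-core here) is recorded once,
    at the shallowest depth where it first appears."""
    seen = {root: 0}
    queue = deque([root])
    while queue:
        pkg = queue.popleft()
        for dep in manifest.get(pkg, []):
            if dep not in seen:
                seen[dep] = seen[pkg] + 1
                queue.append(dep)
    return seen

def outdated(inv, latest):
    """Components whose pinned version is older than the published one,
    returned as (name, pinned, latest, depth), sorted by name."""
    return sorted((name, ver, latest[name], depth)
                  for (name, ver), depth in inv.items()
                  if name in latest
                  and parse_version(ver) < parse_version(latest[name]))

if __name__ == "__main__":
    inv = inventory(("webapp", "1.0.0"), MANIFEST)
    print(f"{len(inv) - 1} transitive components, max depth {max(inv.values())}")
    for name, ver, new, depth in outdated(inv, LATEST):
        print(f"depth {depth}: {name} {ver} -> {new} available")
```

Note that both stale components sit two levels below the application; an organization that only tracks its direct dependencies (httplib and auth-kit, both current) would see nothing to update.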

“Organizations aren’t keeping an eye on the software suppliers,” Cipot said. “The whole software supply chain is, in many cases, set up questionably.”

Much of the reason for that, he said, is that organizations focus more on “features, functionality, and price. Those should not be the only criteria by which you buy products. Supply chain security means making sure that everything you implement is following your rules and policies, and is also able to be maintained as needed.”

Confronting the ransomware scourge on a broader level will also take the collaboration of the public and private sectors — something that has been difficult due to a lack of trust. Many organizations don’t want to turn over any private information to the government for fear that it will be used to sanction or prosecute them, or be made public.

But there are moves to address that. While President Joe Biden’s May 12 Executive Order on Improving the Nation’s Cybersecurity doesn’t even mention ransomware, it does put a major focus on improving software supply chain security. It calls for a requirement that federal agencies buy only products that meet stringent security standards. Given the purchasing power of the federal government, most experts agree that would improve security across the board, not just for government contractors.

Procurement leverage

Cipot and others applaud that kind of procurement leverage, noting that the physical safety and security of products has long been regulated by governments. “A car, for example, that is not satisfying certain security and safety measures can’t be sold to customers in the U.S.” he said.

And an 81-page report by the Institute for Security and Technology’s Ransomware Task Force (RTF), released just weeks before Biden’s executive order, calls for a public/private coalition to “disrupt the ransomware business model,” which it says has become “an urgent national security risk around the world.” The task force is backed by dozens of tech organizations including giants like Microsoft, Cisco, Amazon Web Services, and FireEye.

Among the government agencies represented in the RTF are the U.S. Department of Justice, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, the Secret Service, the FBI, Europol, and the U.K. National Crime Agency.

And there are occasional signs that the good guys are making progress. In the past week, Bleeping Computer reported on Europol’s announcement that it had arrested 12 people in connection with more than 1,800 ransomware attacks in 71 countries. It also reported that a number of decryptors had helped ransomware victims recover files from attacks by ransomware including BlackMatter, Babuk, Atom Silo and LockFile.

Perhaps in response to that, the BlackMatter gang is reportedly shutting down due to “pressure from local authorities.”

But for individuals and organizations, it still comes down to security fundamentals. It has to be taken much more seriously than the physical safety of a building, which in most cases just means locking doors and windows and perhaps using video monitoring. There are vastly more entry points online and attackers don’t have to be physically present. They can be anywhere in the world.

“Organizations still lack a strong cybersecurity culture,” Bashir said. “Cybersecurity is still considered as an expense and an afterthought in many organizations. That needs to change now.”

Cipot agrees. “You have to live security,” he said. “You have to test implementations, run ‘fire drills’ and checks on whether your security is still on par with the latest threats. You need to educate your employees. You need to engage everyone and help them understand it and be able to spot what is wrong.”

“Because depending on who the attacker is, they’ll try all the locks and doorknobs to find the one that’s open.”
