Public, private efforts to curb ransomware ramp up but the tsunami continues

It’s crystal-ball-gazing time for cybersecurity experts. But you don’t need a crystal ball — you don’t even need to be an expert — to predict that the ransomware tsunami will continue, and probably get worse.

Statistics on the number of attacks in the year just passed are all over the map, According to Statista, there were 623.3 million of them worldwide in 2021 and in the first half of 2022 there were just 236.1 million. If that trend holds, there would be “only” about 472 million attacks in 2022 — a decline of 24% from the previous year.

But ZScaler reports that ransomware attacks — where attackers encrypt the files of an organization and demand a ransom to decrypt them and/or not to make them public — are up 80% from 2021, with the biggest increases against healthcare (650%) and restaurant and food service (450%).

And SonicWall, in its 2022 Cyber Threat Report, finds that while ransomware attacks decreased 23% worldwide in in the first half of 2022, they increased 63% in Europe. It adds that “even in decline, year-to-year ransomware volume exceeded full year totals of 2017, 2018, and 2019.”

If there is any potentially good news, it’s that not all attacks succeed. Sammy Migues, principal scientist with the Synopsys Software Integrity Group, said he doesn’t know what statistics are the most credible but thinks it likely that successful attacks “have declined somewhat as the organizations that can afford to do better perimeter security are doing that. I can also believe that organizations that can afford to be better prepared to deal with the aftermath might be contributing to a lower average cost per event when calculated over all known events in a year.”

Indeed, tech review site Cloudwards, reported that “39% of attacks were intercepted before they could encrypt any data. This means that antiransomware software is stopping a significant number of attacks.”

Don’t celebrate

But don’t break out the champagne just yet. If the Statista estimate holds, that would still mean there was an average of about 15 attacks every second of the year. Even if close to 40% failed, that remains a catastrophic tsunami.

And there are other measures indicating that ransomware is a plague that is as bad as ever and still getting worse.

Boris Cipot, senior security engineer with the Synopsys Software Integrity Group, said even if attacks overall decreased, “it’s more interesting to see in which areas they went up. Are there changes where ransomware was more targeted to organizations in certain sectors? Also, even if this information is hard to get, what was the monetary impact of those attacks this year compared to previous ones?”

While not every attack is reported publicly, multiple estimates say ransomware costs the private and public sectors at least $20 billion a year. According to Cloudwards, that collective bill is expected to increase by more than 1,300%, to $265 billion, by 2031.

The individual cost to organizations has skyrocketed as well. According to security firm CrowdStrike, the first attack was 33 years ago, and the victims had to send all of $189 to a post office box in Panama — in the range of a speeding ticket.

No more. According to CloudAlly, the average ransom organizations paid in 2022 was $812,360, although at least 10% reach well into the millions. The largest demand on record so far was $50 million, in the 2021 attack on Taiwanese computer maker Acer by the REvil ransomware gang.

And security firm Sophos estimated the average cost to an organization to recover from an attack was $1.4 million, which doesn’t count legal jeopardy, possible regulatory sanctions, higher insurance premiums, and brand damage.

Add to all that the bleak reality that ransomware attacks have evolved to become easier to execute while delivering more malignant damage. Criminals no longer have to write their own malware — they can subscribe to it from groups offering ransomware as a service, a pay-for-use malware. The vendors provide a platform with code and operational infrastructure to launch attacks, and then take a cut of what victims pay.

Modern attacks also frequently involve so-called double extortion. Instead of just demanding money to unlock encrypted files, attackers exfiltrate it and threaten to make it public if the victim doesn’t pay. That data could include the personal information of employees, intellectual property, and other proprietary information.

Security blogger Brian Krebs, in a post last month, noted a couple of more recent trends. In one, attackers target healthcare organizations that offer consultations over the internet by sending them booby-trapped medical records for the “patient.”

Another involves “carefully editing email inboxes of public company executives to make it appear that some were involved in insider trading,” Krebs wrote. He quoted Hold Security founder Alex Holden saying that while this tactic is not easy and ultimately is “not going to be forensically solid, that’s not what they care about. It still has the potential to be a huge scandal — at least for a while — when a victim is being threatened with the publication or release of these records.”

And the damage from ransomware attacks can go beyond the digital into the physical realm. An attack on a hospital could easily disrupt surgeries and interfere with medications or the functioning of implanted devices. An attack in the dead of winter that takes down a portion of the power grid could leave people in danger of freezing. An attack on a transportation system that shuts down traffic lights could easily lead to fatal crashes.

From pandemic to endemic

Given all that, one might think ransomware would qualify for the kind of response we’ve seen to a medical pandemic — declaration of a state of emergency.

Not so much. The Institute for Security and Technology’s Ransomware Task Force, backed by dozens of tech organizations including giants like Microsoft, Cisco, Amazon Web Services, and FireEye called nearly two years ago for a public/private coalition to “disrupt the ransomware business model,” but progress isn’t keeping up with the problem.

According to a status report from the group a month ago, “we have seen a great deal of action to combat ransomware, but we have also seen the scale of the threat continue to grow.”

The report quoted Lindy Cameron, head of the UK’s National Cyber Security Centre, saying that “even with a war raging in Ukraine, the biggest global cyberthreat we still face is ransomware.”

Indeed, this plague seems to have moved from the equivalent of pandemic to endemic. Everybody’s aware of it and of the best ways to make themselves a more difficult target, but they’re not in emergency mode. It’s apparently viewed as a cost of doing business, much like retail firms simply budgeting for “shrinkage” from shoplifting.

But, as experts have been saying for as long as ransomware has been around, it doesn’t have to be that way. There is no way to be entirely bulletproof, just as a vaccine doesn’t guarantee you won’t get Covid, but it can help you become a much more difficult target. And if you do get “infected,” you’re less likely to end up in critical condition.

It takes a combination of technology and training. The advice includes

• Back up everything: Create regular backups that are not connected to the network. If it’s accessible through a network that gets breached, it’s obviously worthless — it will be encrypted as well. But if it’s isolated and protected, an organization can rebuild its system quickly at minimal expense without paying the ransom.
• Improve detection and protection: Ransomware has observable patterns that ransomware protection software can detect. In some cases, attackers will fall for “bait” — files that are fake. It’s crucial to keep any antiransomware software up to date.
• Think like attackers: Besides email phishing, the top two most popular intrusion methods include unsecured remote desk protocol (RDP) endpoints and the exploitation of corporate virtual private network appliances. That is in part because millions of people are still working from home two or more days a week and are therefore not inside a better-protected office environment. So organizations should harden the security of those parts of their networks. That means maintaining them with upgrades and patches, requiring strong passwords and two-factor authentication (2FA) for users, and limiting access only to those who need it,
• Limit plug-ins: They can be an entry point. Either disable them or make sure they are updated regularly.
• Verify before you trust: All documents should have viewable file extensions from trusted sources. Don’t let your system download irrelevant documents that may be coming from malicious sources.
• Know what software you have and maintain it: Keep strict track of the software components running applications, systems, and networks, and keep them up-to-date. Failing to install an available patch for a known vulnerability is like leaving the door to a vault wide open. A software Bill of Materials can help with that, and ought to be a security fundamental.
• Train your workers: Most employees want to protect the organization’s assets. But if they fall for a phishing email, reuse passwords or don’t create complex ones, the best technology in the world can’t overcome those failures. That’s why more than 90% of all attacks on organizations are phishing — criminals know it has a better chance of working. So organizations should train workers to spot, and avoid, clicking any unknown link or attachment, even if it appears to come from a trusted source.
• Limit access: You should value all your employees. But the more of them who have access to sensitive data, no matter how dedicated they are, the greater your risk. So organizations should employ network segregation to limit access, known as the principle of least privilege. That means a given employee has only the level of access required to perform necessary tasks.

Cipot said while all that advice is good, it needs enforcement to be effective. “If you have a rule that no one is allowed to install unapproved software on their laptop but never check on it, then you are only halfway there,” he said.

To that list, Migues adds that one of the best ways to prevent attacks from succeeding is to “make lateral movement as difficult as possible for unauthorized entities. There could be a hundred parts to this, ranging from good host security to good cloud shared-responsibility models, to network segmentation, to API security, to zero trust, to a bunch more,” he said.

“Part of this is understanding all the endpoints and security boundaries in your organization and ensuring that each is prepared for the hostile environment that it lives in, such as with endpoint security, good firewalls, good logging and analysis, and so on.”

And Krebs wrote that another potential problem is that some organizations create a response plan for a ransomware attack but then never rehearse it to find out how long it will take to restore their data. If it’s going to take months, they will likely be forced to pay.

Cipot agrees. “Imagine you have a football team and the only training they get is a written advisory on how the game is played. No one trains for the game or even sees the ball before the game. You can’t expect they will be able to do anything in a game against a trained opponent,” he said.

“The same goes for basically anything you do. How can you know if your plan works if you never test it?”

Finally, it’s true that ransomware prevention measures cost money and time. But the harsh reality is that the costs of paying cybercriminals and recovering from a ransomware attack are likely to be greater, by orders of magnitude, than any “savings” from failing to implement good security.

You may never know the ROI, but that’s the point — you don’t want to know.