Ransom(ware) Handbook 2021 – Part 1 – Threat Landscape

Posted on by Alex Holden

If you have never had to deal with ransomware, you should consider yourself lucky. But this luck runs out every day for more and more people. I remember my first experience, from nearly a decade ago, with coaching a company through this experience. I walked into an eerily quiet office full of people, entered a boardroom where a pale-faced CEO asked me if we could get the company’s data back. I said, “Getting the data back without paying the ransom is unlikely, but we can help you with recovery.” No one wanted to negotiate with the cybercriminals who encrypted much of this multinational enterprise’s infrastructure and demanded a $50,000 ransom.

Today, I still often face the same solemn-looking IT personnel, lawyers and top executives on video calls asking for help. Even now, the message is still terrible, ransom prices are higher and dealing with recovery is still difficult.

Ransomware – Shortcut in Cybercrime

Why is ransomware so popular? A typical crime cycle is complex and often unrewarding. For example, let’s take a look at credit card breaches of the past: first, hackers needed an opening, exploit or access to leverage to get to POS devices. POS malware was often custom written and if not fully tested could trigger alarms. Even if the credit card data were stolen in large numbers, only a small fraction of credit cards would actually be sold on the black market. The rest of the data would be rendered unusable after the breach was discovered. While this type of crime is still common, its complexity and shortcomings give even more potency to ransomware attacks.

Ransomware attacks simply shortened the crime cycle, relying on the premise that the data is worth most to its owners. There is still an element of infiltration and mass exploitation that requires stealth and technique. Yet once encryption succeeds, the endgame begins.

Ransomware Attack Dissected

Most ransomware attacks start with a malicious email, which gives phishing attacks new targets and new monetization of successful exploits. Getting a victim to open a malicious attachment is becoming an art form among cybercriminals. It is no longer a poorly written email; rather, it is a well-crafted message nearly exactly matching a real communication. You cannot fully rely on your endpoint protection to detect the malicious payload as the bad guys constantly change signatures and behaviors, often far ahead of the defenses.

Once there is a foothold on the infected device, the attackers rapidly and stealthily explore the local network with the goal of escalating to a privileged domain account. The focus then shifts to disabling defenses such as backups and anti-virus before deploying the encryption.
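The attack chain above (a malicious attachment, then lateral exploration, then tampering with backups and anti-virus before encryption) gives defenders several chances to notice the intrusion before the encryption starts. The following detection script is an added example written for this post, not code from the author or from Hold Security: it scans constructed process-creation events (host, user, parent process, command line) for the two late-stage signals a practitioner would alert on first, an Office application spawning a shell or scripting host, and commands that delete shadow copies, disable recovery, or stop a protected backup or anti-virus service. The service names `AcmeBackupSvc` and `AcmeAVService`, the host names and all event lines are placeholders; the technique IDs refer to MITRE ATT&CK.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample process-creation events (not real telemetry).
# Format: host|user|parent process|command line
SAMPLE_EVENTS = [
    "ws-014|jdoe|WINWORD.EXE|powershell.exe -w hidden -File C:\\Users\\jdoe\\AppData\\Local\\Temp\\inv.ps1",
    "ws-014|jdoe|cmd.exe|vssadmin.exe delete shadows /all /quiet",
    "ws-014|jdoe|cmd.exe|net stop \"AcmeBackupSvc\"",
    "ws-014|jdoe|cmd.exe|bcdedit /set {default} recoveryenabled no",
    "srv-db1|svc_backup|backup-agent.exe|vssadmin.exe list shadows",
    "ws-022|asmith|explorer.exe|OUTLOOK.EXE",
    "ws-022|asmith|cmd.exe|net stop Spooler",
]

# Placeholder service names: replace with the real backup-agent and
# endpoint-protection service names in your own estate.
PROTECTED_SERVICES = {"acmebackupsvc", "acmeavservice"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELL_CHILDREN = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Command-line patterns for the "disable backups before encrypting" step
# (MITRE ATT&CK T1490, Inhibit System Recovery).
CMDLINE_RULES = [
    ("shadow_copy_deletion", "T1490", re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("shadow_copy_deletion", "T1490", re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("backup_catalog_deletion", "T1490", re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b", re.I)),
    ("recovery_disabled", "T1490", re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
]
# "net stop <svc>" / "sc stop <svc>", with the service name captured for checking.
SERVICE_STOP = re.compile(r"\b(?:net|sc)(?:\.exe)?\s+stop\s+\"?([^\"\s]+)\"?", re.I)


@dataclass(frozen=True)
class Alert:
    host: str
    user: str
    rule: str
    technique: str
    cmdline: str


def parse_event(line):
    """Split one pipe-delimited event line into its fields."""
    host, user, parent, cmdline = line.split("|", 3)
    return {"host": host, "user": user, "parent": parent.lower(), "cmdline": cmdline}


def image_name(cmdline):
    """Base file name of the executable, i.e. the first token of the command line."""
    tokens = cmdline.strip().split()
    first = tokens[0] if tokens else ""
    return first.replace("\\", "/").rsplit("/", 1)[-1].lower()


def evaluate(event):
    """Return every alert the rules raise for a single event."""
    alerts = []

    def fire(rule, technique):
        alerts.append(Alert(event["host"], event["user"], rule, technique, event["cmdline"]))

    # Phishing foothold: an Office application launching a shell or scripting host
    # (T1566.001, Spearphishing Attachment).
    if event["parent"] in OFFICE_PARENTS and image_name(event["cmdline"]) in SHELL_CHILDREN:
        fire("office_spawns_shell", "T1566.001")
    for rule, technique, pattern in CMDLINE_RULES:
        if pattern.search(event["cmdline"]):
            fire(rule, technique)
    # Stopping a backup or anti-virus service (T1562.001, Disable or Modify Tools).
    match = SERVICE_STOP.search(event["cmdline"])
    if match and match.group(1).lower() in PROTECTED_SERVICES:
        fire("protected_service_stop", "T1562.001")
    return alerts


def scan_events(lines):
    """Run the rules over a batch of event lines."""
    alerts = []
    for line in lines:
        alerts.extend(evaluate(parse_event(line)))
    return alerts


def high_confidence_hosts(alerts, min_rules=2):
    """Hosts where at least `min_rules` distinct rules fired: one hit may be an admin,
    several in a row is the pre-encryption pattern and warrants isolating the host."""
    rules_by_host = defaultdict(set)
    for alert in alerts:
        rules_by_host[alert.host].add(alert.rule)
    return sorted(host for host, rules in rules_by_host.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    found = scan_events(SAMPLE_EVENTS)
    for alert in found:
        print(f"{alert.host} {alert.user} [{alert.technique}] {alert.rule}: {alert.cmdline}")
    print("hosts to contain now:", high_confidence_hosts(found))
```

Run as written, the script raises four alerts, all on `ws-014`, and none for the backup service account that merely lists shadow copies or for the user stopping the print spooler; the per-host threshold is what separates a stray administrative command from the chained behaviour that precedes encryption.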

Ransom – Shortcut in Ransomware

Over the past decade, ransomware has become a predominant force in cybercrime because of its simplicity. Deploying ransomware is becoming increasingly difficult, and victims can often still recover some or all of their data from backups and other resources; for many victims, it is the embarrassment of the breach and the disclosure of data that turns out to be the most damaging. A new wave of exploitation is making its rounds, replacing ransomware in simplicity and effectiveness: the idea of holding stolen data for ransom turns out to be much more powerful than merely withholding the data from its users.

Now, the cybercriminals do not need to exploit the entire network—they do not always need administrative access. Often just a single user is enough to gain access for stealing the critical data from the network. Today more than ever, the threat of data exposure in the face of customers, partners and privacy regulations is driving more businesses to pay ransom.

The economics of these attacks also shifted from technical exploitation to a more data-centric focus. As ransomware simplified cybercrime, ransom simplified ransomware—less technology, yet similar gains and advances.

Remote access made the COVID-19 pandemic more tolerable for some businesses, but it also created gates into corporate networks from the outside that are not always guarded by multi-factor authentication. What’s worse is that there is so much data going across the network—and a lot of it is in the cloud—that it is not always easy to identify a malicious data exfiltration.
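Spotting exfiltration in the flood of legitimate traffic, much of it to sanctioned cloud services, is the hard part the paragraph above describes. The script below is an added example written for this post, not code from the author or from Hold Security. It works on constructed per-user daily outbound flow summaries (day, user, destination, bytes), excludes an allow-list of sanctioned corporate cloud destinations so that a 50 GB nightly backup does not drown the signal, builds each user's baseline as the median of their previous days' egress, and flags a day whose egress to unsanctioned hosts exceeds both an absolute floor and a multiple of that baseline, reporting any destination the user has never sent data to before. All host names, user names and volumes are placeholders.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import median

# Constructed outbound flow summaries (not real traffic): (day, user, destination, bytes_out)
DAYS = [f"2021-03-0{i}" for i in range(1, 7)]
FLOWS = []
# jdoe: modest browsing, a sanctioned SharePoint sync, then a large push to a
# never-before-seen host on the last day.
for day, nbytes in zip(DAYS, [6_000_000, 7_000_000, 5_000_000, 6_000_000, 8_000_000, 5_000_000]):
    FLOWS.append((day, "jdoe", "cdn.news.example", nbytes))
FLOWS += [
    (DAYS[0], "jdoe", "corp-tenant.sharepoint.example", 80_000_000),
    (DAYS[1], "jdoe", "vendor-portal.example", 3_000_000),
    (DAYS[3], "jdoe", "vendor-portal.example", 4_000_000),
    (DAYS[5], "jdoe", "files-transfer.example", 2_400_000_000),
]
# asmith: steady browsing only.
FLOWS += [(day, "asmith", "cdn.news.example", n)
          for day, n in zip(DAYS, [9_000_000, 11_000_000, 10_000_000, 12_000_000, 9_000_000, 10_000_000])]
# svc_backup: 50 GB a day to the sanctioned backup target; huge, but expected.
FLOWS += [(day, "svc_backup", "backup.corp.example", 50_000_000_000) for day in DAYS]

# Sanctioned corporate cloud and SaaS destinations (placeholder names). Traffic to
# these is expected and is excluded from the per-user egress total.
SANCTIONED = {"mail.corp.example", "corp-tenant.sharepoint.example", "backup.corp.example"}


@dataclass
class Finding:
    user: str
    day: str
    bytes_out: int          # egress to unsanctioned destinations that day
    baseline: int           # median of the user's earlier days (0 if too little history)
    new_destinations: set   # unsanctioned hosts this user had never sent to before


def daily_egress(flows, sanctioned):
    """Per (user, day): total bytes to unsanctioned destinations and the set of those hosts."""
    totals = defaultdict(int)
    dests = defaultdict(set)
    for day, user, dst, nbytes in flows:
        if dst in sanctioned:
            continue
        totals[(user, day)] += nbytes
        dests[(user, day)].add(dst)
    return totals, dests


def detect_exfiltration(flows, sanctioned=SANCTIONED, ratio=10, floor=500_000_000, min_history=3):
    """Flag a user-day whose unsanctioned egress is at least `floor` bytes AND more than
    `ratio` times the user's median over earlier days. With fewer than `min_history`
    earlier days the baseline is 0, so only the absolute floor applies."""
    totals, dests = daily_egress(flows, sanctioned)
    findings = []
    for user in sorted({u for u, _ in totals}):
        days = sorted(d for u, d in totals if u == user)
        seen = set()
        for i, day in enumerate(days):
            history = [totals[(user, d)] for d in days[:i]]
            baseline = int(median(history)) if len(history) >= min_history else 0
            today = totals[(user, day)]
            if today >= floor and today > ratio * baseline:
                findings.append(Finding(user, day, today, baseline, dests[(user, day)] - seen))
            seen |= dests[(user, day)]
    return findings


if __name__ == "__main__":
    for f in detect_exfiltration(FLOWS):
        print(f"{f.day} {f.user}: {f.bytes_out / 1e6:.0f} MB out "
              f"(baseline {f.baseline / 1e6:.0f} MB/day), new destinations: {sorted(f.new_destinations)}")
```

On the constructed data only `jdoe` on 2021-03-06 is flagged (about 2.4 GB against an 8 MB/day baseline, to a host first seen that day), while the backup account's far larger but sanctioned transfers stay silent. The allow-list is the point of the caveat in the text: without it, the cloud traffic sets a baseline so high that a real theft of a few gigabytes disappears inside it, so the list should be maintained from inventory rather than guessed from traffic volume.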

Extortion – The New Endgame

Once the data is stolen or encrypted, the worst part of the game begins. Cybersecurity specialists work with technology, but the blackmail and extortion game hits us on a human level. The cybercriminals who deal with ransom and ransomware often lack basic humanity in their lust for profits. We have seen extortions against hospitals in the midst of a pandemic, cancer treatment centers, elderly care and even veterinarian clinics. Begging does not work, nor do appeals to the bad guys’ humanity. They speak only in terms of profits, and negotiations with them take a special amount of strength and courage.

In 2021, the extortion game hit a new low with the bribing of negotiators, journalists and company insiders to steer victims into paying ransom at the highest possible amounts.

It is indeed a gloomy picture of our current state of threats from ransom and ransomware. However, there is a turning tide in our existing defenses that would greatly improve our chances against victimization. In part two of my blog, we will discuss the practical advice of re-imagining our defenses against ransom and ransomware based on current weaknesses and deterrents that effectively work against this type of cybercrime.

Click here to read part 2.

Alex Holden

CISO, Hold Security, LLC


Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
