Ransomware has been around for years. So why are high-cost, invasive ransomware attacks making so much news these days? Simply put, criminals go where the money is. And there's still a lot of money to be had in ransomware attacks because victims pay the ransoms.
In one recent case, two Iranians made off with $6 million in ransoms paid over a 34-month period, according to an indictment filed by the U.S. District Court for the District of New Jersey. These attacks caused an estimated $30 million in damage to 200 victim organizations.
Every time organizations choose to pay the ransom, they provide motivation for criminals to continue using ransomware attacks, according to an article in the New York Times and another article in New Scientist.
Because ransomware is lucrative, ransomware developers are also innovating to sneak their malware into systems without user interaction, and to hide under the radar and persist in victim systems, according to Fortinet's 2019 Q2 threat landscape report.
Most ransomware still relies on simple phishing or web drive-by campaigns requiring the user to click a link or download a file to start the infection. However, the Fortinet report points to improvements in newer ransomware packages, such as Ryuk, which netted nearly $4 million for criminals in its first 30 days, according to CrowdStrike. Ryuk utilizes more targeted spearphishing, and includes sophisticated evasion and persistence techniques.
Another recent ransomware package, Sodinokibi, bypasses the user and targets servers directly by using zero-day exploits against Microsoft Windows and Oracle's web logic server (among other exploits).
Ransomware takes advantage of many technical weaknesses to encrypt and lock organizations out of their own data. But, ultimately, these attacks all prey on the single consistent vulnerability that makes victims pay the ransom: a lack of proper off-site (disconnected) backups. With a safe backup, organizations can recover their data without having to pay the ransom.
"As long as these attacks continue to be successful, adversaries will continue to use them, so organizational change is required to mitigate this activity," said Shawn Henry, president of CrowdStrike Services, in a recent SANS NewsBites issue. "Ensuring clean backups for recovery and restoration is an absolutely critical best practice."
Prevent, Protect, Respond
Henry also advised that organizations maintain good hygiene throughout their infrastructure, while monitoring for anomalous activity.
"In most cases, this type of attack can be prevented by employing fundamental security protocols, including patching, network segmentation, changing email procedures and curtailing user privileges," Henry noted.
For more resources, check out the FBI's article on ransomware prevention, which includes best practices for network hygiene as well as backups. For ransomware removal tools, however, the New York Times article recommends a European initiative, No More Ransom.
The No More Ransom site includes an extensive library of decryption tools that just may empower victims to say no to these ransom demands. Take away the money, and criminals will go elsewhere.