The Ransomware Gold Rush Continues…

Ransomware: New “Big-Game Hunting”

Ransomware attacks are on a sharp upward trend, and with the rise of Ransomware as a Service (RaaS) the threats will only increase. RaaS is a subscription-based model that enables affiliates to use already-developed ransomware software to execute ransomware attacks. In a turn straight out of a cybersecurity nightmare, affiliates operating via RaaS are able to earn a percentage of each successful ransom payment.

The lucrative opportunity that ransomware software presents to criminals, combined with the rise of cryptocurrencies, has fueled the modern-day ransomware gold rush: payout averages rose 21 percent in 2020 to nearly $234,000. Speed is essential when mitigating a crisis situation, but many organizations simply don’t have an incident response plan or the tools in place to defend their networks when they are attacked. Untraceable cryptocurrencies are emboldening cybercriminals like never before.

Bitcoin and other cryptocurrencies are fueling a wave of ransomware attacks to the tune of $1.4 billion in the U.S. Hackers encrypt the victim’s data and then require the victim to pay a fee in bitcoin or certain other cryptocurrencies to obtain the decryption key needed to release the data.

Ransomware operators are not afraid to target even high-security events such as the U.S. Presidential Election, or hospitals dealing with COVID-19. In fact, victims of the 11 biggest ransomware attacks in 2020 spent over $144.2 million on costs dealing with investigating the attacks and rebuilding their networks.

As if things were not difficult enough, zero-day attacks are on the rise. A zero-day vulnerability is a flaw within a hardware or software system that developers didn’t discover during the testing process. That vulnerability can be exploited by malware to cause all sorts of problems. If you think zero-day attacks only happen to careless users, think again. In January 2020, a Microsoft zero-day was discovered, involving Internet Explorer, that would allow someone to gain remote access to a computer. Also in January, Chinese hackers used a zero-day in the Trend Micro OfficeScan antivirus system used by Mitsubishi Electric to gain access to the company’s network.

Evolving Threat of Ransomware

2020 was a tough year for everyone. COVID-19 changed the world in many ways and unfortunately created an environment ripe for ransomware attacks. The pandemic gave cybercriminals a greater attack surface, with most organizations opting for remote work and people using their own devices that aren’t centrally managed. IT professionals had to scramble very quickly to support all the additional devices. The scramble has not stopped, and the vulnerabilities remain.

The consequences of not addressing the ransomware problem are critical and in some cases can even be deadly, as evidenced by an attack on a water plant in Florida early this year. In the so-called Oldsmar incident, cybercriminals remotely accessed the system for about three to five minutes, opening various functions on the screen; one of those functions gave the attacker control over the amount of sodium hydroxide in the water. The incident highlighted cybersecurity experts’ persistent concerns about the security of the country’s critical infrastructure.

Even more alarming than the water plant was the notorious SolarWinds attack. After compromising the infrastructure of SolarWinds, the hackers gained access to its network and application monitoring platform, Orion. Using that access they were able to produce and distribute trojanized updates to the software’s users.

This was a BIG deal because according to SolarWinds their customers included 425 of the US Fortune 500, the top ten US telecommunications companies, the top five US accounting firms, all branches of the US Military, the Pentagon, the State Department, as well as hundreds of universities and colleges worldwide.

Traditional Security is NOT enough

Company assets can no longer be fully defended by a firewall, designed to protect discrete physical servers stored away in dark locked rooms. The world has gone virtual making servers, applications, and data both fluid and mobile. Organizations are running applications and servers in the public cloud, taking data completely outside the scope of traditional security methods and putting it out of your immediate control. As perimeters change, organizations must approach data protection and risk entirely differently.

The most common form of malicious code is ransomware, and in 2020 we saw many prime examples. Phishing scams, in which hackers pose as trusted figures to trick people into handing over passwords, are getting increasingly sophisticated. Webmail services and SaaS accounted for 34.7% of all phishing attacks globally. 1 in every 8 employees shares information on a phishing site. More than 60,000 phishing websites were reported in March 2020.

The ransomware gold rush is in full swing because criminals have a wide variety of methods to attack unprepared organizations. Take for example the increased use of drive-by attacks, where even an amateur hacker is able to embed code into unprotected websites that automatically downloads malware onto the machines of anyone who visits that website.

Lack of Cybersecurity Awareness

According to an extensive survey, almost 40% of employees admitted to not knowing what ransomware is, and many of them have already been victims. Stopping a ransomware attack that’s already in progress adds another area of uncertainty. A full 45% of respondents said they wouldn’t know what to do in response to an attack.

Since most ransomware is delivered via malware found in phishing emails, users need to be trained to not click on those emails. Even with the most advanced perimeter network protections, malicious actors use creative ways to reach users undetected. Ransomware attacks cause downtime, data loss, possible intellectual property theft, and in certain industries an attack is considered a data breach. In other words, ransomware has the potential to ruin any organization that is unprepared.

Through cybersecurity awareness training, organizations help users get up to speed with their IT security procedures, policies, and best practices. While this education is necessary and essential it is not enough.

As long as cybercriminals view ransomware as profitable they will continue to launch attacks. The reason is that while data is valuable, attackers are typically not so interested in the data as they are in the bitcoins they hope to get from the victim. Bitcoin accounts for approximately 98% of ransomware payments. With the blockchain revolution in full effect and the price of bitcoin rising, organizations need the tools to combat this new reality.

Defend and Protect against Malware

The best way to deal with a malware attack is to avoid getting infected in the first place. While that sounds easy in theory it is extremely difficult if your adversary has access to zero-day exploits — attacks that exploit a previously-unknown vulnerability in a computer application. Basically, you can’t guard against the unknown.

Think of your network as a secured bank located near a busy and high crime train station. Unbeknown to you, the train station provides a secret entrance into your vault. A zero-day is that secret entrance into your most important vault. You were never concerned about the entrance because you were not aware of it.

A strong security posture takes more than having the right defenses in place; you also need to establish solid plans to ensure you react to any breach in the right way. The strong move is to take what action you can to guard against these attacks while employing the best tools on the market.

In a world with evolving cybersecurity threats, trust is not an option. That is why the zero-trust security model is becoming the norm. Moving to a zero-trust model helps counter the security threats created by disintegrating network boundaries, insider exploits, and ransomware by locking down access rights in a more disciplined manner than ever before. Doing so leaves far smaller margins for unauthorized entry and nefarious activity.

Zero Trust Security is effective but you need to address legacy networks. In plain English, the dynamic cyber-threat landscape has made legacy security infrastructures ineffective. That is why it is critical to identify your valuable assets and define identity-based “micro-segments” around them to create multiple junctions and inspection points that block malicious or unauthorized lateral movement so that in the event of a breach, the threat is easily contained and isolated.

In the battle against ransom-intended malware, there is an industry of vendor solutions for anti-ransomware. Available software can play a critical role in supplementing your existing security infrastructure, but it is only one piece of the puzzle.

Problem, Reaction, Solution

The ransomware gold rush is real and only gaining momentum. So what’s the problem? In reality, ransomware exists because of a series of failures. While apparently unrelated, they combine to create the conditions under which ransomware can flourish and become one of the biggest menaces on the internet today.

We cannot depend on the users to keep up with all the threats, attacks, and vulnerabilities. Ransomware attacks are getting bigger and bolder — at a time when many organizations don’t have the resources to fight them off. While the switch to home working has allowed many organizations and workers to remain productive, it has also brought additional risk; security vulnerabilities in remote-desktop protocols — combined with the use of weak passwords by staff — have provided cyber attackers with an additional way into networks.

If we want to stop the next decade from becoming the decade of ransomware, we need to make some significant changes. Enter Zero Trust. The purpose of zero trust is to eliminate implicit trust from the network, taking a deny-by-default position instead. A zero trust architecture requires authorization for any person or device attempting to connect to a network or access network resources, even for users already within the network perimeter.

In short, Zero Trust is about enforcing consistent security and access controls. Today’s solutions have to be in line with the way people work. Everything that requests access to an organization’s network must undergo a strict verification process. There can be no exceptions. This includes users on-site and working remotely as we are moving to work from anywhere. This means no device left behind. From the company laptop to a worker’s personal smartphone, if they want access they must undergo a strict and consistent verification process.

Defense in the era of the ransomware gold rush is important but your organization needs to operate and being off the grid is not an option. The bottom line is that you need an effective defense that is able to:

  • Minimize the burden on IT while protecting users and data more effectively.
  • Eliminate forklift upgrades without sacrificing security.
  • Use a phased approach to avoid disruption while maintaining a strong security posture.

In 2020, ransomware gangs made at least $350 million in ransom payments. They took advantage of organizations that were not prepared or empowered with the right tools.

The Security marketplace

Organizations are up against many players and adversaries, including nation states, all taking advantage of the malware “Gold Rush”.

I am very encouraged by the host of innovative ideas and the many security players in the space. One such player that caught my eye recently is Airgap Networks (see Airgap.io), with some exciting ideas including:

Their Zero Trust Isolation platform ring-fences every endpoint (user devices, IoT devices, BYOD, TVs, HVAC, bulbs, thermostats, etc.) using network controls. No forklift upgrade or software agents are needed; this is critical to avoid agent bloat and to ensure every network-connected device is protected.

While security software and staff training (e.g., how to identify phishing attacks, avoid using weak passwords, etc.) are essential to prevent attacks before they happen, attacks and breaches are inevitable. Another cool Airgap idea is the Ransomware Kill Switch™, enabling organizations to minimize the impact of the inevitable breach and ensure the resumption of normal operations as soon as possible.

Ransomware Kill Switch — Ring-fence from device to vLAN based on Threat Risk Levels.

Designed on top of Airgap’s Zero Trust Isolation platform, the Ransomware Kill Switch mitigates the propagation of ransomware on a network. As soon as malware is detected, the Ransomware Kill Switch, with “1-Click”, instantly stops all lateral traffic, isolating and containing ransomware to the infected device or devices.

While all lateral traffic is halted, vertical (North/South) traffic can continue uninterrupted, thereby ensuring negligible disruption to users and to the business. The incident response team can now source and mitigate the ransomware, secure in the knowledge that malware will not propagate across the network.

Let’s be honest, organizations need all the help they can get. It’s the new battleground, but also remember that the people who made the most money in the ’49ers Gold Rush were the merchants who provided the tools to the miners. In this classic Good vs. Evil fight, security vendors can be today’s heroes and winners, helping organizations take on the armies of hackers.

In addition to these measures, how powerful would it be to have access to a Ransomware emergency shutoff switch? The average time it takes for ransomware to start encrypting the files on your network is only 3 seconds. The shutoff is a powerful weapon that provides the peace of mind you need in today’s ever-threatening cybersecurity landscape. It provides additional protection by:

  • By blocking lateral propagation of the ransomware, the Ransomware Kill Switch protects all devices inside your organization.
  • By blocking access to Windows file shares, AD, storage, and backup services, the Ransomware Kill Switch ensures your key resources are protected when you are under attack.
  • By blocking access from your servers to mission-critical services such as ERP, CRM, etc., the Ransomware Kill Switch ensures that your employee and customer data is protected.
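To make the “halt lateral, keep north/south” idea concrete, here is an added toy flow-policy evaluator that models the kill-switch rules listed above (deny east-west traffic, deny access to file-share/AD/storage/backup services, deny server access to ERP/CRM) while ordinary user-to-internet traffic continues. This is illustrative code written for this article, not Airgap’s implementation; the address ranges, port-to-service mapping and application hostnames are constructed assumptions.

```python
import ipaddress
from typing import NamedTuple, Tuple

# Constructed address plan: which ranges count as "inside" and which hold servers.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
SERVER_NET = ipaddress.ip_network("10.10.0.0/16")

# Constructed mapping of destination ports to the services the kill switch fences off.
PROTECTED_PORTS = {445: "Windows file share (SMB)", 389: "AD (LDAP)",
                   88: "AD (Kerberos)", 2049: "storage (NFS)", 9101: "backup service"}

# Constructed hostnames of mission-critical business applications.
CRITICAL_APP_HOSTS = {"erp.example.test", "crm.example.test"}


class Flow(NamedTuple):
    src: str    # source IP address
    dst: str    # destination IP address or hostname
    dport: int  # destination port


def _is_internal(addr: str) -> bool:
    """True for addresses inside INTERNAL_NETS; hostnames are treated as external."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def _is_server(addr: str) -> bool:
    try:
        return ipaddress.ip_address(addr) in SERVER_NET
    except ValueError:
        return False


def evaluate(flow: Flow, kill_switch: bool) -> Tuple[str, str]:
    """Return (verdict, reason) for a flow. Only the kill-switch rules are modelled;
    the normal-mode micro-segmentation allow-list is out of scope here."""
    if not kill_switch:
        return "allow", "kill switch disarmed"
    if flow.dport in PROTECTED_PORTS:
        return "deny", "protected service: " + PROTECTED_PORTS[flow.dport]
    if _is_internal(flow.src) and _is_internal(flow.dst):
        return "deny", "lateral (east-west) traffic halted"
    if _is_server(flow.src) and flow.dst in CRITICAL_APP_HOSTS:
        return "deny", "server access to mission-critical app blocked"
    return "allow", "north-south traffic continues"
```

Feeding the evaluator captured flow records (or firewall log lines parsed into `Flow`) shows which connections a kill switch would have cut and which would have survived, which is a useful tabletop check before relying on such a control.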

If this sounds too good to be true, you owe it to yourself to schedule a demo. Contact us at https://airgap.io

About Airgap

Ransomware threats are growing rapidly. While there are a whole bunch of security companies that are trying to prevent ransomware from getting into your network, Airgap’s “Zero Trust Isolation Platform” protects your organization even if your perimeter is breached or if you have unpatched vulnerable servers inside your data center. Additionally, Airgap’s “Ransomware Kill Switch” is the most potent ransomware response for the IT organization. Airgap can be deployed in minutes without any agents, forklift upgrades, or design changes. The company is founded by highly experienced cybersecurity experts and the solution is trusted by large enterprises and service providers. For more details, check out https://airgap.io

Zero Trust Isolation — The Best Defense Against Ransomware Propagation. https://airgap.io
