With a united front, we can turn the tide against ransomware


While Covid-19 is still causing mayhem in parts of the world, it’s begun to fade into the background for many Americans, including myself. While recent strains are proving to be even more contagious than earlier ones, the percentage of infected people who need to be hospitalized has dropped significantly. The death rate has fallen even more.

What’s this got to do with security? The strategies that have helped the world manage Covid (new vaccines, new behaviors and collaborations between government and the private sector) can also be applied to a cyber-contagion that’s running rampant: ransomware. Ransomware is defined as any attempt to shut down a company’s access to its own data until it pays to have it reinstated, and a new attack occurs every eleven seconds, according to Cybersecurity Ventures. VMware estimates it has blocked more than 1.1 million ransomware attacks in the last 90 days.

And the lethality remains unacceptably high. According to Cybersecurity Ventures, ransomware attacks cost companies $20 billion in 2021, up 57x since 2015, and the attacks have become increasingly brazen and dangerous. Ransomware was the method used in 2021 to shut down the Colonial Pipeline that delivers oil to the Eastern seaboard. In April, attackers took down a large part of the Costa Rican government’s computer infrastructure, including its tax and customs collection systems. 

Fortunately, there is good news, as well. Unlike just a few years ago, a blueprint has emerged for how companies and society can fight back. The parallels with the fight against COVID are notable:

  1. Better basic hygiene: Just as many people agreed to social distance and wear masks, CIOs can train their teams to always keep systems properly patched, and to block communication pathways that should never be used. A web server, for example, should never answer an email, so don’t let it.
  2. More information sharing: While contact-tracing had a mixed record in the fight against COVID, it was a useful tool on college campuses and other environments to limit damage. In the cyber-context, sharing information on ransomware attacks can warn others about the identity and nature of those attacks. In early 2021, the Biden Administration announced new regulations requiring government contractors to disclose when they are facing ransom demands, and in March of this year the Cybersecurity & Infrastructure Security Agency introduced a Shields Up program with a range of voluntary suggestions for companies to fend off attacks. In April, the Department of Justice announced it had successfully worked with companies involved with critical infrastructure such as banks and water distribution to remove malware that had been planted by Russia’s G.R.U. intelligence service to launch debilitating ransomware attacks.
  3. Adopt effective technology: Just as millions agreed to take vaccines and boosters, companies can deploy a range of tools that are proven to prevent or at least lower the damage of ransomware attacks. Companies should embrace zero-trust concepts, which are designed to prevent lateral movement by an attacker. The most sophisticated attacks use legitimate communication pathways that a real application would also use, so the technology must be powerful enough to read every transaction to figure out friend from foe. This is a hard problem, but not impossible. Advanced distributed security systems are making significant strides. Distributed east-west security is to ransomware what mRNA was to COVID. 
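
The "don't let it" rule from item 1 and the lateral-movement point from item 3 both come down to a default-deny allowlist for internal (east-west) traffic. The sketch below is an added example, not code from the article or from any product it mentions; the segment names, addresses, ports and flow records are all constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed network segments (hypothetical names and address ranges).
SEGMENTS = {
    "web": ip_network("10.0.1.0/24"),
    "app": ip_network("10.0.2.0/24"),
    "db": ip_network("10.0.3.0/24"),
    "mail": ip_network("10.0.4.0/24"),
}

# Default deny: only these (source segment, destination segment, port)
# pathways are permitted. Note there is no web -> mail entry.
ALLOWED = {
    ("web", "app", 8443),
    ("app", "db", 5432),
    ("app", "mail", 25),
}

def segment_of(addr):
    """Map an IP address to its segment name, or 'external' if unknown."""
    ip = ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "external"

def evaluate(flow):
    """Return (verdict, pathway) for a (src_ip, dst_ip, dst_port) flow."""
    src, dst, port = flow
    key = (segment_of(src), segment_of(dst), port)
    return ("allow" if key in ALLOWED else "deny", key)

def violations(flows):
    """List every flow that falls outside the allowlist."""
    return [(f, key) for f in flows
            for verdict, key in [evaluate(f)] if verdict == "deny"]

# Constructed flow records: (source IP, destination IP, destination port).
SAMPLE_FLOWS = [
    ("10.0.1.10", "10.0.2.20", 8443),   # web -> app API: expected
    ("10.0.2.20", "10.0.3.30", 5432),   # app -> database: expected
    ("10.0.1.10", "10.0.4.40", 25),     # web server talking SMTP: never needed
    ("10.0.1.10", "10.0.1.11", 445),    # web -> web over SMB: lateral movement
    ("10.0.2.20", "203.0.113.9", 443),  # app -> unknown external host
]

if __name__ == "__main__":
    for flow, key in violations(SAMPLE_FLOWS):
        print("DENY", flow, "pathway", key)
```

Because the policy is keyed on segments rather than individual hosts, traffic between two servers in the same segment is denied unless it is listed, which is the east-west case a perimeter firewall never sees.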

The progress is real. According to Coveware, the average ransomware payment in the third quarter of 2021 was $154,108, down 34% from the year before. A main reason is that more companies are adopting new approaches that back up their data far more often, and provide nuanced, graduated alerts that an attack might be under way. While they may lose a few minutes of their most recent data, companies can still operate. As a result, more companies are simply refusing to pay the ransom. According to the Corvus Risk Insights Index, less than 20% of ransoms were paid in the last quarter of 2021, compared to 44% in the third quarter of 2020.

No doubt, the fight against ransomware will have many ups and downs. Already, attackers – often using “ransomware-as-a-service” tools that are widely available on the dark web – have developed devious new tricks such as “intermittent encryption” that steals only some of your data at a time, making it much harder to detect and stop attacks. And ransomware will continue to mature as an industry, because it’s a very profitable business with very low barriers to entry. Some say it won’t be long before ransomware attackers offer flexible payment plans, to help their victims get their data back. 

But for the first time since the scourge of ransomware began, companies have the ability – both individually and collectively – to make life much more difficult for attackers. 


Sources

i. VMware Internal Analysis, May 2022 
