DUBAI, UAE — Ransomware attacks have dominated headlines over the last two years and will continue to shape the cybersecurity agenda in 2023 and beyond. As ransomware gangs persist in extorting money from businesses, the organizations that yield to these demands inadvertently finance the ransomware industry and further crime. With an escalation of attacks on critical infrastructure and healthcare, the issue extends beyond business concerns. So, how did we arrive at this point, what are the implications beyond business, and what actions should organizations take to break the cycle?
The democratization of data theft
Cybercrime has existed since the 1980s. Since then, the cybersecurity industry has tirelessly highlighted—or “fear-mongered,” depending on one’s perspective—cyber threats. Over the last five years, these threats have exponentially increased, with a staggering 90 percent of organizations reportedly affected by ransomware in the last year alone. While increased digitization of the world has contributed to this rise, the primary driver is the effectiveness of ransomware as a tool for cybercriminals to monetize their actions.
While financial gain has always been a leading motive for cybercriminals, one may wonder why it took so long to reach this point. The answer lies in the implications of new digital innovations. Digital technologies have provided hacking groups with the perfect means of escape, making cryptocurrencies like Bitcoin, secured by blockchain technology, a reliable and almost untraceable method of extortion. This advancement has transformed cybercriminal groups into money-making machines—or businesses in their own right. For instance, leaked documents reveal that Conti, one of the most notorious ransomware groups globally, maintains an HR department, performance reviews, and even an “employee of the month” scheme.
The bigger picture
Beyond the immediate financial and reputational damage inflicted by ransomware attacks, a broader perspective is necessary. Cybercrime has evolved into an industry with experienced specialists, dedicated vendors of tools and services, and even subscription-based Ransomware-as-a-Service (RaaS) products. Like any industry, it requires profits to grow and develop. By paying ransomware demands, organizations inadvertently fuel this industry, and it’s not just businesses that bear the brunt.
Governments, hospitals, and critical infrastructure, including transportation and schools, are increasingly falling victim to ransomware attacks. For instance, attacks on hospitals have become alarmingly common across the US and Europe. Consequently, the US government convened representatives from over 30 countries to address ongoing ransomware attacks on critical infrastructure. Such attacks are not solely nation-state cyberattacks—a separate yet increasingly blurred issue—but also the work of the same cybercriminals who target businesses.
Even though many groups claim to avoid targeting critical infrastructure due to ethical concerns or fear of diplomatic repercussions, ransomware is indiscriminate. Its methods can be far-reaching, and public services can easily become collateral damage. In fact, the volume and severity of ransomware attacks have reached a crisis point. As these attacks affect organizations of all sizes, both public and private around the world, protecting your organization and refusing to pay ransom is crucial to ending the crisis. It’s also arguable that organizations have a corporate responsibility to refrain from paying ransomware demands and financing further crimes. So, what approach should businesses take?
What businesses need to do
Preventing ransomware requires a combination of people, processes, and technology. It’s also important to note that the digital world and the real world aren’t so different: open windows need to be locked at night (patching systems), double locks are more secure than single ones (multi-factor authentication), valuable items or information should be securely stored (data protection), and often the biggest security risks are people and staff (insider threats or failure to follow processes).
However, while prevention is crucial, and preventing an attack will always be more cost-effective than dealing with one, it’s unrealistic to expect businesses to thwart all attacks. The objective isn’t for businesses to completely eliminate successful ransomware attacks, but to reach a point where even a successful attack doesn’t necessitate paying the ransom—effectively saying ‘no’ to ransomware.
This last line of defense hinges on the backup and recovery processes in place. Ransom demands can be disregarded if an organization has a backup of critical data with which to restore the encrypted system. But not all backups are created equal. As ransomware and cybercriminals have grown more sophisticated, they now actively target backup repositories. According to a recent study, backup repositories were targeted in 93 percent of ransomware attacks, with 75 percent of these proving successful.
The traditional rule for backups was the 3-2-1 rule: keep three copies of data, on two different types of media, with one stored offsite. That offsite copy was in case of a physical disaster, like a fire or a flood. However, ransomware is far more common than these physical disasters nowadays. Therefore, in addition to having an offsite copy, modern backup strategies should include having a copy that is either offline, air-gapped (unreachable), or immutable (unchangeable). With this, along with a robust recovery process (designed for recovery) in place, a business can confidently withstand and recover from ransomware attacks without even contemplating paying a ransom.
Ending the cycle
Ransomware has democratized data theft, transforming cybercrime into a profitable, evolving industry like never before. While it’s not the responsibility of businesses to actively tackle or solve this problem at its source, enterprises do bear a duty of care towards other organizations and critical infrastructure around the world to not fuel the fire. Government bodies are now working towards finding solutions to the problem, but businesses need to invest in ransomware prevention to protect themselves from substantial financial damage and the risk of financing further crime.
Edwin Weijdema is Global Technologist at Veeam.
The opinions expressed are those of the author and may not reflect the editorial policy or an official position held by TRENDS.