In mid-July last year, Saudi Aramco — the biggest oil company in the world — confirmed that its data had been leaked after hackers demanded $50 million from it.
Two months earlier, the Colonial Pipeline Company in the US was hit by a cyberattack that triggered panic-buying of petrol in regions where the company supplied fuel.
The two attacks had one thing in common: ransomware, the malware that encrypts data on the system being attacked even as its deployer demands money — ergo the term ransom in the name — and threatens to make the data public if they are not paid.
Ransomware is not exactly a new malware type. However, it is now worse than ever and a primary threat for businesses across the globe.
Ransomware attacks on high-profile organizations in public and private sectors grabbed headlines throughout 2021, and cybersecurity experts believe this criminal enterprise will reach new heights in 2022.
Companies are hemorrhaging millions of dollars to ongoing ransomware raids.
A recent study by Cybersecurity Ventures estimates that the cost of ransomware remediation is set to rise more than 13-fold to over $265 billion annually, and that the frequency of attacks will increase from one every 11 seconds to one every 2 seconds by 2031.
Speaking to TRENDS, cybersecurity experts explained why ransomware remains one of the biggest cybersecurity threats to businesses.
“Ransomware has been around for decades and has been through several transformations to become what it is today. From the 1989 AIDS ransomware to the 2021 Colonial Pipeline attack, ransomware criminals have frequently surprised us with their destructive ingenuity,” Toni El Inati, RVP Sales, META & CEE, Barracuda Networks, told TRENDS.
“One of the more recent developments is their embrace of a ‘nation-state cyberattack’ model, in that they direct significant effort into the compromise of a well-researched high-value target,” he added.
In the past 12 months, Barracuda researchers have seen a 64 percent increase in attacks, year over year.
Ransomware criminals traditionally relied on a numbers game. They deployed massive spam campaigns to reach as many people as possible, knowing that there was always a percentage of targets who would get infected and pay the ransom.
As the ransomware “industry” matured, these criminals became experts in this type of crime.
Individual threat actors who have proven their worth in the underground economy can move among hacking gangs the way the rest of us move to new companies to advance our careers.
Gangs have also been known to form “partnerships” to share resources.
The combination of experience, skill, and innovation enables these groups to be deliberate and agile in their attacks.
“This relatively new method of targeting specific victims is known as ‘big game hunting’ and it’s been very effective at creating big paydays for the hackers. It’s also raised public awareness of Ransomware and elevated the response of many governments around the world,” explained Inati.
Sharing his thoughts, Gregg Petersen, Regional Director – MEA at Cohesity, said ransomware continues to be a powerful and potentially devastating type of cyberattack.
“In particular, ransomware as a service (RaaS) has seen continued evolution during 2021. This phenomenon, whereby bad actors develop software and make it available to non-technical cybercriminals, has opened up more opportunity for targeting smaller and medium-sized organizations,” he said.
“The logic is clear. A ‘bespoke’ attack on a large organization can yield multimillion-dollar payouts, but needs technically astute execution. A generalized attack on smaller organizations via RaaS may have smaller individual yield, but a greater overall yield.”
In its 2022 Threat Report, cybersecurity firm Sophos said the release of some materials relating to RaaS has helped it to identify tactics, techniques and procedures that might indicate an attack in progress, helping it to thwart attacks.
RaaS will continue to be a significant threat in 2022. For chief information officers (CIOs) and chief information security officers (CISOs), the challenge is not just ensuring their defenses are solid and able to cope with evolving ransomware strategies, but also that they have a suitable set of recovery plans in place to deal with issues when they arise, which they inevitably will.
Joseph Carson, Chief Security Scientist and Advisory CISO, ThycoticCentrify, said companies must take ransomware very seriously as it will continue to be the biggest cyber threat, and as we can see from this eye-wateringly high ransom demand, the price being paid for not being prepared is on the rise.
“It only takes one employee with local admin privileges clicking on a malicious email attachment to take down an entire company,” he added.
Ransomware is no longer just about encrypting files but also stealing data, making it a multifunctional weapon.
Suppose a company has a solid backup to restore systems affected by ransomware, rendering the encryption useless.
In that case, the criminal gang can threaten to disclose damaging data that could directly impact the stock price, brand, employees, and potential customers.
That’s what happened with Aramco last year.
Talking about the financial losses, Inati said, “We have noticed that ransom amounts are increasing dramatically and now the average ransom ask per incident is over $10 million. In our research this year, 8 percent of the incidents had a ransom ask less than $10 million, while 14 percent of the incidents had a ransom ask greater than $30 million.”
Joseph Carson said, “What we are seeing with Ransomware is that cybercriminals continue to abuse privileged access, which enables them to steal sensitive data and deploy malicious Ransomware. This means that organizations should prioritize privileged access as a top security measure to reduce the risks of Ransomware and ensure strong access controls and encryption for sensitive data.”
Measures for protection
Inati said the first step in protection was to protect user credentials from email attacks.
“This involves blocking phishing attacks before they reach users’ inboxes, training employees to recognize phishing attempts, and having tools and procedures in place to effectively execute incident response,” he explained, referring to the type of attacks where threat actors pose as a trusted entity and steal login credentials, personal information, and other details from their targets.
“To prevent data exfiltration and encryption, you must protect the top attack vector for data breaches — your web applications. To implement an effective ransomware protection strategy therefore, you need to secure your applications, protect access to your applications, and prevent lateral movement on the network.”
According to Petersen, the first measure or technology mandate that should be considered is adopting a 3-2-1 rule for data backups, whereby organizations must have at least three copies of their data stored on two types of media, with one backup copy kept offline or offsite.
Carson also emphasized the importance of backup.
He said, “The best way to defend against ransomware and become resilient to such ransom threats is to have a solid backup and recovery plan. It is critical that companies have backup plans, and it is also important to have some automation in place and have the plan tested and ready. It is never good to be testing your incident response plan during an incident.”
The IDC ransomware report found that only 13 percent of organizations that experienced a ransomware attack or breach in the last year did not pay the ransom, despite the average ransomware payment totaling almost $250,000.
This highlights the dilemma organizations are faced with when hit by ransomware.
The unfortunate reality is that paying ransom often achieves the opposite result of remediation, with criminals often seeing companies who pay ransoms as weak.
For example, the REvil ransomware group has revealed how it targets specific organizations with ransomware, such as by hacking insurers first to see their customer database.
Darkside, the group behind the Colonial Pipeline attack, has revealed it typically searches through a victim’s system looking for insurance coverage to determine how high it can raise demands, especially if the victim is insured.
Many insurers are now automatically increasing cyber insurance premiums by upwards of 15 percent depending on their customers’ industry of operation.
Others like multinational insurer AXA have announced their cyber insurance covering ransomware will no longer be sold.
With IDC’s 2021 Ransomware Study: Where You Are Matters! report revealing that more than one-third of organizations in the past 12 months experienced a ransomware attack or breach that blocked access to data or systems, organizations are now faced with not just malicious actors but also being held to ransom by their cyber insurance policy coverage — or lack thereof.
Industry predictions for GCC
Cybereason, in its latest industry predictions for 2022, urged the GCC region’s businesses, employees, and consumers to be ever-watchful in making the new hybrid ecosystem a safe environment in which to work, shop and live.
Lior Div, CEO and cofounder, Cybereason, said, “For our 2022 predictions, we wanted to go beyond the usual hot topics and buzzwords lists that generally pass for insights.”
He explained: “While it’s important for our customers to prepare for more of the same when it comes to things like skills gaps and the use of cloud and AI in cybersecurity, we believe they do not need domain experts to inform them of the obvious. We prefer to focus on the future shape of the threat landscape and what current threat research tells us about risks that may be just over the horizon.”
More than 90 percent of UAE businesses are concerned about ransomware attacks, according to a Cybereason report highlighting the disconnect between perceived threat and preparedness.
Ransomware has swept the region anew since the pandemic created more complexity in infrastructure and a disconnect between remote-working employees and the IT function.
According to recent Cybereason research, 63 percent of UAE businesses paid bad actors between $350,000 and $1.4 million following ransomware incursions in the two years before June 2021.