We Need to Discuss the Ransomware Problem

By Jacob Ingerslev, Head of Global Cyber Risk, The Hartford

Jacob Ingerslev, Head of Global Cyber Risk, The Hartford

Although it’s been around for a long time, ransomware has hit a new high lately. So, what’s the reason for the spike? Throughout the evolution of ransomware, two major shifts have occurred, which have led to an increase in the frequency and severity of attacks. The first major shift in ransomware took place with Bitcoin ransoms six or seven years ago. Cryptocurrency provides criminals with a more efficient ransom collection process and greater anonymity than the previously used pre-paid cards or wire transfer methods. Another significant change has occurred in the past year with the move to more sophisticated ransomware delivery methods. That tactic, combined with cryptocurrency, has led to a dramatic increase in ransom demands and more extreme consequences of not paying the ransom.

The Challenge in Understanding the True Extent of Ransomware Attacks

One major challenge in understanding the extent of the ransomware issue is that most attacks go unreported. There is currently no legal obligation to report ransomware attacks to federal law enforcement, and most organizations prefer to avoid the stigma and potential reputational impact of revealing that they fell victim to a cyber attack. The lack of reporting of ransomware attacks is evident in the annual report from the FBI’s Internet Crime Complaint Center, which in 2019 included just $9M in reported ransomware losses. As a result, the public knowledge of ransomware is restricted to the few attacks that can’t be kept secret and therefore make it into the public domain. Attacks against healthcare entities, educational institutions, managed service providers, and government agencies often hit the news because services are unavailable, while other sectors mostly keep quiet about attacks. One unfortunate effect of that is the lack of awareness of how serious the problem is and of the reasons why cybercriminals are able to successfully carry out their attacks.

"As providers of insurance to many of the organizations impacted by ransomware attacks, our industry has a unique insight into the true extent of the attacks and why they continue to happen"

The Insurance Industry’s Unique View of the Risk

As providers of insurance to many of the organizations impacted by ransomware attacks, our industry has a unique insight into the true extent of the attacks and why they continue to happen. As with any insurance product, we track the causes of loss and the resulting loss amounts and analyze that data on a quarterly basis to monitor for trends. While insurers’ view is limited to their own customer base, it is substantial enough that material trends can be identified. In each case, insurers know whether the ransom was paid, how much was paid, and the financial consequences of not paying the ransom. As part of the claim process, insurers work closely with the incident response firms that assist organizations impacted by ransomware infection. Through that work, insurers are able to determine the root causes of how criminals successfully compromise victim organizations and deliver ransomware into their networks. 

How are the Criminals Getting in?

From an exploit perspective, the recent spike in ransomware activity is due to a combination of both new and traditional attack methods. We know that the most common attack vector for ransomware delivery is Remote Desktop Protocol (RDP) - an attractive tool for cybercriminals because it provides automatic access to a significant portion of the network once compromised. At the same time, it’s easy for criminals to identify targets because RDP is often exposed to the Internet and can be found with basic scanning tools. Once RDP is identified by the criminals, they turn to more traditional methods such as brute force attacks and credential harvesting to gain access and deploy ransomware. RDP credentials can even be purchased in dark web forums for as little as a few dollars. Phishing is still prevalent in the distribution of ransomware, and some recently discovered VPN vulnerabilities are also starting to appear among the top attack vectors. 

Paying vs. Not Paying the Ransom

With each ransomware attack, one of the key considerations is whether to give in to the demand and pay the attackers. Historically that was a less complicated consideration because of the relatively small ransoms demanded by criminals. That balance has changed dramatically in the past year, with ransom demands now frequently starting at millions or tens of millions of dollars, and even relatively small businesses can be faced with a seven figure demand. In each case, that decision is influenced mostly by the victim’s ability to recover from a back-up. To increase their success rate and apply the most amount of pressure on the victim organization, criminals have adapted their approach to include tactics such as destroying or encrypting any available back-ups stored on the network. Another tactic is stealing sensitive data before launching the ransomware attack itself and threatening to disclose the data if the ransom isn’t paid. Paying the ransom should always be the last resort, and it’s important to note that just like hostage negotiations, ransomware demands are frequently negotiated. Working with an experienced incident response firm is crucial in terms of making an informed decision about whether or not to pay the ransom, including its legal permissibility. 

Focus Should be on Prevention and Recovery

Knowing the typical entry points for ransomware and securing them can greatly reduce the risk of an attack, but the best approach is to assume that an attack may eventually succeed. Disabling RDP is the most effective preventative solution, but hiding the service behind a VPN is a good alternative if RDP is essential for network operations. The use of strong passwords, network-level authentication, and multi-factor authentication is critical in preventing brute-force attacks or unauthorized access with stolen or default passwords. However, prevention is only one half of the solution to the ransomware problem, and companies should focus equally on their ability to recover if they do get infected. Frequent and tested back-ups as well as using off-line, air-gapped, or immutable back-up storage will significantly increase the chances of a successful recovery from a ransomware infection. Ransomware is here to stay, so it’s time to prepare and protect your network against the next attack.

Weekly Brief

Read Also

A Cloud Services Security Playbook

A Cloud Services Security Playbook

Arun DeSouza, CISO & CPO, Nexteer Automotive
Managing Access-Point-Risk without Interfering Too Much With Business Processes Efficiency.

Managing Access-Point-Risk without Interfering Too Much With...

Luther Uthayakumaran, Head Strategy and Innovation, Sydney Water
Is your carrier keeping your SMS Two-Factor Authentication Secure?

Is your carrier keeping your SMS Two-Factor Authentication Secure?

Steve Buck, Chief of Security Business Unit, Mobileum
How Modernized Encryption Standards and TLS 1.3 May Impact Your Security Strategy

How Modernized Encryption Standards and TLS 1.3 May Impact Your...

Ben Schoenecker, CISSP, Director of Information Security, Hendrick Automotive Group
White Box Cryptography (WBC)

White Box Cryptography (WBC)

Dr. Tsirinsky, CTO, E.S. Embedded Solutions
Vulnerability Management - Don't Guess

Vulnerability Management - Don't Guess

Angelo Murano, CISSP, CRISC, CISM, Head of Information Security-ING Americas