Today’s columnist, Grayson Lenik of Trustwave Government Solutions, points out that while high-profile ransomware cases make the news, most ransomware victims never report it to the FBI or publicly admit to paying the ransoms. (Photo by Mark Wilson/Getty Images)

Ransomware threats have been growing in frequency and severity in recent years. It’s estimated that victims paid nearly $350 million worth of cryptocurrency in ransom payments in 2020, a 311% increase over the previous year. Even that figure likely understates the true total by a wide margin, since most ransomware victims never report the incident to the FBI or publicly admit to paying.

For many people, the first they heard of ransomware may have been the recent Colonial Pipeline attack that caused crippling fuel shortages along the East Coast, but ransomware has actually been around for a long time. The first ransomware attack can be traced to 1989, when a Harvard-trained biologist distributed 20,000 floppy disks carrying a Trojan that locked victims out of their systems and demanded payment to restore access. He was quickly caught, but the threat of ransomware has been growing ever since, and the methods used have evolved to keep pace with the times.

After this first incident, ransomware remained rare until the early 2000s, when the spread of the internet made it possible for criminals to distribute malware at scale. One of the earliest examples occurred in 2006 when cybercriminals launched the Archiveus Trojan, which encrypted the contents of victims’ My Documents directory and required them to make a purchase from an online pharmacy in order to regain access. While some types of ransomware encrypt data and demand payment in exchange for regaining access, others exfiltrate sensitive or embarrassing data and threaten to publish it unless the victim pays. The malware often operates quietly at first, spreading across the entire network, finding and deleting backups, and erasing the encryption key it generated locally, so that once victims discover the attack they cannot simply recover the key forensically and decrypt their files.

As the internet evolved, so did ransomware. In 2013, we saw the first version of CryptoLocker emerge; it remained widespread for years and spawned a number of copycats. In 2015 we started seeing mobile variants targeting smartphones. Then around 2016, a significant change occurred in the industry that set ransomware on a tremendous growth trajectory: the emergence of Ransomware-as-a-Service (RaaS).

RaaS groups are cybercriminal gangs and underground teams of coders who create new strains of ransomware and license its use to others. Much the same way one might pay a license fee to use any popular enterprise software, criminals on the dark web pay for the ability to use these pre-made, easy-to-execute ransomware packages. RaaS has changed the game, making it possible for nearly anyone to execute ransomware attacks.

One example of a RaaS group is the Ryuk gang, which has been known to target managed security service providers (MSSPs). By compromising an MSSP, they can push their malware out to all of that provider’s customers at once, reaching far more victims than if they attacked organizations one by one.

So how can organizations defend themselves from this growing threat? I have dealt with dozens of ransomware attacks and helped commercial and government organizations recover from their aftermath. Here is my advice:

Mind the human element: Although some attacks are sophisticated, the vast majority of ransomware attacks use simple methods like phishing or exploiting weak passwords on exposed remote access services to gain entry. Hackers know humans are often the weakest link. Always enforce strong access controls, including unique passwords and multi-factor authentication on every remote access path, and ensure employees are trained to recognize phishing, business email compromise (BEC), and social engineering techniques.

Vet the supply chain thoroughly: Ransomware gangs like Ryuk target the IT supply chain to spread their attacks further. It’s extremely important to thoroughly vet all partners and service providers throughout the entire supply chain. Even when a provider is reputable, vet its processes, and in particular how it secures the remote access it holds into your environment, since that access is exactly what these gangs abuse.

If the company pays the ransom, hire a professional: I never recommend organizations pay the ransom these groups demand. That only rewards and encourages them to continue conducting these attacks on others. However, if an organization decides that it must pay, hire a professional team that has experience handling these types of attacks, including managing negotiations and getting targeted organizations back online smoothly. Involve law enforcement early – the Cyber Fraud Task Forces around the country have excellent resources and can be a tremendous help.

Implement layers of defense: It’s no longer enough to simply have antivirus or intrusion prevention technologies. Organizations must implement layers of defense including antivirus, antimalware, antispam, intrusion prevention, and intrusion detection, all working together. For ransomware specifically, add backups the malware cannot reach from the network (offline or immutable copies) and test restoring from them, because the malware actively hunts for and deletes any backups it can find. Combine these technologies with the information gained from threat intelligence feeds throughout the industry to make your detection smarter.
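Two of the behaviours described earlier in this column, the backup-deletion step that precedes encryption and the bulk rewriting of documents under a new extension, are cheap, high-fidelity detection signals for the intrusion detection layer. The following Python is an added example, not code from the column or from Trustwave: the log format and every log line are constructed for the example (a real deployment would read Sysmon, EDR or SIEM events instead), while the command-line patterns it matches are real Windows tools that ransomware routinely abuses to destroy recovery options.

```python
"""Toy ransomware-behaviour detector over constructed endpoint telemetry.

Detects (1) commands that destroy backups/recovery options and (2) one process
rewriting many documents with a new extension appended in a short time window.
Log format is constructed for this example: time|host|type|process|pid|detail
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Real Windows commands routinely abused to wipe shadow copies, backup catalogs
# and boot-time recovery before encryption begins.
BACKUP_DESTRUCTION = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I),
    re.compile(r"bcdedit(\.exe)?\s.*recoveryenabled\s+no", re.I),
]

# Document types whose files ransomware typically rewrites as name.<ext>.<new ext>.
DOCUMENT_EXTS = {"docx", "xlsx", "pptx", "pdf", "jpg", "txt", "sql", "dwg"}


def constructed_log():
    """Constructed sample telemetry (not captured from a real incident)."""
    lines = [
        '2021-06-01T09:00:01|WS01|process|winword.exe|4120|"C:\\Program Files\\Microsoft Office\\WINWORD.EXE" report.docx',
        "2021-06-01T09:00:05|WS01|process|cmd.exe|4188|cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet",
        "2021-06-01T09:00:06|WS01|process|cmd.exe|4190|cmd.exe /c wbadmin DELETE CATALOG -quiet",
        "2021-06-01T09:00:07|WS01|process|cmd.exe|4192|cmd.exe /c bcdedit /set {default} recoveryenabled No",
        "2021-06-01T09:00:08|WS01|process|wmic.exe|4194|wmic shadowcopy delete",
        "2021-06-01T09:00:09|WS01|process|vssadmin.exe|4196|vssadmin list shadows",  # benign: lists, does not delete
    ]
    start = datetime(2021, 6, 1, 9, 0, 10)
    # 60 documents rewritten with ".locked" appended within three seconds by one process
    for i in range(60):
        t = (start + timedelta(milliseconds=50 * i)).isoformat(timespec="milliseconds")
        lines.append(f"{t}|WS01|file|svchost_.exe|4200|C:\\Users\\jane\\Documents\\doc{i:03d}.docx.locked")
    # a legitimate backup job appending ".bak" to a handful of files, spread over ten minutes
    for i in range(5):
        t = (start + timedelta(minutes=2 * i)).isoformat(timespec="seconds")
        lines.append(f"{t}|WS01|file|backup.exe|5000|D:\\Backups\\finance{i}.xlsx.bak")
    return lines


def parse(lines):
    """Split each pipe-delimited line into an event dict with a parsed timestamp."""
    events = []
    for line in lines:
        time, host, kind, process, pid, detail = line.split("|", 5)
        events.append({"time": datetime.fromisoformat(time), "host": host, "type": kind,
                       "process": process, "pid": int(pid), "detail": detail})
    return events


def detect_backup_destruction(events):
    """Return (host, pid, command line) for every process event matching a destruction pattern."""
    return [(e["host"], e["pid"], e["detail"]) for e in events
            if e["type"] == "process" and any(p.search(e["detail"]) for p in BACKUP_DESTRUCTION)]


def detect_mass_rewrite(events, threshold=50, window=timedelta(seconds=10)):
    """Return (host, process, pid, appended_ext) for each process that writes at least
    `threshold` files of the form name.<document ext>.<new ext> within `window`."""
    writes = defaultdict(list)
    for e in events:
        if e["type"] != "file":
            continue
        parts = e["detail"].rsplit("\\", 1)[-1].lower().split(".")
        if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS:
            writes[(e["host"], e["process"], e["pid"], parts[-1])].append(e["time"])
    alerts = []
    for key, times in writes.items():
        times.sort()
        left = 0  # sliding window over sorted write times
        for right in range(len(times)):
            while times[right] - times[left] > window:
                left += 1
            if right - left + 1 >= threshold:
                alerts.append(key)
                break
    return alerts


if __name__ == "__main__":
    evs = parse(constructed_log())
    for hit in detect_backup_destruction(evs):
        print("backup destruction:", hit)
    for alert in detect_mass_rewrite(evs):
        print("mass rewrite:", alert)
```

On the constructed data the first detector flags the four deletion commands and ignores the read-only `vssadmin list shadows`; the second flags only the process that rewrote 60 documents in three seconds, not the slow backup job, which is why the rate threshold and window matter more than the extension itself. In a real environment the command-line detector is close to zero-noise and should alert immediately, while the rewrite threshold needs tuning against legitimate bulk jobs before it is used to isolate a host automatically.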

Leverage offensive security: Complement defensive controls with offensive security to improve the company’s overall security posture by conducting goal-based penetration testing. Don’t just scan for known vulnerabilities; hire people with real hacking skills to attack your organization, test business logic and execute realistic phishing campaigns. Then develop signatures and defenses to address the weaknesses they identify.

Ransomware has been around far longer than most people realize, but the rise of RaaS has made it much more prevalent in recent years. As a result, ransomware has grown into a multi-billion-dollar industry that will not go away any time soon. By training employees in security best practices, vetting the supply chain, implementing layers of defense and hacking their own organization before someone else does, companies can greatly reduce the chance of becoming the next victim.

Grayson Lenik, director, consulting and professional services, Trustwave Government Solutions