The Future of Ransomware: Preparing for the Next Generation of Ransomware Attacks

Isaac Kohen
7 min read · Nov 28, 2020

Ransomware has been the scourge of cybersecurity and may have led to a recent death. Now it may soon get far more dangerous.

The threats to cybersecurity are constantly evolving. As security teams develop solutions to the threats, malicious actors change their tactics to keep chasing their ill-gotten gains.

After all, the Game is the Game.

And the game keeps changing. In recent years, ransomware has been the weapon of choice for hackers looking for a payday.

In 2017, the WannaCry ransomware attack put this threat on the map when it took the United Kingdom’s National Health Care Service (NHS) offline, along with many, many others. Later that year, the NotPetya attack — which was likely carried out by Russian state hackers — caused billions of dollars of damage when it swept through global systems, shutting down multinational companies.

According to reports, ransomware attacks netted hackers some $25 billion in 2019. The stakes have only continued to rise since then as more organizations fall victim to this form of attack and the dollar amounts mount higher and higher.

The good news is that organizations of all types have woken up to the need to confront this threat and adopt better security procedures. Unfortunately, the ransomware game is staying a step ahead, and may even be preparing for the next step of its evolution in the near future.

The Rise and Evolution of Ransomware

Criminal gangs have realized that they can skip the step of having to find buyers for stolen data by simply breaching a victim and denying them access to their data unless they pay up. This has allowed them to go after a whole new set of victims, forcing more organizations to understand that they have something worth targeting.

At first, the hackers targeted individuals for small amounts of Bitcoin before moving onto larger organizations like city governments and even hospitals. Taking these big operations offline raised the stakes from a few hundred dollars to thousands and even millions. Fitness tracker-maker Garmin was reported in August to have paid out a multi-million dollar ransom after their attackers demanded $10 million.

Then, as in any good game of cat and mouse, security professionals found that they could mitigate the risk of being blackmailed over their data by aggressively backing it up. So even if an organization found itself locked out of its data, it could turn to its backups and avoid paying.

As the defense has improved to fend off these attacks, the hackers have decided to up their game. Over the past year, we have seen more incidents where the criminals have not just encrypted their victims’ data, but then also threatened to leak its contents if they are not paid.

For organizations that risk significant harm if their internal data, or perhaps more importantly their customers’ data, is made public, this is a serious threat. They face reputational and fiscal harm if this data is leaked, as well as repercussions under GDPR and other regulatory regimes.

In order to explain where the next type of risk is likely to emanate from, we need to return to the basics of information security to see which stone has thus far been left unturned.

Undermining Our Trust in the Data: Confidentiality, Integrity, Accessibility of Data

This core information security concept refers to the Confidentiality, Integrity, and Accessibility of data: the three properties a security program is meant to protect.

Taking this concept to the case of ransomware, the attackers started by threatening organizations’ ability to access their data. Then they threatened to make the data public, risking its confidentiality.

Now, there is talk in the industry that the next step will be for them to compromise the integrity of their victims’ data, threatening to make changes to it if the ransom is not paid in full.

The idea that our data might not be what it claims to be is very scary. It is a fear of not knowing what we don’t know. Let’s put this in context with the other forms of ransomware to address why this is.

If an attacker succeeds in getting ransomware onto a company’s machines, that organization will be keenly aware that they have been infiltrated because they are locked out. Fairly straightforward, right? Same with threatening to leak information. The attacker shows proof that they have exfiltrated the data and that is enough.

But integrity is a different game because here the attackers are telling the victim that they have changed something in their files, and that they have to pay to find out what it is.

While an attack on a bank where the hackers threaten to change balances à la Fight Club might seem to be a likely candidate for this kind of integrity compromise, a better example would unfortunately be found in the medical system.

Hospitals as a Prime Target for Ransomware

Popular culture likes to think of hackers as clever counterculture heroes who use their smarts to get one over on the suits.

While there may be plenty of folks who fit this image, many more are simply malicious dudes out to make a dishonest buck, no matter the consequences, and their choice of targets speaks for itself.

Hospitals have been a favorite target for hackers using ransomware for a couple of reasons. First is that they are large bodies with cash and insurance to pay the blackmail. Second, and this is a key differentiator, is that losing access to their data for even short stretches of time can mean putting lives at risk.

In a tragic story from September, an attack on a hospital in Düsseldorf, Germany led to the death of a woman there. According to reports, the ransomware crew mistakenly (or so they claim) hit the hospital, taking a number of their servers offline.

This led the hospital to redirect a woman seeking life-saving care to another facility 20 miles away.

When the authorities contacted the criminals to tell them that they had struck the emergency services section of the hospital and not the university (another favorite target), the crew sent over the keys to decrypt the servers. But it was too little, too late, as the patient died en route to the other hospital.

The impact of a ransomware attack on a hospital is that without access to patient records, doctors are rightfully unwilling to provide care to patients because they lack the data necessary to make decisions. In some cases, as we know, this can be fatal.

Now imagine the chaos and potential loss of life if doctors cannot trust that their records are correct. The liability alone would be enough to cripple operations. They wouldn’t be able to administer medication using their systems or move forward with surgery. The list of what-ifs is endless.

Admittedly, hospitals may be an extreme case. As noted before, financial institutions and others are likely to be the intended targets of these attacks because changes there can have huge fiscal consequences — thus making them more likely to pay.

But the problem is real for all sorts of organizations who will now need to think about how they should prepare for this likely next step in the arms race.

3 Tips for Protecting Data Integrity

We face a complex challenge in securing data integrity, but like most security issues, a bit of good hygiene and following of best practices can go a long way.

The human element of dealing with ransomware is likely your first line of defense. Work with your employees to identify suspicious phishing emails with malicious links or attachments.

Some attacks will still inevitably slip through, so additional technical steps can help to mitigate the damage.

1. Keep Backups

While far from the perfect solution given the risk to confidentiality, this is still the most important action to take to reduce your exposure to ransomware attacks.

There is some discussion about how often to update the backups and if it is possible or preferable to keep an offsite backup that is not constantly connected to the network. However you decide to run your backups, just make sure that you do it.
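Backups only help against an integrity attack if you can tell which records were changed. The following is an added example, not code from the article or from the author’s company: it keeps a manifest of keyed HMAC-SHA256 tags over a constructed set of hypothetical patient records, stores the key offline with the backup (an assumption of this example), and at restore time classifies each record as untouched, modified, added or missing. A keyed tag is used rather than a plain hash because an attacker who can rewrite the records can just as easily regenerate an unkeyed hash manifest sitting beside them.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample records of the kind an integrity attack would target.
# These are hypothetical values, not real patient data.
RECORDS = {
    "patient-001": {"name": "A. Example", "allergy": "penicillin", "dose_mg": 250},
    "patient-002": {"name": "B. Example", "allergy": "none", "dose_mg": 500},
    "patient-003": {"name": "C. Example", "allergy": "latex", "dose_mg": 125},
}


def canonical(record: dict) -> bytes:
    """Serialise a record deterministically so identical data always yields identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(records: dict, key: bytes) -> dict:
    """Return {record_id: hex HMAC-SHA256 tag} for every record.

    The key is assumed to be kept offline with the backup copy, so an attacker who
    can rewrite both the records and the manifest still cannot forge matching tags.
    """
    return {
        rid: hmac.new(key, canonical(rec), hashlib.sha256).hexdigest()
        for rid, rec in records.items()
    }


def verify_records(records: dict, manifest: dict, key: bytes) -> dict:
    """Classify each record id as 'ok', 'modified', 'added' or 'missing'."""
    result = {}
    for rid, rec in records.items():
        expected = manifest.get(rid)
        if expected is None:
            result[rid] = "added"          # record exists now but was never backed up
            continue
        actual = hmac.new(key, canonical(rec), hashlib.sha256).hexdigest()
        # compare_digest avoids leaking tag bytes through timing differences
        result[rid] = "ok" if hmac.compare_digest(actual, expected) else "modified"
    for rid in manifest:
        if rid not in records:
            result[rid] = "missing"        # backed up, but gone from the live data
    return result


def demo() -> dict:
    """Build a manifest, simulate a silent integrity attack, and report what changed."""
    key = secrets.token_bytes(32)          # in practice: stored offline, not on the server
    manifest = build_manifest(RECORDS, key)

    tampered = {rid: dict(rec) for rid, rec in RECORDS.items()}
    tampered["patient-002"]["dose_mg"] = 5000        # a dangerous, quiet edit
    del tampered["patient-003"]                      # a deleted record
    tampered["patient-004"] = {"name": "D. Example", "allergy": "none", "dose_mg": 100}

    return verify_records(tampered, manifest, key)


if __name__ == "__main__":
    for rid, status in sorted(demo().items()):
        print(f"{rid}: {status}")
```

Run as a script it lists every record with its status; the useful part is that a single changed field (the dose) is reported as modified while the untouched record still verifies, which is exactly the question a hospital would need answered before trusting a restored database.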

2. Monitor for Malicious Activity

You never know where or when an attack will come from, so make sure to monitor activity. Logs can help to tell part of the story and provide indicators that can help in the recovery process.

Part of the story will be on the network, while the other half is likely to be on the machines themselves. Keeping an eye on both can help to paint a fuller picture.
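One concrete thing host-side logs can show is the burst of file renames that encryption produces. The following is an added example, not code from the article: it runs a simple sliding-window detector over a constructed endpoint file-event log (hypothetical format of timestamp, host, process, action, path) and raises an alert when one process renames several files to a new extension within a short window. The host name, process names and thresholds are all assumptions chosen for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed sample log. Format is hypothetical: "<timestamp> <host> <process> <WRITE|RENAME> <path>"
# with RENAME lines carrying "<old> -> <new>". The billing workstation is the kind of
# public-facing machine the article mentions.
SAMPLE_LOG = r"""
2020-11-28T09:00:01 ws-billing-03 winword.exe WRITE C:\Users\bob\Documents\invoice.docx
2020-11-28T09:00:05 ws-billing-03 explorer.exe RENAME C:\Users\bob\Documents\draft.tmp -> C:\Users\bob\Documents\draft.docx
2020-11-28T09:01:00 ws-billing-03 updater.exe RENAME C:\Users\bob\Documents\q1.xlsx -> C:\Users\bob\Documents\q1.xlsx.locked
2020-11-28T09:01:03 ws-billing-03 updater.exe RENAME C:\Users\bob\Documents\q2.xlsx -> C:\Users\bob\Documents\q2.xlsx.locked
2020-11-28T09:01:07 ws-billing-03 updater.exe RENAME C:\Users\bob\Documents\notes.docx -> C:\Users\bob\Documents\notes.docx.locked
2020-11-28T09:01:12 ws-billing-03 updater.exe RENAME C:\Users\bob\Pictures\cat.jpg -> C:\Users\bob\Pictures\cat.jpg.locked
2020-11-28T09:01:15 ws-billing-03 updater.exe WRITE C:\Users\bob\Documents\README_RESTORE.txt
2020-11-28T09:01:20 ws-billing-03 updater.exe RENAME C:\Users\bob\Documents\budget.xlsx -> C:\Users\bob\Documents\budget.xlsx.locked
2020-11-28T09:01:25 ws-billing-03 updater.exe RENAME C:\Users\bob\Documents\plan.pptx -> C:\Users\bob\Documents\plan.pptx.locked
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (WRITE|RENAME) (.+)$")


def parse_line(line: str):
    """Parse one log line into a dict, or return None for blank/unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, proc, action, rest = m.groups()
    event = {"ts": datetime.fromisoformat(ts), "host": host, "proc": proc, "action": action}
    if action == "RENAME":
        old, new = rest.split(" -> ", 1)
        event.update(old=old, new=new)
    else:
        event["path"] = rest
    return event


def extension_changed(old: str, new: str) -> bool:
    """True when a rename changes the file's extension (e.g. .xlsx -> .locked)."""
    return PureWindowsPath(old).suffix.lower() != PureWindowsPath(new).suffix.lower()


def detect_bulk_renames(lines, window_seconds: int = 60, threshold: int = 5) -> list:
    """Alert once per (host, process) that renames >= threshold files to a new
    extension inside a sliding window of window_seconds."""
    recent = defaultdict(deque)   # (host, proc) -> timestamps of qualifying renames
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["action"] != "RENAME" or not extension_changed(ev["old"], ev["new"]):
            continue
        key = (ev["host"], ev["proc"])
        q = recent[key]
        q.append(ev["ts"])
        # drop renames that fell out of the window
        while q and ev["ts"] - q[0] > timedelta(seconds=window_seconds):
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"host": key[0], "proc": key[1], "count": len(q),
                           "first": q[0].isoformat(), "last": ev["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_renames(SAMPLE_LOG.splitlines()):
        print(f"ALERT {alert['host']} {alert['proc']}: {alert['count']} extension-changing "
              f"renames between {alert['first']} and {alert['last']}")
```

The single legitimate rename by explorer.exe stays below the threshold, while the fifth rename by the unfamiliar process trips the alert while the burst is still in progress, which is the point at which isolating the host still limits the damage.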

3. Segmentation is Safer

Make it harder for attackers to move around inside of your organization once they have gained a foothold.

Segmentation can help keep data safe, even if other parts of your network have been compromised. This is also an opportunity for threat modeling and understanding how hackers can move laterally within your network.

For example, a ransomware attack is likely to come in through a malicious email, probably to one of the public-facing departments like Billing that is used to opening all kinds of attachments and links.

Why not set them up on their own smaller network that is detached from patient records, so that even if they are breached, the more vital data is left unaffected?

Disincentivize the Attackers

In the early days of ransomware, the amounts being requested were so low that it wasn’t worth it for bigger organizations to bother with workarounds. It was just cheaper to pay and move on, chalking the attack up to an operational expense.

But in more recent years, we have witnessed the growth of a hacking industry whose demands have skyrocketed into the millions of dollars for some of its larger targets. It may be time to reconsider whether or not it is right to continue to pay for our data’s safe return.

Yes, this might be painful for organizations that lose their data or have to face their customers after such an event. But perhaps what is most needed here are legal and cultural shifts that make it easier for organizations to say no to hackers. This is not to let them off the hook for bad security practices if they were negligent.

Think of it more as a de-escalation in an arms race that is spiraling out of control, and by the looks of it, about to enter a much scarier phase if we do not push for a change now.

This article was originally published on the author’s blog and reprinted with permission.

Isaac Kohen

VP of R&D for Teramind, a leading, global provider of employee monitoring, insider threat detection, and data loss prevention (DLP) solutions.