Fundamental ransomware truths that must be acknowledged

Security analysts have been dealing with the threat for long enough that a rough playbook on the general flow of an attack is emerging.

Ransomware attacks have continued to wreak havoc among organisations and there is no indication of it slowing down in Asia. In Singapore alone, the majority of organisations have reported some sort of ransomware attack that disrupted their business operations. Even more alarming, ExtraHop found that 45% of organisations have paid a ransom, in spite of the majority believing that a payment of ransom would only result in further attacks.

The increasingly sophisticated nature of attacks has been clearly reflected in recent findings. This calls not only for an awareness of ransomware attacks, but for an understanding of the fundamental truths behind them, which can enable businesses to secure their operations without compromise.

Truth: Basic errors lead to ransomware attacks

Every infection purportedly bears all the hallmarks of a sophisticated attack. It has become an almost boilerplate statement in every cyber incident disclosure; after all, no one wants to have to disclose that they were compromised by a basic error or oversight.

There is often a degree of scepticism that accompanies these sophistication claims, but little concrete evidence to prove or disprove them. However, given that many organisations still suffer from poor cybersecurity hygiene, like leveraging outdated protocols, we can assume that many cybercriminals don’t have to dig too hard to find an open door into an organisation.

This constant onslaught of attacks can also be attributed to the high turnover rate and workforce shortage of 1.42 million in the Asia-Pacific region. Network and IT systems are left misconfigured and best cybersecurity practices are forgotten due to the lack of required expertise or gaps in coverage.

This is further aggravated by the reality that ransomware is beyond just malware; it is an attack operated with hands on keyboards doing interactive reconnaissance and lateral movement within the network. The Singapore government has already taken steps to rectify this with its Singapore Cybersecurity Strategy in 2021, outlining intentions to groom and upskill cybersecurity talent, and companies should leverage these public policy initiatives to secure their digital architecture.

Truth: Ransomware remains a taboo conversation

In most cases, an outsider knows only that a ransomware attack took place, and nothing more. I say most because many victims try to hide even that much. Disclosing ransomware incidents continues to be unpopular in Asia-Pacific, as only one in three organisations disclose an incident. The actual number of ransomware incidents is likely to be much higher than the number disclosed, given that 58% of organisations experienced up to five ransomware attacks over the past five years.

Knowing that an attack happened is only the tip of the iceberg for useful intelligence. The largest part of the attack — how it began and how it escalated to the point of extortion — is often completely unknown outside of the victim organisation and a few close confidants, such as their insurer and perhaps a specialist incident responder. It likely involved a range of techniques and exploits, with ever-increasing sophistication. But as so few organisations disclose attacks, and fewer still publish a post-incident report containing any detail, it’s often impossible to independently establish how sophisticated an attack was, or the exact workflow of the attackers.

Truth: Defenders must think beyond prevention

Approximately 75% of security budgets go to preventing intrusion, and yet, over 80% of organisations have experienced a ransomware incident in the past five years. Victims often put too much weight on their perimeter defences and when those are inevitably breached, accessing and securing backups is essential.

Concentrating protections around initial access falls afoul of “the defenders’ dilemma”. Attackers have the upper hand at the perimeter because they control what, when, and how they attack, tweaking as they go, whereas the defender has to have all the controls in place before the attack and be right 100% of the time to win. While any security team would prefer to stop an attacker at the beginning of the kill chain, it makes more practical sense to take on attackers where you, as the defender, have the advantage.

We need to shift our thinking around the midgame, when an attacker has made it into an organisation’s network. They often leave a trail of breadcrumbs — lateral movement, staging data, or escalating privileges — that can tip off a defender. Organisations need to think beyond prevention for both their incident playbooks and tool stack.

Truth: Just reducing the risk of initial intrusion is not effective

Organisations that persist with a security strategy only focused on reducing the risk of that initial intrusion end up with a vulnerable infrastructure, as they rely on tactics like phishing training for employees and penetration testing of systems in the hope these will keep them safe. While these are important check boxes for a security program, we all know that it is only a matter of when, not if, an attacker will gain entry.

Attackers have the luxury of time and first-mover advantage to go looking for the first hole, or the first user willing to click any link put in front of them. Organisations need to take back the initiative and have more proactive solutions, for instance, real-time analytics backed by machine learning.

This real-time monitoring is not just a typical security exercise; it can be the difference in preventing ransomware attacks. Cybersecurity professionals need all the help they can get, which necessitates tracking both north-south and east-west movement within an environment. Having complete visibility into an environment and the actions taken on the network is critical for assessing and stopping threats.

Truth: Stop attacks in the midgame

The most successful defence against ransomware is in the post-compromise stage, otherwise known as the “midgame”. The midgame is where modern ransomware attacks do their damage and also where defenders hold an observable advantage if they are ready to fight on the inside.

In the midgame, the ransomware intruder lands blind into the victim’s infrastructure. The inside of the network looks like a wide-open field to maraud about or a gauntlet of tripwires if it is being observed, creating a dilemma for the intruder. Defenders, meanwhile, should have a home-field advantage, know the environment, understand what is expected, and have context about users, assets, and workloads if they are watching.

Attackers will typically try five types of moves: they will use network scanning tools to get a lay of the land, try to tap into the organisation’s Active Directory, use stolen credentials, or exploit hierarchy vulnerabilities or configuration errors for privilege escalation. They will then try to move laterally within the environment, often reusing tooling made available by IT operations for network-wide systems administration.

Once initial exploitation occurs, the command-and-control infrastructure (otherwise known as C2 or C&C) is leveraged to map the environment, enumerate assets, and mark data to compromise. This sets up the next phase of the attack: the staging of sensitive data that will eventually be exfiltrated from the victim.
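The north-south versus east-west tracking mentioned earlier and the midgame moves just listed (scanning, admin-protocol reuse for lateral movement, staging followed by exfiltration) can be turned into concrete detection logic. The following is an added example, not code from the article or from any vendor it cites. It runs over a constructed set of flow records in a made-up `<ts> <src> <dst> <dport> <bytes>` line format, classifies each flow by RFC1918 membership, and applies three heuristics whose thresholds, port list and sample traffic are assumptions chosen for illustration.

```python
"""Added example (not from the original article): midgame detection over
constructed flow records. Each flow is classified as north-south or east-west
by RFC1918 membership, then three heuristics look for the moves the article
lists: internal scanning, lateral movement over admin protocols, and data
staging followed by exfiltration. Thresholds and sample data are assumptions."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import NamedTuple

PRIVATE = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Ports of IT-operations tooling that attackers commonly reuse (assumption: tune to your estate)
ADMIN_PORTS = {22: "SSH", 445: "SMB", 3389: "RDP", 5985: "WinRM", 5986: "WinRM-TLS"}


class Flow(NamedTuple):
    ts: int          # seconds since start of capture (constructed)
    src: str
    dst: str
    dport: int
    nbytes: int      # bytes sent from src to dst


def parse_line(line: str) -> Flow:
    """Constructed line format: '<ts> <src> <dst> <dport> <bytes>'."""
    ts, src, dst, dport, nbytes = line.split()
    return Flow(int(ts), src, dst, int(dport), int(nbytes))


def is_private(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in PRIVATE)


def direction(f: Flow) -> str:
    """East-west when both endpoints are internal; otherwise north-south."""
    return "east-west" if is_private(f.src) and is_private(f.dst) else "north-south"


def detect_scanning(flows, min_targets=20, window=60):
    """Internal sources that touch >= min_targets distinct (host, port) pairs inside one time bucket."""
    seen = defaultdict(set)                     # (src, time bucket) -> {(dst, dport)}
    for f in flows:
        if direction(f) == "east-west":
            seen[(f.src, f.ts // window)].add((f.dst, f.dport))
    return sorted({src for (src, _), targets in seen.items() if len(targets) >= min_targets})


def detect_lateral_movement(flows, min_hosts=3):
    """Internal sources reaching admin protocols on >= min_hosts distinct internal hosts."""
    hosts = defaultdict(set)
    for f in flows:
        if direction(f) == "east-west" and f.dport in ADMIN_PORTS:
            hosts[f.src].add(f.dst)
    return {src: sorted(h) for src, h in hosts.items() if len(h) >= min_hosts}


def detect_staging_then_exfil(flows, min_sources=2, min_staged=50_000_000, min_egress=50_000_000):
    """Hosts that collect a large east-west inbound volume from several peers and then
    send a large north-south volume once the staging has finished."""
    staged = defaultdict(lambda: defaultdict(int))   # dst -> src -> bytes received
    last_staged_ts = {}
    for f in flows:
        if direction(f) == "east-west":
            staged[f.dst][f.src] += f.nbytes
            last_staged_ts[f.dst] = max(last_staged_ts.get(f.dst, 0), f.ts)
    alerts = []
    for host, sources in staged.items():
        if len(sources) < min_sources or sum(sources.values()) < min_staged:
            continue
        egress = sum(f.nbytes for f in flows
                     if f.src == host and direction(f) == "north-south"
                     and f.ts >= last_staged_ts[host])
        if egress >= min_egress:
            alerts.append(host)
    return sorted(alerts)


def sample_lines():
    """Constructed traffic: a normal baseline, then one workstation sweeping the network,
    fanning out over RDP/WinRM/SMB, staging data on a file server, which then exfiltrates."""
    lines = []
    for t in range(0, 600, 30):                               # baseline users
        lines.append(f"{t} 10.0.1.50 10.0.2.10 443 2000")
        lines.append(f"{t} 10.0.1.51 198.51.100.7 443 4000")
    for i in range(30):                                       # 1) RPC sweep of 30 hosts in 30 s
        lines.append(f"{61 + i} 10.0.1.77 10.0.3.{10 + i} 135 200")
    for i, port in enumerate((3389, 3389, 5985, 445)):         # 2) admin-protocol fan-out
        lines.append(f"{300 + i * 10} 10.0.1.77 10.0.3.{20 + i} {port} 50000")
    for i in range(3):                                        # 3) staging onto 10.0.3.23 ...
        lines.append(f"{400 + i} 10.0.3.{20 + i} 10.0.3.23 445 30000000")
    lines.append("500 10.0.3.23 203.0.113.9 443 120000000")   # ... then egress to an external host
    return lines


def run_detections(lines):
    flows = [parse_line(line) for line in lines]
    return {
        "scanning": detect_scanning(flows),
        "lateral_movement": detect_lateral_movement(flows),
        "staging_then_exfil": detect_staging_then_exfil(flows),
    }


if __name__ == "__main__":
    for name, result in run_detections(sample_lines()).items():
        print(f"{name}: {result}")
```

Each heuristic corresponds to one of the breadcrumbs the article says an intruder leaves: the sweep is visible as one source fanning out across many hosts, the lateral movement as a workstation speaking admin protocols to several servers, and the staging as a single host accumulating data from peers and then pushing a large volume north-south. In practice the baseline for the admin-port heuristic should exclude hosts that legitimately run systems administration, which is exactly the context about users, assets and workloads that the article says gives defenders their home-field advantage.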

Each step an attacker takes in the network opens up another opportunity for defenders to respond before destruction is done, and the ransom note delivered. For this reason, visibility and response inside the perimeter are really an organisation’s best options to prevent crippling damage from a ransomware attack.