
Data Protection

Outsmarting Ransomware’s New Playbook

Encryption is a technological necessity and also a legal safeguard, with importance in both defending against and mitigating the consequences of cyberattacks.


The cybersecurity landscape of 2024 presents an evolving challenge for professionals, particularly in the realm of ransomware. The emerging threats demand not only a strategic realignment in defense mechanisms but also an understanding of the legal implications of these cyberattacks.

Ransomware operations continue to transform, beginning to move away from traditional encryption-based “denial of access” to a focus on the less complex approach of data theft and extortion, or “denial of confidentiality”. The rationale is straightforward: why bother with the complexities of key management, coding cryptographic modules, and avoiding decryption efforts by security experts and public/private initiatives such as nomoreransom.org when you can simply steal the data and demand a ransom to avoid publication? A “data out and cash out” approach negates the challenges of traditional ransomware operations and eliminates the Get Out of Jail Free card of recovery from backups, making data theft and extortion both more efficient and more appealing for cybercriminals.

Indeed, in 2023, even long-standing ransomware threat actor Cl0p made use of zero-day vulnerabilities in both MOVEit and GoAnywhere file transfer software to simply exfiltrate data, eschewing their prior modus operandi of data encryption. BlackCat/ALPHV conducted a “smash and grab” attack against Western Digital, demanding a ransom for 10TB of stolen data, and took the unusual step of reporting another of their victims, MeridianLink, to the SEC for a failure to disclose data theft. In both these cases, no encryption was deployed. This trend may suggest a continuing interest in zero-day vulnerabilities that expose access to data and services, and there is little doubt that significant lessons will have already been learned in the cybercrime world regarding the effective monetization of vast quantities of data and victims.

In this new landscape, ironically, encryption emerges as a key defense (of course, in conjunction with those mature backup and recovery procedures). By ensuring that all sensitive data is effectively encrypted, organizations render any exfiltrated data useless to the attackers. Such an approach requires comprehensive encryption of sensitive data at rest, in transit, and during processing. Additionally, regular updates and audits of encryption standards are crucial to stay ahead of potential vulnerabilities.

Encryption works, but deployment is way behind where it should be at this point. Reflecting on my experience from over two decades ago at PGP, it’s evident that encryption technology has made significant strides, but the fear of encryption persists. This fear, which stems from concerns about complexity, cost, and impact on system performance, continues to hinder widespread adoption of encryption and represents a critical vulnerability in today’s threat landscape.

Bonus: Is it a notifiable breach if the data is encrypted? In most cases, no. Are your customers, partners, and staff at risk if the data is encrypted? In most cases, no.

Legally, encrypted data is treated differently in the event of a breach. For instance, under the General Data Protection Regulation (GDPR) in the European Union, breaches of encrypted data do not always necessitate notification to supervisory authorities or affected individuals, provided the encryption renders the data unintelligible to unauthorized persons (Article 34). Similarly, in the United States, several state laws, like the California Consumer Privacy Act (CCPA), have provisions that consider encrypted data differently during breach notifications.

Over the course of the next year or so, I expect to see ransomware threat actors and affiliates becoming more selective. This selective approach will comprise actively seeking out victims known to have cyber incident insurance and the so-called “double-tap” retargeting of organizations already known to have paid a ransom (behavior that has already been noted with variants of AvosLocker, Diamond, Hive, Karakurt, LockBit, Quantum, and Royal). I expect that a market for victim-profiling data will mature, probably as-a-service, similar to the tried and trusted “suckers list” for postal, romance and 419 scams.


Encryption emerges not only as a technological necessity but also as a legal safeguard, highlighting its importance in both defending against and mitigating the consequences of cyberattacks. With the increasing sophistication of ransomware tactics, organizations must prioritize proactive holistic security posture management. This will allow them to address vulnerability discovery and mitigation, misconfiguration detection, and exposure management.

Recognizing the importance and exposure of digital assets is fundamental to security. The focus must be on understanding and enumerating your digital assets, both managed and unmanaged/unknown. This includes data, applications, and systems (IT, OT, IoT, IoMT), and measuring your exposure to potential threats. Which services are running? Is the asset exposed to the internet? Can the asset be directly managed? Is the asset currently compliant? What are the consequences to the business if an asset is degraded, compromised, or unavailable? The higher the asset exposure and the greater the criticality, the greater the risk. This approach ensures that time-poor vulnerability risk management teams can prioritize most effectively.
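One way to turn those questions into a repeatable prioritization rule, as an added illustration that is not part of the original column: each asset records the answers, exposure is scored from them, and risk is exposure multiplied by business criticality. The additive weights, the 1 to 5 criticality scale and the sample inventory are assumptions constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str                # IT, OT, IoT or IoMT
    services: tuple          # network services the asset runs
    internet_exposed: bool   # reachable from the internet?
    managed: bool            # can the asset be directly managed?
    compliant: bool          # currently compliant with policy?
    criticality: int         # 1 (low) .. 5 (severe) consequence to the business


def exposure_score(asset: Asset) -> int:
    """Exposure grows with service surface, reachability and lack of control.
    Weights are assumptions for this example, not an industry standard."""
    score = len(asset.services)
    if asset.internet_exposed:
        score += 4
    if not asset.managed:        # unmanaged/unknown assets cannot be patched quickly
        score += 2
    if not asset.compliant:
        score += 2
    return score


def risk_score(asset: Asset) -> int:
    """Higher exposure and higher criticality both raise risk."""
    return exposure_score(asset) * asset.criticality


def prioritize(assets):
    """Return assets ordered so the team works the highest risk first."""
    return sorted(assets, key=risk_score, reverse=True)


# Constructed sample inventory (not real systems)
INVENTORY = [
    Asset("file-transfer-gw", "IT", ("https", "sftp"), True, True, False, 5),
    Asset("hr-db", "IT", ("postgres",), False, True, True, 5),
    Asset("plc-line-3", "OT", ("modbus",), False, False, False, 4),
    Asset("lobby-display", "IoT", ("http",), True, False, False, 1),
]

if __name__ == "__main__":
    for asset in prioritize(INVENTORY):
        print(f"{asset.name:18} exposure={exposure_score(asset):2} risk={risk_score(asset):3}")
```

The internet-facing, non-compliant file transfer gateway lands at the top even though the HR database is equally critical, which mirrors the zero-day cases discussed above.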

Written By

Rik Ferguson is the Vice President of Security Intelligence at Forescout. He is also a Special Advisor to Europol’s European Cyber Crime Centre (EC3), a multi-award-winning producer and writer, and a Fellow of the Royal Society of Arts. Prior to joining Forescout in 2022, Rik served as Vice President Security Research at Trend Micro for 15 years. He holds a Bachelor of Arts degree from the University of Wales and has qualified as a Certified Ethical Hacker (C|EH), Certified Information Systems Security Professional (CISSP) and an Information Systems Security Architecture Professional (ISSAP).
