Ransomware is incredibly popular because it works, and it is very profitable for the attackers
Every few years a major threat emerges that dominates the attention of security vendors, start-ups, media and board meetings. APTs, IoT security and cloud security have each had their turn. Today, it is safe to say that Ransomware is dominating the conversation, especially after so many high-profile incidents have been part of the news cycle, such as Colonial Pipeline, CD Projekt Red, JBS and the Kaseya supply chain attack, as well as many stories of healthcare providers being victimized by such attacks.
What makes Ransomware different from the previous threats that were in the spotlight is that it doesn’t represent a capable new threat actor, such as APTs, or a jump in the attacks’ sophistication, as in IoT security. Ransomware isn’t new, its delivery methods aren’t new, even demanding a ransom isn’t new. The technical innovation presented in Ransomware incidents, encrypting files on a hard drive, can’t be considered very sophisticated. Yet, despite dealing with a threat that we had many years to prepare for and protect ourselves from, Ransomware is incredibly popular because it works, and it is very profitable for the attackers.
With previous threats, the security industry faced new technical capabilities emerging from threat actors, which required vendors to catch up. In the heyday of banking malware, new features such as HTML injection and Man-in-the-Browser were introduced by the malware developers, causing vendors to struggle to identify fraudulent activity. APTs proved to be a major threat because they were able to circumvent traditional cyber defence doctrines, which focused on the perimeter and had no “strategic depth” for detecting attackers after they were already inside the systems. IoT and cloud security required new approaches because the environments they aimed to protect were quite different from the environments that security solutions had been designed for. Ransomware, on the other hand, poses none of these challenges.
The term Ransomware was originally used to describe a specific type of malware that encrypted the victim’s hard drive and demanded a ransom to decrypt the affected files. Once organizations began to mitigate the threat by implementing more rigorous backup policies, the attack shifted and began to include data exfiltration as well. “You were able to get your files back? Great, but so did we and if you don’t pay up we’ll publish them”. Whether a ransom is demanded for data decryption or the prevention of the data’s publication, there are similar technical challenges of delivering a successful attack, as well as preventing it.
The main delivery method of Ransomware is Spear Phishing. A document carrying malicious content is sent as an attachment to one of the company’s employees, and the payload is activated once the document is opened (typically by the employee enabling a macro or similar active content). This delivery method has been part of the default modus operandi of most APT groups since they came into the spotlight circa 2010. While the industry has mostly focused on the paradigm shift it had to undergo in order to mitigate APTs, moving from securing the organization’s perimeter to securing its internal networks as well, many vendors specifically tackled Spear Phishing too. Despite directly tackling these threats, and despite the ample time that has passed since they were first observed, Ransomware proves that the issue has not been solved in many organizations. Attack vectors from over a decade ago are still extremely successful, even when they are carried out by cybercriminal groups rather than advanced nation-states (which are also still operating in cyberspace to this day).
The attack vector is not the only element of the attack. When data exfiltration is used to hold the organization to ransom, we again encounter a modus operandi that was popularized by APTs. While APTs may invest more heavily in burrowing into an organization’s network, the act of exfiltration is an important part of these decade-old threats and should, in theory, be detected by the solutions aimed at mitigating it. The fact that many Ransomware incidents include the publication of internal files and documents shows that even after more than a decade, the security industry fails to protect many organizations. Both Spear Phishing and data exfiltration predate APT threats, giving the security industry even more time to prepare.
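What “detecting exfiltration” means at its most basic is a per-host egress baseline: a workstation that normally sends a few tens of megabytes a day and suddenly pushes gigabytes to a destination it has never contacted is the kind of signal the paragraph says defenders have had a decade to look for. The block below is an added illustration, not code from the original post or from any product it mentions; the record layout, the thresholds and the hosts and destinations in the sample data are all constructed for the example.

```python
"""Toy exfiltration heuristic: flag hosts whose daily egress jumps far above
their own history and report any destination they have not contacted before.

Added example, not from the original post. The record layout (day, src_host,
dst_host, bytes_out), the thresholds and all hosts/destinations are assumptions
constructed for illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev

MB = 1_000_000


def _series(host, dst, daily_mb):
    """Expand a per-day list of megabyte totals into (day, host, dst, bytes)."""
    return [("d%d" % i, host, dst, mb * MB) for i, mb in enumerate(daily_mb, start=1)]


# Constructed sample egress records covering six baseline days (d1-d6) and the
# day under review (d7). ws-17 trickles ~40 MB/day, then pushes 2.1 GB to a host
# it has never talked to; srv-backup legitimately moves ~900 MB every day.
RECORDS = (
    _series("ws-04", "crm.example.com", [20, 22, 19, 21, 20, 23, 25])
    + _series("ws-17", "crm.example.com", [40, 35, 52, 38, 45, 41, 30])
    + _series("srv-backup", "backup.example.com", [900, 920, 880, 910, 890, 900, 950])
    + [("d7", "ws-17", "files.transfer-host.example", 2_100 * MB)]
)


def daily_egress(records):
    """Return {host: {day: total_bytes_out}} aggregated from raw records."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, _dst, nbytes in records:
        totals[host][day] += nbytes
    return totals


def flag_exfiltration(records, target_day, sigma=3.0, ratio=2.0,
                      floor_bytes=500 * MB, min_history=3):
    """Return {host: details} for hosts whose egress on target_day is anomalous.

    A host is flagged when its target_day total exceeds ALL of:
      * mean + sigma * stdev of its other days (statistical outlier),
      * ratio * mean (so a busy-but-steady backup server is not flagged), and
      * an absolute floor (so a quiet host going from 1 MB to 5 MB is ignored).
    Every day other than target_day is treated as history (assumption: the
    input covers only the baseline window plus the day under review).
    """
    totals = daily_egress(records)
    seen_before, today_dsts = defaultdict(set), defaultdict(set)
    for day, host, dst, _n in records:
        (today_dsts if day == target_day else seen_before)[host].add(dst)

    alerts = {}
    for host, per_day in totals.items():
        history = [n for d, n in per_day.items() if d != target_day]
        if len(history) < min_history:
            continue  # no usable baseline; a real pipeline would use a peer-group baseline
        today = per_day.get(target_day, 0)
        threshold = max(mean(history) + sigma * pstdev(history),
                        ratio * mean(history), floor_bytes)
        if today > threshold:
            alerts[host] = {
                "bytes": today,
                "threshold": int(threshold),
                "new_destinations": sorted(today_dsts[host] - seen_before[host]),
            }
    return alerts


if __name__ == "__main__":
    for host, info in flag_exfiltration(RECORDS, "d7").items():
        print(host, info)
```

Running it flags only ws-17 (about 2.1 GB against a baseline in the tens of megabytes, to a never-before-seen destination) and leaves srv-backup alone even though it moved the most data, which is the point of combining a relative ratio with the statistical threshold. Real exfiltration is of course often spread over days, tunnelled through DNS or pushed to a legitimate cloud storage service the host already uses, so volume alone is a starting point, not a solution.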
My claim isn’t that the industry fails to stop attacks on a technical level. We only hear about the successful attacks, and potentially many more are stopped than succeed. However, the fact that so many large and high-profile enterprises fall prey to an attack that in many cases poses no new technical challenge suggests that there are still many gaps that need to be closed. The failure is not technical in nature, but a business one.
One of the major challenges of cybersecurity is that attacks can come in many forms and through many vectors. Many bases need to be covered in order to be protected. Cybersecurity has become so complex, in terms of applying solutions to protect one’s own organization, that we now have certifications to ensure everything is applied correctly. Yet we still see large enterprises fail, not only against bleeding-edge attacks but against decade-old threats.
If we truly want to protect organizations as a whole, not just specific customers, and ensure a safe cyberspace for all, the security industry needs to stop focusing on the trending topics and start working on the real issues: the complexity of protecting an organization from cyberattacks, and making that protection affordable for everyone. Until these issues are solved, attacks that are far from being a technical challenge, such as Ransomware and BEC fraud, will continue to cause damage and exemplify just how bad the overall state of cybersecurity really is.