Is ransomware dying, or merely hibernating?
In 2017, ransomware was a predator feared by many businesses across the globe, with Petya/NotPetya and WannaCry wreaking havoc. By the end of that year, however, ransomware incidents had sharply declined, allowing some welcome respite. But has ransomware, like a bear, gone into hibernation, waiting to strike again?
2018 was the year of bitcoin, and so cryptojacking was all the rage. The sky-high price of bitcoin meant that cybercriminals could make more money by hijacking connected devices to mine bitcoin than from ransomware. More common smart devices were used for hiding this type of malware, leading to headlines such as “Your smart fridge could be mining bitcoin for criminals”. Cryptojacking was more profitable, and cyberthieves will follow the money.
In 2019 it seemed for a while that cybercriminals were shifting again and using other tactics. Headlines focused on other types of attacks, like Spectre and Meltdown, which were side-channel attacks aimed at vulnerabilities in computer chips.
Today, as data becomes an increasingly valuable commodity for businesses, ransomware is re-emerging to target those businesses that rely on data.
To defend against hackers, it’s vital to understand how their tools are changing. To do that, we must understand who they are and their motives.
Why is ransomware the weapon of choice?
Some cybercriminals are like the Joker, agents of chaos that just “want to watch the world burn”. Examples would be a nation-state hacker engaged in a disinformation campaign, or perhaps a disgruntled ex-employee with insider access seeking revenge. But most cybercriminals attack businesses with a purely financial motive: hacking is a business.
Ransomware enables criminals to lock up data and demand payment, usually via a difficult-to-trace cryptocurrency, and walk away unscathed. Some victims might report the incident to the authorities, but cybercriminals have a low discovery risk. Ransomware can also appeal to criminals who are simply looking to inflict damage, as it can completely disrupt business operations. When the business in question is taking care of vulnerable people, like healthcare, or where time lost is extremely valuable, many might think the easiest way out is just to pay up.
Before ransomware was widespread, criminals often had to steal and resell data. These attacks, while profitable, did mean they had to risk being caught, whether due to an investigation by a bank or a law enforcement sting on the Dark Web.
As profitable as ransomware can be, the 2018 bitcoin price surge led many criminals to switch to stealing processing power to mine for bitcoin. These attacks have a lower footprint than ransomware, allowing criminals to earn revenue with even less risk of getting caught. But bitcoin mining has diminishing returns and requires more and more processing power to turn a profit.
As time has passed, more opportunities for ransomware have emerged, and it’s reasonable to expect a resurgence in 2020. Legacy machines remain connected, many businesses’ patching is inefficient, and a whole host of endpoint devices are viable targets.
Ransomware baring its teeth
Cybercriminals today have more sophisticated tools than ever and are smarter about how they deliver them. The focus is increasingly on industries and sectors that are likely to be more vulnerable. For example, criminals have increasingly targeted the healthcare sector and the IT services providers that manage them. Malwarebytes reported a 60% increase in reported infections in the healthcare sector in 2019 alone. It’s suggested that hackers are attracted by a higher return on investment, and the large number of connected devices available. In healthcare, cybersecurity is often treated as an afterthought, with legacy systems, poor patch management, staff with little security training, and a whole host of unprotected devices.
Another change involves the advancement in cyberattack delivery. Thanks to the sheer quantity of personal data freely available on the web, hackers can craft very convincing phishing and social engineering attacks that can even fool IT professionals.
As in any business, cybercriminals may attempt their own version of cross-selling. Paying the ransom may unlock the system, but other attacks may be left behind, such as a crypto miner, financial trojan, or keylogger. Scrubbing the machine of ransomware may not be the end of the attack.
Protect against the threat
Ransomware is like any other threat—the best strategy for protection lies not in a single solution, but multiple layers of security.
Email protection: Like many other attacks, the main delivery mechanism is email, fooling a user into a direct download or into opening a malicious document that launches a script. A good email security solution can help shut down these attacks.
Web protection: Someone can easily stumble across a malicious website and accidentally download ransomware. A web protection solution can help keep your business off known malicious sites.
Backup: The simplest way to defeat ransomware is to restore a backup taken before the attack took place—though some ransomware strains delete local backups to prevent this.
Endpoint protection: Cybercriminals will continue developing newer, sneakier forms of ransomware. Dealing with emerging threats needs more than just antivirus—a solid endpoint protection product will use AI and machine learning to help spot unusual behavior. For example, at the delivery phase, criminals may attempt to use internal system tools like remote desktop protocol (RDP) to land the ransomware on the system. A good endpoint protection system can spot suspicious activity, like an odd pattern on RDP, and flag it much more quickly.
Ultimately, as data has become more valuable, ransomware has reawakened as a major threat. We have already seen a 74% increase in ransomware attacks in 2019. And it’s less hacker sophistication and more poor security hygiene that is creating opportunities. Like fashion, ransomware seems to be cyclical in nature, a staple that will reappear when other attacks fall out of favour. No business should expect it to go away as a threat; complacency will only make it more vulnerable when the bear reawakens.
By Tim Brown, VP of Security, SolarWinds MSP
SAS: Improving the British Army’s decision making with data
SAS’ long-standing relationship with the British Army is built on mutual respect and grounded by a reciprocal understanding of each other’s capabilities, strengths, and weaknesses. Roderick Crawford, VP and Country GM for SAS UKI, states that the company’s thorough grasp of the defence sector makes it an ideal partner for the Army as it undergoes its own digital transformation.
“Major General Jon Cole told us that he wanted to enable better, faster decision-making in order to improve operational efficiency,” he explains. Therefore, SAS’ task was to help the British Army realise the “significant potential” of data through the use of artificial intelligence (AI) to automate tasks and conduct complex analysis.
In 2020, the Army invested in the SAS ‘Viya platform’ as an overture to embarking on its new digital roadmap. The goal was to deliver a new way of working that enabled agility, flexibility, faster deployment, and reduced risk and cost: “SAS put a commercial framework in place to free the Army of limits in terms of their access to our tech capabilities.”
Doing so was important not just in terms of facilitating faster innovation but also, in Crawford’s words, to “connect the unconnected.” This means structuring data in a simultaneously secure and accessible manner for all skill levels, from analysts to data engineers and military commanders. The result is analytics and decision-making that drive innovation and increase collaboration.
Crawford also highlights the importance of the SAS platform’s open nature: “General Cole was very clear that the Army wanted a way to work with other data and analytics tools such as Python. We allow them to do that, but with improved governance and faster delivery capabilities.”
SAS realises that collaboration is at the heart of a strong partnership and has been closely developing a long-term roadmap with the Army. “Although we're separate organisations, we come together to work effectively as one,” says Crawford. “Companies usually find it very easy to partner with SAS because we're a very open, honest, and people-based business by nature.”
With digital technology itself changing with great regularity, it’s safe to imagine that SAS’ own relationship with the Army will become even closer and more diverse. As SAS assists it in enhancing its operational readiness and providing its commanders with a secure view of key data points, Crawford is certain that the company will have a continually valuable role to play.
“As warfare moves into what we might call ‘the grey-zone’, the need to understand, decide, and act on complex information streams and diverse sources has never been more important. AI, computer vision and natural language processing are technologies that we hope to exploit over the next three to five years in conjunction with the Army.”
Fundamentally, data analytics is a tool for gaining valuable insights and expediting the delivery of outcomes. The goal of the two parties’ partnership, concludes Crawford, will be to reach the point where both access to data and decision-making can be performed qualitatively and in real-time.
“SAS is absolutely delighted to have this relationship with the British Army, and across the MOD. It’s a great privilege to be part of the armed forces covenant.”