As October’s annual Cybersecurity Awareness Month draws to a close with a hack on Tesco’s systems and a warning from GCHQ’s director over a doubling UK ransomware attacks, it’s clear that that 2022 cyber-wise will be just as difficult as 2021.
Although some believe that organizations are getting better at preparing for and responding to attacks, the evidence from some recent reports is thin on the ground.
ThycoticCentrify’s “2021 State of Ransomware” survey, based on responses from 300 US-based IT decision-makers, found that 64% of respondents had experienced a ransomware attack in the last 12 months, with 83% of victims saying they had no choice but to pay a ransom to their attackers to restore encrypted data. The suggestion in the report’s headline is that it is not a matter of if, but when a ransomware attack will happen, is sadly all too true.
Another report, from the US Treasury Department’s financial crimes enforcement network (FinCEN), noted a significant increase in the number of ransomware-related suspicious activity reports (SARs) from US financial institutions between January and June 2021. Over the six months, financial institutions submitted 635 SARs, against 458 similar reports in all of 2020.
A third report, from Corvus, a cyber insurance firm, showed the cost of ransom payments is rising as a share of the overall cost of a ransomware attack. The average ransom for 2021 is now over $142,000.
The fact that UK ransomware attacks have increased is really no surprise. Ransomware is a global problem: the security challenge of our age. And organizations are still falling victim to it.
Why ransomware isn’t going away
Various reasons have been suggested for ransomware’s continuing prevalence. One suggestion is that two-factor authentication needs to be fully implemented by organizations. Anything that requires a username and password for access should have two-factor authentication enabled.
Another reason is that ransomware attackers have never had it better in terms of freely available tooling. Attackers need phishing toolsets, obfuscation frameworks, initial access tools, command-and-control infrastructure, credential-abuse tools, and open-source ransomware payloads, and most of them can be found on GitHub.
Ransomware groups also seem to collaborate better than the infosecurity industry. ‘Work’ can be spread across multiple criminal groups, meaning it’s harder to attribute tactics, techniques and procedures to any single actor.
What is clear is that authorities should be offering better advice on how to prepare for ransomware attacks, which are themselves constantly evolving. High level talk of links between criminal and state actors is of little practical use to UK organizations facing sophisticated ransomware threats.
The double extortion threat
There should be much more discussion of the growing threat of ‘double extortion’. Up to 40% of cyberattacks now involve a form of double extortion. Instead of just encrypting files, double extortion ransomware exfiltrates the data first. This means that if the company refuses to pay up, information can be leaked online or sold to the highest bidder.
Dell has described it as a ‘multi-modal attack campaign’ that also involves an attack on the brand reputation of the victim through naming and shaming. It typically includes select disclosure of exfiltrated data as a means of proof of attack. Such auctioning of exfiltrated data on the dark web provides attackers with a secondary means of monetization of the original attack.
The bottom line is that back-ups can no longer be relied upon to save the day, ransomware attacks are continually evolving, and well-meant, but seemingly ineffective cybersecurity awareness months are not enough to counter them.