The evolution of ransomware

In the first of a series of blog posts CERT NZ traces the history of ransomware and offers some advice.

19 August 2021

Like most cyber security attacks, ransomware has been evolving at pace.

These attacks began life as a semi-automated operation. When someone opened a malicious email the horse would bolt, and ransomware would run riot across their device. It was a one-size-fits-all, haphazard approach, where an attacker would throw something out into the ether and see what came back.

Because the approach was “spray and pray”, the demand was set at a fixed price and usually ranged between $500 and $1,000.

Fast forward to today, and ransomware has grown up. It’s a hands-on, targeted, big dollar business. Attackers have created a successful business model, doing planned due diligence on a target to fully understand what can be gained.

This hands-on approach means attackers are taking on large-scale operations for large-scale gains. Ransom demands are calculated based on what attackers think a company might pay, often in the hundreds of thousands to millions of dollars.

Attackers also add more tricks to their arsenal, copying sensitive data and demanding additional payment, or else they will leak or sell that information.

Some attackers are even threatening distributed denial-of-service (DDoS) attacks to put additional pressure on an organisation to pay up.

Supply chain attacks, such as those we have recently seen with Kaseya, highlight the need to be prepared to deal with an attacker who has gained access to your network.

From a business perspective there are several things to consider, but let’s look at when you’re taking on a managed service provider (MSP). Like anything else, there are risks which need to be weighed up and managed.

Whether your MSP is around the corner, or on the other side of the world, you need to be aware of the security risks – because their risks impact your systems. If they can access your systems from their network, then a compromise of their network becomes a compromise of your network.

The right combination of defences doesn’t just make it difficult for an attacker to get into your network, but also difficult for an attacker who has already gained access to go any further, so it’s important not to rely on a single defensive layer. By making sure that an attacker can’t easily move from one device to other devices in your network, or by preventing them from getting administrative access to those devices, you limit the damage they can do.

We know attackers are always evolving, and so we, as defenders, need to evolve our defences too. Kaseya and other similar incidents are just examples of attackers changing up their tactics. We’ve seen them getting creative, and that is why defence in depth is important.

Data exfiltration, where attackers steal sensitive data from your organisation, makes it especially important to stop an attack as early as possible.

Having backups to prepare for the worst is one thing, but you can’t really afford to say “well, we can recover from backups, so we don’t need security.”

If data is stolen this has a massive impact in more ways than one.

CERT NZ’s critical controls are the best place to start to help prevent an attacker from gaining access to your entire network. It’s about how you configure and maintain the systems you have, not about buying the latest ‘silver bullet’ piece of technology.

Remember, well-designed systems fail safely, like a well-designed bridge or building. Poorly designed systems fail badly.

This post first ran on CERT NZ’s LinkedIn page.