Understanding the Root Cause of Opportunistic and Targeted Ransomware Attacks
By Jeffrey Kok, Vice President of Solution Engineering, Asia Pacific and Japan at CyberArk
The critical infrastructure systems we rely on to deliver water, electricity, fuel and other essential services are under siege. With the rise in global and local incidents, ransomware is becoming cyber criminals’ attack method of choice. Threat actors understand that even short periods of downtime can cause far-reaching disruption and damage to businesses, and this puts extreme pressure on victim organisations to pay up in order to decrypt data and restore operations quickly.
While industrial systems may be top-of-mind today, the threat of ransomware knows no boundaries, and no individual or industry is safe from its reach — especially in the age of cloud, mobile and highly distributed workforces. In Singapore, the Cyber Security Agency of Singapore (CSA) recorded a near 75 percent increase in ransomware incidents from January to October 2020 compared with the total number of reported incidents for the whole of 2019. The primary targets were small and medium enterprises (SMEs) across various sectors, including manufacturing, retail and healthcare. According to the ASEAN Cyberthreat Assessment 2021 report, the average ransomware payout across all businesses grew from less than USD10,000 per event in the third quarter of 2018 to more than USD178,000 per event by the end of the second quarter of 2020. Among large enterprises, average ransomware payments now exceed USD1 million.
Why is ransomware so pervasive, and how do these attacks continue to be so successful? To answer these questions, it is important to understand how opportunistic and targeted ransomware attacks work.
What is an Opportunistic Ransomware Attack?
A whopping 86 percent of breaches are financially motivated, according to the 2020 Verizon Data Breach Investigations Report. Attackers know that ransomware is one of the quickest and easiest ways to turn a profit.
By distributing ransomware in bulk using common “spray and pray” tactics — such as phishing, social engineering and exploit kits — attackers can target many organisations and infect numerous desktops, laptops and servers in one fell swoop. Once deployed, the ransomware prevents users from interacting with their files, applications or systems until a ransom is paid, usually in the form of an untraceable currency like Bitcoin.
The 2017 WannaCry outbreak is perhaps the best example of an opportunistic ransomware attack. With the ability to self-replicate, this ransomware strain went viral, infecting more than 200,000 systems across 150 countries. The attack impacted organisations across many sectors, bringing business operations to a grinding halt.
Ransomware has become a preferred means of extortion by opportunistic attackers for two key reasons. First, many organisations fail to practice proper security hygiene when it comes to backup and recovery. Attacks targeting backups may be few and far between, but once data on endpoints and servers is encrypted and held for ransom, organisations are forced to choose between losing important data forever or forking over Bitcoin to (hopefully) get their data back.
Second, many organisations rely too heavily on traditional anti-virus solutions, which are often not effective in blocking ransomware. These solutions work by maintaining an inventory of known malware and blocking future executions of that malware. However, as ransomware files slightly morph with each new version — and new versions are created by the minute — these solutions have little chance of preventing infection.
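The contrast between inventory-based and behaviour-based detection can be shown in a few lines. The following is an added example written for this article (not CyberArk's code or any product's logic): a hash lookup that misses a sample once a single byte changes, beside a simple rate detector over constructed file-system events that flags a process renaming many files in a short window regardless of what the binary looks like. Thresholds, process names and paths are illustrative assumptions.

```python
import hashlib
from collections import defaultdict, deque

# Signature approach: an inventory of SHA-256 digests of known-bad files.
# The "sample" below is a constructed byte string, not a real malware build.
KNOWN_SAMPLE_V1 = b"MZ\x90\x00 constructed ransomware build v1"
KNOWN_BAD_HASHES = {hashlib.sha256(KNOWN_SAMPLE_V1).hexdigest()}


def signature_match(sample: bytes) -> bool:
    """True only when the file's digest is already in the inventory."""
    return hashlib.sha256(sample).hexdigest() in KNOWN_BAD_HASHES


# Behaviour approach: look at what a process does to files, not what it hashes to.
# Each event is (timestamp_seconds, process_name, action, path).
def behaviour_alerts(events, threshold=20, window_s=10.0):
    """Flag any process that renames or overwrites at least `threshold` files
    inside any `window_s`-second window. Returns {process: first_alert_time}."""
    recent = defaultdict(deque)  # process -> timestamps still inside the window
    alerts = {}
    for ts, proc, action, _path in sorted(events):
        if action not in ("rename", "overwrite"):
            continue
        window = recent[proc]
        window.append(ts)
        while window and ts - window[0] > window_s:
            window.popleft()  # drop events older than the window
        if len(window) >= threshold and proc not in alerts:
            alerts[proc] = ts
    return alerts


def demo():
    """Run both detectors on constructed data; returns (signature results, behaviour alerts)."""
    # A "new version": one byte differs, so the digest is brand new to the inventory.
    morphed = KNOWN_SAMPLE_V1[:-1] + b"2"
    sig_results = (signature_match(KNOWN_SAMPLE_V1), signature_match(morphed))

    events = []
    # Constructed benign activity: a backup agent overwriting a few files, 12 s apart.
    for i in range(5):
        events.append((i * 12.0, "backup-agent.exe", "overwrite", f"/srv/backup/doc{i}.bak"))
    # Constructed encryption burst: 40 renames to a new extension within 4 seconds.
    for i in range(40):
        events.append((100.0 + i * 0.1, "svchost_upd.exe", "rename", f"/home/user/doc{i}.locked"))
    return sig_results, behaviour_alerts(events)


if __name__ == "__main__":
    print(demo())  # the hash check catches only the original; the rate check catches the burst
```

The signature check returns `(True, False)`: the original build matches, the morphed one does not. The behaviour detector ignores the backup agent and raises on the renaming process at the 20th event, which is the kind of control the "assume breach" posture discussed later relies on.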
What is a Targeted Ransomware Attack?
In recent years, more sophisticated attackers have shifted to targeted ransomware in search of bigger payouts. They select very specific organisations based on their ability (or need) to pay large ransoms and go after them with customised tactics, techniques and procedures (TTPs).
Attackers seeking huge payouts are very creative, often going to great lengths to understand a victim’s technology stack so they can identify and exploit vulnerabilities, while pinpointing the most valuable data to encrypt and hold for ransom. They are also extremely patient, escalating privileges to circumvent security systems and evading detection for an extended period before deploying the ransomware payload. During this time, attackers often target data backups so the organisation cannot restore files after they have been encrypted.
Threat actors often follow a familiar attack path: steal valid credentials for a corporate identity and use them to infiltrate the company via Remote Desktop Protocol (RDP) or a Virtual Private Network (VPN). Once inside, the attackers escalate privileges and move laterally to establish persistence on the network. From this point, data is exfiltrated and ransomware is deployed to encrypt files and demand hefty ransoms. Along the way, endpoint defences, including Endpoint Detection and Response (EDR) tooling, are disabled or bypassed using both custom tooling and hands-on-keyboard techniques.
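Because that path unfolds over days and across several hosts, no single event looks alarming on its own; the signal is the ordered progression per identity. The following is an added example for this article (not CyberArk's code): a small correlator that tracks, per account, how far along the stages described above an identity has progressed within a fixed horizon of its initial remote logon, run over a constructed event list. Event kinds, account names, hosts and the 48-hour horizon are illustrative assumptions; mapping real log sources (RDP logon records, privilege-assignment audits, service-stop messages) onto these kinds is left to the reader's environment.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    user: str
    kind: str      # one of the STAGES below, or anything else (ignored)
    detail: str


# The attack path from the article, as an ordered list of stages.
STAGES = ["remote_logon", "privilege_grant", "lateral_logon", "edr_service_stop"]


def stage_progress(events, horizon=timedelta(hours=48)):
    """Per user, record the stages reached in order, starting the clock at the
    first remote logon. Returns {user: {"start": ts, "stages": [...], "hosts": set()}}."""
    progress = {}
    for ev in sorted(events, key=lambda e: e.ts):
        state = progress.get(ev.user)
        if state is None:
            if ev.kind == STAGES[0]:        # path only starts with a remote logon
                progress[ev.user] = {"start": ev.ts, "stages": [ev.kind], "hosts": {ev.host}}
            continue
        if ev.ts - state["start"] > horizon:
            continue                        # too far from the initial entry to correlate
        expected = len(state["stages"])
        if expected < len(STAGES) and ev.kind == STAGES[expected]:
            state["stages"].append(ev.kind)
            state["hosts"].add(ev.host)
    return progress


def suspicious_users(events, min_stages=3):
    """Accounts that have progressed through at least `min_stages` stages in order."""
    return sorted(u for u, s in stage_progress(events).items() if len(s["stages"]) >= min_stages)


def sample_events():
    """Constructed events: a normal admin session and an intrusion spanning two hosts."""
    d0 = datetime(2021, 3, 1)
    return [
        # Administrator connects over VPN and gets elevated rights: two stages, then stops.
        Event(d0 + timedelta(hours=9), "WS-042", "jdoe", "remote_logon", "vpn logon"),
        Event(d0 + timedelta(hours=9, minutes=5), "WS-042", "jdoe", "privilege_grant", "admin token"),
        Event(d0 + timedelta(hours=9, minutes=20), "WS-042", "jdoe", "file_open", "report.xlsx"),
        # Stolen service-account credential used over RDP at night, then the full path.
        Event(d0 + timedelta(hours=23, minutes=10), "JUMP-01", "svc_backup", "remote_logon", "rdp from external"),
        Event(d0 + timedelta(hours=23, minutes=40), "JUMP-01", "svc_backup", "privilege_grant", "local admin"),
        Event(d0 + timedelta(days=1, hours=1, minutes=15), "FS-01", "svc_backup", "lateral_logon", "smb admin share"),
        Event(d0 + timedelta(days=1, hours=2), "FS-01", "svc_backup", "edr_service_stop", "sensor stopped"),
    ]


if __name__ == "__main__":
    for user, state in stage_progress(sample_events()).items():
        print(user, state["stages"], sorted(state["hosts"]))
    print("suspicious:", suspicious_users(sample_events()))
```

On the constructed data the administrator reaches only the first two stages and is not reported, while the service account reaches all four across two hosts. Requiring the stages in order keeps an admin who legitimately elevates after a VPN logon from tripping the rule; lowering `min_stages` trades that precision for earlier warning.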
Perhaps the most troubling thing about targeted ransomware attacks is that just because an organisation has been targeted once, it does not mean it will not happen again. To maintain persistence on target networks, attackers often construct backdoors that allow them to re-enter at will. Most companies cannot withstand the business impact of one ransomware attack, let alone two.
Opportunistic or Targeted, the Initial Attack Vector Remains the Same
Whether opportunistic or targeted, ransomware attacks start at the endpoint. Inadequately protected desktops, laptops and servers are pervasive — and each one provides a potential entry point for attackers to steal and encrypt data.
By examining numerous ransomware attacks, one thing is abundantly clear: relying on a single endpoint security solution, whether endpoint detection and response or anti-virus, is not sufficient to stop every threat. Organisations are therefore wise to adopt an assume-breach mindset, reducing the chances of ransomware encrypting files even if it does enter their environments. Ultimately, a defence-in-depth approach is necessary, layering a variety of security controls to eliminate gaps, reduce exposure and strengthen overall security posture.
Privileged Access Management is a critical, yet often overlooked, component of an effective endpoint security strategy. If a malicious attacker or insider gains access to a privileged credential, he or she will appear to be a trusted user, which makes detecting risky activity more challenging.
In combination with endpoint detection and response, anti-virus/NGAV, application patching and OS patching, organisations can significantly reduce risk by managing and securing privileges on endpoint devices. By implementing restriction models that only trust specified applications run by specific accounts and under specific circumstances, security systems can detect ransomware quickly and with certainty. By taking this comprehensive approach to endpoint security, organisations can defend from every angle and block attacks before they cause harm.
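The restriction model described above is default-deny: an executable runs only when the binary, the account, the launching context and the circumstances all match a rule. The following is an added example written for this article (not CyberArk's code or the logic of any product): a small policy evaluator over constructed rules and execution requests. The rule fields (trusted path and hash, permitted accounts, permitted parent processes, permitted hours, whether elevation is allowed) and all names, paths and digests are illustrative assumptions.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    sha256: str            # the only binary content trusted at this path
    accounts: frozenset    # accounts permitted to run it
    parents: frozenset     # process names permitted to launch it
    hours: tuple = (0, 24)  # [start, end) hour of day in which it may run
    elevated_ok: bool = False  # whether it may run with administrative rights


@dataclass(frozen=True)
class ExecRequest:
    path: str
    sha256: str
    account: str
    parent: str
    hour: int
    elevated: bool = False


def evaluate(rules, req):
    """Default deny: return ("allow"|"deny", reason) for one execution request."""
    rule = rules.get(req.path)
    if rule is None:
        return "deny", "application not in the trusted set"
    if req.sha256 != rule.sha256:
        return "deny", "binary content does not match the trusted hash"
    if req.account not in rule.accounts:
        return "deny", f"account {req.account} is not permitted to run this application"
    if req.parent not in rule.parents:
        return "deny", f"launched by unexpected parent {req.parent}"
    start, end = rule.hours
    if not start <= req.hour < end:
        return "deny", "outside permitted hours"
    if req.elevated and not rule.elevated_ok:
        return "deny", "elevation not permitted for this application"
    return "allow", "matches trusted application rule"


# Constructed digests standing in for the real binaries' hashes.
AGENT_HASH = hashlib.sha256(b"constructed backup agent bytes").hexdigest()
WORD_HASH = hashlib.sha256(b"constructed word processor bytes").hexdigest()

# Constructed policy: a service runs the backup agent (elevated, any hour);
# two users run the word processor from the desktop shell during the working day.
POLICY = {
    r"C:\Program Files\BackupAgent\agent.exe": Rule(
        AGENT_HASH, frozenset({"svc_backup"}), frozenset({"services.exe"}), (0, 24), True),
    r"C:\Program Files\Office\winword.exe": Rule(
        WORD_HASH, frozenset({"jdoe", "asmith"}), frozenset({"explorer.exe"}), (7, 20), False),
}

WORD = r"C:\Program Files\Office\winword.exe"
AGENT = r"C:\Program Files\BackupAgent\agent.exe"


def sample_decisions():
    """Evaluate a set of constructed requests; returns a list of (label, decision)."""
    cases = [
        ("normal document edit", ExecRequest(WORD, WORD_HASH, "jdoe", "explorer.exe", 10)),
        ("unknown binary from temp", ExecRequest(r"C:\Users\jdoe\AppData\Local\Temp\invoice.exe",
                                                 "0" * 64, "jdoe", "explorer.exe", 10)),
        ("tampered agent binary", ExecRequest(AGENT, "1" * 64, "svc_backup", "services.exe", 3, True)),
        ("word launched from shell", ExecRequest(WORD, WORD_HASH, "jdoe", "cmd.exe", 10)),
        ("word at night", ExecRequest(WORD, WORD_HASH, "asmith", "explorer.exe", 23)),
        ("word run elevated", ExecRequest(WORD, WORD_HASH, "asmith", "explorer.exe", 9, True)),
        ("agent run by user", ExecRequest(AGENT, AGENT_HASH, "jdoe", "services.exe", 3, True)),
    ]
    return [(label, evaluate(POLICY, req)[0]) for label, req in cases]


if __name__ == "__main__":
    for label, decision in sample_decisions():
        print(f"{label:28s} -> {decision}")
```

Only the first request is allowed; the other six are denied for different reasons, which is why each check returns its own reason string. A logged deny with "application not in the trusted set" from a user's temp directory is exactly the early, high-certainty signal the paragraph refers to, and refusing elevation for everyday applications removes the local-administrator rights that the targeted attack path depends on.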