A closer look at ransomware: what is it, why is it so devastating, and why aren’t we doing a better job at preventing it? This blog also describes an innovative new cybersecurity solution and shows how it can automatically detect and stop ransomware attacks and other intrusions—before they can do damage.
The most recent ransomware statistics are quite alarming. It has become the fastest growing, most damaging, and the go-to method for cybercriminals according to the U.S. Cyberspace Solarium Commission (CSC). Also, a recent article in Cybercrime Magazine, predicted that in 2021 a ransomware attack will occur every 11 seconds.
A February 2020 article in the New York Times explained that in recent attacks, the hackers often spent months quietly scouting out the inner workings of potential victims’ computer networks to ensure that their attack successfully encrypted every important file. Then, once a ransomware attack is successful, the ransom fees can range from tens of thousands to hundreds of thousands, with the average payment clocking in at $220K. By the end of 2021, damages from ransomware attacks, worldwide, could reach $20 billion dollars.
In this blog, we’ll discuss what makes ransomware so hard to find and stop, as well as what steps can be taken to prevent ransomware attacks in the future.
What is ransomware?
As a refresher, ransomware is a form of malware that infects and locks down computers, networks, and mobile devices, so that cybercriminals can force victims to pay a ransom in order to get decryption keys and regain access to critical files and data.
Cybercriminals often take another step and weaponize ransomware by ensuring decryption upon payment, but then threaten to release the files unless an increased amount of ransom is not paid. Organizations that are victims of ransomware face an average of 23 days in downtime.
More specifically, there are two types of ransomware:
- Crypto-ransomware that encrypts valuable files on a computer so the victim can’t access them. Cybercriminals then demand that the victims pay a ransom to get their files back.
- Locker ransomware that locks users out of their device and prevents them from using it. Once they are locked out, the attackers demand payment to unlock the device.
Q1 of 2021 here are 10 of the highest-profile ransomware and other cyber attacks worldwide.
#1 Channel Nine
Australian broadcaster Channel Nine was hit by a cyber attack on March 28, 2021, which rendered the channel unable to air its Sunday news bulletin and several other shows. The attack also interrupted operations at the network’s publishing business since it also forced several of the publishing tools to go down, too. Although the channel first claimed that the inconvenience was just due to “technical difficulties,” it later confirmed the cyber attack.
#2. Harris Federation
In March 2021, the London-based Harris Federation suffered a ransomware attack and was forced to temporarily disable the devices and email systems of all the 50 secondary and primary academies it manages. This resulted in over 37,000 students being unable to access their coursework and correspondence.
#3 CNA Financial
One of the biggest cyber insurance firms in the U.S., CNA Financial suffered a ransomware attack on March 21, 2021. The cyber attack disrupted the organization’s customer and employee services for three days as CNA was forced to shut down to prevent further compromise. The cyber attack utilized a new version of the Phoenix CryptoLocker malware, which is a form of ransomware.
#4 Florida Water System
A cyber criminal attempted to poison the water supply in Florida and began to increase the amount of sodium hydroxide to a potentially dangerous level. The cyber criminal was able to breach Oldsmar’s computer system and briefly increased the amount of sodium hydroxide from 100 parts per million to 11,100 parts per million.
#5 Microsoft Exchange Mass Cyber Attack
A mass cyber attack affected millions of Microsoft clients around the globe, wherein threat actors actively exploited four zero-day vulnerabilities in Microsoft’s Exchange Server. It is believed that nine government agencies, as well as over 60,000 private companies in the U.S. alone, were affected by the attack.
A popular Canadian airplane manufacturer, Bombardier, suffered a data breach in February 2021. The breach resulted in the compromise of the confidential data of suppliers, customers, and around 130 employees located in Costa Rica. The investigation revealed that an unauthorized party had gained access to the data by exploiting a vulnerability in a third-party file transfer application. Also, the stolen data was leaked on the site operated by the Clop ransomware gang.
The globally renowned computer giant Acer suffered a ransomware attack and was asked to pay a ransom of $50 million, which set the record for the largest known ransom to date. It is believed that a cyber criminal group called REvil is responsible for the attack. The threat actors also announced the breach on their site and leaked some images of the stolen data.
#8 University of the Highlands and Islands
A cyber attack targeted the University of the Highlands and Islands (UHI), forcing the university to close all 13 colleges and research institutions to students for a day. Security professionals uncovered that the attack was launched using Cobalt Strike, a penetration testing toolkit commonly used by security researchers for legitimate purposes. This incident is just another in a series of cyber attacks targeting the education sector.
#9 Sierra Wireless
On March 20, 2021, the multinational IoT device manufacturer Sierra Wireless was hit by a ransomware attack against its internal IT systems and had to halt production at its manufacturing sites. Its customer-facing products weren’t affected, and the company was able to resume production in less than a week.
#10 Accellion Supply Chain Attack
Security software provider Accellion fell victim to a breach targeting its file transfer system, FTA. Many of its clients were affected by the breach. Some high-profile organizations that got caught in the crossfire include grocery giant Kroger, telecom industry leader Singtel, the University of Colorado, cyber security firm Qualys, and the Australian Securities and Investments Commission (ASIC). A lot of confidential and sensitive data stolen from various companies by exploiting the vulnerabilities in Accellion’s FTA tool was leaked online.
Why is ransomware such a threat?
What is it about ransomware that makes it an attractive tactic for hackers?
The goal with a ransomware attack, beyond monetary gains, is “land and expand.” What’s tough is that the path inside often appears to be innocuous.
Remote desktop ports (RDP) have become one of the most common ways of infection. However, another popular method is through an email phishing campaign or use of a trojan. With a lot of companies forced into a nearly entirely remote workforce model due to COVID, they became an easy avenue of attack. Unwitting recipients are tricked into downloading or opening an attached file. Once opened, the ransomware can take over the victim’s computer or begin to spread over the network. Even worse is that typical security measures don’t work well, if at all, in cloud instances, another popular avenue to get work done for remote workers. Another form exploits security holes to infect computers without the need to trick users, such as the SolarWinds attack, were able to infect a thought to be safe vendor provided software install.
Why can’t we stop ransomware?
You can’t stop what you can’t see. Once inside the network, the virus moves freely, unseen, seeking out, exfiltrating data, and ultimately locking out organizations from their own infrastructure.
This happens because the majority of cybersecurity tools, such as network perimeter monitoring, provide protection for approximately 20% of the total traffic. Most companies don’t have real-time visibility into east-west network traffic (the other 80%), and as a result, are ill-equipped to detect malware, ransomware, and other intrusions before they have a chance to do real damage.
For example, traditional IT security tools tend to be siloed, with no simple way to aggregate or prioritize the results leading to many false alerts. Research reports that many companies receive more than 5,000 alerts a day. This falls on highly trained, and costly SOC analysts who must be available 24x7 to analyze results and attempt to take the right action to remediate potential cyber threats. It’s clear that even highly staffed SOC teams can’t investigate all of these alerts effectively.
The five keys to complete cybersecurity protection
When evaluating cybersecurity solutions, organizations should rate them against five critical criteria. These steps will not only give them the upper hand against ransomware, but also all other forms of cyber threats.
- Complete network visibility: Insight into every corner of your network, where other solutions are limited or completely blind, especially east-west traffic, which is where land and expand tactics usually happen.
- Enterprise-wide analytics: To find cyber threats quickly and accurately, leverage untapped analytics generated from alerts, logs, threat intelligence.
- Intelligent threat modeling: Take the burden off analysts by utilizing artificial intelligence (AI) to feed it through machine learning (ML) based predefined threat models that understand how each threat behaves.
- Automated and surgical threat containment: Not only should AI capabilities be incredibly accurate, but they should allow for the automatic containment of security threats before they can spread to other devices. Another important note is that production communications should carry on, only the affected devices should be brought offline.
- Auditable enforcement: Finally, for certain industries meeting industry compliance is no laughing matter. Solutions should be able to provide the reports needed to assure regulatory compliance and enforcing connectivity policies – preventing future violations.
Stopping ransomware got a whole lot easier
ARIA Cybersecurity Solutions has taken a different path when developing our threat detection and response solutions. Unlike other providers, we start inside the network to generate complete enterprise-wide traffic visibility and analytics. This helps our cyber security solutions assist in two important ways: improve the performance of your existing security stack or deploy full AI-driven SOC capabilities within a single platform.
Don’t let ransomware knock your business out of commission. Learn how our ARIA Advanced Detection and Response (ADR) solution can help you detect and automatically stop threats and attacks, all without the need for manual intervention.