If you have the impression that there have been more ransomware attacks in the past year, your instincts are right. McAfee Labs, one of the world’s leading sources for cybersecurity threat research and intelligence, reports that activity skyrocketed in late 2020, with the number of new ransomware attacks increasing by 69% from Q3 to Q4 2020.
Money is the primary driver. Ransomware has become big business, and attacks are now more likely perpetrated by organized groups and state-sponsored actors than a single hacker. In addition to paydays that can total in the millions from just one high-profile attack, ransomware groups can also use their attacks to wreak havoc. They can target strategic business operations and government agencies, disrupt vital supply chains, and even impact a country’s economy.
In May 2021, a ransomware group attacked Colonial Pipeline, the largest refined products pipeline system in the U.S. When the company learned of the attack on May 7, it shut down the entire pipeline to keep the ransomware from spreading into its operational systems. That shutdown halted gasoline and jet fuel transport from Texas to the Southeastern U.S. for days. On May 8, Colonial Pipeline paid a ransom of roughly $4.4 million in bitcoin. The FBI later recovered about $2.3 million of that amount, but the net loss was still in excess of $2 million.
Shortly after the Colonial Pipeline attack, JBS, the world's largest meat processor, was attacked and paid $11 million after ransomware forced it to shut down operations.
Although ransomware attacks on large enterprises make headlines, it’s vital to recognize that any business can be a target. U.S. Department of Homeland Security Secretary Alejandro Mayorkas recently warned organizations of all sizes of the growing ransomware threat, pointing out that one-half to three-quarters of all ransomware attacks are on small businesses.
When ransomware first made its appearance in the cyberthreat landscape, it simply encrypted files or locked a device and demanded a ransom for the decryption key. It typically deployed on a business’ network immediately after an employee opened a malicious attachment or clicked a link and set a time limit for payment, threatening to lock or destroy data permanently.
Since those early days, ransomware has become much more sophisticated. Groups have found ways to deploy ransomware undetected, giving it time to spread laterally through the victim's network before encryption begins. Ransomware groups also no longer threaten data with encryption alone. They exfiltrate the information first and demand payment so they won't publish it on the internet, a tactic known as double extortion, as the attackers did after the ransomware attack on the Washington, D.C. Metropolitan Police Department.
Ransomware definitely hurts financially, even beyond having to pay the ransom itself. Costs include downtime, IT systems repair, and possibly customer make-goods if the attack prevented the business from meeting contractual obligations. Sophos reports that the average cost of a ransomware attack in 2020 was $1.5 million for companies that paid ransom, and about $732,000 for companies that didn’t.
A 2021 study by Censuswide on behalf of cybersecurity company Cybereason also found that in addition to resulting in significant revenue loss, a ransomware attack hurt companies in other ways:
Ransomware groups are looking for targets that will result in lucrative paydays, such as healthcare information, personal data of government employees or taxpayers, and financial and credit card account information. With more of that data stored in the cloud, that’s where groups will target their efforts.
Businesses can develop a false sense of security when using cloud file collaboration suites, such as Microsoft 365 and Google Workspace. Although these cloud services use some of the best possible security measures in the industry, bad actors may still find a way to access your accounts and lock them or encrypt data.
There are several attack vectors that ransomware groups can use to deny you access to your data in the cloud:
Open Authorization (OAuth) apps offer features that can save employees time and streamline tasks, such as converting a PDF document to another format or visualizing data. However, ransomware groups are also creating malicious OAuth apps. The danger lies in how consent works: when an employee clicks "Allow," the app receives an access token (and often a refresh token) scoped to that user's cloud data. That token works without the user's password, does not trigger multi-factor authentication, and keeps working after a password reset until an administrator revokes the grant. A malicious app holding broad scopes, such as full access to Drive or to a mailbox, therefore amounts to a cloud account takeover that leaves no failed-login event behind.
In 2020, cybersecurity company Proofpoint detected more than 180 different malicious OAuth apps attacking 55% of its customers, with a 22% success rate, underscoring the need to vet the apps and plug-ins that your team wants to use.
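The following script shows how an administrator can triage the OAuth grants in a tenant before a malicious app is found the hard way. It is an added example written for this article, not code from the original page or from Altitude Networks. The scope strings are real Google and Microsoft Graph permission identifiers, but the apps, publishers and user counts are constructed sample data, and the risk tiers are this example's own judgment.

```python
"""Triage third-party OAuth app grants by the blast radius of their scopes.

Added example for this article; not code from the original page or from
Altitude Networks.  Scope strings are real Google / Microsoft Graph permission
identifiers; the apps, publishers and grant counts are constructed.
"""
from dataclasses import dataclass

# Scopes that let an app rewrite or delete data, or send mail as the user.  A
# token carrying one of these works without the password, does not trigger
# MFA, and survives password resets until the grant itself is revoked.
HIGH_RISK_SCOPES = {
    "https://www.googleapis.com/auth/drive",        # full Google Drive read/write
    "https://mail.google.com/",                     # full Gmail access
    "https://www.googleapis.com/auth/gmail.send",   # send mail as the user
    "https://www.googleapis.com/auth/admin.directory.user",
    "Files.ReadWrite.All",                          # Microsoft Graph equivalents
    "Mail.Send",
    "Mail.ReadWrite",
    "Directory.ReadWrite.All",
}
# Bulk read access: exfiltration risk, but cannot destroy data.
MEDIUM_RISK_SCOPES = {
    "https://www.googleapis.com/auth/drive.readonly",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/contacts.readonly",
    "Files.Read.All",
    "Mail.Read",
}
# Identity only, or access limited to files the user picks inside the app.
LOW_RISK_SCOPES = {
    "openid", "email", "profile",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/drive.file",
    "User.Read",
}
# Microsoft Graph refresh-token scope.  Google issues refresh tokens through
# the access_type=offline request parameter instead; treat those the same way.
PERSISTENCE_SCOPES = {"offline_access"}

LEVEL_RANK = {"low": 0, "medium": 1, "high": 2}


@dataclass(frozen=True)
class Grant:
    app: str
    publisher_verified: bool
    scopes: frozenset
    users: int            # tenant users who consented to this app


def score_grant(g):
    """Return (level, reasons) for a single grant."""
    reasons = []
    high = g.scopes & HIGH_RISK_SCOPES
    medium = g.scopes & MEDIUM_RISK_SCOPES
    unknown = g.scopes - HIGH_RISK_SCOPES - MEDIUM_RISK_SCOPES - LOW_RISK_SCOPES - PERSISTENCE_SCOPES
    if high:
        level = "high"
        reasons.append("write/send scopes: " + ", ".join(sorted(high)))
    elif medium or unknown:
        level = "medium"
        if medium:
            reasons.append("bulk read scopes: " + ", ".join(sorted(medium)))
        if unknown:
            reasons.append("unclassified scopes, review manually: " + ", ".join(sorted(unknown)))
    else:
        level = "low"
    if g.scopes & PERSISTENCE_SCOPES:
        reasons.append("offline_access: refresh token keeps the grant alive until revoked")
    # An unverified publisher holding anything beyond identity scopes is the
    # profile of the malicious apps described above: bump it one level.
    if not g.publisher_verified and level != "low":
        reasons.append("publisher not verified")
        if level == "medium":
            level = "high"
    return level, reasons


def triage(grants):
    """Grants in review order: highest risk first, then by number of users."""
    scored = [(g, *score_grant(g)) for g in grants]
    scored.sort(key=lambda t: (LEVEL_RANK[t[1]], t[0].users), reverse=True)
    return [(g.app, level, reasons) for g, level, reasons in scored]


def revoke_candidates(grants):
    """Apps whose grants should be revoked tenant-wide pending a justification."""
    return [app for app, level, _ in triage(grants) if level == "high"]


# Constructed sample grants; none of these are real apps.
SAMPLE_GRANTS = [
    Grant("PDF Converter Pro", False,
          frozenset({"https://www.googleapis.com/auth/drive",
                     "https://www.googleapis.com/auth/userinfo.email"}), 37),
    Grant("Chart Visualizer", True,
          frozenset({"https://www.googleapis.com/auth/drive.file", "openid", "email"}), 120),
    Grant("Mail Digest", True,
          frozenset({"https://www.googleapis.com/auth/gmail.readonly", "openid"}), 12),
    Grant("Inbox Summarizer", False,
          frozenset({"Mail.Read", "User.Read", "offline_access"}), 8),
]

if __name__ == "__main__":
    for app, level, reasons in triage(SAMPLE_GRANTS):
        print(f"{level:6} {app}: {'; '.join(reasons) or 'identity-only scopes'}")
```

Note that the most widely installed app in the sample (Chart Visualizer, 120 users) ranks last: it only asks for `drive.file`, which limits it to files the user explicitly opens with it. Popularity is not a risk signal; scope breadth and publisher verification are.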
If your organization has computers set to sync with data in the cloud automatically, beware. When a computer is infected with ransomware, the sync client faithfully uploads each encrypted local file over its cloud copy, so the cloud folder ends up locked too. From there the damage spreads: every other machine syncing the same shared folder pulls the encrypted versions down, even though the malware itself never ran in the cloud, and the problem compounds if the ransomware isn't detected and stopped before it reaches other users' machines. File version history in Google Drive or OneDrive can often roll the files back, but only if version retention covers the attack window, so it is no substitute for a proper backup.
Some ransomware is specifically designed to target cloud-based services such as Microsoft 365. In these attacks, bad actors use phishing emails that look legitimate to trick an employee into clicking a link or opening a file to deploy ransomware.
If you use a cloud services provider or managed service provider (MSP) for backup and disaster recovery (BDR), Desktop as a Service (DaaS), or other cloud solutions, that provider may be in the crosshairs. Ransomware groups know that MSPs manage IT environments for multiple companies, so compromising one provider's remote-management tools can give them access to many customer networks at once and multiply the ransom they can collect.
The National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity advises organizing cybersecurity into five Functions: Identify, Protect, Detect, Respond, and Recover.
The first step in protecting your business from ransomware is identifying the data and assets you need to protect. Conduct a risk assessment, considering all types of data and functionality you need to operate and how ransomware would impact them. For a business that relies on cloud collaboration, this would include continued access to cloud data and protecting files from encryption and corruption.
Once you have identified mission-critical and sensitive databases and processes, you need to devise a plan to protect access to them. Measures you can take to help stop ransomware from infecting your IT environment include:
Ensure unauthorized people cannot access files or make changes. In addition to enforcing multi-factor authentication on every account, remember to disable "orphan accounts": accounts of former employees, and accounts that are no longer in use.
This blocks potential entry points that a ransomware group could exploit, an oversight that appears to have been the entry point in the Colonial Pipeline attack. The company's CEO reported that the attackers used a legacy VPN account that was no longer in active use and was not protected by multi-factor authentication.
Train employees on security best practices, such as only granting the necessary level of permission for collaborators in the cloud. Assigning all collaborators “editor” or “administrator” permissions can quickly spiral into loss of control over who has access to your data and your cloud accounts.
When an employee installs a third-party application, they should only give it access to necessary cloud applications and services. Otherwise, you lose control of where your data is going and who can interact with your IT environment.
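The access-control measures above (disable orphan accounts, require multi-factor authentication, grant collaborators only the permissions they need) are easiest to keep honest with a periodic scripted review. The script below is an added example written for this article, not code from the original page or from Altitude Networks. The user directory and sharing records are constructed sample data, and their field names (`employed`, `enabled`, `last_login`, `mfa`, `grantee`, `role`, `link`) are assumptions rather than any provider's real export format; `example.com` is an assumed tenant domain.

```python
"""Access review for a cloud collaboration tenant: orphan accounts, accounts
without MFA, and shares that grant more than a collaborator needs.

Added example for this article; not code from the original page or from
Altitude Networks.  All records and field names below are constructed.
"""
from datetime import date, timedelta

INTERNAL_DOMAIN = "example.com"        # assumed tenant domain
INACTIVE_AFTER = timedelta(days=90)    # dormancy threshold for an enabled account
WRITE_ROLES = {"editor", "owner"}


def orphan_accounts(users, today):
    """Enabled accounts nobody should still be using: former employees,
    accounts that never signed in, and accounts dormant past the threshold."""
    found = []
    for u in users:
        if not u["enabled"]:
            continue
        if not u["employed"]:
            found.append(u["email"])
        elif u["last_login"] is None or today - u["last_login"] > INACTIVE_AFTER:
            found.append(u["email"])
    return found


def missing_mfa(users):
    """Enabled accounts that can still sign in with a password alone."""
    return [u["email"] for u in users if u["enabled"] and not u["mfa"]]


def risky_shares(shares, orphans):
    """Shares to review: write access for anyone with the link or for external
    parties, and any share still held by an orphan account."""
    flagged = []
    for s in shares:
        grantee = s["grantee"]
        reason = None
        if s["link"] == "anyone" and s["role"] in WRITE_ROLES:
            reason = "anyone with the link can edit"
        elif grantee in orphans:
            reason = "shared with an orphan account"
        elif grantee and not grantee.endswith("@" + INTERNAL_DOMAIN) and s["role"] in WRITE_ROLES:
            reason = "external collaborator has write access"
        if reason:
            flagged.append((s["file"], grantee or "link", s["role"], reason))
    return flagged


# Constructed directory export (not real people).
USERS = [
    {"email": "alice@example.com", "employed": True, "enabled": True,
     "last_login": date(2021, 5, 29), "mfa": True},
    {"email": "bob@example.com", "employed": False, "enabled": True,      # left the company
     "last_login": date(2020, 11, 1), "mfa": False},
    {"email": "carol@example.com", "employed": True, "enabled": True,     # dormant 120 days
     "last_login": date(2021, 2, 1), "mfa": True},
    {"email": "dave@example.com", "employed": True, "enabled": True,
     "last_login": date(2021, 5, 31), "mfa": False},
    {"email": "svc-backup-old@example.com", "employed": True, "enabled": True,  # never used
     "last_login": None, "mfa": False},
    {"email": "erin@example.com", "employed": False, "enabled": False,    # correctly disabled
     "last_login": date(2020, 6, 1), "mfa": True},
]

# Constructed sharing records for a few files.
SHARES = [
    {"file": "Q3-forecast.xlsx", "grantee": "alice@example.com", "role": "editor", "link": None},
    {"file": "Q3-forecast.xlsx", "grantee": "partner@contractor.io", "role": "editor", "link": None},
    {"file": "board-deck.pptx", "grantee": None, "role": "editor", "link": "anyone"},
    {"file": "handbook.pdf", "grantee": None, "role": "viewer", "link": "anyone"},
    {"file": "payroll.csv", "grantee": "bob@example.com", "role": "viewer", "link": None},
    {"file": "payroll.csv", "grantee": "dave@example.com", "role": "viewer", "link": None},
]

if __name__ == "__main__":
    today = date(2021, 6, 1)
    orphans = orphan_accounts(USERS, today)
    print("disable:", orphans)
    print("enroll in MFA:", missing_mfa(USERS))
    for item in risky_shares(SHARES, set(orphans)):
        print("review share:", item)
```

Run it on a real export and the output is a concrete to-do list rather than a policy statement: the orphan list goes to whoever can disable accounts, the MFA list to enrollment, and each flagged share back to the file owner with the reason attached.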
Research from Two Six Labs in 2020 found that many apps listed on the Google Workspace (then G Suite) Marketplace communicate with external services that the user may not be aware of, providing an opportunity for data exfiltration. Of the 889 apps they tested that required access to user data via Google APIs, almost half requested permission to communicate with external services, in most cases for unclear reasons.
Furthermore, even legitimate apps could be compromised by a ransomware group. Therefore, if your organization has given that app the ability to access your cloud applications and data, you may have created an open door for cybercriminals as well.
NIST also advises maintaining systems and using protective technology.
Another factor in mitigating risks from ransomware is to continuously monitor access to your files in the cloud. If you only review activity reports for Google Workspace or Microsoft OneDrive weekly, or even monthly, you leave a long window in which non-compliant employee behavior, unauthorized access, and risks to data can go unnoticed.
In a dynamic threat landscape and an era of continual cyberattacks, you need to monitor your team's activity continuously, using intelligent security and data loss prevention (DLP) technology. This lets you verify that your employees are following the policies that limit access to your files and data in the cloud. The technology can also alert in real time, so that when an employee violates a DLP policy you can intervene, mitigate the risk, and retrain the employee to protect cloud applications and data in the future.
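What continuous monitoring of cloud file activity can catch is illustrated below with the sync scenario described earlier: a sync client on one infected machine pushing encrypted copies of every file into the cloud. This is an added example written for this article, not code from the original page or from Altitude Networks, and not the detection logic of any product. The audit-log format (one JSON object per line with `ts`, `actor`, `action`, `name`, `new_name`) is an assumption rather than the real Google Workspace or Microsoft 365 audit schema, and the log itself is constructed inside the script.

```python
"""Spot ransomware propagating through a sync client in cloud audit logs.

Added example for this article; not code from the original page or from
Altitude Networks.  The event format is assumed and the log is constructed.
"""
import json
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # burst window
THRESHOLD = 20                  # destructive events by one actor inside the window
RATIO = 0.8                     # share of those events landing on one new extension
KNOWN_EXTENSIONS = {"docx", "xlsx", "pptx", "pdf", "csv", "txt", "png", "jpg"}
DESTRUCTIVE = {"rename", "modify", "delete"}


def parse_events(lines):
    """Parse JSON-lines audit records and sort them by timestamp."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def extension(name):
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def detect_bursts(events, window=WINDOW, threshold=THRESHOLD, ratio=RATIO):
    """One alert per (actor, extension) when an actor touches >= threshold files
    inside `window` and most of them end up with the same unfamiliar extension.
    A user bulk-editing .csv files does not trip it; a sync client pushing
    report.docx -> report.docx.locked for every file does."""
    recent = defaultdict(deque)      # per-actor sliding window of events
    alerts, seen = [], set()
    for e in events:
        if e["action"] not in DESTRUCTIVE:
            continue
        q = recent[e["actor"]]
        q.append(e)
        while e["ts"] - q[0]["ts"] > window:
            q.popleft()
        if len(q) < threshold:
            continue
        exts = Counter(extension(x.get("new_name") or x["name"]) for x in q)
        ext, n = exts.most_common(1)[0]
        if ext in KNOWN_EXTENSIONS or n / len(q) < ratio or (e["actor"], ext) in seen:
            continue
        seen.add((e["actor"], ext))
        alerts.append({"actor": e["actor"], "extension": ext, "count": n,
                       "first": q[0]["ts"].isoformat(), "last": e["ts"].isoformat()})
    return alerts


def build_sample_log():
    """Constructed audit log: normal edits by alice, a legitimate bulk CSV update
    by carol, and a sync client on bob's machine renaming files to .locked."""
    base = datetime(2021, 6, 1, 9, 0, 0)
    rows = []
    for i in range(5):
        rows.append({"ts": (base + timedelta(minutes=10 * i)).isoformat(),
                     "actor": "alice@example.com", "action": "modify", "name": f"notes_{i}.docx"})
    for i in range(25):
        rows.append({"ts": (base + timedelta(seconds=5 * i)).isoformat(),
                     "actor": "carol@example.com", "action": "modify", "name": f"data_{i}.csv"})
    for i in range(30):
        rows.append({"ts": (base + timedelta(minutes=30, seconds=3 * i)).isoformat(),
                     "actor": "bob@example.com", "action": "rename",
                     "name": f"report_{i}.docx", "new_name": f"report_{i}.docx.locked"})
    return [json.dumps(r) for r in rows]


if __name__ == "__main__":
    for alert in detect_bursts(parse_events(build_sample_log())):
        print(alert)
```

The alert fires on the twentieth rename, about a minute into bob's burst, which is the point at which an automated response (suspend the account, pause the sync client, snapshot the affected folder) still saves most of the data. Carol's 25 edits in two minutes produce nothing because the files keep a familiar extension; tune `KNOWN_EXTENSIONS` and `THRESHOLD` to your own tenant's baseline before relying on it.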
It is also important to plan and practice how your organization will respond to a ransomware attack. Assign roles and responsibilities and run drills so that response is second nature, and your team can stop the progression of an attack as soon as possible, limiting the damage it does.
Your response plan should also include a current list of contacts, such as security solutions providers and law enforcement, that you can count on for guidance as you respond to an attack and initiate an investigation.
The final level of NIST’s Cybersecurity Framework is recovery. After a ransomware attack, how will you get your data back or unlock your files?
Faced with mission-critical files encrypted by ransomware, business leaders often concede and pay the ransom, but it may not guarantee that their data is restored. Research for the Cybereason Ransomware: The True Cost to Business study found that after ransom payment, 46% of victims found that some or all of their data was corrupted.
It’s smart to have a robust backup strategy to protect your data. Veeam, a backup, disaster recovery and data management software provider, recommends following the 3-2-1 Data Protection Rule:
3. Always keep three copies of data
2. Store backups on two different media
1. Keep one copy offsite, and make sure it is offline or otherwise immutable so that ransomware running on your network cannot reach it
This plan ensures that if ransomware encrypts your data, you still have at least one copy you can restore. Depending on the type of attack you experience, this plan may also enable you to restore data without paying ransom.
Furthermore, the Cybereason study found that 80% of businesses that paid a ransom were attacked a second time, and 46% believe the second attack came from the same group as the first. Paying ransom may signal attackers that you are a worthwhile target in the future.
Ransomware groups continually change their tactics to make sure they still get paid. They know that businesses back up data and can revert to a point in time before an attack. That's why ransomware groups are extending their malware's ability to reside in a system undetected for longer periods, so that the backups taken in the meantime are contaminated too, and are threatening to release sensitive data on the internet, which no backup can mitigate.
The best way to defend against ransomware is to stop it before it infiltrates your system, and that begins with solid access control and data loss prevention policies and processes. Identify your organization’s points of exposure, protect them, then monitor for potentially malicious behavior.
Learn more about how Altitude Networks can provide you with the visibility and control over cloud solutions you need to keep your organization safe.