The evolving threat of ransomware: Beware of cyber extortion in 2021

2020 was characterized by change, and unfortunately cybersecurity threats have been a part of that as organizations everywhere face a constantly shifting set of risks. Take ransomware, where threat actors have widened their focus from merely encrypting data before demanding a ransom to far more sophisticated extortion campaigns.

By exfiltrating data during an attack and making a copy offsite, threat actors can leak sensitive data into the public domain or unleash smear campaigns to demand payment. In early 2020, Travelex, then the world’s largest currency dealer, found itself the subject of a very public cyber extortion campaign. Attackers took advantage of a vulnerability in its systems to extract data and then demanded $6 million for its release. When Travelex declined to pay, 5GB of data was released online, including financial and personally identifiable information.

As the company battled the technology and operational impact of the attack, its normal business functions were disrupted for a month, and eventually, Travelex reportedly paid $2.3 million to its attackers. The incident was later described as a contributing factor to major financial challenges that forced the business to restructure in August with the loss of 1,300 jobs.

And herein lies a crucial point that should continue to influence the cybersecurity strategy of every organization reliant on highly connected digital systems and infrastructure. Ransomware in its current form presents an existential threat that can throw healthy and effective agencies into turmoil without warning.

This type of extortion is not the only tactical shift at play. Whereas the activation of ransomware was once primarily an exercise in distribution to the widest possible audience, bad actors are now targeting their attacks against those whose data is considered more valuable, or for whom the reputational damage will be most severe and who are therefore more likely to pay the ransom --hospitals, for example.

This plays to the extortion model, and criminals will study potential victims individually and in great detail to understand the potential for mounting a successful attack and what they stand to gain. Ransomware is big business, and as such, criminal organizations are applying business principles to their “target” markets. The potential for ROI now plays a role in who gets attacked and when.

New threats require an intelligent response

For a security operations perspective, a big part of the challenge lies in detecting and investigating potential ransomware attacks using indicators of compromise, such as suspicious and/or blacklisted IP addresses, known phishing URLs and malicious file signatures. However, with new ransomware strains and techniques appearing all the time, security teams face a constantly moving target. The problem is, once an organization becomes a victim of ransomware, its security operation center (SOC) is unable to rely on IOCs alone to accurately identify the scope of the attack as it progresses throughout the network.

Instead, security teams need tools to identify key techniques used by ransomware attackers that will reveal a holistic picture of an attack. Remediation increasingly depends on an ability to quickly see if a user has been compromised by identifying never before seen files or executables or by unusual activity compared to normal behavior. By automatically assembling events mapped to MITRE tactics such as lateral movement, inhibiting system recovery, command and control, privilege escalation, credential switches and more, ransomware can be identified and blocked before any data is encrypted or exfiltrated.

The growing sophistication of ransomware attacks also means security teams must turn to automation to more effectively respond to and contain risk. While separate security tools such as intrusion detection systems, firewalls and endpoint security are helpful in preventing initial infection, once these defenses are penetrated, security teams are often left urgently managing different products while in the teeth of an attack. As a result, precious time is lost while the ransomware makes its way further down the attack chain.

For those in the firing line, orchestrating actions across a number of security products holds the key to moving rapidly from detection and investigation to response. Automating important actions such as isolating a host, blocking an IP address or other indicators to limit impact plays a huge role in reducing mean time to recovery in these critical scenarios where time is of the essence.

And unfortunately, that’s not all. The rapid pace of change in the IT landscape means there are often gaps in visibility between IT and SOC teams. For instance, security misconfigurations or vulnerabilities existing in IT environments leave organizations vulnerable to ransomware attacks.

In response, analytics -- one of the major growing trends across the IT industry as a whole -- is now enabling security teams to use active discovery in their IT environment, increasing visibility into IT assets that are not behaving as expected or have not been patched, exposing them to a potential attack. With this increased visibility, security leaders can bridge the gap across internal teams to ensure they remediate misconfigurations or vulnerabilities that ransomware exploits.

By employing more advanced detection, investigation and mitigation technologies and processes, agencies can present a much stronger defense against the enormous risk presented by cyber criminals intent on using ransomware as a route to extortion. In doing so, they can radically reduce their chances of becoming a victim of cyber extortion in 2021 and beyond.