Ransomware dominated the headlines among the biggest cyber security attacks of the last 12 months. In fact, according to the investigative analytics firm Cognyte, the number of ransomware attacks nearly doubled in the first half of last year, continuing a trend that has drastically accelerated over the past two years. This article explains why ransomware is on the rise, and what can be done to mitigate the risk of falling victim.
One factor in this upward trend is the ransomware-as-a-service development among cybercriminal groups, where larger entities provide malware and training to smaller affiliates in exchange for a percentage of any ransoms that are successfully extorted from organisations.
This practice significantly lowers the barrier to entry for ransomware attackers, as far less technical ability is now required to carry out an attack. Simply put, more attackers means more attacks, and with large, sophisticated groups offering their most effective tools, attacks are also increasingly successful.
One of the problems cybercriminals faced with ransomware attacks was the difficulty in receiving the ransom. The emergence of digital currencies such as Bitcoin has largely solved this problem.
A Bitcoin transaction cannot be as easily prevented or seized by banks or law enforcement, is extremely fast compared to conventional methods for transferring large amounts of money, and is largely anonymous. This anonymity aids attackers, but the same anonymity could also be considered favourable by organisations who may choose to pay but wish that to remain undisclosed.
While digital currency transactions can be traced, and in rare cases seized, as was the case with the 2021 Colonial Pipeline attack, many attacks originate from countries which have limited co-operation with other countries’ law enforcement authorities. As a result, cybercriminals have found ransomware attacks far easier, attracting more people to the practice.
The UK Home Office, in line with most other governments, strongly recommends against paying ransoms, stating that it encourages further attacks. However, according to research by the Neustar International Security Council, six in ten organisations would be willing to pay to regain access to their systems and data if attacked.
The recent spate of high-profile ransomware attacks that have succeeded and resulted in large payoffs has both emboldened existing attackers and encouraged new ones. While the business impact of a ransomware attack is severe enough, attackers have also frequently targeted local governments, health organisations, and critical infrastructure, all of which have responsibilities beyond merely financial ones to maintain access to their services, increasing their willingness to end the attack at all costs.
A further reason behind the growth in ransomware attacks is the increasing number of targets available to attackers. With the COVID-19 pandemic and remote working accelerating the already fast-paced growth of cloud migration, attackers have more prospective victims to target, many of whom neglected security in the race to the cloud that the pandemic necessitated.
One particular danger has been the increase in the number of open ports for Windows Remote Desktop Protocol (RDP), a tool which allows employees working from home to access office devices remotely. These ports are frequently protected by weak passwords, allowing cybercriminals a relatively easy way to gain access.
To mitigate the threat of ransomware attacks, organisations are adopting a raft of measures, including robust backup processes, malware protection and investment in access management solutions to prevent unauthorised access to systems and applications. The UK’s National Cyber Security Centre (NCSC) recommends deploying a “‘defence-in-depth’ approach,” by “using layers of defence with several mitigations at each layer.”
With over half of data breaches caused by exploiting credentials, addressing the issue of weak and reused passwords is paramount to preventing unauthorised access. Accordingly, the NCSC recommends that “Software as a Service or other services exposed to the internet should use Single Sign-On (SSO) where access policies can be defined.” Single Sign-On solutions enable organisations to ensure strong authentication is protecting their corporate applications and that the problem of passwords is taken out of the hands of users, helping protect against unauthorised access and account takeover.