Ransomware and cyberattacks had quite the year in 2020. While we were busy enabling suddenly remote workers, the FBI reported a sudden 400 percent increase in cyberattacks. The more alarming part is that the ransomware attacks also got more precise, thorough, and methodical, which was something previously less common, with criminals favoring softer, less secure targets. Sadly, it’s no longer a surprise when a ransomware attack hits the headlines: if everything up until 2019 marks its infancy, 2020 onwards marks the maturity of ransomware.
But how, and when, did ransomware evolve from the random, spray and pray nuisance of yesteryear to the destructive behemoth it is today? How has it been allowed to grow to its current state, and how can organizations shift their focus to become resilient in the face of future attacks?
The criminal underground
Today’s ransomware is only possible because of a convergence of underground ecosystems. There were plenty of missed steps and things we ignored that allowed this convergence to happen. This resulted in a mix of criminal ideas and a forum for them to be exchanged, be it for credit card thieves, banking trojan crime packs, spam services, exploit kits, malware detection testing services, or anything else an underground community of successful and aspiring thieves needs. These criminals came together in the shady areas of the darknet and grew from there, allowing the maturation of malware from a pest to a mechanism for monetization.
The global underground criminal network blossomed in parallel with the profitability of cyber-attacks, and its underground economy, the dark web, has been left to its own devices long enough to become unstoppable. Like a hydra, whenever a government or body tries to chop off its head, two more take its place. Our resolve and actions in the policing sense mean we only have ourselves to blame: the multi-jurisdictional complications, the focus on “higher priority” crime, and the lack of cooperation from certain governments have given the criminal underground a good 15 years to evolve, grow, and refine its tactics and reach.
The ascension of malware to profit
From here, the early 2000s saw the creation of the Zeus crime pack and, later, SpyEye, which evolved from the Zeus codeline. Both were, and still are, powerful banking trojans used to steal sensitive information. Zeus introduced single-click polymorphism, which meant users of these crime packs could recompile their malware as often as they wanted to help them evade signature-based detection. Zeus and SpyEye are among the oldest banking trojans: there have been countless iterations since, and I dare say we will see more yet. Both are still making headlines in 2021.
The early days of ransomware
Polymorphism proved critical in the 2015/16 ascent of ransomware, and still means that any attack today will almost certainly use a previously unknown hash signature. During those years ransomware threat actors generated new variants in assembly-line style, along with hundreds of command and control (C2) servers per day. As soon as a domain or URL was identified and blocked, more were waiting to take its place. This malware and infrastructure combination was disposable, and the whole process was repeated the next day. To distribute the malware, spam-for-hire and exploit kit services were rented or auctioned on the dark web to spray and infect at random, with most of the infected targets being individuals, and therefore paying commensurately lower ransoms. The main limitation at that point was that the malware was only automated in a wormlike fashion, and the extent of spread depended on the user’s network rights and visibility of mapped drives. The other limitation was that a widespread threat turned countermeasures into marketing, making the current mode of operation less viable. This was an existential economic moment for ransomware threat actors.
The first steps in rudimentary targeting tactics turned ransomware campaigns into what we know and fear today. It started with criminals using poorly secured RDP as an entry point, but this breach-and-spread model was economically self-validating, in part because it targeted poorly secured organizations with flat, unsegmented network topologies, and it grew from there.
Ransomware grows up
Today, as the news will tell you, criminals have refined the art of ransomware. Spray and pray tactics are no more, as the modern attacker prefers a ‘big game hunting’ approach: identifying the perfect target and hunting them for as long as it takes to claim their victory trophy. And who can blame them? One targeted, meticulous attack, if successful, is worth more than they could have ever dreamed of when they were favoring the scattergun approach.
This of course is coupled with a rise in resiliency and general security hygiene. An attack that stems from a wide net approach is somewhat easier to identify today, and can quickly be shut down. A thorough, considered attack using reconnaissance, social engineering, and spear phishing on the other hand is built to slip through a very specific perimeter of a company and is therefore extremely effective.
Ransomware is here to stay, and will only become more and more nefarious in 2021 and beyond. For IT leaders and C-suite decision makers looking to bolster their defenses against this putrid tide, one of the most important methods beyond prevention lies in greatly improving resilience.
Data is one of the most valuable assets an organization has and it should be protected with backups that are simple to search, identify and restore to the untouched, most recent version – be it stored on-premises or in the cloud. Doing so will allow targeted organizations to restore their data to a known-good, clean state, and minimize downtime without paying a hefty ransom. Storing these backups in an immutable format is essential to prevent threat actors from accessing and encrypting backed up data as part of their attack.
In addition to immutable backups, point-in-time recovery, staging, and restore options are required, to facilitate not only forensics but also any necessary cleansing. Getting servers up instantly allows for bootstrapping application dependency chains. In the case of an attack, rapid and automated identification of affected systems and a roadmap to recovery should make the mop up a swift and easy process. Getting pinpoint visibility and further insights throughout the recovery process turns an error-prone, protracted effort into efficient remediation.
The past 12 months have proven that ransomware attacks are only going to become more determined, more targeted, and more devastating. If organizations the world over are to weather this storm, a data-protection-oriented backup and recovery architecture, bolstered by intuitive, ML-powered remediation, must move from ‘nice to have’ to ‘essential component of a security strategy’, and it must happen now.
Robert Rhame, Director of Market Intelligence, Rubrik