Ransomware made mainstream news when cybercriminal group, DarkSide, launched an attack on US fuel company Colonial Pipeline, which carries nearly half the fuel consumed along the US East Coast. The disruption of critical infrastructure and the impact on our daily lives was a sobering reminder of the havoc that a successful cyberattack can wreak.
While its scale and impact grabbed headlines, this attack is only symptomatic of a dramatic resurgence in ransomware campaigns over the past year. Alongside increasing numbers of attacks, VMware found ransomware groups are becoming even more organized and sophisticated. Simultaneously, the rise of ransomware-as-a-service is enabling a much broader cybercriminal base to execute attacks using existing tools.
Understandably, this adds to the pressure already felt by CISOs, who are defending a more distributed environment than ever before.
Ransomware is a leading cause of security breaches worldwide
VMware surveyed 3,542 CISOs across 14 countries for its recently published Global Security Insights report. It found that ransomware attacks were the dominant cause of breaches for organizations. The average number of ransomware attacks organizations experienced have doubled over the past year. Additionally, the VMware Threat Analysis Unit identified a 900% increase in ransomware over the first half of 2020.
Malicious actors have spent the pandemic capitalizing on the rapid adoption of an anywhere workforce and the use of personal devices and networks by remote workers. Attackers now have an unprecedented opportunity to launch social engineering attacks, such as phishing, on unsuspecting employees.
No industry was off-limits to attackers, either. The healthcare sector was already in the grip of pandemic response and was disproportionately targeted with ransomware in 2020. One in five breaches reported by the healthcare CISOs we surveyed were caused by ransomware. In the same way that DarkSide targeted critical national infrastructure, ransomware groups have looked to cash in on the healthcare sector. It is an industry more likely to pay due to the critical nature of its business.
Double extortion tactics pile pressure on victims
New tactics are making ransomware a much more nuanced threat, too. Instead of locking up systems immediately, attackers are aiming to infiltrate systems undetected. They are also establishing persistence on the target network. It allows them to move laterally and extract data that can be monetized even if no ransom is ultimately paid. A system encryption and ransom demand will not be made until the perpetrator has covered their tracks and established a route back into the target network.
This gives cybercriminals greater hold over victims. Victims are having to worry about more than decrypting their systems. Now, organizations also face the possibility that critical assets such as customer data or trade secrets will be released for sale to the dark web, and the breach will be made public. The reputational and regulatory risk tied to ransomware means the pressure to pay a ransom is often significant. However, unless the attacker’s presence in an organization’s network is fully removed, they are likely to return for another strike on a target that has shown willingness to pay.
The cybercriminal community has capitalized on the growing profitability of this approach. Nearly 40% of security professionals say double-extortion ransomware was the most observed new ransomware attack technique in 2020.
Strengthening defenses against ransomware
Businesses are adapting to supporting the anywhere workforce while malicious actors continue to target the expanded threat landscape. It gives CISOs a once-in-a-generation opportunity to strengthen defenses against ransomware and protect their organization by:
- Delivering security as a distributed service: To protect the anywhere workforce, regardless of the devices and networks workers are using, deliver endpoint and network controls as a distributed service that follows the assets being protected throughout the environment.
- Prioritizing visibility: Better visibility over endpoints and workloads delivers contextual insight and situational intelligence to help defenders prioritize and remediate risk with confidence.
- Conducting regular threat hunting: The first step of a multistage ransomware campaign is gaining undetected access to networks. Regular threat hunting can detect silent incursions and the presence of adversaries in the environment by spotting anomalous behavior.
- Keeping monitoring “quiet” to avoid counter-incident response: Assume the adversary has multiple means of gaining access to the environment. Watch and wait before taking action. Don’t start blocking malware or terminating C2 systems until you understand all possible avenues of re-entry.
- Engaging with an incident response partner: It is not a matter of if, but when organizations will be targeted, so it is essential to be prepared. Engage with an IR partner to devise a response plan and retain them to put it into action when needed. It should include post-incident remediation and analysis to root out any remaining adversary presence and avoid repeat attacks.
As organizations rethink their approach to security, defending against ransomware should be a top priority as the impact and scope of attacks increases. The anywhere workforce must be supported by a security strategy that surrounds and protects employees to let them work safely and productively without putting the business’s infrastructure, reputation, and competitive position at risk.
VMware Carbon Black is a leader in cloud-native endpoint protection dedicated to keeping the world safe from cyberattacks. The VMware Carbon Black Cloud consolidates endpoint protection and IT operations into an endpoint protection platform (EPP) that prevents advanced threats, provides actionable insight and enables businesses of all sizes to simplify operations. By analysing billions of security events per day across the globe, VMware Carbon Black has key insights into attackers’ behaviours, enabling customers to detect, respond to and stop emerging attacks.
More than 6,000 global customers, including approximately one-third of the Fortune 100, trust VMware Carbon Black to protect their organizations from cyberattacks. The company’s partner ecosystem features more than 500 MSSPs, VARs, distributors and technology integrations, as well as many of the world’s leading IR firms, who use VMware Carbon Black’s technology in more than 500 breach investigations per year.