In 2015, organized crime began to realize the profit potential of ransomware. Instead of targeting individual users, the attackers “shifted left” and refocused their efforts on corporate environments, including local municipalities, healthcare, and other target-rich environments where cybersecurity efforts have historically not received adequate funding or resources. Systems impacted have included patient care systems, core business applications, critical applications and services, and online backup systems, making successful recovery a challenge for most and an absolute nightmare in some cases. The reality is that preparing for a ransomware attack continues to be a game of cat and mouse. As security technologies advance with heuristics and machine learning capabilities to protect against and detect advanced attacks, our adversaries respond with capabilities to evade those detection mechanisms. This can be discouraging to IT professionals anxious to get ahead of an attack and protect their systems, as well as their organizations, from risk.
What happens if you are attacked?
You may be asking yourself: am I prepared? Has my organization implemented the necessary security controls to protect against and detect a ransomware attack? In the event of the worst-case scenario, a successful ransomware attack, have we implemented the necessary security controls to respond and recover business operations? By incorporating a ransomware attack into the scenarios for your annual Incident Response testing and exercises, you can determine whether your security controls are effective at reducing the blast radius (the scope and extent of impact) and ensure that recovery time from a successful ransomware attack meets the Recovery Time Objective (RTO) for restoring business operations.
The number of documented cyber-attacks continues to trend upward.
Since 2000, the Internet Crime Complaint Center (IC3), a division of the Federal Bureau of Investigation, has been tracking the quantity and financial impact of cyber crimes reported to the IC3 and publishes annual Internet Crime Reports with cyber crime statistics calculated per state and nationwide.
Just over five years ago (2015), when ransomware attacks were first becoming commonplace, the IC3 received 2,453 complaints identified as ransomware with adjusted losses of over $1.6 million, an average of $652 per complaint. Within just four years, that number had already spiked significantly. In 2019, the IC3 received 2,047 complaints identified as ransomware with adjusted losses of over $8.9 million, an average of $4,348 per complaint. While this may seem like a staggering increase, it likely far underrepresents the full extent of financial losses due to ransomware attacks. When it comes down to it, metrics that track the economic impact of ransomware are very difficult to measure. First, not all ransomware attacks are reported to the IC3, and some organizations pay the ransom to recover their data and business operations, which continues to fund and proliferate ransomware attacks. Second, as noted in the 2018 Internet Crime Report published by the IC3, it is difficult to quantify actual losses or residual adjusted losses. “Regarding ransomware adjusted losses, this number does not include estimates of lost business, time, wages, files, equipment, or any third party remediation services acquired by a victim. In some cases victims do not report any loss amount to the FBI, thereby creating an artificially low ransomware loss rate. Lastly, the number only represents what victims report to the FBI via the IC3 and does not account for victim direct reporting to FBI field offices/agents.”
The cost of ransomware is only going up.
What the numbers do demonstrate is an increase in the average adjusted loss per ransomware complaint, from an average of $652 per ransomware complaint in 2015 to $4,348 per incident in 2019. While the numbers only reflect complaints for cyber crimes that are reported to the IC3, and may not reflect actual losses or residual adjusted losses, there is a clear upward trend in the financial impact of ransomware as attackers began targeting local government, school systems, hospitals, and corporate and enterprise environments.
All signs point to underreporting.
According to a recent report published by the blockchain analysis firm Chainalysis, ransomware victim payments increased 311% in 2020 to over $350 million worth of cryptocurrency. An indisputable fact is that these metrics are difficult, if not impossible, to quantify. Many ransomware victims choose to pay the ransom to the attackers to recover data and business operations, and these payments are never reported to authorities.
Accounting for residual economic losses, including recovery time and remediation, some experts estimate the economic losses from ransomware in 2020 at $20 billion.
Ransomware activity during the COVID-19 global pandemic became so rampant in 2020 that on October 1, 2020, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory warning that making or facilitating ransomware payments can expose organizations to economic sanctions. “Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations.”
It takes more than the latest tech.
It’s important to note here that many corporate organizations were implementing new security technologies during this same period. So, what we can really learn from this upward trend is that while organizations look to the latest technology vendors for protection, attackers continue to target the weakest link in the security fabric: the human element.
Cat-ch Me If You Can!
Targeting human weaknesses rather than technical ones, attackers began to go after corporate end users with spear phishing campaigns. Needing only one entry point, one click, these campaigns are often so well designed that even executive employees may find themselves clicking on malicious links or opening malicious files. Sometimes this sets off a multi-stage attack, designed to evade detection by first executing a number of preparatory actions before finally unleashing the ransomware. Other times, a single click in a successful attack can result in the rapid encryption of corporate systems and data across the internal corporate network, before security teams have a chance to react.
Moving targets are hard to hit.
The problem is that the attack tools and technology keep shifting, making it hard to stay on top of protecting any one potential entry point. Once IT teams feel they have a handle on one weak point and have appropriately mitigated its risk, cyber criminals adjust their techniques by identifying a different weak point. How do they know where to strike? Attackers use open-source intelligence (OSINT) and social engineering techniques to deliver targeted ransomware. OSINT sources are publicly available information about the desired target, and attackers often mine that data from the web with automated tooling, including artificial intelligence. When delivered in an intelligent way, based on real information about the target, this kind of ransomware attack has the capability to evade anti-virus solutions and disable endpoint security solutions, resulting in what seems like a constant game of cat and mouse, or a looping re-run of the classic Tom & Jerry cartoon Cat-ch Me If You Can! You close one gap, and they identify another.
What can you do?
Effectively protecting yourself from and detecting a ransomware attack requires a defense-in-depth approach, employing multiple layers of defenses that are also reinforced with ongoing security awareness training for the entire workforce as a critical preventative measure.
How am I able to determine if I have implemented the right mix of security technologies and security awareness training for my organization?
Ransomware propagates across a corporate network very quickly, and that is not the time to be asking yourself:
- Have I implemented appropriate security controls to protect my organization?
- Is my endpoint security solution effective at protecting against ransomware?
- Has my Incident Response Plan been updated to reflect the current threat landscape?
- Is my Incident Response team prepared to respond to this type of an incident?
- Ransomware was able to bypass my layered defenses and I think it is propagating through my network, how can I tell?
- The attack was successful and now my business is effectively shut down until I restore from backup. Will my backup strategy allow my business to restore operations?
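The question of whether ransomware is propagating through the network is one a detection engineer can partly answer from file-server audit events: encryption that renames files produces a burst of extension-changing renames by one account, spread across many directories, inside a short window. The script below is an added example written for this article, not code from the original post or its author; the audit-line format, the sample events, and the thresholds are all assumptions constructed for illustration, and it is one heuristic, not a complete detection.

```python
"""Burst-rename heuristic over file-server audit events (added example, constructed data)."""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
from posixpath import dirname, splitext

# Tunables: assumed values for this example, not figures from the article.
WINDOW = timedelta(seconds=60)   # sliding window evaluated per (host, user)
MIN_RENAMES = 20                 # extension-changing renames in the window before alerting
MIN_DIRS = 3                     # ... spread across at least this many directories


def build_sample_log():
    """Constructed audit lines in an assumed CSV format:
    'timestamp,host,user,action,old_path,new_path'. Not real data."""
    base = datetime(2021, 3, 1, 9, 0, 0)
    lines = []
    # Benign activity: a user saving a spreadsheet a few times over ten minutes.
    for i in range(5):
        ts = base + timedelta(minutes=2 * i)
        lines.append(f"{ts.isoformat()},ws-03,alice,WRITE,/share/finance/q1_{i}.xlsx,")
    # Suspicious activity: 30 renames in 45 seconds across five directories,
    # each file gaining a constructed ".locked" extension.
    for i in range(30):
        ts = base + timedelta(seconds=1.5 * i)
        folder = ["hr", "legal", "ops", "sales", "eng"][i % 5]
        old = f"/share/{folder}/doc_{i}.docx"
        lines.append(f"{ts.isoformat()},ws-17,bob,RENAME,{old},{old}.locked")
    return lines


def parse_event(line):
    """Split one audit line into a dict; new_path is empty for non-rename actions."""
    ts, host, user, action, old, new = line.split(",", 5)
    return {"ts": datetime.fromisoformat(ts), "actor": (host, user),
            "action": action, "old": old, "new": new}


def detect_rename_bursts(lines):
    """Return one alert per actor whose extension-changing renames exceed
    MIN_RENAMES within WINDOW and touch at least MIN_DIRS directories."""
    recent = defaultdict(deque)   # actor -> deque of (ts, old_path, new_ext)
    alerted, alerts = set(), []
    for ev in sorted((parse_event(l) for l in lines), key=lambda e: e["ts"]):
        if ev["action"] != "RENAME":
            continue
        old_ext, new_ext = splitext(ev["old"])[1], splitext(ev["new"])[1]
        if old_ext == new_ext:    # ordinary renames keep their extension; ignore them
            continue
        q = recent[ev["actor"]]
        q.append((ev["ts"], ev["old"], new_ext))
        while q and ev["ts"] - q[0][0] > WINDOW:   # slide the window forward
            q.popleft()
        dirs = {dirname(p) for _, p, _ in q}
        if len(q) >= MIN_RENAMES and len(dirs) >= MIN_DIRS and ev["actor"] not in alerted:
            alerted.add(ev["actor"])
            ext, _ = Counter(e for _, _, e in q).most_common(1)[0]
            alerts.append({"actor": ev["actor"], "renames": len(q), "dirs": len(dirs),
                           "dominant_ext": ext, "first": q[0][0], "last": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for a in detect_rename_bursts(build_sample_log()):
        host, user = a["actor"]
        print(f"ALERT {user}@{host}: {a['renames']} renames to '{a['dominant_ext']}' "
              f"across {a['dirs']} directories between {a['first']} and {a['last']}")
```

Run as-is, the benign writes by alice never enter the window and the rename burst by bob trips the alert at the 20th rename, about 29 seconds in, while 10 more files are still to be touched. That gap is the point of the exercise in the article: a control that fires this early gives the response team a chance to isolate the host before the whole share is encrypted. Ransomware that encrypts in place without renaming, or that throttles itself below the threshold, would not trigger this rule, which is why it belongs in a layered detection set rather than on its own.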
The only way to know whether your team and organization are prepared for a ransomware attack is either to experience an actual incident or to test your Incident Response (IR) Plan and Procedures through IR testing built around a ransomware attack scenario. IR testing allows you to simulate the following activities, evaluating the effectiveness of each step along the way.
- Assess your security controls and capabilities to protect against ransomware.
- Assess your security controls and capabilities to detect, respond to, and recover business operations in the event of a successful ransomware attack.
- Update your Incident Response Plan to include playbooks for scenarios that reflect the current landscape, including ransomware.
- Ensure that the Incident Response Plan identifies the roles and responsibilities for workforce members during an incident.
- Test the Incident Response Plan with a mock or simulated ransomware attack scenario to identify any weakness in the plan or procedures.
Test your plan to see how well it works.
Once you are sure you have a high-level plan in place and have closed any potential gaps in the process, you may also consider performing a Purple Team Incident Response test exercise by bringing the Blue Team and Red Team into a mock or simulated ransomware scenario to evaluate the effectiveness of current security controls. You can also minimize your risk of human exposure by ensuring all workforce members receive ongoing security awareness training to reinforce the methods to prevent a ransomware attack.
If you have any unknowns regarding your security controls or Incident Response capabilities, it’s time to assess the controls and test the plan. You don’t want to be caught off guard. Among those attacked in recent years, organizations that were not prepared for ransomware have suffered significant financial losses, business interruption, and loss of reputation. Simply having cyber insurance just isn’t enough. What’s more, there are no indicators that ransomware activity slowed down in 2020, and there is no reason to believe 2021 will be any different. In fact, the upward trend in average loss per incident is expected to continue in 2021 as ransomware attacks target corporate and enterprise networks, hospital systems, power and electric operational technology systems, municipalities, and school systems. While many businesses are having to scale back their business models during the pandemic, cyber criminals are able to keep working, and their efforts could be even more effective this year because of remote or otherwise susceptible workforces.
In some cases, we are able to offer a complimentary Ransomware Readiness Assessment. If you would like to find out if your organization qualifies, you can request a consultation with one of our experts.