There’s no doubt that this year has seen an unprecedented number of cybersecurity attacks on businesses, and ransomware attacks in particular. With that in mind, the EM360 team sat down with Keith Glancey, Head of Solutions Architects at Infoblox, to find out more about what has caused this boom in attacks, why Ransomware-as-a-Service is quickly gaining popularity, and what simple steps companies can take to boost their defences and protect their data from malicious actors.
EM360: Ransomware attacks have continued to grow this year. Why is the number rising so rapidly across sectors?
Keith: Ransomware is once again hitting the headlines and this year has truly turned out to be one of the worst ones yet, with companies across all sectors feeling the impact. Whether it's the UK arm of the Salvation Army or Ireland's Health Service Executive, it’s clear that no one is safe.
This style of attack remains popular because there is a large potential return on investment. Hackers can earn huge sums for minimal effort. It’s no wonder that the numbers are so alarming. Verizon’s 2021 Data Breach Investigations Report shows that 10 percent of all data breaches now involve ransomware, while Cybereason’s recent study revealed that more than 50 percent of organisations have fallen victim to ransomware attacks.
Bad actors continue to be so successful simply because many companies aren’t well-prepared and end up paying the ransom. In many cases this is to no avail; in fact, Cybereason’s study tells us that 80 percent of businesses that have paid ransoms have suffered second ransomware attacks, often from the same threat actors.
Ransomware can significantly impact businesses. According to Cybereason, two thirds of organisations report significant loss of revenue after a ransomware attack and half of organisations indicate that their brand and reputation were damaged as a result. The stakes are very high and organisations need to implement sound cybersecurity strategies if they want to protect themselves from these attacks as they won’t go away any time soon.
EM360: Ransomware as a Service (RaaS) is also becoming popular among cyber criminals. What is causing this?
Keith: Research shows that nearly two-thirds of ransomware attacks which took place during 2020 came from RaaS-based platforms. This includes the recent attacks on JBS and the Colonial Pipeline.
RaaS gives everyone the power to become a hacker. It is a subscription-based model that enables affiliates to use already-developed ransomware tools to execute attacks; there’s no technical knowledge required, and all individuals need to do is sign up for the service. Platforms are closely modelled after legitimate SaaS products. They include support, community forums, documentation, updates, and more. Some even offer supporting marketing literature and user testimonials.
RaaS attacks can also be carried out at a relatively low cost. In most cases, the user is in charge of how much they spend and can sign up for a one-time fee or for a monthly subscription. Some RaaS platforms are set up without any initial fees, but deduct a sum from a successful attack. Other platforms might have charges for special features, such as a status view of active ransom infections, the number of files encrypted and payment information.
Finally, RaaS enables threat actors to develop highly targeted attacks on large organisations, where they can ask for large ransoms. In these highly targeted cases, threat actors use carefully researched social-engineering tactics, such as well-crafted emails to entice targets to click dangerous URLs or open malicious attachments. In other cases, threat actors may target a vulnerability that is particular to or commonly used by their target victim group.
EM360: What are the most common distribution methods when it comes to ransomware?
Keith: Email is one of the most common methods that threat actors use to employ social engineering tactics and distribute malware and malicious links to unsuspecting individuals. These attacks are versatile and can be highly targeted at an individual or company, known as spear-phishing, or they can be part of bigger ransomware campaigns.
Malicious websites distribute harmful downloads to users through socially engineered links to that site. In addition to setting up their own spoofed site, threat actors can find and exploit vulnerabilities in a legitimate website and implant malicious code on it. Alternatively, they may use these vulnerabilities to redirect the target to another website under their control.
Remote desktop protocol (RDP) is another highly effective and dangerous attack vector. Threat actors use search engines to locate devices configured with an open port and gain access to RDP servers by using default passwords on servers that have not been updated. Alternatively, the actors can use brute-force techniques to break in, or they can use open-source password crackers.
A distribution method we hear less about, but that is just as dangerous, is USB memory sticks. Cyber criminals plant USBs in coffee shops, airports, mailboxes and corporate lounges for unsuspecting targets to pick them up and use. Once an infected USB drive is inserted into a computer, the ransomware encrypts files on the device and propagates across the whole network.
EM360: What are the key steps that companies need to take to protect themselves from ransomware attacks?
Keith: Detection and prevention are key elements in protecting organisations from ransomware attacks, both of which can be effectively supported with increased visibility. By seeing what devices are connecting to a network and where network traffic is being sent, IT teams gain a valuable upper hand in the fight against ransomware. This is where DNS (Domain Name System) tracking comes into play.
DNS is a core network service which means that it touches every device that connects to a company’s network and the wider Internet. Almost 90% of malware, including ransomware, touches DNS when entering and exiting the network, making it a powerful tool in the cyber defence toolkit. When applied to security, DNS can help protect against ransomware attacks by detecting and blocking communication with known Command and Control (C&C) servers that distribute malware, helping to stop an attack before it even starts.
Companies who want to take DNS-based security to the next level can merge DNS with DHCP (Dynamic Host Configuration Protocol) and IPAM (IP Address Management). This combination of modern technologies – known as DDI – can pinpoint threats at the earliest stages, and paired with DNS security can identify compromised machines and correlate disparate events related to the same device – containing an attack’s damage or preventing one from taking place entirely.
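The two mechanisms Keith describes in his last two answers, matching DNS queries against a list of known C&C domains and then using DHCP lease data to tie a flagged query back to a specific device, can be shown in a few lines. The script below is an added illustration by the editor, not part of the interview and not Infoblox code. The blocklist, DHCP lease table and DNS query log are all constructed sample data with hypothetical names; the matching walks up the parent domains of each query name, as a response policy zone (RPZ) rule on a domain would, so a subdomain of a listed C&C domain is caught too.

```python
"""Correlate DNS query logs with DHCP leases to find hosts talking to known C&C.

Editor-added illustration for the DNS / DDI discussion above; not Infoblox
code. Every input below is constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Set, Tuple

# Constructed blocklist of known-bad C&C domains (hypothetical names).
BLOCKLIST: Set[str] = {"c2-update.example", "payload-cdn.example"}

# Constructed DHCP lease table: client IP -> (MAC address, hostname).
DHCP_LEASES: Dict[str, Tuple[str, str]] = {
    "10.0.0.23": ("aa:bb:cc:dd:ee:01", "finance-laptop-07"),
    "10.0.0.45": ("aa:bb:cc:dd:ee:02", "hr-desktop-02"),
}

# Constructed DNS query log, one query per line: "<timestamp> <client_ip> <qname> <qtype>".
# 10.0.0.99 deliberately has no lease so the unknown-device path is exercised.
DNS_LOG = """\
2021-09-01T10:00:01Z 10.0.0.23 www.example.com A
2021-09-01T10:00:03Z 10.0.0.23 c2-update.example A
2021-09-01T10:00:04Z 10.0.0.45 mail.example.org MX
2021-09-01T10:00:09Z 10.0.0.23 beacon.c2-update.example TXT
2021-09-01T10:01:00Z 10.0.0.99 payload-cdn.example A
"""


@dataclass(frozen=True)
class Hit:
    """One DNS query that matched the blocklist, enriched with DHCP lease data."""
    ts: str
    client_ip: str
    qname: str
    mac: Optional[str]       # None when no lease is known for the client IP
    hostname: Optional[str]  # None when no lease is known for the client IP


def parse_log(text: str) -> Iterator[Tuple[str, str, str, str]]:
    """Yield (timestamp, client_ip, qname, qtype); qname is normalised to lowercase, no trailing dot."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype = line.split()
        yield ts, client, qname.rstrip(".").lower(), qtype


def is_blocked(qname: str, blocklist: Set[str] = BLOCKLIST) -> bool:
    """True if qname or any of its parent domains is on the blocklist (RPZ-style domain match)."""
    labels = qname.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def correlate(log_text: str,
              leases: Dict[str, Tuple[str, str]] = DHCP_LEASES,
              blocklist: Set[str] = BLOCKLIST) -> List[Hit]:
    """Flag blocklisted lookups and attach the DHCP lease (device identity) for the querying IP."""
    hits: List[Hit] = []
    for ts, client, qname, _qtype in parse_log(log_text):
        if is_blocked(qname, blocklist):
            mac, host = leases.get(client, (None, None))
            hits.append(Hit(ts, client, qname, mac, host))
    return hits


def summarize(hits: List[Hit]) -> Dict[str, List[Hit]]:
    """Group hits per device (by MAC, falling back to IP) so one infected host is one incident."""
    by_device: Dict[str, List[Hit]] = {}
    for h in hits:
        by_device.setdefault(h.mac or h.client_ip, []).append(h)
    return by_device


if __name__ == "__main__":
    for device, device_hits in summarize(correlate(DNS_LOG)).items():
        name = device_hits[0].hostname or "unknown device (no DHCP lease)"
        domains = sorted({h.qname for h in device_hits})
        print(f"{device} {name}: {len(device_hits)} C&C lookup(s) -> {', '.join(domains)}")
```

Grouping by MAC rather than IP is the point of bringing DHCP into the picture: a laptop that renews its lease and changes address still shows up as one device, and a query from an address with no lease at all (the 10.0.0.99 line) is surfaced as an unknown device rather than silently attributed to whoever held that IP last.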