May 12 marks the fourth anniversary of the infamous WannaCry attacks. INTERPOL now observes the date as Anti-Ransomware Day, a day devoted to ransomware awareness, and this year the recent Colonial Pipeline ransomware attack has drawn even more attention to the need for ransomware preparedness.
Cybersecurity experts shared their insights on ransomware and why preparedness has never been more critical:
Ray Canzanese, Threat Research Director, Netskope
“Recent Netskope research shows that the majority of all malware is now delivered via cloud apps, underscoring how attackers increasingly abuse popular cloud services to evade legacy security defenses, putting enterprise data at risk. Ransomware, specifically, has recently been delivered using malicious Office documents, which we saw increase in volume by 58% in 2020. Malicious Office documents have also been used as Trojans to deliver other malware, including bankers and backdoors. Using cloud app delivery to evade legacy email and web defenses, malicious Office documents represent 27% of all malware downloads. Organizations need to consider a myriad of risks as they move to the cloud. A framework called Secure Access Service Edge (SASE) is emerging as a viable method to apply secure access and thwart attacks, for example, by preventing malicious software from accessing the network. SASE architecture can help guide increasingly dispersed organizations to realize the benefits of remote work and the cloud without compromising security.”
Julian Zottl, Chief Technology Officer - Cyber Protection Solutions, Raytheon Technologies
“This year marks the fourth anniversary of WannaCry. It was one of the largest ransomware attacks in history, and one that reminds all cybersecurity professionals that we need to remain vigilant every day. Looking back at the recent cyberattacks that have compromised company data and overall safety, we need to detect these attacks faster and remediate them more quickly. The dwell time between attack and remediation has dropped dramatically in the last 10 years; however, it still is not quick enough. For instance, the 2021 hack on a Florida water plant emphasized the importance of improving our security posture for national infrastructure, while identifying where organizations fall behind when protecting sensitive information. This hack was not sophisticated, but it could have had deadly consequences.
The recent SolarWinds and Exchange hacks have enabled ransomware authors to more easily deploy ransomware, such as DoejoCrypt/DearCry, to vulnerable Exchange servers. This will also enable the deployment of web shells on infected machines. As a result, this could have dire consequences, since it allows attackers to execute arbitrary files on the system. Recovery from this type of attack will be difficult and very costly, but could be prevented with the right Computer Network Defense architecture and training.
Organizations need to start viewing cybersecurity as a central and essential service. As businesses and agencies are seeing their budgets cut, one of the places they target is their cyber defense budget. Combine this with more employees working from home because of the current pandemic, and you have a perfect opportunity for adversaries. Cyber defense groups are quickly trying to address these issues; however, with lower budgets, they are finding it difficult to act. Despite these challenges, they still must keep their information and networks protected.
These breaches not only require a complete overview of current security measures, but an expanded outlook on how to train future generations of cybersecurity professionals to prepare for, and potentially prevent, a similar attack. United States government agencies, such as the Cybersecurity and Infrastructure Security Agency (CISA), and groups such as the Multi-State Information Sharing and Analysis Center (MS-ISAC), are helping the nation to understand, and manage, cyber and physical risk to our critical infrastructure. Because of these growing threats, it’s more crucial than ever to invest in security training that will properly prepare for the new risks that will arise. In response, organizations should consider how they can become involved in a cyber graduate’s education from the onset - whether through guest lectures, sponsored events such as the National Collegiate Cyber Defense Competition (NCCDC), and/or internship opportunities that allow students to witness what a career in cybersecurity really requires - a constant vigilance against such data breaches that threaten the livelihood of so many.”
Theresa Lanowitz, director, AT&T Cybersecurity
“When a business is infected with ransomware, a pop-up window alerts the user to locked files, threatening release or deletion of their data if demands are not met, similar to what you see in a movie. This is a reality that plays out in business on a daily basis today, and we’re more reminded of the impact such threats have on the fourth anniversary of the ransomware WannaCry.
Cybercriminals use ransomware because they can disguise it in campaigns that play on emotions. The ROI on ransomware makes the attacks worthwhile, because unfortunately, many businesses do pay the ransom to avoid a complete stoppage of work. With that said, once businesses face a complete stoppage from a ransomware attack, cybersecurity is usually taken more seriously - ransomware is an expensive lesson to learn.
Because ransomware disguises have become more advanced, a business cannot simply resume its analog methods of business. The digital age marches on, even with cybercriminals in our midst. While there are some simple protection methods that will deter an attacker, more businesses need to make these strategies a priority. Examples include email and patch management, the use of anti-malware tools, and using the 3-2-1 rule for backups: make three copies of data, use two different storage types for copies, and keep one copy offsite. Using these techniques will help make businesses less attractive to cybercriminals.”
Taree Reardon, Senior Threat Analyst, VMware
“The most important takeaway for organizations on Anti-Ransomware Day is the awareness and prioritization of patch management. Four years ago when WannaCry hit, there was a patch available that would have protected organizations from the attack, yet it wasn’t widely implemented. Whether it was lack of resources or awareness, or simply turning a blind eye to a major threat, a lesson was learned that still rings true today: patches need to be applied in a reasonable amount of time. As cyberattacks become more ubiquitous, severe and complex, no business is safe from becoming a victim. Organizations must put the correct security measures into place before it’s too late.”
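Reardon's point is that the WannaCry patch existed and simply went unapplied. The PowerShell below is an added example, not code from the article or from VMware: run in an elevated session on the local Windows host, it reports how long it has been since the last update was installed and whether SMBv1, the protocol WannaCry spread over, is still enabled. It assumes Windows 8 / Server 2012 or later (for Get-SmbServerConfiguration); the 30-day threshold is an illustrative choice, not a figure from the article.

```powershell
# Added example, not code from the article or from VMware: a patch-latency
# and SMBv1 check for the local Windows host. Run in an elevated session on
# Windows 8 / Server 2012 or later (needed for Get-SmbServerConfiguration).
# The 30-day threshold is an illustrative assumption, not a value from the article.

param(
    [int]$MaxPatchAgeDays = 30
)

# SMBv1 is the protocol WannaCry spread over; it should be disabled.
$smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol

# Most recently installed update according to the local update history.
$latest = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1

$lastId   = 'none found'
$lastDate = $null
$ageDays  = $null
if ($latest) {
    $lastId   = $latest.HotFixID
    $lastDate = $latest.InstalledOn
    $ageDays  = (New-TimeSpan -Start $lastDate -End (Get-Date)).Days
}

# One row per host, easy to collect across a fleet with Invoke-Command.
[pscustomobject]@{
    ComputerName     = $env:COMPUTERNAME
    SMB1Enabled      = $smb1Enabled
    SMB1OK           = (-not $smb1Enabled)
    LastHotFixId     = $lastId
    LastHotFixDate   = $lastDate
    DaysSinceLastFix = $ageDays
    PatchLatencyOK   = (($null -ne $ageDays) -and ($ageDays -le $MaxPatchAgeDays))
}

# Remediation on hosts where nothing still depends on SMBv1:
# Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
```

Two caveats a practitioner will want: Get-HotFix reads the Win32_QuickFixEngineering class, which does not list every cumulative update on newer Windows builds, so treat a stale DaysSinceLastFix as a prompt to check Windows Update or the patch-management console rather than as proof. Set-SmbServerConfiguration only turns off the SMBv1 server side; removing the protocol entirely is done with Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol on client editions or Remove-WindowsFeature FS-SMB1 on servers.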
Jim Doggett, CISO, Semperis
“Following on the heels of the Colonial Pipeline attack and with ransomware quickly ramping up across every industry worldwide, this Anti-Ransomware Day is a timely opportunity to continue the conversation around securing our businesses and economy. And while actions such as keeping systems updated and creating offline backups are fundamental to this effort, many organizations are still running into issues where malicious ransomware attacks compromise their Active Directory (AD) – the central identity management service that 90% of businesses use. Once an attacker gains access to AD, they can swiftly move across the rest of your network, making it a critical area to pay special attention to as part of your cybersecurity strategy.
In order to protect AD, organizations must be prepared to bring AD back online without reintroducing the malware if an attack infects their domain controllers (DCs). That means not only ensuring you have backups to save the day in the event of a ransomware attack, but also saving those backups on a non-domain joined server or copying backup images to Azure or AWS blob storage. Given the lengthy dwell time for many sophisticated ransomware groups, recovery efforts likely won’t be as simple as ‘recover the domain to yesterday at noon.’ Organizations need a way to assess and rectify any changes made over time on a continuous basis. It’s important to assume that even if you put a defense in depth strategy in place just for AD, there will still be an attack someday that will get past the defenses, requiring you to be able to recover AD to its pre-attack state – whether a single modification, the entire forest, or something in between.”
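Doggett's point that recovery is rarely "the domain as of yesterday at noon" means you need to know what changed over the attacker's dwell time. The PowerShell below is an added example, not code from the article or from Semperis: on its first run it records a baseline of privileged Active Directory group membership, and on later runs it reports additions and removals against that baseline. It assumes the RSAT ActiveDirectory module and a domain account that can read group membership; the baseline path and the group list are illustrative choices, not values from the article.

```powershell
# Added example, not code from the article or from Semperis: baseline and
# diff of privileged Active Directory group membership, so that changes an
# attacker made during a long dwell time can be reviewed before and after an
# AD restore. Assumes the RSAT ActiveDirectory module and a domain account
# that can read group membership. The baseline path and group list are
# illustrative choices, not values from the article.

param(
    [string]$BaselinePath = 'C:\ADBaseline\privileged-groups.json',
    [string[]]$Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                          'Administrators', 'Account Operators', 'Backup Operators')
)

Import-Module ActiveDirectory

# Current state: group name -> sorted distinguishedNames of all members.
# -Recursive expands nested groups, so a new group nested into Domain Admins
# shows up as its members rather than as one opaque entry.
$current = @{}
foreach ($g in $Groups) {
    $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty distinguishedName |
        Sort-Object
    $current[$g] = @($members)
}

if (-not (Test-Path $BaselinePath)) {
    # First run: write the baseline and stop. Copy this file to a
    # non-domain-joined host or object storage so a domain compromise
    # cannot quietly rewrite it.
    New-Item -ItemType Directory -Path (Split-Path $BaselinePath) -Force | Out-Null
    $current | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath
    Write-Output "Baseline written to $BaselinePath"
    return
}

$baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
$changes = foreach ($g in $Groups) {
    $before = @($baseline.$g | Where-Object { $_ })
    $after  = @($current[$g])
    foreach ($m in $after) {
        if ($before -notcontains $m) {
            [pscustomobject]@{ Group = $g; Member = $m; Change = 'ADDED' }
        }
    }
    foreach ($m in $before) {
        if ($after -notcontains $m) {
            [pscustomobject]@{ Group = $g; Member = $m; Change = 'REMOVED' }
        }
    }
}

if ($changes) {
    $changes | Format-Table -AutoSize
} else {
    Write-Output 'No privileged-group membership changes since baseline.'
}
```

Run it on a schedule and keep the baseline off the domain; a diff that shows an unexpected ADDED row is exactly the kind of change the quote warns will otherwise be restored along with the backup. Get-ADGroupMember errors on groups that contain foreign security principals from trusted domains and on very large groups; for those, read the group's member attribute with Get-ADGroup -Properties member instead. Membership is only one axis: the AdminSDHolder ACL, sIDHistory on accounts and GPO links on the Domain Controllers OU are the next attributes worth baselining the same way.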
Joe Partlow, CTO, ReliaQuest
“This Anti-Ransomware Day, it’s important to watch for an upcoming trend in ransomware operations, with more payments going underground than ever before. Ransomware payouts have increased significantly over the past year, as malware authors continue to innovate and cybercriminals outsource tasks to monetize operations more quickly. To compound this, the Treasury Department warned that firms that negotiate with ransomware extortionists could face steep fines from the U.S. federal government if the crooks who profit from the attack are already under economic sanctions. In response, we are seeing ransomware payments go underground, and we can expect more of this in the years to follow. Companies will take whatever measures necessary to regain access to critical systems and data to keep the business running, regardless of government regulations.”
Kev Breen, Director of Cyber Threat Research, Immersive Labs
“An alarming trend that organizations must be aware of is double extortion. As businesses become more prepared to face ransomware attacks and have backups and recovery plans in place, ransomware operators have had to find other ways to force them to pay. Their solution: take a copy of the data before encrypting it. With a copy of the data now in the hands of the bad guys, it doesn’t matter if you have good backups and can get back to BAU as quickly as possible. It seriously shifts the dynamic of power, because unless the ransom is paid, the attackers can simply make everything public. This can be hugely damaging to both the organization and its users and customers, as it could see the release of highly personal and sensitive information, including medical records, mental health records, and financial data. And ransomware operators don’t stay quiet: they run their own leak sites where they publicly name and shame the victims to add even more pressure to pay the ransom. With legislation like GDPR in the EU, even if the ransom is paid, there is still a chance organizations will be hit with large fines by the regulators.”
Chris Henderson, Director of Information Security, Datto
“The WannaCry ransomware attack in 2017 - arguably the most damaging cyberattack to date - changed the way organizations approach security on a global scale. For many, it was their first time witnessing the ramifications of a significant cyber security event and it sparked worldwide interest in hardening cyber defenses to ensure operational resilience. The WannaCry fallout also led to a massive uptick in ransomware insurance. Unfortunately, the insurance only proliferated the occurrence of ransomware attacks because it made it easier than ever for hackers to get paid.
As a result of the increase in ransomware payments to threat actors, data and application backups became a critical defense point in the security strategies of many organizations. Not surprisingly, backups soon became a major target of attackers. Even as the cyber security world pivoted to develop stronger security for backups, cyber criminals were always innovating. When a guaranteed payout was no longer certain due to strong and secure backups, we started seeing a rise in double ransoms. According to Datto’s 2020 Global State of the Channel Ransomware Report, managed service providers (MSPs) reported ransomware is the biggest malware threat facing small and mid-sized businesses (SMBs), and 92% of MSPs predict that these attacks will continue at current, or worse, rates. As such, it is more important than ever that organizations continually assess their security posture to defend against a ransomware attack and ensure planning does not stop at data recovery.
It’s no longer a matter of if, but when an attack occurs. MSPs and SMBs must prioritize a cyber resilience strategy that relies on an “assumed breached” mentality and the successful ability to protect, detect, respond and recover quickly from an adverse cyber event. This strategy prioritizes people and processes and combines cybersecurity, business continuity and incident response to keep up with the fast pace and unpredictability of ransomware threats. This is not an overnight endeavor, and Anti-Ransomware Day is a great reminder to re-evaluate the security strategies you have in place, and consider how they need to evolve to keep pace with today’s threat landscape.”