By Dr. Darren Williams, CEO and Founder of BlackFog
The average cost of ransomware attacks increased by 71% this year, reaching an all-time high of nearly $1 million per attack. To make matters worse, tactics like double extortion have also increased exponentially, with 80% of ransomware attacks last year involving data exfiltration. With a huge increase in attacks, and the average ransom demand continuing to rise, it’s safe to say that ransomware is still in its ‘golden age.”
As large enterprises are investing heavily in cybersecurity and building up resistance against ransomware attacks, threat actors are shifting their focus to more vulnerable targets. Our recent research at BlackFog shows an increase in attacks aimed at critical industries such as government, healthcare and utility providers. These industries are the very backbone of our economy and any disruption to services can have widespread catastrophic consequences. For example, the Colonial Pipeline attack last year left the whole of the US East Coast with a low fuel supply for days, which massively impacted the entire US economy.
Given the immeasurable impact ransomware attacks can have on critical infrastructure; it’s time to discuss new and more innovative ways organizations can approach ransomware threats.
Why do threat actors tend to target public systems?
The core concept of ransomware is to put enough pressure on the target company, so they have little option but to succumb to the ransom demands. The added threat of double extortion means that attackers are not only encrypting and locking critical systems, but they are also exfiltrating sensitive data to be leaked on public domains. In this sense, public sectors such as government, legal services and healthcare organizations are extremely desirable targets.
The services offered by these institutions are critical for society to function, meaning any downtime caused by ransomware can have a rippling impact across the economy. Moreover, these businesses tend to hold extensive amounts of sensitive data including personal information, financial records, medical records, social security numbers, insurance data and more. Leaking sensitive data can cause significant legal, financial and compliance challenges for public organizations, which forces their hand and makes them more likely to pay the ransom.
There’s also the fact that attackers often find it easier to successfully target such organizations. The public sector tends to suffer from outdated IT and security systems. In fact, a study conducted by Deloitte showed that 75% of UK government agencies agree that their digital capabilities fall well behind that of the private sector.
Legacy IT systems are often no match for the advanced mechanisms used in ransomware attacks. Outdated endpoint security solutions, traditional network firewalls and legacy authentication protocols provide an easy route for attackers to enter the network without being detected.
How threat actors exploit limited security resources
Budget and resource constraints are a key reason why the public sector lags behind in digital capabilities. These institutions function to provide critical services to the general population, not to make profits. As such, public organizations are on a tight financial leash.
Although public and critical national infrastructure (CNI) organizations have picked up the pace in recent years, there are still significant gaps in terms of resilience. Businesses often focus on building defenses around their network endpoints, but threat actors can potentially exploit the lack of employee awareness and gain access to important organizational assets.
The recent Verizon DBIR Report shows that 94% of malware enters the network through an employee’s inbox. In fact, more than half of all ransomware attacks are initiated through phishing. Regardless of which perimeter defenses are in place, it only takes one employee’s lapse in judgment to allow ransomware into the system.
It’s also important to understand that email attacks have evolved significantly in recent years, with a greater emphasis on targeted social engineering rather than directly attaching malicious payloads. More attackers now use the tactic of impersonating trusted figures such as executives or IT support, and more diligent threat actors will research their targets thoroughly, making even the most cyber-savvy employees susceptible to these attacks.
Earlier this year, the Maryland Department of Health experienced a ransomware attack where the attackers gained access to the servers through compromised employee credentials. This attack affected the organization’s ability to manage patients amidst the COVID-19 crisis as critical records and scheduling data were locked down, and it took over three months to fully recover the compromised assets.
The state’s Chief Security Officer also stated that the organization did not have enough IT resources to craft an immediate response plan. This incident effectively sums up why the public sector is such a hot target for ransomware gangs and why it’s time for a more proactive approach to the threat.
Defensive security is no longer the answer
The continuous influx of ransomware attacks makes it evident that building perimeter defenses isn’t enough to stop threat actors. Attackers will always find a way into the network, whether it’s through phishing, exposed credentials or exploiting third-party connections. There are also zero-day vulnerabilities that threat actors can exploit to compromise existing EDR solutions and access critical assets before security teams have a chance to react.
Businesses need a more holistic approach that not only provides visibility of emerging threats but also prevents critical data from leaving their system, preventing criminals from leveraging this through a double extortion attack. Anti-data exfiltration (ADX) tools that automatically detect and prevent attempts to remove data from the system will go a long way towards declawing this tactic.
When planning for the worst-case scenario of a breach, firms should also continue to strengthen their defenses against attacks gaining initial access. Email security tools and firewalls also play a part in preventing ransomware attacks that rely on phishing emails but must be coupled with effective personnel awareness training. It is also imperative to protect data with practices such as multifactor authentication, ensuring that attackers will not gain immediate access simply by acquiring user credential sets.
Ransomware has been proven to be an effective and reliable money-maker for criminal gangs, so the threat is unlikely to fade any time soon. Firms must ensure they plan for effective defenses as their infrastructure continues to evolve.
In high-risk sectors like CNI, there is even more at stake, due to the very tangible impact on individual lives and the wider economy.
With strong processes and great defensive and anti-data exfiltration solutions in place, businesses can mitigate the risk posed by this new generation of ransomware attacks.
Dr. Williams is a serial entrepreneur and founder of 3 technology startups over the last 20 years, two of which have been sold to public companies. He is currently the founder and CEO of BlackFog, Inc. a global cyber security company focusing on ransomware prevention and cyber warfare.
Dr. Williams is responsible for strategic direction and leads global expansion for BlackFog and has pioneered anti data exfiltration technology for the prevention of cyber attacks across the globe.
Dr. Williams holds a Ph.D. and Bachelor of Science with Honors from the University of Melbourne, authoring several scientific papers and software applications for auto-radiographic densitometry and analysis. He is a dual citizen of both Australia and the United States where he now resides.