
Ransomware Attacks: Strategies for Protection and Defense

Paul Reid shares expert opinions on ransomware attacks and defense.

The world of cyber threats is constantly evolving, and businesses face new and stronger threats every day. Ransomware attacks in particular target everyone, and they’re not slowing down. It’s essential to take proactive measures to protect your systems and guard against breaches and threats.


See Understanding Ransomware and Defense Strategies with Paul Reid for a complete transcript of the Easy Prey podcast episode.

Paul Reid is the Vice President of Adversary Research at AttackIQ. He has spent over twenty-five years in cybersecurity, including running a worldwide threat-hunting team that actively hunted nation-state threat actors, and currently works with the adversary research team to monitor and combat ongoing and emerging cyberthreats. His job is to identify the emerging cyberthreats people care about and help customers and the marketplace in general be more secure. The team’s goal is to think like a bad guy so they can do good things for customers. It’s only a matter of time before your organization is attacked or breached. Paul’s team aims to help customers prevent it where possible, identify it quickly, and respond appropriately.

It’s only a matter of time before you’re attacked or breached, but what you do when it takes place [is] really important.

Paul Reid

Personal Experiences with Cyber Incidents

Back in the early days of Paul’s career, when fake emails were still a new phenomenon, the Director of Finance at Paul’s company got an email that appeared to come from the CEO, asking him to transfer a lot of money to a particular supplier. At the time, the company was going to a lot of trade shows and paying a lot of money to a lot of vendors, so the request didn’t raise any red flags.

But he happened to mention it to Paul in passing. Paul and the other people in the hall at the time all thought it was unusual, because none of them had heard of this particular vendor. They went back and looked at the email, and it turned out one of the letters in the CEO’s real email address had been replaced with a look-alike Cyrillic character. Such homoglyph addresses render almost identically to the real one, so spotting the fake comes down to a single letter that’s not quite right, and it’s easy to read past. This kind of thing can happen to anybody.
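As an added illustration, not code from the podcast or from AttackIQ, here is a small Python check for the look-alike address trick Paul describes: it expands punycode domain labels, lists every non-ASCII character by its Unicode name, and flags a domain that mixes scripts. The addresses are constructed; `example.com` stands in for the real company domain.

```python
import unicodedata


def decode_punycode_labels(domain):
    """Expand any xn-- labels so look-alike letters can be inspected."""
    labels = []
    for label in domain.split("."):
        if label.lower().startswith("xn--"):
            labels.append(label[4:].encode("ascii").decode("punycode"))
        else:
            labels.append(label)
    return ".".join(labels)


def script_of(ch):
    """Coarse script family of a letter, taken from its Unicode character name."""
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC", "GREEK", "ARMENIAN"):
        if name.startswith(script):
            return script
    return "OTHER"


def analyze_address(addr):
    """Return a list of findings for an e-mail address; an empty list means nothing unusual."""
    findings = []
    local, _, raw_domain = addr.rpartition("@")
    domain = decode_punycode_labels(raw_domain)
    if domain != raw_domain:
        findings.append("punycode domain decodes to " + domain)
    visible = local + "@" + domain
    # NFKC folds compatibility forms (e.g. fullwidth letters) to their base characters.
    folded = unicodedata.normalize("NFKC", visible)
    if folded != visible:
        findings.append("compatibility characters fold to " + folded)
    for ch in visible:
        if ord(ch) > 127:
            findings.append(
                f"non-ASCII character {ch!r} U+{ord(ch):04X} ({unicodedata.name(ch, 'unnamed')})"
            )
    scripts = {script_of(ch) for ch in domain if ch.isalpha()}
    if len(scripts) > 1:
        findings.append("mixed scripts in domain: " + ", ".join(sorted(scripts)))
    return findings


# Constructed examples, not addresses from the podcast. The second replaces the
# Latin "a" in "example" with Cyrillic "а" (U+0430); the third is that same
# domain as a mail server carries it on the wire, in punycode.
KNOWN_GOOD = "ceo@example.com"
LOOKALIKE = "ceo@ex\u0430mple.com"
PUNYCODE = "ceo@xn--" + "ex\u0430mple".encode("punycode").decode("ascii") + ".com"

if __name__ == "__main__":
    for addr in (KNOWN_GOOD, LOOKALIKE, PUNYCODE):
        print(addr, "->", analyze_address(addr) or "looks clean")
```

The script-mixing check is the one that catches this particular case: a company domain is normally written in a single script, so a Latin domain containing one Cyrillic letter is suspicious no matter how it renders. Comparing the raw sender address byte-for-byte against an address book entry remains the simplest check of all.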

The reason this didn’t become a major incident is because everyone felt comfortable saying it seemed weird. The company was a security startup, so everybody had a security mindset. Even people in non-technical roles knew a little bit about cybersecurity and what kind of threats they were facing. It’s also important to be able to ask for help. Paul has been in the industry over twenty-five years, and he still sometimes asks his team if something looks off to them. That’s how you learn and grow. If you’re always afraid to ask, that’s how you make mistakes and it prevents innovation.

One of the things we need to talk more about is that it’s okay to ask for help. It’s okay to admit you don’t know.

Paul Reid

How Ransomware Attacks Work

Ransomware is essentially economically-driven cybercrime. Ransomware attacks aren’t necessarily about targeting a particular type of business or standing up for a particular cause. They’re a business of taking something from you and holding it for ransom. In the old days, criminals would steal a painting, kidnap your children, or withhold a unique piece of information you needed until you paid. Now in our connected world, ransomware lets them hold your digital assets and systems hostage until you pay up. It’s truly just a business activity.

Ransomware attacks are economically motivated - they just want the money.

Ransomware attackers get into your systems through whatever method they can: social engineering, brute force attacks, credential stuffing with passwords leaked from other breaches, or anything else. Once they get in, they take control of your data. Often they encrypt it where it is, but sometimes they steal a copy as well. The most common strategy is to demand a payment to decrypt your files and systems and give you access again. But sometimes they add extortion on top, threatening to release or publicize the sensitive data they stole from you, so that even a victim with good backups is under pressure to pay.

Ransomware is a growing trend. We’re seeing it more and more, and that’s because it pays. It’s the old adage from mass marketing: if you mail out 1,000 pieces and 1% of recipients respond, that’s highly successful. If you do thousands of ransomware attacks and even 5% or 10% of victims pay, that adds up quickly.

Ransomware-as-a-Service

Ransomware technology has evolved, and not just in how the attackers get in or how the attacks work. Ransomware-as-a-Service (RaaS) has taken ransomware from standalone, one-off attacks to networks of affiliates. Large criminal organizations like LockBit discovered that by creating the ransomware programs and then building an affiliate network of other criminals who actually deploy them, they can scale far beyond what a single crew could do on its own.

Analysis of attack activity has shown that most ransomware operations look like a 9-to-5 job. Attackers show up, clock in, do their thing, and go home. RaaS operators discovered that by writing the malware and taking a cut of every ransom collected with it, they can make more money with less work. This also brought ransomware to the masses. You no longer have to understand how the programs work, or build them yourself, to carry out ransomware attacks. All you have to do is find one of these RaaS programs, which are built to be easy to deploy.

Creating ransomware-as-a-service and building out that affiliate network really brought ransomware to the masses.

Paul Reid

Ethics in Ransomware Attacks

In the recently leaked chat logs from the Black Basta ransomware group, there were some interesting conversations about the group’s own code of conduct. Obviously these attacks are unethical to begin with. But in the chat logs, there were comments about not targeting children’s hospitals or emergency services. There were also conversations about living up to your end of the bargain: if someone pays to have you decrypt their devices, you have to do it. The gang has to deliver some value for the money, because if victims learn they won’t get their data back either way, they simply won’t pay.

Some attackers trade on that twisted version of ethics, though. There are emails going around claiming the sender has compromising information about you and will release it unless you pay. They are banking on the fact that ransomware gangs have a reputation for doing what they promise, and they hope you will be afraid the sender really will release something if you don’t pay. In reality, very little of what they say is true. The personal details they quote to make the email look genuine usually come from an old data breach or a people-search site, and that can look convincing if you haven’t been keeping track of which breaches exposed your data. The compromising material itself almost never exists. At most, they used OSINT to find your social media profiles and gathered some details from there.

Detecting Ransomware Attacks

One of the things Paul and his team have seen with ransomware is that it has a good chance of persisting beyond the initial detection. That’s a big problem – if it sticks around, there’s a chance that it will come back. In some testing, the rate at which companies could detect malicious software stealing their data was as low as 25%. If ransomware can stay in the system even after the attack and still generate revenue, it will.

Sometimes the attackers have been in the system for so long before they trigger the encryption that restoring from backup doesn’t fix it, because their footholds and backdoors were captured in the backup too. This is why backups need an offline or immutable copy, and why a restored system should be checked for persistence before it goes back into service. Whether or not this happens depends on the sophistication of the attackers. Lots of the RaaS affiliates are doing smash-and-grab operations: they get in, launch their attack, get their money, and move on. If they can’t get their money right away, they move on to something else.

Time to detect the initial movements of these attacks is important. Of course, time to fix the attack is also important. But most of these groups aren’t looking for other exploits; they just want to get in and get out. You can prevent a lot of damage with quick detection. And the ability to avoid detection is something these gangs rely on. Being able to detect them is essential to defending against them.
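The detection Paul calls paramount can be illustrated with the behavioural signals an encryption run leaves on a file server. The Python below is an added example, not AttackIQ’s or the podcast’s code, run over constructed audit events: it flags a process that renames many files to a new extension inside a short window, a note file dropped into several directories, and any touch of a planted canary file. The event format, the thresholds, the `.lockd` extension and the file names are all assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed file-system audit events (not real telemetry). Format per line:
# "<ISO timestamp> <process> <action> <path> [<new path>]", paths without spaces.
# The ".lockd" extension, the note name HOW_TO_RESTORE.txt and the canary path
# are hypothetical stand-ins, not identifiers of any real ransomware family.
SAMPLE_EVENTS = """\
2024-05-01T09:00:01 libreoffice write /home/ann/docs/q2-budget.odt
2024-05-01T09:00:03 nautilus rename /home/ann/docs/old.txt /home/ann/docs/older.txt
2024-05-01T09:12:10 svc_update rename /home/ann/docs/q2-budget.odt /home/ann/docs/q2-budget.odt.lockd
2024-05-01T09:12:10 svc_update rename /home/ann/docs/plan.ods /home/ann/docs/plan.ods.lockd
2024-05-01T09:12:11 svc_update write /home/ann/docs/HOW_TO_RESTORE.txt
2024-05-01T09:12:11 svc_update rename /home/ann/pics/cat.jpg /home/ann/pics/cat.jpg.lockd
2024-05-01T09:12:12 svc_update rename /home/ann/pics/dog.jpg /home/ann/pics/dog.jpg.lockd
2024-05-01T09:12:12 svc_update write /home/ann/pics/HOW_TO_RESTORE.txt
2024-05-01T09:12:13 svc_update rename /srv/share/finance/ledger.csv /srv/share/finance/ledger.csv.lockd
2024-05-01T09:12:13 svc_update write /srv/share/finance/HOW_TO_RESTORE.txt
2024-05-01T09:12:14 svc_update write /srv/share/finance/.canary-do-not-open.docx
"""

RENAME_THRESHOLD = 5            # extension-changing renames by one process ...
WINDOW = timedelta(seconds=60)  # ... inside this sliding window
NOTE_DIR_THRESHOLD = 3          # identical new file name in this many directories
CANARY_FILES = {"/srv/share/finance/.canary-do-not-open.docx"}  # planted decoys nobody should touch


def parse_events(text):
    """Turn the flat log into (timestamp, process, action, src, dst) tuples."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        ts = datetime.fromisoformat(parts[0])
        dst = parts[4] if len(parts) > 4 else None
        events.append((ts, parts[1], parts[2], parts[3], dst))
    return events


def extension(path):
    """Lower-cased final extension of a path, or '' for names without one."""
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name[1:] else ""


def detect(events):
    """Return alert strings, in the order the evidence crossed each threshold."""
    alerts = []
    rename_times = defaultdict(deque)                  # process -> recent rename timestamps
    new_exts = defaultdict(set)                        # process -> extensions it renamed files to
    note_dirs = defaultdict(lambda: defaultdict(set))  # process -> file name -> directories
    fired = set()                                      # de-duplicate alerts per process and rule
    for ts, proc, action, src, dst in events:
        if action == "rename" and dst and extension(src) != extension(dst):
            window = rename_times[proc]
            window.append(ts)
            new_exts[proc].add(extension(dst))
            while ts - window[0] > WINDOW:  # drop renames that fell out of the window
                window.popleft()
            if len(window) >= RENAME_THRESHOLD and (proc, "mass-rename") not in fired:
                fired.add((proc, "mass-rename"))
                alerts.append(f"{proc}: {len(window)} extension-changing renames within "
                              f"{WINDOW.seconds}s, new extensions: {', '.join(sorted(new_exts[proc]))}")
        elif action == "write":
            directory, _, name = src.rpartition("/")
            dirs = note_dirs[proc][name]
            dirs.add(directory)
            if len(dirs) >= NOTE_DIR_THRESHOLD and (proc, "note", name) not in fired:
                fired.add((proc, "note", name))
                alerts.append(f"{proc}: dropped {name} in {len(dirs)} directories (ransom note pattern)")
        touched = {src, dst} & CANARY_FILES
        if touched:
            alerts.append(f"{proc}: touched canary file {touched.pop()}")
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

Run against the sample, the first alert fires on the fifth rename, within seconds of the encryption starting, which is the kind of early signal that lets a team isolate the host before the file share is fully encrypted. Extension-based heuristics miss families that encrypt in place and keep the original name, so in practice this is paired with a check on the entropy of written data and with the canary files, which catch any process regardless of how it names its output.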

The ability to avoid detection is something that these [ransomware] gangs rely upon … detection is paramount.

Paul Reid

Quick detection is key to defending against ransomware attacks.

Ransomware Attacks Aren’t Going Away

Despite our best efforts, ransomware continues to survive. Some of this is because of the resilience of the RaaS setup. The risk is distributed across multiple affiliates, so if any of them get taken down, the attacks continue through other parts of the network. The tooling is now evolving in ways that focus on the appearance and usability of the ransomware infrastructure. You don’t need to be a hacker to do this stuff.

Despite our best efforts, ransomware is going to continue to thrive.

Paul Reid

Ransomware attacks will also continue to expand. RaaS is an easy model to extend to Malware-as-a-Service. And the increasing exploitation of internet-facing devices like VPN appliances and routers means our attack surface is only getting bigger. No one goes to work thinking that they want to be attacked today. It’s just the nature of our connected and tech-focused world.

Our attack surface is not getting smaller. It’s only getting bigger.

Paul Reid

Dealing with it is challenging because nobody has unlimited people or resources. We have to focus on the things that matter most. Paul’s team starts by providing visibility into where the biggest threats are coming from. They do a lot of work to incorporate proactive cyber threat intelligence and help customers identify their biggest risks. Then customers can prioritize those issues and take steps to mitigate them.

The Biggest Mistakes People Make

The biggest thing Paul and his team hear from customers is that their security environments are constantly changing. They set up and configure their tools, but then people add new things, a supplier changes a setting or how something works, and the security team may not know it happened. Continuous testing and validation that tells you when a control has silently stopped working is really important.

Business happens. It’s not uncommon for someone in one area to implement something for a legitimate business need that breaks the company’s cybersecurity. And often there are situations where you have to poke a hole or make an exception to get something done, but then forget to close the hole afterwards. Paul even had that happen in his own life: he set up a VPN server in his house so his parents could stream their shows while they were on vacation. He forgot about it, and when he rediscovered it a while later, it had been fully compromised through the Heartbleed bug, the OpenSSL memory-disclosure flaw that leaked server memory to anyone who could reach the service. It can happen to everybody, even with the best intent.

Do You Pay the Ransom?

When you get hit by a ransomware attack, it’s hard. In the moment, something bad is happening, and someone says the pain will go away if you pay. There’s also a moral and ethical conversation, because paying the ransom funds the RaaS ecosystem. The best thing to do is avoid getting there. Do the basic things: patching, separation of duties, dual custodians, two-factor authentication, and reliable backups that you have actually tested restoring from. Be prepared for when it happens. Nobody wants to go through it, but everybody is going to face this threat at some point. It’s just like fire drills in schools: we don’t do them because we want the school to burn down, but because we want to be prepared if the worst happens.

This is not if, but when. Every company at some point is going to face this [cyberattack] dilemma.

Paul Reid

Whether or not you should pay the ransom depends on the industry, the type of business, and what you do, and it’s never an easy decision for anyone. Some government agencies and industry bodies are bringing in regulations to help make that decision. But whatever choice you make, someone will say you made the wrong one: if you don’t pay, you might have gotten your data back if you had; if you do pay, you’re enabling the attackers. There’s no winning. Paul’s biggest advice is to listen to the people around you and come to a conclusion everyone can support.

Learn more about AttackIQ at attackiq.com or on LinkedIn. You can also find Paul Reid on LinkedIn.
