Ransomware: Why These Attacks Continue to Cause Cyber Risk

Since taking office in January, the Biden administration has made cybersecurity one of its top priorities, with a specific focus on countering ransomware attacks that have targeted government agencies, private firms and the nation’s critical infrastructure—from oil and gas facilities to hospitals already overwhelmed by the COVID-19 pandemic.

And while the White House can point to some success in raising the issue of ransomware with Russia (where most of the criminal gangs are alleged to operate) and using executive action to compel federal agencies and some private businesses to improve their security, these types of attacks continue to cause damage, with millions of dollars flowing to cybercriminals.

Consider some recent reports from the U.S. government and security firms.

Two recent studies published by the U.S. Treasury Department’s Financial Crimes Enforcement Network and the Office of Foreign Assets Control found that approximately $5.2 billion in Bitcoin transactions have been traced to 10 of the world’s most notorious ransomware gangs. These reports are based on an analysis of suspicious activity reports (SARs) that banks and other financial institutions must file with the federal government.

Over the course of the first six months of 2021, the Treasury’s Financial Crimes Enforcement Network found that SARs related to ransomware totaled $590 million. (For all of 2020, ransomware-connected SARs totaled $416 million, according to the report.)

“If current trends continue, SARs filed in 2021 are projected to have a higher ransomware-related transaction value than SARs filed in the previous 10 years combined, which would represent a continuing trend of substantial increases in reported year-over-year ransomware activity,” according to the report.

And while the amounts paid out to ransomware gangs continue to grow (along with advisories from the FBI and others to not pay these demands), many victimized organizations believe that there is no alternative but to pay a ransom. 

A study published by security firm ThycoticCentrify, based on responses from 300 IT decision-makers, found that about two-thirds of respondents had been targeted by ransomware over the last 12 months, and that over 80 percent of those questioned paid a ransom demand following an attack.

“Ransom payments are a risk-based business decision. Businesses that elect to pay a ransom look at the potential for lost revenue and weigh those losses against the extortion amount the actor is demanding,” Rick Holland, CISO and vice president of strategy at security firm Digital Shadows, told Dice. “It is often a choice between the lesser of two evils. For critical infrastructure suppliers or companies that require high availability to be successful, the pressure to pay out a ransom can be even more intense.”

Moving Targets

While ransom payments to criminal gangs appear on the upswing over the course of 2021, there are signs the increased attention paid to these attacks has at least made a small dent in some of these cybercriminal operations.

In October, the Biden administration held a meeting at the White House with representatives of 30 other countries, which produced a commitment that governments deploy a “shared response” to ransomware attacks. Russia was excluded from that meeting.

The meeting also resulted in pledges from participating countries to deploy better technologies, such as multifactor authentication and strong passwords, to help counter these threats, as well as promises to invest in backup systems that can help victimized organizations recover without having to pay a ransom.

Also in October, Reuters reported that the ransomware gang REvil, or Sodinokibi, had been the target of a multi-country operation that appears to have knocked the gang’s infrastructure offline. REvil and its affiliates are believed responsible for several high-profile ransomware attacks, including an $11 million extortion of JBS, the world’s largest meat processor.

Oliver Tavakoli, CTO at security company Vectra, notes that while the U.S. and other governments can play a significant role in helping to curb some of this cybercriminal activity, it’s really the responsibility of organizations to decide how to respond, including whether it’s best to pay the ransom or try to recover from backups.

“Whether and how much an organization pays is driven by the perceived operational cost of recovery and the reputational or legal costs related to a public leak of confidential data,” Tavakoli told Dice. “The federal government can influence the overall bias organizations will have on whether or not to pay a ransom and can mobilize them to think about that posture in advance of an actual attack so that paying the ransom is not just a panicked decision.”

Tavakoli also noted that even with the U.S. and other governments moving ransomware up the cybersecurity priority list, it’s only when organizations start shoring up their security posture and assessing their risk that these types of attacks can be reduced.

“You must have the capability to detect attackers once they have gotten some foothold in your environment and to evict them with a sense of urgency. You need backups of your data and an ability to restore from those backups at speed and scale,” Tavakoli said. “You need to control access to the data you would never want to see leaked. And, finally, you need to test your capabilities across all these areas to convince yourself that they will actually measure up to real attacks. The problem is how to do all this on a budget and in the face of a significant shortage of cybersecurity talent.”

New Skills

Digital Shadows’ Holland says that one way to counter ransomware is to build more resilient systems that can either withstand an attack or allow organizations to return their infrastructure and networks to functional states following an incident. 

The U.S. National Institute of Standards and Technology has also made resiliency a cornerstone of its best cybersecurity practices.

“The government isn’t focusing on what matters the most, improving our resiliency. The government is treating ransomware symptoms by prioritizing international cooperation and cryptocurrency payments,” Holland said. “The current state of enterprise networks is analogous to patients with chronic illnesses like heart disease; it has taken years to get to this state. There isn’t a magical intervention that will mitigate the risk overnight. We have to address the root causes of the illness, not just the symptoms. If we want to minimize the threat of ransomware—and other attacks—we need to invest in people and provide the funding to build resilient networks.”

Part of building this type of resiliency into networks and infrastructure starts with training current security staff and bringing security pros into the organization who have the skills to help build this vision. As Holland noted: “Defenders need to be trained to deploy security software and services successfully. We need to support continuing education and personal development, so defenders expand their skillsets and capabilities.”

John Bambenek, principal threat hunter with Netenrich, noted that security professionals who want to reduce the risk of ransomware and build resilient systems must also change their mindsets.

“As much as professionals rightly bag on the CISSP certification, this all comes down to availability and resiliency,” Bambenek told Dice. “Data centers don’t often catch fire, but a ransomware infection can have the same impact. If an organization doesn’t want to pay the ransom, then the cost and speed of recovery have to become less than the cost of ransom. It’s a math problem; treat it as such.”

Taylor Gulley, a senior application security consultant at nVisium, added that the federal government’s emphasis on backups and having a strong disaster recovery plan should also mean that organizations hire those who understand these essentials and start integrating these steps into the overall cybersecurity program.

“It’s important to ensure that only accounts that need administrator access have such access, as well as having separate accounts for day-to-day and administrative tasks. Also, ensure proper backups are taking place—and that those backups cannot be altered easily,” Gulley told Dice. “Offsite backups are an important part of your security strategy should your local backups get encrypted, as well. Lastly, ensure a proper disaster recovery plan is in place and test it to ensure that it functions as necessary.”
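Two of Gulley’s points, that backups must not be alterable without notice and that the recovery plan must actually be exercised, can be turned into a routine check. The following Python script is an added example written for this article, not code from Gulley, nVisium or any product mentioned above. It builds a SHA-256 manifest of a backup set (the manifest is meant to be stored apart from the data, for instance with the offsite copy, so that altering the backup in place does not also alter the record of what it should contain), verifies a backup against that manifest, and runs a restore drill by restoring into a scratch directory and re-verifying. The file names, contents and the simulated in-place alteration are constructed for the demonstration; immutable storage (write-once object storage, filesystem immutability flags) is assumed to hold the offsite copy and is not shown.

```python
"""Backup integrity manifest and restore drill (constructed example)."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backup archives do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(backup_dir: Path) -> dict:
    """Map each file's path (relative to the backup root) to its SHA-256 digest."""
    return {
        p.relative_to(backup_dir).as_posix(): sha256_file(p)
        for p in sorted(backup_dir.rglob("*"))
        if p.is_file()
    }


def verify_backup(backup_dir: Path, manifest: dict) -> list:
    """Return a sorted list of problems: files modified, missing, or not in the manifest."""
    current = build_manifest(backup_dir)
    problems = []
    for rel, expected in manifest.items():
        if rel not in current:
            problems.append(f"missing: {rel}")
        elif current[rel] != expected:
            problems.append(f"modified: {rel}")
    for rel in current:
        if rel not in manifest:
            problems.append(f"unexpected: {rel}")
    return sorted(problems)


def restore_drill(source_dir: Path, manifest: dict, restore_dir: Path) -> bool:
    """Restore the backup into a scratch location and confirm every file matches the manifest."""
    if restore_dir.exists():
        shutil.rmtree(restore_dir)
    shutil.copytree(source_dir, restore_dir)
    return verify_backup(restore_dir, manifest) == []


def demo() -> dict:
    """Constructed scenario: clean backup, offsite copy, in-place alteration, restore drill."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        backup = root / "backup"
        (backup / "db").mkdir(parents=True)
        # Constructed sample backup contents.
        (backup / "db" / "customers.sql").write_bytes(b"CREATE TABLE customers (id INT);\n")
        (backup / "config.yaml").write_bytes(b"retention_days: 30\n")

        manifest = build_manifest(backup)          # kept with the offsite copy, not beside the data
        clean_ok = verify_backup(backup, manifest) == []

        offsite = root / "offsite"                 # stands in for the immutable offsite copy
        shutil.copytree(backup, offsite)

        # Simulate the local backup being altered in place (constructed, not real malware).
        (backup / "db" / "customers.sql").write_bytes(b"\x00" * 32)
        (backup / "stray.tmp").write_bytes(b"not part of the backup set")
        tampered = verify_backup(backup, manifest)

        # The drill restores from the untouched offsite copy and re-verifies the result.
        drill_ok = restore_drill(offsite, manifest, root / "restore")

        return {"clean_ok": clean_ok, "tampered_problems": tampered, "drill_ok": drill_ok}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The verification step is only as trustworthy as the manifest’s separation from the data it describes: if both live on the same share that gets encrypted, the attacker rewrites both. The restore drill is what turns a backup policy into a tested recovery plan; running it on a schedule, and timing it, gives the recovery-cost figure that Bambenek’s comparison against the ransom demand depends on.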