Morphisec Cybersecurity Blog

It’s Time to Re-Evaluate Your Ransomware Prevention Strategy

Written by Matthew Delman | October 1, 2020 at 3:00 PM

Increasing numbers of headline-grabbing ransomware attacks are a concerning trend. They also point to a strong possibility that many organizations are falling behind threat actors in the cybersecurity arms race. As they fail to reassess their approaches to cybersecurity, organizations open themselves up to attacks that can be devastating and, in some cases, life-threatening.

On the 17th of September, a patient in Dusseldorf, Germany, died after a ransomware attack crippled the hospital she had traveled to for emergency medical treatment. She was forced to go to a different hospital and died on the way. This is the first death that has been directly attributed to ransomware, even though ransomware has been around for more than 20 years.

While most ransomware attacks don't cost lives, they still create massive disruption for companies that experience them. On the 23rd of July, Garmin suffered a WastedLocker attack that disabled its cloud-based services for several days. One week later, the Maze malware group reportedly stole over 10TB of data from Canon after a successful infiltration. It now appears that a successful ransomware attack also hit Carnival Cruise Lines in mid-August, which accessed customer and employee data.

The increase in ransomware attacks isn't a coincidence. After trending downwards in the mid-2000s, the number of ransomware attacks has dramatically escalated in recent years. Between 2018 and 2019 alone, the frequency of ransom-seeking malware attacks increased by over 140%.

Ransomware attacks are also increasingly likely to result in a paid ransom. While it's unclear whether Garmin, Canon, or Carnival paid a ransom to their attackers, 58% of all ransomware victims do end up paying — an increase from 39% in 2017. Further, the average ransomware payment jumped 60% vs last quarter to $178,000, and for large enterprises exceed multi-million dollars.

However, the extent of the damage caused by a successful attack is rarely limited to paying a ransom. Ransomware infiltrations can cause extensive system downtime, data loss, and reputational damage. The average total cost of damage done by a ransomware attack last year was $141,000.

Lucrative, increasingly likely to succeed, and difficult to remediate, ransomware attacks are now an immensely profitable enterprise for organized cybercriminals. Globally, ransomware caused over $115 billion worth of damage in 2019. Faced with this worryingly potent threat, re-evaluating precisely how you protect critical infrastructure from ransomware needs to be near the top of your to-do list.

The Flaw in Traditional Ransomware Prevention

Galvanizing the rise in successful ransomware attacks is the attackers' ability to bypass standard cybersecurity tactics. To protect their critical systems from ransomware attacks, companies have generally relied on security techniques such as backing up necessary files, training users to avoid scams, and scanning email content for potential attacks.

Unfortunately, many of these kinds of steps offer organizations little more than a false sense of security against increasingly sophisticated ransomware attacks. Fileless malware can easily bypass anti-malware platforms, even purportedly "next-gen" solutions.

At the same time, content scanning can miss threats that are not part of an email attachment. Backing up files and relying on remediation is often made redundant by criminals who exfiltrate data and post it online to shame their victims, thus causing irreparable reputational damage and exposure to regulatory penalties. With well-resourced cyber criminals targeting their systems, it's no longer enough for an organization to rely on a reactive approach to cybersecurity.

Consider a Proactive Approach to Ransomware Prevention

Faced with a threat that exploits the vulnerabilities within standard security procedures, a proactive approach to cybersecurity is a lifeline for protecting corporate networks against ransomware. Instead of relying on a traditional detection and response methodology, this kind of approach increases security by stopping threats from gaining a foothold in the first place.

Looking at cybersecurity as a proactive task is becoming increasingly necessary. Technologically advanced and organizationally aware, modern ransomware threats often circumvent many of the core pillars of traditional cybersecurity, such as security awareness training and deploying antivirus software.

The comprehensive failures of these kinds of security solutions' are partly responsible for the recent rise in successful ransomware attacks. Spread laterally from compromised network endpoints, by the time a modern ransomware attack is detected, it's highly likely that the attack has already exfiltrated and encrypted an organization's files.

In practice, a proactive approach involves combining classic cybersecurity techniques with solutions that can defeat present and future threats. This entails keeping applications patched and up to date, using application allowlisting, and running regular security awareness training and testing. However, it also means deploying effective moving target defense solutions to blind hackers looking to target vulnerable applications.

Moving target defense protects against ransomware by hiding the memory resources of a network's endpoints, servers, and cloud workloads from malicious actors. This kind of approach works to shrink an organization's attack surface and proactively stop ransomware from executing. By turning applications into evasive dynamic shells, moving target defense deprives attackers of vulnerable static targets.

Final Thoughts

With a seven-fold increase in ransomware campaigns in the first eight months of 2020, the danger posed by ransomware is still growing. Faced with this increasingly virulent and significant threat, the static nature of applications themselves continue to provide an easy target for cybercriminals.

Not accounting for these kinds of inherent vulnerabilities, modern cybersecurity methods generally fail to deliver adequate protection. For effective security, a proactive approach combining cybersecurity hygiene with moving target defense is necessary.

A moving target defense solution obscures applications from threat actors and ensures additional hardening on the endpoint, severs, and cloud workloads. Doing so removes the attacker's most significant advantage, visibility. Threat actors can't attack what they can't see.