At Morphisec, we have analyzed average payments from ransomware victims through open console data. In doing so, we have found direct evidence of ransomware's unstoppable rise. Across industries, ransomware operators are extracting payments that are up to 10 percent of an organization's annual revenue.
This situation paints a pretty bleak picture for cybersecurity professionals and business leaders everywhere. Faced with a threat that shows no signs of stopping, it is natural to respond by taking a fatalistic attitude towards ransomware. After all, if ransomware attacks are so ubiquitous, surely it's better to treat them as an inevitable cost of business? Unfortunately, because paying a ransom provides little to no guarantee that access to data will be returned, giving into cybercriminals’ demands is not a sustainable strategy.
In this blog post, which recaps some of the points I covered in a SANS institute Webinar, I will explain why ransomware is booming, where defense is going wrong, and how we can turn the table on threat actors deploying ransomware.
Although ransomware, which has been around ever since the 1980s, is now undoubtedly a golden goose for cybercriminals, its rise to prominence is relatively recent. It's easy to forget that, before becoming this decade's most dangerous threat to overall business continuity, ransomware was not a major enterprise security concern. Rather than infecting entire networks and forcing businesses into bankruptcy, ransomware attacks from strains like CryptoWall or TeslaCrypt tended to stop at individual devices and, more often than not, end with ransom demands of $1,000 or less.
Towards the end of the 2010s, however, attackers changed their tactics. Instead of relying on a large number of victims downloading automated ransomware trojans, ransomware developers and distributors adopted a different business model: targeting specific victims with focused attacks. This change in cybercriminal strategy, coupled with the coming together of more powerful ransomware strains and eponymous gangs like REvil, sent ransom demands and attack success rates skyrocketing. Today, this trend has evolved to the point where a ransomware attack succeeds every 11 seconds.
As ransomware incidence and success rates rose, defense moved from detection to remediation. Many cybersecurity professionals fell back on "assume breach" strategies in the hopes that they could mitigate ransomware through adequate backups and remediation plans. However, ransomware quickly evolved even further. To bypass backups and remediation, strains like DoppelPaymer gave criminals exfiltration capabilities. This means that threat actors no longer have to rely on victims wanting to regain access to their systems. Instead, they can threaten to expose the victimized organization’s clients’ IP or private identifiable information — something that can have serious legal implications and threaten business continuity.
Even for nontechnical threat actors, ransomware as a service (RaaS) now brings advanced, human-operated ransomware strains capable of locking down an entire enterprise well within reach. And, regardless of advice from governmental agencies like the FBI or the DHS not to do so, today's dramatic escalation in extortion pressure means that victims often have no choice but to pay up when infected. As a result, the average ransom demand may soon be over $1 million, double last year's figure.
With countless states willing to host, or at least turn a blind eye to, increasingly corporatized criminal gangs, and a huge financial incentive for ransomware developers and distributors to carry on with their criminal activities, ransomware shows no sign of receding. As demonstrated by the resurgence of Emotet, which we covered in a recent blog post, no amount of law enforcement engagement or cooperation is likely to change this fact, either.
What can and must change, however, is the way organizations protect themselves against ransomware.
Organizations are now spending more money on security solutions and services than at any other point in history. Nevertheless, with 37% of businesses reporting that they have experienced at least one ransomware attack, for cybercriminals, actually infecting organizations does not appear to be getting any more difficult. The reason why is simple: how we defend against ransomware attacks is not making us any safer.
Imagine a threat actor armed with human-operated ransomware like the Conti strain (used to attack the Irish Health Service in spring 2021) targeting a modern enterprise with a typical detection-based security stack.
The first benefit a threat actor has is that their victim's attack surface is now more expansive than ever. With staff working from home or in a hybrid environment, their security awareness is also at an all-time low. This means that phishing individuals almost always guarantees that a determined threat actor will eventually find a way into a target network. Without even considering the likelihood that they have already been compromised through their supply chain, every organization needs to come to terms with the fact that an endpoint compromise is only a matter of time.
At this point, the signature-based EDR solutions that most organizations use should — in theory at least — help organizations spot and defeat whatever threat is downloaded onto an endpoint. Unfortunately, these solutions rely on patterns, and in modern human-operated ransomware attacks, there are often no discernible patterns. Instead, the malware that contains ransomware payloads is frequently hidden with multiple layers of obfuscation and can even deploy from device memory. As a result, EDR can’t deter modern threat actors.
Once a single endpoint is compromised, an entire enterprise is put at risk. To give just one example of how this happens, a threat actor can leverage even low privilege accounts to gather credentials for high privileged accounts. By pivoting from a compromised user account (which might have administrator privileges restricted), cybercriminals can move onto often out of patch legacy application servers using exploits such as EternalRomance, EternalBlue, or Bluekeep. From here, maneuvering onto critical servers is easy. By this point, the threat actor will have more than likely disabled whatever run-time scanning solutions the organization has in place — long before ransomware is deployed. Regrettably, because security vendors typically turn down the sensitivity of their solutions on servers to avoid false positives or operational disruption, at this level, few enterprises have any real defenses left.
By now, it is game over. A threat actor has exfiltrated data, making data recovery pointless, and deployed ransomware. In this scenario, a flexible threat actor has made even the most advanced reactive defenses useless. Because most attacks happen on weekends or holidays, even if the alarm is raised, there is usually no one at the organization to react to the hack anyway.
As outlined in the above example, cybersecurity's ultimate disadvantage against threats like human-operated ransomware is that defense is static, whereas attackers are highly dynamic. Determined threat actors can always find a way into a network and, once there, will systematically bypass whatever defensive controls they encounter.
Taking away this advantage means flipping the script on traditional defensive solutions. By making sure there is no distinct target available for an attacker, Morphisec's Moving Target Defense (MTD) does precisely this. Moving Target Defense hides application and operating system resources from threat actors, stopping ransomware, zero-days, and other advanced attacks. More specific definitions of Moving Target Defense include:
“Moving Target Defense prevents unknown and zero-day attacks by using system polymorphism to hide application and operating system targets from adversaries in an unpredictable manner leading to a dramatically reduced attack surface and lower security operational costs.”
“Moving target defense is a set of techniques whereby dynamic or static permutations, morphing, transformations, or obfuscations are used to deflect attacks.” [Gartner]
The US Department of Homeland Security defines Moving Target Defense as, “controlled change across multiple networks and system dimensions to increase uncertainty and complexity for attackers by reducing their window of opportunity and increasing the costs of their probing and attack efforts.”
MTD stops attacks before malware deploys, and it does so without straining device resources, requiring any intervention from human analysts, or even necessitating a strong internet connection. Deployed on endpoints and servers, Morphisec’s breach prevention solution leverages the same kind of polymorphism used by advanced threats to avoid controls for the benefit of defenders. In doing so, we give organizations the ability to stop threats from unknown vectors, such as ransomware, new malware, and new variants of malware, even when they don't have recognizable signatures or deploy from device memory.
As part of a zero-trust approach to security, MTD compliments other proactive measures like device hardening and access controls. Critically, MTD does not put any extra strain on an organization's most valuable security resource — its personnel. By working alongside OS native Windows Defender, MTD is not only more affordable but it is also a much more effective alternative to traditional security controls. Against MTD, it is attackers, not defenders, that are at a disadvantage.
Watch a simulation of a ransomware attack that bypasses detection-based defenses in our on-demand SANS Webcast recording.