The FBI has reported a 400 percent increase in cyber-attacks in 2020 – and, according to some reports, Ransomware makes up about 85 percent of those attacks.

Ransomware is one of the most potentially damaging types of malware, and the hackers are becoming more sophisticated each day. For example, it is increasingly common to leverage the now-booming “Ransomware-as-a-service” (RaaS) by purchasing access from other threat actors, who sell it as a commodity.

Traditionally, when Ransomware infected a system, files would be encrypted, users locked out, and payment demanded in return for a decryption key. More recently, however, the threat actors are gathering sensitive information for espionage purposes as well as traditional ransom payments. The fact that your systems are backed up – while still essential – may not be much help if your information is disclosed or sold on the dark web.

According to leading cybersecurity company FireEye,

Spear-phishing emails work because they’re believable. People open 3% of their spam and 70% of spear-phishing attempts. And 50% of those who open the spear-phishing emails click on the links within the email—compared to 5% for mass mailings—and they click on those links within an hour of receipt. A campaign of 10 emails has a 90% chance of snaring its target.

The target often includes password lists, bank account information, and other financial data, enabling the attacker to make fraudulent transfers. So even if your system is backed up, you are still exposed.

The most notorious hackers in the Ransomware “business” include REvil, Conti, NOBELIUM, Maze, Nefilim, Clop, and DarkSide, the latter being famous for extorting Colonial Pipeline out of 75 Bitcoin (worth $4.4M at the time) after a large scale attack that disrupted fuel supplies across the United States. Cybersecurity Ventures, a Menlo Park cybersecurity agency, predicts that the worldwide damage caused by Ransomware could cost $265 billion by 2031, based on this type of cybercrime attacking both enterprises and consumers at a rate of one attack every few seconds. Currently, the agency estimates that Ransomware will cost approximately $20 billion this year, a 57-fold jump from 2015. Indeed, Palo Alto Networks, another leading cybersecurity company, says that average Ransomware payouts alone have surged from $115,123 in 2019 to $312,493 in 2020, a 171 percent increase. The largest demand recorded in recent years was $30 million. This is a far cry from the 1989 “AIDS Trojan,” which was distributed by floppy disk and demanded $189 for the decryption key. Do you remember that?

Unfortunately, despite authorities’ recent success in busting several Ransomware gangs, this particular breed of malware has proven to be very hard to eliminate.

Coronavirus: An attractive lure

COVID-19 is a popular artifice for malicious government actors and the common criminal enterprise to gain access to your system. And the work from home environment is certainly not helping. Last year, I wrote about the dangers of working from home, which you can find here.

Coronavirus phishing started as soon as the pandemic hit last year. Fraudulent emails and texts claiming to be from the Centers for Disease Control and Prevention, the World Health Organization, or other government entities, began cropping up. Other phishing emails or social media posts asked the recipient to verify personal information to receive economic stimulus money from the government, while still more asked for charitable contributions or promoted fake cures, vaccines, or testing kits. These have continued – and multiplied. For example, the subject, “WELCOME TO UNCLAIMED STIMULUS CHECK INFO,” and “COVID-19 AWARENESS AND IMPLEMENTATION FROM THE WORLD HEALTH ORGANIZATION,” are typical of current phishing lures. Scammers are now even using telemarketing calls, text messages, and door-to-door visits to perpetrate coronavirus-related scams.

The pandemic fits well into the hacker’s modus operandi, which is to take advantage of world events in an effort to get victims to click on malware. The hackers prey on human emotions and behavior, and exploit our greed, fear, curiosity, and desire to help.

Managed Service Providers: A force multiplier for the bad guys

A managed service provider, according to the Gartner Glossary of Information Technology terms, “delivers services, such as network, application, infrastructure and security, via ongoing and regular support and active administration on customers’ premises, in their MSP’s data center (hosting), or in a third-party data center.” In other words, they’re the good guys who keep your systems running.

But the bad guys are exploiting the good guys to make cyberattacks even more devastating. In its 2020 Global Threat Report, CrowdStrike opined that “[a]n alarming trend in targeted Ransomware operations is the compromise of managed service providers ... [which] can enable the spread of Ransomware to many companies from a single point of entry ... [affecting] cloud service providers.”

We all know about Solar Winds, whose compromised software was used by NOBELIUM to push a malicious update to thousands of customers, including many government agencies. That’s only the tip of the iceberg. A similar attack just happened to Kaseya, an IT solutions developer whose customers include managed service providers, some of whom provided cybersecurity. Kaseya recently disclosed that its VSA product was the victim of a “sophisticated cyberattack” and that it had notified the FBI. Though Kaseya’s Chief Executive Officer has indicated that less than 0.1 percent of the company’s customers were affected, some of these were managed service providers. Accordingly, estimates suggest that up to 1,500 small to medium-sized companies may have experienced a Ransomware compromise through their managed service providers. The U.S. Cybersecurity and Infrastructure Security Agency is continuing to respond to the recent attack.

Sens. Sheldon Whitehouse (D-Ohio) and Lindsey Graham (R-S.C.) have introduced legislation that would create cybersecurity and breach reporting requirements for certain companies falling within the definition of “critical infrastructure.” Sen. Whitehouse, who previously referred to the Colonial Pipeline breach as a “total face-plant failure,” has called on the Biden Administration to promptly work with lawmakers to prepare the legislation.

What you can do now

Here are some steps you can take to make Ransomware attacks less likely.

• Analyze systems for Ransomware vulnerability. The CISA has released the Ransomware Readiness Assessment tool to help organizations gauge their readiness and ability to defend against and recover from a Ransomware attack. The module, which is part of the Cyber Security Evaluation Tool first introduced in 2006 by the Department of Homeland Security and incrementally updated since then, covers two areas: 1) information technology, and 2) industrial control system assets. Many private cybersecurity companies also offer Ransomware assessment tools.

• Secure systems. Install firewalls, use database segregation and layering, and incorporate White Hat hacking, endpoint protection, multi-factor authentication, and a good antivirus program. It is also imperative to update systems whenever an update is released. See “How GCs Should Respond to Worsening Threat of Ransomware Attacks,” in Corporate Counsel magazine, and “So What Does a GC Have to do with Cybersecurity, Anyway,” in CIOReview.

• Encrypt data. This should be done to the greatest extent reasonably possible, for both stored data and data in transit. Yes, it tends to slow things down. However, it will protect you in the long run, both from Ransomware demands (as encrypted data is less valuable) and from legal liability because state data breach laws generally do not apply to data that is encrypted.

• Train employees. This is as important, if not more important, than any other measure you can take. First, employees should not be using their work computers for personal reasons. Second, employees must learn how to identify and report phishing emails. They should not be opening emails or attachments from unknown senders. Even if an email appears to be from a known sender, employees should contact the person by phone or Slack, or in a separate email thread. They should never click links or download attachments. This critical education must start at onboarding and continue through a customized cyber-hygiene manual, followed by routine precautionary reminders and in-house exercises to see who bites.

• Monitor networks. File access and network traffic should be monitored at all times to ensure that unauthorized users are not accessing sensitive data.

• Back up data. This allows systems to be restored in the event of a breach. If your data is backed up, that will be one less thing that you have to worry about and just may enable you to ignore a Ransomware demand altogether, though every attack must be evaluated on a case-by-case basis.

• Additional protection. Your IT staff should install safeguards to filter out suspicious sites and block harmful emails. At my prior company, we installed software that provided notification when an email was external, even though it seemed to have come from a trusted internal source, like the CEO.

Conclusion

Ransomware has indeed gone wild – and it’s scary. However, with the appropriate planning you can dramatically reduce the risk of an attack. If it nonetheless takes place, you have another set of actions to take to mitigate the damage. Those will be discussed in Part 2 of this series.