Emmanuel Tzingakis, Technical Lead: Sub-Saharan Africa at Trend Micro, looks at where today’s modern ransomware attacks started, how they have changed over the years and what organisations can do to protect their data from these bad actors.
Ransomware is among the biggest threats to an organisation and its day-to-day operations, and protecting digital environments against it has become far more complicated and costly.
In fact, the Council for Scientific and Industrial Research (CSIR) estimates that cybercrime costs South Africa R2.2 billion a year. Cybercrime has become a sophisticated and organised business that can have financial, reputational and operational consequences for organisations. But how did we arrive here?
How has ransomware evolved?
One of the earliest forms of ransomware was fake antivirus software. Between 2005 and 2010, cybercriminals created malicious software that posed as an antivirus programme. It would alert users to a supposed virus on their computer and invite them to install its "full" product to deal with the problem. Once installed, the malware would disrupt the machine and nag the user with warnings until they paid a fee to "remove" a virus that never existed.
In time this tactic attracted too much media attention, and attackers had to change their approach to extracting money from victims. The result was a wave of malware posing as law enforcement. It would lock the user out of the computer and display a notice, styled as a police warning, claiming the user had been "fined" for illegal activity online; access was only restored once the fine was paid.
It was only from about 2013, and at scale by 2015, that we started to see the sophisticated methods of attack we experience today. Encrypting malware made it possible for attackers to lock a device's files until a payment was made. Coupled with this was the proliferation of Bitcoin, which let attackers collect payments outside the traditional banking system, where transactions could not easily be blocked, reversed or tied to an account holder by financial institutions and law enforcement.
During this period, attackers relied on a spray-and-pray approach. Mass-mailed attachments and links were the main vectors, and the campaigns were designed to slip past spam filters and spread malware indiscriminately. From about 2019, however, it became evident that attackers had become far more targeted. They were now infiltrating networks, assessing the value of a person's or organisation's data, gaining administrative rights and only then encrypting files.
This has led to more sophisticated strategies for persuading victims to pay: publishing stolen data in stages, threatening distributed denial of service (DDoS) attacks, and harassing the victim's clients and suppliers on social media.
Why does it evolve?
These highly organised and adaptable criminals respond to changes in their environment much like any other business. If their victims become more combative and better defended, they will make drastic changes. Shifts in modus operandi can be triggered by law enforcement becoming more effective at disrupting attacks, financial institutions tracking or blocking payments, changing regulations around cryptocurrencies, sanctions against ransomware groups and the services that enable them, organisations improving their cybersecurity posture, cloud migration, and poor operational security within the criminal networks themselves.
In 2022 there was a lull in ransomware activity. That is no reason to be complacent: these criminals will keep evolving their tactics to stay profitable. In Trend Micro's recent research report, The Near and Far Future of Ransomware Business Models, we expect new strategies to include greater use of zero-day vulnerabilities at the initial access phase, better operational security within criminal networks, automation of processes to maximise revenue, and an increased focus on Linux cloud servers and other less common platforms.
What must organisations do?
Organisations need to take proactive steps to prevent ransomware attacks and to limit their impact. It is not enough to respond once an attack happens; companies should stop attackers from gaining access in the first place. In many cases the demand for payment is the last step of an attack, and it comes only after the attacker has already exfiltrated data, set up command and control infrastructure, or created additional access points for future attempts.
To mitigate the impact of an attack, organisations and their security teams need a holistic cybersecurity strategy covering people, process and technology. Staff are often the first line of defence, so regular security awareness training on what to look out for is paramount.
In addition, clear visibility across the entire network gives cybersecurity teams a complete view of the attack surface and of the assets that need protecting. From there, organisations need a threat model that identifies the risks those assets face and the controls needed to protect them. Adopting the right solutions, such as attack surface risk management and extended detection and response (XDR), can help meet an organisation's particular needs. Supported by a Zero Trust strategy, this approach lays the foundations for reducing the risk ransomware poses to any organisation.
Even with the best security, cyberattacks happen. To limit the impact of such an event, it is important to have an incident response plan in place so that disruption to the business is kept to a minimum. Check that redundant systems are secure and that backups are well maintained and able to bring a compromised system back. Attackers routinely seek out and encrypt or delete backups before deploying ransomware, so at least one copy should be kept offline or on immutable storage, and restores should be tested regularly rather than assumed to work.
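A concrete way to test backups before they are needed, as an added example that is not part of the original article and not Trend Micro code: record a SHA-256 manifest of every file at backup time, keep that manifest apart from the archive, and periodically trial-restore the archive into a scratch directory and compare it against the manifest. A backup that has been encrypted, corrupted or partially deleted by an attacker then fails the check long before recovery day. The file layout, sample contents and tar.gz format below are constructed for the example; the same check applies to any file-based backup.

```python
"""Verify that a backup is intact and restorable before it is needed.

Added example, not Trend Micro code. Sample files are constructed inline.
"""
import hashlib
import os
import shutil
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(src: Path) -> dict:
    """Map each file's path (relative to src, POSIX style) to its SHA-256."""
    return {p.relative_to(src).as_posix(): sha256_file(p)
            for p in sorted(src.rglob("*")) if p.is_file()}


def create_backup(src: Path, archive: Path) -> dict:
    """Archive src and return its manifest. In practice store the manifest on
    a separate write-once medium so an attacker who alters the archive cannot
    also rewrite the record of what it was supposed to contain."""
    manifest = build_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")
    return manifest


def verify_backup(archive: Path, manifest: dict, scratch: Path) -> list:
    """Trial-restore the archive into scratch and return a list describing
    every manifest entry that is missing or whose hash no longer matches."""
    shutil.rmtree(scratch, ignore_errors=True)
    scratch.mkdir(parents=True)
    with tarfile.open(archive, "r:gz") as tar:
        try:
            # Refuse absolute paths and '..' members in a hostile archive.
            tar.extractall(scratch, filter="data")
        except TypeError:  # Python builds without the filter argument
            tar.extractall(scratch)
    problems = []
    for rel, expected in manifest.items():
        restored = scratch / rel
        if not restored.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(restored) != expected:
            problems.append(f"hash mismatch: {rel}")
    return problems


def demo() -> tuple:
    """Run the check on a constructed backup set.
    Returns (problems for an intact backup, problems for a tampered backup)."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        src = base / "fileserver"  # constructed sample data, not real files
        (src / "invoices").mkdir(parents=True)
        (src / "invoices" / "q1.csv").write_text("id,amount\n1,100\n")
        (src / "readme.txt").write_text("constructed sample data\n")
        archive = base / "backup.tar.gz"
        manifest = create_backup(src, archive)
        clean = verify_backup(archive, manifest, base / "restore1")

        # Simulate an attacker reaching the backup store: the archive is
        # rebuilt with one file replaced by ciphertext-like bytes and one gone.
        tampered = base / "tampered"
        shutil.copytree(src, tampered)
        (tampered / "invoices" / "q1.csv").write_bytes(os.urandom(64))
        (tampered / "readme.txt").unlink()
        with tarfile.open(archive, "w:gz") as tar:
            tar.add(tampered, arcname=".")
        bad = verify_backup(archive, manifest, base / "restore2")
    return clean, bad


if __name__ == "__main__":
    intact, tampered_result = demo()
    print("intact backup problems:", intact)
    print("tampered backup problems:", tampered_result)
```

The intact archive verifies with an empty problem list; the tampered one reports a hash mismatch for invoices/q1.csv and a missing readme.txt. The point of the trial restore is that it exercises the same path a real recovery would take, so a backup that only looks healthy in a job log does not pass.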
Cybersecurity professionals are constantly adapting to changes in threat tactics. At the same time, organisations need to recognise the importance of a robust security posture. Cybersecurity is a necessity, and investing in it will go a long way towards protecting businesses against the next evolution in ransomware.