When it comes to cyber security, the world of cybercrime has come into its own over the past decade. Today, it’s one of the world’s largest industries, worth hundreds of billions of dollars a year, and it has evolved in line with its earnings to a level of sophistication that has caught many individuals and companies unaware. Theft of card details, machine jacking for crypto-mining, and identity theft remain key challenges, but few areas have become as lucrative for the criminals, or as prodigious, as ransomware.
As with any market-driven business, ransomware hackers have continued to develop their approaches to a level not previously seen. Social-engineering methodologies have stepped up a gear, and a world filled with misinformation and fear around COVID-19 has opened up a wealth of opportunities for cybercriminals to abuse.
Most recently, ransomware hackers have introduced new types of threats as well. Across the globe, companies are increasingly subject to data protection laws, like those introduced across the EU with GDPR in 2018. Such laws mean that not just the loss but also the exposure of customer data has become a central concern for IT departments and board members. This was demonstrated by the Veritas 2020 UK Databerg report, which showed fear of data loss and compliance breaches as the top concerns relating to cloud computing at the moment (55% and 54% respectively).
Legal non-compliance, combined with the additional fear of financial and brand damage, has become a central lever in cybercrime attacks when looking to extort money from companies. In addition to ransomware attacks making critical data unavailable through encryption, it’s now becoming increasingly popular for criminals to exfiltrate data and threaten exposure online as a means of blackmailing companies. According to some reports, more than 11% of ransomware attacks in Q2 2020 involved the theft of data by criminals rather than just data encryption.
This isn’t the only way that ransomware has evolved either – the type of data that hackers are targeting is changing too. The EKANS virus that affected Honda in early June is a perfect example. Rather than targeting application data, which is more likely to be protected, EKANS specifically targets ICS data, which, historically, might not have been a part of a ransomware-protection strategy. As such, the question has to be asked: how many other types of data might become ransomware targets and how can these be successfully protected?
Other new trends include auctions on the dark web of data that’s been exfiltrated, possibly for use by competitors or simply to mine it for personal credentials. After-hours attacks have also become increasingly popular, to ensure minimal security personnel presence to help combat the situation effectively. Quite possibly the worst end of this evolution is an increase in the trend towards state-sponsored attacks being created to undermine the very business infrastructure of a country.
Prevention is not enough
Protection against ransomware comes in various forms, but at its simplest it is split between stopping malware from making a home on the network in the first place (anti-virus software, data monitoring and employee education through cybersecurity courses) and being able to respond cleanly and swiftly when an attack is successful.
For the longest time, companies and individuals have focused most of their time and energy on the former of these, with some level of success. Unfortunately, the evolution of ransomware, including increasingly sophisticated social engineering methodologies, means businesses can’t rely on prevention alone. IT security is always going to be vital but, mostly, it’s the human aspect of the equation that opens up the risks. This could be miscalculating either what data needs to be backed up or what data ought to be encrypted, or simply human error in being taken in by a phishing attack and allowing the malware into the network in the first place. Companies must assume attacks will be successful and be prepared for that. Data protection in the form of trustworthy and tested backup is the obvious answer, but even this doesn’t protect against data being exfiltrated and abused. For that, the only answer is encryption.
The use of encryption at rest as a defense against malware is something that should never have gone out of fashion, given that encrypting data in transit is still regarded as best practice. However, there is a strong case suggesting that data is not being encrypted at rest, with one report suggesting that less than 10% of cloud service providers encrypt data once it’s on their servers. It may seem obvious, but this means that it’s open season on over 90% of the data stored in the cloud should it be hacked.
The data challenge
There’s still a challenge of course. An overwhelming number of businesses don’t know what data they have. The 2020 Veritas UK Databerg study shows that 80% of data is either dark or ROT (redundant, obsolete or trivial). This makes it almost impossible to know what to back up, where and how, let alone which data ought to be considered sensitive or risky enough to encrypt as part of the storage and backup process. This is clearly reflected in a 2019 study by the Ponemon Institute in which 69% of companies said that just figuring out where sensitive data resides in the organization was the biggest challenge to implementing encryption.
A combination of data insights (incorporating identification, tagging and classification), data encryption and reliable backup seems to be the only sensible way forward to protect against ransomware attacks. Companies need to know what data they have, and they need to actively protect it in the right way without omitting any risk-associated workloads. Then, when all that hard work is done, they need to test their systems to find any unexpected gaps or weak points.
What more can companies do?
Beyond this, there are still precautions that companies must take. Ransomware attacks are also becoming increasingly targeted in their methodologies, as shown by the rise of spear-phishing and business email compromise attacks over basic spray-and-pray phishing. When the payoff could be multiple millions of tax-free dollars, the additional research needed for the attack is well worth the effort. Employee education at every single level is vital. Can you be sure that all your employees, from C-level to entry-level, know how to recognize a ransomware-related scam attempt?
The management and storage of encryption keys themselves is also critical. It may seem obvious, but all too often encryption keys are stored in the same place as the encrypted data itself. This is something akin to leaving the spare house key under the front door plant pot. It may not be visible to the naked eye, but the most cursory of searches will uncover it.
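To make the two points above concrete (encrypting data at rest, and keeping the keys somewhere other than next to the data), here is an added example in Go; it is not code from the article or from Veritas. It uses AES-256-GCM from the Go standard library in an envelope-encryption layout: each stored object gets its own data-encryption key (DEK), and the DEK is wrapped by a key-encryption key (KEK) that lives in a separate `KeyService`, a stand-in for a KMS or HSM. The contrast is a `NaiveRecord` that stores the raw DEK beside the ciphertext, the "key under the plant pot" layout. All object names and contents are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyService stands in for a KMS or HSM outside the data store. It holds the
// KEK and only exposes wrap/unwrap, so the KEK never reaches the storage layer.
type KeyService struct{ kek []byte }

func randomKey() ([]byte, error) {
	k := make([]byte, 32) // AES-256 key, generated at random for the example
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return k, nil
}

func NewKeyService() (*KeyService, error) {
	kek, err := randomKey()
	if err != nil {
		return nil, err
	}
	return &KeyService{kek: kek}, nil
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM and prefixes the random nonce to the output;
// aad binds the ciphertext to its object ID without encrypting it.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, gcm.Seal(nil, nonce, plaintext, aad)...), nil
}

// open reverses seal; the GCM tag check fails on the wrong key, wrong aad or tampered data.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], aad)
}

func (k *KeyService) Wrap(dek, objectID []byte) ([]byte, error)       { return seal(k.kek, dek, objectID) }
func (k *KeyService) Unwrap(wrapped, objectID []byte) ([]byte, error) { return open(k.kek, wrapped, objectID) }

// Record is what lands in the data store or backup set: ciphertext plus the
// wrapped DEK. Neither the raw DEK nor the KEK is present in it.
type Record struct {
	ObjectID   string
	WrappedDEK []byte
	Ciphertext []byte
}

// NaiveRecord stores the raw DEK next to the data it protects: whoever
// exfiltrates the store also takes the key.
type NaiveRecord struct {
	ObjectID   string
	DEK        []byte
	Ciphertext []byte
}

// Encrypt produces an envelope-encrypted record: fresh DEK per object, DEK wrapped by the key service.
func Encrypt(ks *KeyService, objectID string, plaintext []byte) (Record, error) {
	dek, err := randomKey()
	if err != nil {
		return Record{}, err
	}
	ct, err := seal(dek, plaintext, []byte(objectID))
	if err != nil {
		return Record{}, err
	}
	wrapped, err := ks.Wrap(dek, []byte(objectID))
	if err != nil {
		return Record{}, err
	}
	return Record{ObjectID: objectID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt needs both the record and the key service; the store alone is useless.
func Decrypt(ks *KeyService, r Record) ([]byte, error) {
	dek, err := ks.Unwrap(r.WrappedDEK, []byte(r.ObjectID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK for %s: %w", r.ObjectID, err)
	}
	return open(dek, r.Ciphertext, []byte(r.ObjectID))
}

// EncryptNaive / DecryptNaive involve no key service, so the store alone is enough to read everything.
func EncryptNaive(objectID string, plaintext []byte) (NaiveRecord, error) {
	dek, err := randomKey()
	if err != nil {
		return NaiveRecord{}, err
	}
	ct, err := seal(dek, plaintext, []byte(objectID))
	if err != nil {
		return NaiveRecord{}, err
	}
	return NaiveRecord{ObjectID: objectID, DEK: dek, Ciphertext: ct}, nil
}

func DecryptNaive(r NaiveRecord) ([]byte, error) { return open(r.DEK, r.Ciphertext, []byte(r.ObjectID)) }

func main() {
	ks, _ := NewKeyService()
	doc := []byte("customer export 2020-Q2 (constructed sample)")
	rec, _ := Encrypt(ks, "exports/customers-q2.csv", doc)
	back, err := Decrypt(ks, rec)
	fmt.Printf("with the right key service: %q err=%v\n", back, err)
	other, _ := NewKeyService() // a different KEK: what a copy of the store alone gives you
	_, err = Decrypt(other, rec)
	fmt.Println("with the store but not the key service:", err)
}
```

The design point is that a stolen or restored copy of the store yields ciphertext and wrapped keys only; decryption requires a live call to the key service, which is where access logging, rotation and revocation belong. Binding the wrapped DEK to its object ID through GCM's associated data also stops a wrapped key being reused against a different object.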
The history of ransomware is a constant game of cat and mouse where attack and protection tools are constantly evolving in a battle to best each other. The first half of 2020 has already been a period of opportunity for hackers, where forced changes in enterprise architectures have opened up a rich seam of new vulnerabilities to target. It’s imperative that businesses now leapfrog the hackers in their own capabilities, coming back with immutable and protected data strategies that keep their businesses safe.
- Ian Wood, Senior Director, Head of Technology UK&I, Veritas.