David is a computer security researcher with over 18 years of experience in malware analysis and antivirus software evaluation. He runs the Privacy-PC.com project which presents expert opinions on contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy, and white hat hacking. He has a strong malware troubleshooting background, with the recent focus on ransomware countermeasures.
Back in 2012, ransomware was a primitive strain of malicious code that locked a victim’s screen with a scary-looking FBI warning and demanded Ukash or MoneyPak prepaid cards for regaining access to the system.
The Trojans behind this kind of foul play were ridiculously easy to remove and were not much of an issue. A year later, the menace took an evolutionary leap with the release of CryptoLocker, a predatory program that encrypted individuals’ data, held it hostage, and accepted bitcoins for decryption.
A lot has changed since those days. In 2018, cybercrooks repurposed their raids to haunt organisations rather than end-users. Today, ransomware is a global security concern. It poses an unprecedented risk to healthcare facilities, educational institutions, municipalities, huge corporations, and critical infrastructure. The recent attack fired at Colonial Pipeline, a U.S. fuel supply giant, demonstrated that extortionists are waging a cyberwar that has serious real-world implications for entire societies.
To top it off, ransomware operators have extended their assaults beyond unauthorised encryption. Now, they steal companies’ data and threaten to leak it as a way to pressure victims into paying the ransom. These folks are also increasingly using DDoS to step up their genre of extortion. All in all, the big picture is frightening, and it is high time governments, industries, and security experts teamed up to curb the peril proactively at an international level. This article will shed light on the ways to stop this cyber plague in its tracks.
Creating an internationally coordinated anti-ransomware strategy
With the threat escalating and when there is so much at stake, countries need to prioritise ransomware countermeasures and integrate them into their national security postures. Global collaboration through sharing knowledge about criminals’ tactics, techniques, and procedures (TTPs) is also a big void to fill.
Law enforcement agencies from around the world should focus on ransomware infrastructure takedowns. Prosecuting criminal ringleaders is one more effective way to deter extortionists from carrying on with their activities. The silver lining is that authorities have had some success in this area: a recent example is the arrest of a 20-year-old South Korean resident who allegedly distributed a ransomware program called GandCrab.
One more element of the systematic fight against cyber extortion is to put pressure on countries that serve as safe havens for such activities. The above-mentioned Colonial Pipeline incident, for instance, has been attributed to threat actors operating from Russia. International policy should play a greater role in discouraging some governments from turning a blind eye to the activities of local ransomware gangs.
Hampering the ransomware business model
Financial gain is the fundamental motive behind almost every ransomware incursion. To rake in illicit profits and stay at large, cybercriminals have masterminded a clever extortion scheme that revolves around cryptocurrencies.
In most cases, ransom notes dropped onto victims’ computers narrow down the payment options to Bitcoin, or less frequently, Ethereum. The use of decentralised, privacy-centric blockchain systems makes ransoms largely untraceable. To err on the side of caution and confuse the money trail further, crooks often resort to cryptocurrency mixing services that add another anonymisation layer to their nefarious modus operandi.
That said, establishing tighter control over the cryptocurrency ecosystem appears to be the silver bullet. Legislators could pass laws that require cryptocurrency exchanges and crypto kiosk proprietors to share information with law enforcement and comply with Know Your Customer (KYC) guidelines as well as anti-money laundering regulations. If Bitcoin transactions were theoretically possible to trace to specific threat actors, they would think twice before orchestrating another attack.
A move like that is a double-edged sword, though. While it would put a big a spanner in the works of the ransomware economy, additional regulation in this area would undermine the whole concept of cryptocurrency as a decentralised framework with privacy at its core. This is a delicate matter and think tanks are trying to come up with a trade-off that will satisfy all parties that play by the rules.
Boosting organisations’ preparedness
Because enterprise networks are the primary targets of ransomware operators, corporate decision-makers need to align their protection practices with these new challenges. As previously mentioned, most attacks now combine encryption and data leaks. Crooks use special sites where they publish stolen files to name and shame stubborn victims.
Therefore, data backups alone are no longer enough to fully recover from a ransomware raid. The consequences of a breach include serious reputational issues due to sensitive data disclosure on publicly accessible domains. Still, a backup strategy remains important, as it allows companies to resume their normal operation after being hit.
Another significant component of an effective plan B is to leverage a DDoS mitigation service. It will kick in if attackers try to knock the corporate network offline with a flood of rogue data packets for extra pressure. It’s also worth noting that even if an organisation has effective defenses in place, it may be still infiltrated through compromised devices, or the networks of a third-party contractor, such as a managed service provider (MSP). That means that the security hygiene of all business partners should be subject to audits as well.
No matter how vanilla it may sound, prevention is the best cure. Organisations should nurture the security awareness of their employees through regular training. Most ransomware attacks start with a phishing email that includes a booby-trapped link or attachment. Every team member must be able to identify such hoaxes to avoid getting hooked by scammers.
Furthermore, to minimise the impact of a ransomware attack, it is best to build enterprise networks according to the principle of least privilege. It means that every employee has access to corporate resources they need for their work, but not more than that.
A combination of reputable anti-malware tools and an intrusion prevention system (IPS) can further harden the protection of an organisation’s digital assets against file-encrypting threats and unauthorised remote access. Finally, penetration tests can help discover unpatched vulnerabilities and provide actionable insights into what areas could use improvement.
The bottom line
There is one more crucial thing: compromised companies must consider all alternatives before paying ransoms. Money is what propels the global ransomware economy, and provides adversaries with resources to write more sophisticated code, recruit “affiliates,” and create zero-day exploits to hack networks. Although restoring data from backups or even rebuilding network segments from the ground up could be tedious, it is well worth the effort as long as attackers get nothing. The more victims reject ransom demands, the sooner the ransomware plague will come to a halt.