Cat and mouse: why ransomware is an evolving organisational threat
When John Donovan joined the cybersecurity industry in 1995, the world of cybercrime looked very different. “Attacks were generally designed to bring down individual networks or systems,” he says. “It was more about the bragging rights of having successfully infiltrated an organisation.”
The picture now is far more frightening, as ransomware has emerged as a phenomenon used to extort money from organisations. Now Sophos’ managing director for Australia and New Zealand, Donovan spends his waking hours helping organisations respond to the aftermath of a cybercriminal successfully duping an employee into clicking on a link or opening an attachment that infects the whole network with malware.
Once the data has been encrypted, a ransom demand is issued in exchange for unlocking it. As organisations have learnt to back up their data regularly, ransomware attacks have become double-pronged, adding the threat of publishing the stolen data on the dark web.
Attacks are costlier and more common
The average ransom payment now stands at $1.04 million, according to Sophos research. Add on the recovery costs and that figure blows out to $2 million. Payments are usually required in cryptocurrency and many criminal outfits have call centres to walk victims through the payment process.
Ransomware has become more prevalent because of mass remote working prompted by the pandemic. Over the past 12 months, Australia has faced a 15% increase in ransomware attacks reported to the Australian Cyber Security Centre.
Not only are ransomware attacks more sophisticated and frequent, they’re becoming more targeted and personal. In the past, the approach was typically ‘spray and pray’. Now organisations are singled out for their weak defences and ability to pay.
“The cybercriminals will infiltrate the systems very quietly; they’ll just sit there in the background for a couple of weeks without setting off any alarms,” says Donovan. “They’ll find out how often backups are performed and other pressure points, such as those preparing for an IPO or a merger and acquisition.”
The ransom demand is often issued over email but the perpetrator may phone an employee, addressing them by name and sharing personal details obtained from the stolen information, such as a disciplinary action. The idea is to scare them into demanding their employer pay the ransom, according to Sophos.
Ransomware as a service
In 2021, the ransomware-as-a-service (or RaaS) model took off, with comparatively fewer attacks by single ransomware groups, according to the 2022 Sophos Threat Report. RaaS involves a specialist ransomware developer renting out malicious code and infrastructure to third-party affiliates.
Four specialist ransomware developer groups were responsible for almost half of all reported attacks over the past year – Conti, Ryuk, REvil and Ragnarok. Of these, Sophos research found Conti accounted for the most attacks. Earlier in the year, a disgruntled ex-affiliate of Conti leaked its Russian-language implementation guide, revealing step-by-step tools and techniques. Cybersecurity experts such as Donovan consider it a treasure trove, saying: “We use that information to teach our people how to better defend, prevent and respond to attacks.”
This year, RaaS was used against Colonial Pipeline in an attack considered the most disruptive in US history. Colonial Pipeline paid $6.9 million (US$5 million) to the hackers, but the payment was issued too late to prevent its petroleum pipeline network from being disrupted, causing nationwide fuel shortages. US investigators subsequently retrieved a large portion of the ransom paid in Bitcoin, but such success is rare.
Not a question of if, but when
Another alarming ransomware trend is attacking supply chains. This threat will extend into 2022 and beyond, says Garrett O’Hara, principal technical consultant at Mimecast. In July, REvil attacked US-based software provider Kaseya, affecting 1500 businesses on all five continents, from supermarkets in Sweden to kindergartens in New Zealand.
“This was an interesting case in which the cybercriminal was actually attacking organisations connected to Kaseya,” O’Hara says. “In this scenario, you may think you have a trusted third-party relationship with a supplier, but if they’re compromised, it can leech its way into your network as well.”
While there is no foolproof method of preventing a ransomware attack, a solid defence strategy and remediation plan can go a long way towards minimising damage. Key tips include continually testing defence systems, running simulation exercises, using strong passwords and multi-factor authentication, and undertaking daily offsite backups.
A business continuity plan is also essential: “Make sure your data and services are assured,” O’Hara says. “What would you do if email broke? Can you maintain communication by phone?”
O’Hara says remote access tools are “massively insecure”. “Adopt a zero-trust network approach – assume you need to authenticate people once they’re inside the system and don’t assume the firewall is your protection. This mistaken assumption allows someone to do anything once they’re inside. We call it ‘the hard outer shell and the soft gooey centre’.”
Are current initiatives enough?
O’Hara has seen a shift in how Australian governments talk about ransomware, and notes a number of positive initiatives in play, such as the Ransomware Action Plan. “There has been an acknowledgement of how serious this problem is,” he says.
However, he believes there needs to be greater investment to effectively tackle the scourge of ransomware. “It’s a huge global problem and it needs an appropriate level of response,” O’Hara says. “We’re spending a fair chunk of coin on submarines, but in large part the war has shifted to digital – and there hasn’t been an analogous shift in spending.”
The Critical Infrastructure Bill, currently making its way through parliament, would confer an extraordinary power of government intervention in response to cyberattacks on critical infrastructure assets.
“It’s a good lever to raise overall standards and Australia would be in line with the approach of the US and UK, where there is also a recognition by governments that this is a very serious problem,” says Richard Bergman, lead partner for EY’s Oceania cybersecurity, privacy and trusted technology practice.
“Can you actually stop these attackers? Realistically, the answer is probably no,” concludes O’Hara. “But it can go a long way in protecting an organisation. Casual attackers, and those operating without government sponsorship, will have a difficult time in penetrating critical national infrastructure.”
There’s also a push to introduce mandatory reporting of a ransom being paid. This would involve a layer of abstraction to anonymise the data and thus avoid encouraging repeat attacks on organisations that are known to pay.
“The guidance from the Australian government is to not pay a ransom,” Bergman says. “But we know organisations are paying. We need to get a good feel for how many organisations are paying a ransom quietly, so that we know how big the problem is.”
The struggle to maintain Australia’s cybersecurity