Is ransomware really as bad as we think it is?

Turns out the ransomware problem might be even worse than we thought. The numbers related to ransomware are alarming, and for all of 2021, they're getting worse: a projected $20 billion in damages from ransomware this year, with estimates of costs hitting $265 billion in 10 years. A 55 percent increase in ransomware activity in the second quarter of the year. Hundreds of businesses impacted at once by a single coordinated attack. And reports of attacks that have brought supply chains to a halt, stolen terabytes worth of data, and even shut down hospital services.

Why, it's all in a day's headlines for the "it" exploit of the 2020s. Ransomware, a nefarious form of computer fraud that has grown dramatically over the past decade, has arguably become the most talked about security issue in the industry. Based on news reports and government statistics, it's a problem of epidemic proportions, with no end in sight and bad news all around. For example, ransomware's status as the killer app for Bitcoin is one reason cryptocurrencies are on government hit lists all over the world.

But is it really all that terrible?

A banner year—for criminals

"At the moment, things aren't getting better," says Nigel Edwards, a fellow and vice president at Hewlett Packard Enterprise. "Let's put it this way: I don't see the industry turning the tide on this at the moment."

Ransomware is proving difficult to effectively combat because it's increasingly being operated as a long-term attack. Attackers know that high-quality backups provide an easy defense against ransomware, so high-grade ransomware now lies in wait for a lengthy period of time before it is activated. Attackers take their time to learn the environment, disable security systems, and corrupt backups before launching their strike.

"They have to pollute the backup and infect a number of nodes," says Edwards. "This can take days or weeks." A decade ago, if you were infected with malware, you generally knew about it immediately. Today's attackers have learned that the longer you wait, the more impact you can have—and the bigger the ransom you can demand.

Evolving threats require evolving defenses

As attacks grow more sophisticated, what should organizations do about them?

"Sadly, there's no silver bullet," says Edwards. "It requires a sophisticated defense in-depth strategy. When you look at ransomware attacks against the enterprise, an attacker is likely to be resident for some time. There is therefore a window of opportunity to detect them and prevent the attack from propagating further."

The detection process is becoming increasingly difficult. "Unfortunately, even in technologically sophisticated organizations, the methods and tools being employed don't meet the security and control needs to combat today's threats," says Neil Jones, cybersecurity evangelist at Egnyte. "Senior executives and IT leaders should also be aware that no technological solution is 100 percent effective."

For Benny Czarny, founder and CEO of OPSWAT, managing ransomware is no different than managing any other cybersecurity threat: It's all about risk. "Embracing a risk-based mindset and initiating programs to help cyber teams to better detect and understand threats is key to avoiding ransomware in the coming year," he says. "The burden is on the organization to understand the attackers targeting their organization." Building a defensible posture therefore requires analyzing how prior attacks were initiated and understanding in detail the tactics, techniques, and procedures that bad actors have used.

Another big part of the 2022 playbook is going to be zero trust frameworks, which virtually every cybersecurity expert is betting heavily on as a key solution for turning the tide. "Solutions such as software-defined perimeter make application access secure regardless of where users are coming from," says Czarny. A wide range of zero trust initiatives are underway across the industry, including Project Aurora and several others at HPE. The ultimate goal: establish a new methodology for security that does away with traditional authentication techniques by eliminating the idea of a trusted user. Once implemented across the enterprise, zero trust could dramatically reduce the damage an intruder is able to inflict, even if login credentials are successfully stolen.

Zero trust even needs to extend to your backup strategy, says Edwards. "Are you analyzing your backup strategy with respect to how resilient is it to ransomware?" he asks. "Do you have multifactor authentication in place for the backup service, for instance, so that if a system administrator's credentials are compromised, they can't just get onto the backup service and destroy all the backups? Do you have backups that are offline altogether?"

Holding out while the industry catches up

Unfortunately, all of that is going to take time, and until these strategies become commonplace, IT departments will need to double down on diligence. That means extra attention paid to installing patches and security updates, stronger investment in intrusion detection and vulnerability scanning tools, retirement of outdated hardware and software, and, critically, more intensive training for users and IT staff alike.

As another potential fix, Karanasios points to managed security services that can be tailored with security monitoring and vulnerability management tools designed to fit each customer's needs. Edwards notes that ensuring backups are regular, uncorrupted, redundant, and isolated from the primary network is also a key defense tactic.
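The backup questions Edwards raises (can a compromised administrator destroy every copy, is any copy offline, are the copies intact) and the properties listed here (regular, uncorrupted, redundant, isolated) can be turned into an automated audit. The following is an added example, not code from the article, from HPE, or from any of the vendors quoted. It assumes a constructed backup inventory in which each copy records its dataset, storage location, whether it is unreachable from the production network, when it was taken, and a SHA-256 digest recorded at backup time; for each dataset it reports which resilience properties are missing, treating a digest mismatch as a corrupted copy.

```python
"""Audit a backup inventory for ransomware resilience (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hashlib

# Fixed "current time" (constructed) so the sample assessment is reproducible.
NOW = datetime(2021, 12, 1, 12, 0, tzinfo=timezone.utc)


@dataclass
class BackupCopy:
    dataset: str
    location: str       # constructed labels such as "primary-nas" or "tape-offline"
    offline: bool       # True when the copy is unreachable from the production network
    taken_at: datetime
    sha256: str         # digest recorded when the backup was written
    payload: bytes      # stand-in for the backup content


def make_copy(dataset, location, offline, age, payload, corrupt=False):
    """Build a copy whose recorded digest matches the payload at backup time.
    corrupt=True alters the stored bytes afterwards, simulating a copy that was
    tampered with after its digest was recorded (as a dwelling attacker might)."""
    digest = hashlib.sha256(payload).hexdigest()
    stored = payload if not corrupt else payload[:-1] + b"\x00"
    return BackupCopy(dataset, location, offline, NOW - age, digest, stored)


def verify_copy(copy):
    """A copy is intact when its current content still matches the recorded digest."""
    return hashlib.sha256(copy.payload).hexdigest() == copy.sha256


def assess_dataset(copies, now, max_age):
    """Return a list of missing resilience properties for one dataset's copies."""
    findings = []
    intact = [c for c in copies if verify_copy(c)]
    if len(intact) < len(copies):
        findings.append(f"{len(copies) - len(intact)} corrupted copy(ies)")
    if not intact:
        findings.append("no intact copies at all")
        return findings
    newest = max(c.taken_at for c in intact)
    if now - newest > max_age:
        findings.append(f"newest intact copy is stale ({(now - newest).days} days old)")
    if len({c.location for c in intact}) < 2:
        findings.append("intact copies exist in only one location")
    if not any(c.offline for c in intact):
        findings.append("no intact offline/isolated copy")
    return findings


def assess_inventory(inventory, now, max_age=timedelta(days=1)):
    """Group copies by dataset and assess each; an empty list means all checks passed."""
    by_dataset = {}
    for copy in inventory:
        by_dataset.setdefault(copy.dataset, []).append(copy)
    return {name: assess_dataset(copies, now, max_age) for name, copies in by_dataset.items()}


def build_sample_inventory():
    """Constructed sample data: one healthy dataset, one with a corrupted offline
    copy, and one with a single stale online copy."""
    return [
        make_copy("crm", "primary-nas", False, timedelta(hours=1), b"crm-snapshot-1"),
        make_copy("crm", "tape-offline", True, timedelta(hours=12), b"crm-snapshot-0"),
        make_copy("finance-db", "primary-nas", False, timedelta(hours=6), b"fin-dump-7"),
        make_copy("finance-db", "offsite-vault", False, timedelta(hours=6), b"fin-dump-7"),
        make_copy("finance-db", "tape-offline", True, timedelta(days=2), b"fin-dump-5", corrupt=True),
        make_copy("hr-files", "primary-nas", False, timedelta(days=3), b"hr-archive-2"),
    ]


if __name__ == "__main__":
    for name, findings in assess_inventory(build_sample_inventory(), NOW).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{name}: {status}")
```

Running the block prints one line per dataset; the "finance-db" dataset shows how a copy that still exists can be worthless once an attacker has polluted it, which is exactly the scenario Edwards describes, and "hr-files" shows a dataset that would fail the recency, redundancy and isolation checks at once.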

"Ransomware is never going to go away in the foreseeable future, but we have to keep working on it," says Edwards. "We can make things better, and that's what we're doing. It may be a cliché, but it really is an arms race."