Why Do Ransomware Attacks Keep Happening?
Did you know the first instance of ransomware was in 1989? Though we’ve moved on from floppy disks containing malware and cashier’s checks used to pay attackers, we are far from moving past ransomware. Instead, ransomware has become more streamlined and is one of the most popular tools of both amateur and expert threat actors. Just about anyone can purchase a ransomware strain off the dark web or have the work done for them with ransomware-as-a-service (RaaS). And with the advent of cryptocurrencies like Bitcoin, attackers can be nearly impossible to trace. But what has given ransomware such longevity, and what makes ransomware so dangerous? Read on to learn three key reasons why ransomware is often the chosen weapon of threat actors.
1. Popular Ransomware Vectors are Nearly Impossible to Close.
Though employees are an organization’s greatest asset, they’re also its greatest cybersecurity risk. According to the 2021 Malware Report, the top three ways previous ransomware breaches had entered the surveyed organizations were phishing emails (70%), email attachments (54%), and users visiting malicious and compromised websites (41%). While spam filters can prevent some of these phish from making it to the inbox and firewalls can block some of these websites, social engineering attacks now appear so genuine and realistic that more than a few will slip through the cracks. The primary barrier against such threats is the employees themselves, and the strength of that barrier comes down to how discerning they are.
Additionally, as has been seen recently, many organizations work with Managed Service Providers (MSPs) or other third-party vendors that have access to their systems. If an MSP’s security is breached, attackers may have a clear path straight into every business that MSP has as a client. This means that even if organizations do everything possible to make sure their own IT environment is secure, they also have to rely on the security of any third party that has access.
2. Paying the Ransom Incentivizes Attackers.
The desire to simply get it over with and pay the ransom to quickly get data back and return to business as usual is an instinct everyone can sympathize with. However, doing so is not a guarantee of recovery and has also created a vicious cycle.
Paying the ransom incentivizes attackers to continue using ransomware. Even if you get your data back, giving in to demands only encourages further attacks on other organizations or even a repeat attack on your own. For example, the UK’s National Cyber Security Centre (NCSC) wrote about an attack on one company that paid £6.5 million to recover its data. Since the decryptor did restore the files, the company didn’t investigate the origin point of the breach or its attack path. Less than two weeks later, the very same threat actor used the exact same mechanism and ransomware as before to attack the company again.
Further, paying the ransom encourages threat actors to increase their future ransom demands. In fact, according to the 2021 Cyber Threat Report, the average ransom payment in the first quarter of 2019 was $12,762, while the average payment in the fourth quarter of 2020 was $154,108.
Finally, you simply cannot trust that attackers will return your data once you’ve paid. Experts almost universally advise not to pay the ransom. Once you’ve paid, attackers have what they want and face zero consequences for not holding up their end of the bargain. Despite this, according to the 2021 Cyber Threat Report, 57% of organizations have paid the ransom. Unfortunately, 28% of these victims failed to recover their data. It’s far better to invest the ransom payment into recovering the data through other means.
3. Ransomware Attacks are Increasing and Evolving.
Many people think that once you receive the ransom note, the ransomware attack has begun. But in actuality, the note comes towards the end of an attack—once the data has already been encrypted. The median dwell time before detection of ransomware is currently 24 days. This means attackers have all of that time to explore an organization’s environment, gain additional privileges, encrypt more data, or even steal sensitive information. However, the median dwell time before detection has gone down steeply—in 2020 it was 56 days. While this is certainly good news, unfortunately, attackers are quickly adapting, becoming increasingly efficient while remaining just as destructive. This narrows the window an organization has between infection and extortion, making it more difficult to avoid the consequences.
Threat actors and cybercriminal organizations just recently demonstrated how quickly they can adapt during the Coronavirus pandemic. Taking advantage of the transition to remote work and general upheaval, ransomware attacks spiked in the first months. Phishing efforts increased dramatically, with Google reporting that they were blocking 18 million phishing emails a day that contained the keyword “COVID-19,” in addition to 240 million emails with the simplified term “COVID.”
Ultimately, attackers show no signs of slowing down their development of more frequent attacks and more sophisticated ransomware strains. According to a report by defense think tank Royal United Services Institute (RUSI), ransomware operators are actively recruiting new people to improve their strategies and further advance the technology.
What Can Be Done to Reduce Ransomware Risk?
While the outlook may seem bleak, there are plenty of options to help safeguard your organization. First, we must all have realistic expectations: ransomware breaches are no longer fully preventable. Instead, the goal is to put as many barriers as possible in place between an attacker and an organization’s critical, sensitive data.
Running vulnerability scans and regularly penetration testing your environment helps find new vectors before an attacker does, minimizing risk. Vulnerability assessments can be a simple way to get a routine status update on your security stance. They uncover potential vulnerabilities that an attacker may use to move laterally within a breached system or escalate their privileges. Then penetration tests can uncover which of these vulnerabilities is posing the most risk, allowing you to prioritize remediation efforts.
Penetration testing is also the best way to prevent an attack being deployed, as it can help prepare employees to better recognize ransomware infection methods. Social engineering pen testing can uncover who is susceptible to these attacks by launching phishing simulation campaigns. From there, additional training can be provided to teach your employees how to be more vigilant before clicking another suspicious email.
Finally, it is critical to be able to detect ransomware breaches as quickly as possible, to minimize damage or thwart attackers completely. Threat detection tools like network traffic analysis (NTA) work to monitor your network for malicious activity, alerting your security team the moment an active infection is uncovered. After a breach is caught, there’s no time to sigh with relief, as it’s important to investigate the cause and assess the state of the environment to ensure that there won’t be a repeat attack.
Ultimately, while it’s tempting to throw up your hands as the ongoing threat of ransomware looms large, constant vigilance is a long-term strategy for this ongoing problem.