The path of digital transformation, accelerated by the unique requirements of the Covid-19 pandemic, has led to untold efficiencies and revolutionary connectivity – but it has also ushered in an era of incredible threat. New, more devious ransomware puts data at more risk than ever, and the rise of remote and hybrid working means criminals now have a vast number of new avenues through which it can be deployed. Analysts are calling this the ‘golden age of ransomware’ – and it’s time for the entire industry to fight back.
Put simply, ransomware works. A single attack could net hacktivists millions of dollars – recent attacks have demanded upwards of US$70 million and cybercrime itself costs organisations $6 trillion per year in global damages. Spreading through various means including phishing emails, unprotected portable computers, exposure to public Wi-Fi, and Zero-Day vulnerabilities, 46% of those hit with a ransomware attack pay the ransom, at an average of over US$800,000. Ransomware is no longer something reserved for the lone ranger or hacking collective: the money behind it means it’s an increasingly professional criminal endeavour.
Any prospective hacker, from business rival to international power, can now access Ransomware-as-a-Service (RaaS), which sees ransomware authors offering clients off-the-shelf malware variants, expertise from the cybercrime community and databases full of online credentials. Criminals are also getting bolder, moving from simply locking down data to also stealing and threatening to share it – known as double extortion – or even making ransom demands to a business’s third-party clients, called triple extortion. A modern attack could cause serious reputational and regulatory damage as well as an average of 20 days of business downtime, equating to a significant financial loss.
The human element presents great liability
Ransomware’s rise has much to do with the vast growth in network-connected hardware and software. The Internet of Things (IoT) is likely to grow to over 22 billion devices by 2024, any one of which – particularly if not patched – could act as a gateway to an improperly secured network. The speed at which IT departments were forced to roll out remote access systems during the pandemic, often via common third-party tools or hastily compiled bespoke applications, left many inadvertent loopholes. And the subsequent sea change to commonplace home and hybrid working means employee hardware now routinely runs on insecure home networks, and often over public wi-fi in places like coffee shops.
VPNs are a target, shoulder-surfing passwords is a real threat, and a single lost or unattended laptop could be enough for a hacker to gain the credentials to launch an attack. Brute force and physical attacks are out there, and must be considered, but they’re not the biggest issue. A potential hacker could be attacking a network’s perimeter for days, weeks or months before they finally manage to break in. It is far easier to simply trick someone into giving them a key.
Attack sophistication is growing in complexity
While Zero-day attacks, which exploit platform vulnerabilities known only to hackers, are a real and present threat, they aren’t something that can be easily prepared for. Moreover, phishing – a common method of network infiltration – has become ever more complex and devious over time. Phishers have mastered social engineering and confidence tricks to the point that two in three users open phishing emails, and a third will click the links or attachments within. Over half of those will then enter details into whatever lies at the other end – usually a fake login screen, passing their network credentials directly to the attacker.
The richest prize, when phishing, comes from those with the highest level of access, and hackers now perform detailed reconnaissance on key targets. They spear phish, crafting targeted attacks on individuals by aping high-level employees – a practice which can now be automated via AI to produce communications so authentic looking that they generate conversion rates of up to 80%. AI can be, and has been, used to emulate the voices of CEOs, making phone-based phishing (known as vishing) truly effective. And as the power of AI grows, such deep fakes will infiltrate video calls too.
Protecting the enterprise with a Zero trust strategy
Minimising the possibility of IT infrastructure attack means taking a Zero Trust approach – building a framework whereby no entity which interacts with your organisation earns any implicit trust. Every device, user, platform, tool or vendor must clearly demonstrate its security credentials, particularly as liability for data breaches is highly unlikely to be passed on to third parties. Employees must be trained to understand this, and a workplace culture must be built around cyber hygiene and resilience.
However, even savvy employees can slip up in a tired moment. Hackers with enough insider knowledge may be able to gather sufficient information to infiltrate a network regardless of an organisation’s policies.
The tactic now must be to secure the key asset of any business – its data – by implementing consistent encryption and employing a backup policy. Backups must be as protected as core data, ideally with strong encryption, and kept in triplicate online, offline, and off-site.
Key access must be protected by stringent policies. The Zero Trust philosophy is doubly important here: trusting keys to a cloud storage provider, for example, could result in the data and keys falling into the wrong hands in the event of a data centre breach. Moving encryption to a hardware module removes risk, and ensures that all moving data, from the cloud to email, can be properly protected end-to-end and rendered functionally useless as collateral for hackers. Using hardware encryption on backup drives or USB sticks further strengthens the protection in the case that the media itself is lost or stolen.
It might seem like preparing for the inevitable is a little defeatist, but there may be no real technological way to stop ransomware attacks from happening, particularly with the human element so vulnerable. True security comes from physical and logical separation between keys and data: if we can render ransomware attacks useless and have a plan in place for recovery, they will end up little more than a very temporary inconvenience.
Learn more about data security here