We asked industry experts: Although reports of the reduction of ransomware are encouraging, do organizations need to guard against complacency? Here are their responses:
David Arthur, Security Practice Lead, Australia and New Zealand, for multi-cloud security and application delivery company F5
Drop-offs in ransomware activity are not a new occurrence. These lulls have previously been attributed to factors such as geo-political unrest, as seen when Russia invaded Ukraine, forcing combined Russian/Ukraine ransomware groups to split and re-group, or threat actors allowing the heat to die down in the aftermath of a major incident, like the Colonial Pipeline ransom.
We’ve seen periods of decreased activity like this before, only to then witness the activity being replaced with vigorous new campaigns. With that evolution comes adaptation to ever-improving security controls. Organizations must remember that decreased incidents are likely the result of a shift in tactics, rather than a decrease overall.
Decrease in ransomware incidents aside, there has been a visible increase in cybercriminals targeting individuals through effective spear phishing campaigns, with the ACCC reporting Australians lost approximately US$2 billion to scams in 2021 – an 84% increase compared to the previous year. These scams are not generally attributed to ransomware but can be detrimental to the individual or business.
Additionally, a decrease in the number of ransomware incidents is not something to celebrate while the severity of those attacks is increasing. The ACSC reported that in 2021-22, the average loss per reported incident of cybercrime increased by 14% when compared to 2020-21. Ensuring robust security measures are in place will be necessary for organizations on an on-going basis, not just to defend against attacks but to minimize the impacts when they do occur.
It’s also important to factor in the potential for continuing consequences that can result from a single attack. The focus of ransomware attacks is exfiltrating or stealing data. Once that data, which is often sensitive personally identifiable information (PII), is in the hands of the cybercriminals, there are many, many ways it can be used maliciously.
As cybercriminals continue to find new ways to make money from their attacks, it’s likely they will increase focus on exploiting the personal information of individual victims, either through scams or fraud schemes which are, as is the case with cybercrime trends in general, becoming more sophisticated.
In a situation where attackers are unable to make money through ransomware attacks and subsequent blackmailing attempts, they will adjust their course to target individuals.
Ransomware attacks will continue to pose a significant threat, only worsening in severity as the tactics evolve. Resting on the notion that a decreasing number of attacks reflects a vanishing threat is an enormous mistake, and organizations that don’t remain prepared will suffer the consequences.
Steve Stone, Head of Rubrik Zero Labs
The first piece of complacency organizations must guard against is the notion a reduction in ransomware attacks will mean businesses are more secure.
There are a few big-picture things to keep in mind. First, although attacks do appear down, this is solely compared to the previous year, which broke all records.
Second, simply measuring volume misses the rapidly growing complexity of ransomware. From nation-state-supported attacks to Ransomware-as-a-Service profoundly changing the criminal market, a lot is happening aside from just counting the number of ransomware events.
In other words, ransomware attacks are evolving and those behind them are refining their methods. As long as there is money to be made in ransomware, the threat will continue.
For example, last year we saw an undeniable rise in attacks involving data theft combined with encryption events. While this wasn’t fully new to 2022, attackers’ preference for multiple extortion options became clear over the last year. It is likely this trend will continue to accelerate over the coming year, though with a new shakedown method woven in – the threat of data destruction.
Cast your mind back to Australia’s highest-profile attacks last year. There was a clear trend of attackers favoring data exfiltration and extortion over encryption, but the impact on the victims – and their customers – was no less devastating. As such, we expect to see a corresponding decrease in pure encryption-style ransomware events.
Why is this likely to happen? There are three reasons at play.
Firstly, technology and best practices are improving victims’ ability to recover data without paying the ransom for a decryptor. Further, organizations now understand that paying for a decryptor often results in lost data or subsequent ransom demands. This negates any potential payout the attacker might receive.
Secondly, cybercriminals have realized the ‘hack and leak’ ransomware method provides a secondary way to monetize their efforts. This becomes more pronounced as regulations and governance requirements increase.
Thirdly, it is much easier to steal data and threaten to leak or destroy it than it is to create an effective encryption/decryption tool. Simultaneously, data destruction can place extreme stress on the victim, which acts in the cybercriminal’s favor, and that is why we expect to see this become more commonplace in 2023.
So, while the threat being levelled at the victim is evolving, the core premise remains the same – infiltrate an organization, attack their data, hold it to ransom.
Ransomware as we know it might be changing, but the threat isn’t going anywhere. This is why combining infrastructure security measures with data security is critical for cyber-resilience, ensuring your organization can quickly get back up and running.
Joanne Wong, Vice President International Marketing APAC and EMEA at LogRhythm
For the past few years, the top cybersecurity threat faced by organizations around the world has been ransomware.
The potentially crippling attacks involve cybercriminals gaining access to a victim’s IT infrastructure, encrypting data and then demanding payment for the encryption keys. Triple extortion tactics, where data is encrypted for ransom and attackers exfiltrate the data at the same time with the intention of leaking it or selling it on the dark web while launching a DDoS attack, have also gained ground. The result can be widespread disruption, financial losses, and a dire reputational fallout.
The most prevalent method used by cybercriminals to mount these attacks is phishing. Staff within an organization receive emails or text messages from what appear to be legitimate sources.
Yet when they interact with such a message, by clicking on an included link or opening an attachment, they inadvertently allow malicious code to enter their IT environment. The result is a ransomware attack.
Thankfully, a concerted education effort undertaken by many organizations has improved awareness of such threats among staff. The addition of sophisticated monitoring tools that scan networks for unusual traffic has added another layer of defense.
As a result, many organizations have been able to improve their ability to repel ransomware attacks. In some cases, those that fall victim are able to spot the intruder early and before damage and disruption occur.
This is welcome news for IT security teams, senior management and staff.
However, despite this apparent improvement, it is vital that businesses and public-sector organizations are not lulled into a false sense of security. Just because defense measures have managed to catch up with attack techniques, this doesn’t mean the threat of ransomware has disappeared.
Any complacency that occurs now could result in a fresh wave of attacks in the future. Far from sitting on their hands, cybercriminals are actively looking for new ways to circumvent security measures and get their malicious code into new infrastructures.
To counteract this trend, it’s vital organizations stay ahead of the curve when it comes to identifying and preventing attempted ransomware attacks.
The education campaigns that have worked well in the past need to continue. All staff need to be made aware of the evolving techniques being adopted by cybercriminals and shown how they can quickly identify suspicious communications.
The security detection tools in place also need to be regularly reviewed and augmented to ensure they are able to deal with new attack variants as they emerge. Just because they have worked in the past does not mean current tools will be able to deal with future threats.
The battle against ransomware will continue to be fought by IT security teams around the world for years to come. Being fully prepared now is vital.