Few words silence a room of cybersecurity professionals (or anyone in IT, for that matter) the way APT, Zero-Day and ransomware do. The three form a nightmare knockout combo: they name, respectively, the most capable class of attacker, the most severe class of exploit, and the most damaging class of malware. Together they can topple any business, small or large, and they continue to breach government networks to this day. The United States Cybersecurity & Infrastructure Security Agency puts it this way: “Ransomware is an ever-evolving form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption”. CISA goes on to note that “In recent years, ransomware incidents have become increasingly prevalent among the Nation’s state, local, tribal, and territorial (SLTT) government entities and critical infrastructure organizations.” Cybersecurity Ventures forecast that global ransomware damage would reach, and most likely surpass, $20 billion in 2021. That figure has multiplied roughly sixty-fold since 2015, when it stood at about $325 million, making ransomware one of the fastest-growing cyber threats in the world.
The United Kingdom’s National Cyber Security Centre defines it like so: “Ransomware is a type of malware that prevents you from accessing your computer (or the data that is stored on it). The computer itself may become locked, or the data on it might be stolen, deleted, or encrypted. Some ransomware will also try to spread to other machines on the network, such as the Wannacry malware that impacted the NHS in May 2017”. The name is simply ‘ransom’ plus ‘ware’, short for software. Ransomware has become serious enough that business-risk surveys now rank it alongside, and sometimes above, natural disasters. It is one of the most ruthless forms of cyber attack, responsible for billions of dollars of direct damage and for collateral damage in almost every sector imaginable, government and intelligence agencies not excepted. Ransomware destroys data, takes websites offline and, perhaps worst of all, causes prolonged server downtime; social engineering, phishing above all, is the most common initial infection vector. Cybercriminals have launched ransomware attacks on critical sectors such as healthcare and finance, causing lost files, severe financial damage and, when hospitals cannot treat patients, real harm to human health.
Let’s look at two high-profile incidents that are still relatively recent. The first is WannaCry, mentioned above; the second is the SolarWinds compromise, which came to light only last year. Strictly speaking, SolarWinds was a supply-chain intrusion rather than a ransomware attack, but it shows the APT ingredient that the most damaging campaigns share and is worth understanding for that reason.
WannaCry is crypto-ransomware that targets systems running Microsoft Windows; the US and UK governments later attributed it to North Korea. The massive outbreak began in May 2017 and exploited EternalBlue, an SMBv1 exploit developed by the NSA and leaked by the Shadow Brokers group a month earlier. Because EternalBlue attacks a network service, WannaCry spread worm-like between vulnerable hosts with no user interaction at all. Microsoft had shipped a fix (MS17-010) in March 2017, so the machines that fell were the ones that had not applied it. Within days the worm had infected hundreds of thousands of systems in more than 150 countries, including China and Russia. The British National Health Service (NHS) was among the worst hit: infected trusts had to cancel patient operations and appointments. Banks in Russia, health ministries, mobile operators and transport firms were also hit, as were transport firms in Spain and Germany and natural-gas companies that had to switch systems off immediately. The malware demanded an ‘unlock’ fee of between $300 and $600 in bitcoin for the encrypted data, and its wallets collected well over one hundred thousand British pounds’ worth. A security researcher slowed the outbreak by registering a ‘kill switch’ domain the malware checked before encrypting, but that did nothing for hosts already hit, and the lesson that stuck is the patching one.
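As an added practitioner check, not part of the original article: the following PowerShell, run from an elevated session on Windows 8 / Server 2012 or newer, reports whether the SMBv1 server that EternalBlue targets is still enabled on a host and switches it off. It assumes the optional-feature name `SMB1Protocol` used by Windows 10 and Server 2016 and later; on other versions that second step is simply skipped.

```powershell
# Added example (not code from the original article): detect and disable the
# SMBv1 server that EternalBlue/WannaCry exploit. Run as Administrator.

# Step 1: the live SMB server configuration (Windows 8 / Server 2012 and later).
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    Write-Warning "SMBv1 server is ENABLED on $env:COMPUTERNAME"
    # Turn it off; takes effect after a reboot.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Write-Output "SMBv1 server disabled; reboot to complete."
} else {
    Write-Output "SMBv1 server is already disabled on $env:COMPUTERNAME"
}

# Step 2: remove the SMB1 optional feature so it cannot be re-enabled by accident.
# Assumption: the feature is named SMB1Protocol (Windows 10 / Server 2016+).
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature -and $feature.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
    Write-Output "SMB1Protocol feature removed; reboot to complete."
} elseif ($feature) {
    Write-Output "SMB1Protocol feature state: $($feature.State)"
} else {
    Write-Output "SMB1Protocol optional feature not present on this Windows version."
}
```

Disabling SMBv1 removes the protocol EternalBlue needs, but it is not a substitute for installing MS17-010 and later cumulative updates; run both, and block TCP port 445 at the network edge while you are at it.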
The SolarWinds breach, discovered in December 2020, is one of the most consequential cyber incidents in history. US cybersecurity and intelligence agencies attributed it to Russia’s foreign intelligence service, the APT (Advanced Persistent Threat) known as ‘Cozy Bear’ or APT29. Two common misconceptions need correcting: the attackers did not use ransomware, and Orion is not a network security firm but SolarWinds’ network-monitoring product. The intruders compromised SolarWinds’ own software build process and planted a backdoor (publicly named SUNBURST) inside signed Orion updates, which customers installed through the normal update channel. No zero-day was needed for that initial access; the ‘exploit’ was the trust every customer placed in a signed vendor update. Roughly 18,000 organizations downloaded the trojanized update, reportedly including NATO and the European Parliament; from those, the attackers selected around 100 targets, among them major US companies and several branches of the US government, for hands-on follow-up intrusions that moved laterally into networks, email and sensitive files. The operation was almost certainly espionage-motivated. Its remnants are still being rooted out of affected systems, and it was a major factor in the US government’s decision to overhaul its cybersecurity posture, including new software supply-chain requirements for federal suppliers.
We have seen that ransomware can have debilitating consequences on a global scale. Social engineering methods such as phishing and spear-phishing are usually the head of the operation, with the ransomware payload at the tail end, though WannaCry showed that an unpatched network service can do the job with no human in the loop at all. Everyone needs to understand how to prepare for ransomware, especially when the damage runs to tens of billions of dollars a year. The biggest problem is that there is no magic pill: nothing guarantees that a server will be safe from it. There are, however, practices, strategies and proactive measures that ordinary users, as well as organizations and their employees, can adopt that will greatly help fend off intrusions.
The following list is compiled from ransomware-defense guidance published by leading cybersecurity organizations and IT specialists around the world: