Why is Ransomware still a problem?

Apr 28, 2021

Ransomware has been with us now for over 30 years. Let that sink in. Ransomware was around before the modern internet as we know it, and the first example was distributed on floppy disks in 1989. While the floppy disk has been thrown into the recycle bin of history, ransomware is still with us and still poses a serious threat to businesses, governments and individuals across much of the world. What’s worse is that modern ransomware attacks have evolved from simply encrypting files and demanding payment for a decryption key to complex attacks that add data extraction and extortion to the attacker’s playbook.


It Used to be Easier

From the attacker’s perspective, ransomware is popular because it is comparatively easy to go from initial infection to a cash pay-out. With stolen credit card information, for example, the attacker needs a way to get the pay-out from the card. Whether that’s by selling the cards to someone else on the dark web or using the card themselves to make purchases or get cash advances, there are extra steps involved that make the attack less attractive and less lucrative. Likewise, while stolen personal information can enable a range of attacks and can be a valuable commodity on underground markets, there are additional steps between compromise and pay-out.


By using the initial attack to plant their malware and hold the victim’s encrypted files for ransom, the attacker eliminates a layer of complexity and the profit taken by middlemen – unless the attacker is using some kind of Crime as a Service, the ransom pay-out goes directly to them. No extra steps, and no paper trail as could happen with stolen credit cards. But the model wasn’t perfect.


We Learned to Defend

While ransomware originally just entailed encrypting the victim’s files and demanding payment for the decryption key, attackers still found there were weaknesses in that business model. In some cases the weakness was a flaw in the malware itself: weak encryption, or a sloppy implementation of the algorithm, made it reasonably easy to generate keys and break the encryption. There were publicly available tools that could recover files encrypted by several different malware strains, which limited their effectiveness – to the great relief of their victims.


Disaster Recovery and Business Continuity plans also evolved to compensate for malware attacks, including, specifically, ransomware. There is an entire industry built upon providing rapid backup and restoration capabilities in the case of file loss. The current generation of cloud backups is dramatically faster and more efficient than the tape backups of old, and made recovery from ransomware a fairly simple and relatively painless process.


Backups let businesses respond to a ransomware attack with “sorry, but no,” while they simply restored the damaged files from a secure backup. This backup and restore capability was already baked into many disaster recovery plans, and this alone should have been enough to turn ransomware attacks from a massive and expensive outage to barely an inconvenience.


They Didn’t Go Away

As more and more businesses embraced operational plans that account for those attacks, we would have expected to see ransomware attacks fade. That’s not even taking into account cyber security technologies that could prevent, or at least slow, these attacks before they damaged more than a handful of files. But that is not what happened.


Faced with improved defences, cyber criminals evolved their attacks. Now, before their malware starts to encrypt files and throw up the disconcerting “your files have been encrypted!” banner, they copy large volumes of their victim’s data outside the business and threaten to expose it if the victim doesn’t pay the ransom.


Now, even if the target can rely on a robust backup plan to rapidly recover from a ransomware attack, they are still subject to blackmail lest their company secrets be revealed.


Evolve and Adapt

It’s this evolution to hybrid attacks, which hold data for ransom both through encryption and through the threat of revelation, that has kept ransomware a near top-of-mind threat in the cyber security space. Our existing ability to rapidly recover destroyed files doesn’t prevent the damage that comes from having those files released to the public. This change in attacker strategy forces us to shift our defence plan from one of recovering rapidly after the attack to one that must resist the attack in the first place.


Assume They Are Already In

In truth, resisting attacks in the first place is where cyber security should start. It is always better to keep the bad guys out so they’re not in the environment doing damage in the first place. Unfortunately, the reality is we know the bad guys will find their way in. Yes, improved perimeter defences can go a long way to keeping them out, as can risk-based user authentication systems and multi-factor authentication solutions. But we must operate from an “Assume Breached” perspective. After all, the best perimeter defences in the world are of little use when an attacker bribes an insider to plant malware or otherwise compromise the business.


The “assume breach” posture means we need to have internal defences that can identify an attack before it does serious damage. Whether that’s through micro-segmentation that helps thwart lateral movement, endpoint defences that contain malware infections, deception systems that lead attackers into revealing themselves, or security analytics that can identify an attack by the attacker’s behaviours and tie them together through context, businesses need a comprehensive security stack that can thwart even a sophisticated attacker.
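As an added illustration of the behaviour-based analytics described above (this is example code, not the author’s or any vendor’s product), the following correlates the hybrid pattern from this post: a large outbound transfer from a host followed shortly by a burst of file renames that change extensions. The telemetry, thresholds and host names are constructed assumptions; a real deployment would tune them to its own environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not captured from any real incident):
# (timestamp, host, event type, detail). Egress detail is bytes sent to an
# external address; rename detail is "old path -> new path".
EVENTS = [
    ("2021-04-27T01:02:00", "fs01", "egress", 4_800_000_000),
    ("2021-04-27T02:15:00", "ws07", "egress", 2_000_000),
    ("2021-04-27T02:20:00", "ws07", "rename", "notes.txt -> notes.bak"),
] + [
    ("2021-04-27T01:%02d:%02d" % (40 + i // 60, i % 60), "fs01", "rename",
     "doc%d.docx -> doc%d.docx.locked" % (i, i)) for i in range(80)
]


def _ext(path):
    return path.rsplit(".", 1)[-1] if "." in path else ""


def _extension_changed(detail):
    old, new = detail.split(" -> ")
    return _ext(old) != _ext(new)


def find_hybrid_pattern(events, window=timedelta(hours=2),
                        egress_bytes=1_000_000_000, rename_burst=50):
    """Per host, flag a large egress followed within `window` by at least
    `rename_burst` extension-changing renames (the exfiltrate-then-encrypt
    sequence). Thresholds are assumed placeholders, not tuned values."""
    by_host = defaultdict(list)
    for ts, host, kind, detail in events:
        by_host[host].append((datetime.fromisoformat(ts), kind, detail))
    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e[0])
        for t0 in (t for t, k, d in evs if k == "egress" and d >= egress_bytes):
            renames = [d for t, k, d in evs
                       if k == "rename" and t0 <= t <= t0 + window
                       and _extension_changed(d)]
            if len(renames) >= rename_burst:
                alerts.append({"host": host, "egress_at": t0.isoformat(),
                               "renames": len(renames), "sample": renames[0]})
    return alerts


if __name__ == "__main__":
    for alert in find_hybrid_pattern(EVENTS):
        print("possible exfil-then-encrypt on", alert)
```

Neither signal alone is conclusive (large transfers and bulk renames both happen legitimately); it is the ordering and the shared host context that make the pair worth investigating.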


Back to The Question

To answer the ultimate question of why ransomware is still a problem, it’s because cyber criminals have evolved their business model to go beyond simple ransomware. We evolved our defences to thwart their attacks and they have evolved their attacks to get around our defences in an unending cycle.


However, with a combination of solid disaster recovery and business continuity plans, and a comprehensive security stack that’s built around defence in depth and the assumption that attackers can find a way in, businesses can blunt the impact of ransomware attacks – if not eliminate the threat entirely.


Do you want to defend your business from ransomware attacks? Check out our Protection Plans or get in touch with us today to find out more.
