Introduction

Ransomware has been a threat for more than thirty years, but recently the nature of the battle has changed. Within the last three months, ransomware has evolved more quickly than it’s done over the past half-decade. In today’s world, global businesses must assume that every ransomware attack is also a data breach, a fact that has profound implications for how we should design security architectures and network defenses.

Far too many organizations continue to rely on legacy perimeter-based cybersecurity strategies. In this model, known as the castle-and-moat approach, defenses—which are typically firewall-based—are centered around the network’s perimeter. This leaves resources and applications unprotected when attackers attempt to move laterally across the computing environment—and this sort of lateral movement is the number one contributor to the success of ransomware attacks.

Every successful ransomware attack must include an initial incursion in which attackers establish a foothold within the environment. The next step of a successful attack is facilitating the ability to move laterally within the organization’s network. Without lateral movement, the ransomware wouldn’t be able to infect more than a single machine, and its devastating effects wouldn’t be felt across the entirety of the enterprise. And without lateral movement, the attackers wouldn’t have access to the data repositories from which they’re exfiltrating invaluable information. Simply put, without lateral movement, there would be no ransomware problem.

Instead, as recent high-profile events have demonstrated, the ransomware threat has grown to crisis proportions. In mid-May of 2021, a ransomware attack forced Colonial Pipeline, one of the largest pipeline operators in the U.S., to shut down operations in the aftermath of an IT systems freeze. This measure brought the transport of roughly 45% of the East Coast’s fuel supply to a halt. Less than two months later, the IT solution provider Kaseya, which supplies remote monitoring and management tools to managed service providers (MSPs), reported that a vulnerability in its software had allowed malicious payloads to spread to more than 70 MSPs and their customers. All told, as many as 1,500 end-user organizations were impacted, making it the most widespread ransomware attack to date.

The current wave of ransomware attacks shows significantly more sophistication and innovation than ransomware operators were exhibiting even one year ago. If 2020’s events accelerated the pace of digital transformation by three to four years—as numerous analysts claim—it’s apparent that ransomware’s development has sped up in tandem, with attack tactics evolving more quickly than they had over the entirety of the previous decade.

New strategies that today’s ransomware attackers are employing include double extortion, a method in which data is both encrypted and exfiltrated to increase leverage and ransom demands, staged attacks including a distributed denial-of-service (DDoS) component, and supply-chain attacks that leverage third-party partners and vendors to gain access to victims’ environments.

On the one hand, researchers are observing larger numbers of highly targeted, customized attacks. On the other, they’re seeing greater volumes of “spray and pray” style attacks carried out by less sophisticated adversaries relying on commodity malware, or Ransomware-as-a-Service (RaaS) kits that are now readily available on the Dark Web.

Ransomware’s Evolution

Ransomware is a form of malware that encrypts an organization’s most important files, rendering them unreadable and unusable. Criminals then demand a ransom payment to decrypt the files in amounts that are often scaled proportionally to the number of systems infected and the data’s perceived value.

The present ransomware scourge had humble origins: the first attack was largely experimental in nature, involving an auto-installing trojan circulating on floppy disks and mail-in payments. The basic idea that still underlies today’s ransomware activities had already been conceived of—namely, that victims would be willing to pay to avoid losing access to digital information—but the three critical factors necessary for large-scale ransomware campaigns’ success had not yet come into being.

Before ransomware attack volumes could reach the epidemic proportions we’re currently seeing, there needed to be:

  • a means of disseminating malware widely, across organizations’ internal networks as well as to multiple victims
  • strong file-level encryption
  • a solid strategy for collecting anonymous payments

With the Bitcoin boom of the 2010s, the stage was set for ransomware operators to dramatically scale their operations. Transactions became much more difficult to trace, making it easier to target businesses and public sector organizations instead of individual consumers, ask for larger ransoms, and collect payments across international borders.

At the same time, ransomware operators greatly improved their capabilities to orchestrate lateral movement across their victims’ IT environments. This means they became better at encrypting not just the contents of a single user’s device, but all the computers, servers, and backup file systems that housed an organization’s information assets.

To read the full whitepaper, download:

Using Zero Trust to Defend Against Every Stage of a Ransomware Attack
