More than half of organizations that experience ransomware attacks agree to pay the ransom. Many of those pay it again.
Can a legislative ban on ransom payments help in the fight against ransomware? How do the activities of law enforcement agencies in different countries affect the activities of ransomware groups? In this article, we will look into why the ransomware epidemic will not stop and what to do to protect your business.
Encryptors vs. IS regulators
A number of countries have a legal ban on paying ransoms to ransomware groups. At first glance, this idea sounds logical, as it would deprive cybercriminals of financial motivation.
Anna Trokhaleva.
Head of Information Security Incident Analysis, UCSB
There are several reasons why you should not pay extortionists. Firstly, this supports the development of malware. Secondly, it does not guarantee that the data will be decrypted after the ransom is paid. Thirdly, the funds received from the ransom can be used to sponsor new illegal activities, which under certain circumstances can be considered as terrorist financing.
Introducing legislative prohibitions on paying the ransom and liability for this can significantly reduce the number of requests after detecting information security incidents, since a company that has paid the ransom will not be able to contact law enforcement agencies to investigate, identify and punish the criminals.
Before deciding to pay the ransom, you should contact law enforcement agencies and experts in the investigation of information security incidents to take measures to respond, investigate and prevent similar incidents in the future.
However, in practice, this measure may prove ineffective. Much depends on the specific amounts and forms of liability. Scenarios are likely where companies will face repeated extortion - similar to cases of personal data leaks.
Vadim Matvienko.
Head of the Cybersecurity Research Lab, Gazinformservice Cybersecurity Analytical Center
Everything will depend on the form in which the law is adopted, what it will contain and how it will be implemented. Let's say an administrative fine is introduced for organizations.
Organizations will proceed from financial considerations: it will be more profitable for them to pay the ransom and the fine than to face downtime and losses. Or they will understand that the fine can lead them to bankruptcy, and then they will invest in security and backup to effectively counter ransomware.
In the second case, the number of payments will decrease, and financially motivated attackers will look for other ways to make money.
In addition, even if the payment is refused, the company may lose valuable data, the recovery of which is expensive and not always possible. And, of course, the fine for paying the ransom does not eliminate the causes of the attacks and does not make the company more protected from encryptors.
Alexey Grishin.
Head of Penetration Testing at Infosecurity (Softline Group)
A ban on ransom payments to ransomware could theoretically reduce the number of attacks by reducing the motivation of criminals. However, in practice, this could have negative consequences: companies could break the law or hide attacks to avoid fines. In addition, the ban does not solve the problem of infrastructure vulnerabilities, which leaves organizations at risk. For this ban to be effective, it must be accompanied by measures to strengthen cybersecurity, international cooperation, and support for affected companies.
A complete ban is unlikely to reduce the frequency of ransomware attacks, but it will probably force businesses to look for workarounds to pay the cybercriminal's ransom. That is why the law on the ban has not yet been adopted and is still in the development stage - it is necessary to carefully weigh all the pros and cons and find the optimal solution to the problem.
Encryptors vs. Security Forces
Cybercriminals who use ransomware are becoming increasingly brazen and aggressive. But law enforcement agencies are not sitting idle either. There are several examples of successful operations by law enforcement agencies in different countries against ransomware operators:
- In 2022, the FBI arrested two members of the REvil group, which is believed to be responsible for attacks on JBS and other major organizations.
- In 2021, British police arrested 10 people suspected of involvement in the LockerGoga ransomware that attacked hospitals and schools.
- In 2020, Israeli police arrested members of the Netwalker group, which attacked more than 700 organizations around the world.
These operations are an undeniable success in the fight against cybercrime. But should we relax? Successful operations against individual ransomware groups are more like victories in a battle than in a war.
Cybercriminals are constantly evolving, inventing new methods of attack and changing their methods of operation. They use anonymous networks and cryptocurrencies, which makes it difficult to track them. In addition, cybercriminals operate from different countries, which complicates international cooperation and operations. Therefore, relying only on security forces is not worth it.
Ransomware vs. Information Security Companies
Ransomware is one of the most serious cyber threats of our time. The number of ransomware attacks increased by 75% in 2023. Ransomware not only steals valuable data, but also paralyzes the work of entire organizations. But the information security industry does not stand still either.
Kai Mikhailov.
Head of Information Security at iTPROTECT.
The industry has a noticeable problem of incorrectly assessing the risk of a cyberattack. There is a widespread view that the potential damage from a cyberattack is lower than the cost of continuous security maintenance. The funds definitely need to be spent, even if a cyberattack does not occur, and protection does not guarantee the absence of damage. This situation is especially evident in the field of personal data protection; a leak of information about tens of thousands of individuals can cost an enterprise a fine of several thousand rubles. A legislative ban may motivate government organizations to reallocate the budget for purchases in the field of information security, but will not guarantee subsequent investments. The ransom to the attackers is usually transferred in cryptocurrency and can be paid anonymously, so the attacks will not be able to track the payments, although the ban will complicate this practice.
Intensive work is underway around the world to create new solutions to protect against ransomware.
- A comprehensive approach to protection against ransomware. This approach includes not only preventing attacks, but also restoring data without paying a ransom.
- Artificial intelligence on guard. AI is playing an increasingly important role in the fight against ransomware. It helps analyze large amounts of data, identify suspicious activity, and warn of potential threats.
- Joining forces. Information security companies around the world work closely with each other and with law enforcement agencies to share information about new threats and attack methods. This knowledge sharing helps develop new solutions and respond more quickly to ransomware attacks.
- Education and training. Security companies are actively providing cybersecurity education and training to companies to help them strengthen their defenses against ransomware.
- Development of security platforms. Security platforms that combine different tools and technologies into a single system are becoming more widespread. This allows companies to manage cybersecurity more effectively and respond quickly to ransomware attacks.
Fighting ransomware is not an easy task. But the information security industry is constantly evolving and looking for new solutions to protect businesses from this serious threat.
How to protect yourself from ransomware
Forewarned is forearmed - companies cannot relax for a minute. And even paying a ransom to cybercriminals does not guarantee that the same group will not attack the company again in a week or a month.
Dmitry Zubarev.
Deputy Director of the Analytical Center of the UCSB
To prevent history from repeating itself, the best option is to conduct a full investigation of the incident. The investigation will determine how the attacker got into the infrastructure, show how access to the attacked systems was obtained, and identify the shortcomings that the attacker took advantage of. Often, there is no need to even wait for the final investigation report: many problems are discovered in the first days and even hours of the investigation. Specialists report important findings promptly, so they are quickly put to work: network access is restricted, accounts are blocked, backdoors are removed.
In addition to conducting an investigation, there are general recommendations: ensure as much antivirus coverage of the infrastructure as possible and conduct scans, as well as change the passwords of all infrastructure users - and for accounts such as krbtgt, the password reset must be performed twice.
And in the future, of course, it is advisable to conduct penetration testing - this is the most effective way to identify weak points in the infrastructure and get recommendations for troubleshooting.
Ransomware is a serious threat to any business. Data loss can lead to financial losses, reputational damage, and business downtime. Therefore, it is important to take a comprehensive approach to protecting against ransomware.
Taras Dira.
Director of the STEP LOGIC Information Security Services Center.
If your infrastructure has been compromised, the attackers most likely have access to your network. It is necessary to thoroughly analyze this incident, namely:
- Determine the attack vector, infected hosts, what vulnerabilities were exploited.
- Determine what data was stolen.
- Determine what tools were used by the attackers, including potentially installed malware.
Next, you need to develop measures to ensure that the effects of this attack are eliminated, malware and possible backdoors are neutralized, vulnerabilities are patched, etc. This will ensure that, at a minimum, attackers cannot use the same path to gain illegitimate access to your network. This task may include the following steps:
- Evaluate the security policy taking into account new input and the past attack.
- Implement new measures, tools, and information security mechanisms. Perhaps consider implementing such classes of solutions as NGFW, EDR, NTA.
- Raise the level of qualification and awareness of the organization's employees. Practice the principles of digital hygiene within the company.
- Conduct a pentest to identify weaknesses.
- Implement and improve security analysis and vulnerability management processes.
- Store copies of backups in an isolated segment.
- Consider using a cyber incident monitoring and response service.
- Improve the protection system against phishing attacks.
A well-built information security system is the only way to ensure protection from cyber attacks. If you don’t know where to start, contact professionals, as this will ultimately save your money, nerves and reputation.
It is important to understand that cybersecurity is not a one-time event. It is necessary to regularly update your defense strategy and adapt to new threats. In this fight, a combination of technical solutions and the human factor is important. Employees must be aware of the threat and know how to protect themselves from cybercriminals. In this endless race, it is necessary to remain vigilant and be ready for any challenge.