The ransomware headlines in 2022 revolve around the surge in ransomware attacks. Of course, those were the headlines in 2021, 2020, 2019, and so on. Don’t misunderstand—those headlines were not wrong, as ransomware attacks have continued to rise for several years and show no sign of slowing down.
In fact, we seem to be entering a phase of not just rising ransomware attacks, but a branching out of ransomware groups. Right now, there are more than 50 active ransomware strains, which means there are a lot of cybercriminals who think that ransomware is going to continue to be profitable and are carrying out attacks. Despite the fact that law enforcement actions against ransomware groups are more frequent than ever, ransomware attacks are not going anywhere.
Unfortunately, a lot of myths around ransomware attacks have popped up over the last few years, which makes it harder for organizations to defend themselves. Sorting out the realities of ransomware attacks versus the myths is important for better focusing limited resources. Here are some of the biggest myths to be wary of.
This is a big one. A lot of organizations think that ransomware groups won’t target them, which is a misunderstanding of how we use the word “target” when it comes to ransomware attacks.
With a few exceptions, ransomware groups don’t target specific industries. Instead, they target certain vulnerabilities, whether that is leaked credentials, a willingness to click on phishing emails, having unpatched vulnerable systems exposed to the Internet, or having the bad luck to use a Managed Service Provider (MSP) that the ransomware group was able to compromise.
In the past year, we’ve seen a rise in ransomware attacks against car dealerships and real estate offices. Not because those businesses are of particular interest to ransomware groups, but because their vulnerability profile matches up well against the attack profile of these ransomware groups. Even organizations with as little operating budget as a food bank can be hit with a ransomware attack.
Unfortunately, every business, no matter how big or small, is potentially subject to a ransomware attack and needs to take steps to protect itself.
This advice was more effective in earlier times. The thought was that if you had a good backup, you could just restore the encrypted files and ignore the ransom demands. This advice made sense when ransomware was primarily focused on a single machine, and ransomware operations were simpler.
That is no longer the case. Complex ransomware operations combined with the expanded extortion ecosystem means that backups alone are not a defense against ransomware. That doesn’t mean backups aren’t important. They very much are, and organizations should be focused on following best practices for backups, but good backups aren’t going to protect you from a ransomware attack.
Modern ransomware attacks specifically look for and attempt to encrypt any backups that are connected to the network. Ransomware groups know that organizations have invested heavily in backups over the last few years, and they want to make sure those backups are not operational. That is why it isn’t enough to have backups—your organization also has to have backups not connected to the network, whether a tape backup or some other disconnected media.
In addition to ransomware groups going after backups, there is also the problem of the expanded extortion ecosystem. Ransomware attacks aren’t just about encrypting files at this point—data theft and harassment of victims are now part of their concept of operations. In fact, some so-called ransomware groups, such as Everest and Lapsus$, don’t use encryptors most of the time—instead, they simply steal files and extort victims.
So, having good backups, while important (and please, please, please test those backups regularly), will not protect you from a modern ransomware attack.
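The two backup practices above (keep a copy the network can't reach, and test restores regularly) are easy to state and easy to let slide. The following is an added example, not code from the original post: a small Python check that builds a hash manifest from the source tree, verifies a backup copy against it, and performs a trial restore into a scratch directory. The directory layout, manifest format and the constructed demo data are assumptions for illustration.

```python
"""
Backup integrity and restore check (added example, not from the original post).
Builds a sha256 manifest of a source tree, verifies a backup copy against it,
and does a trial restore. Paths, manifest format and demo data are assumptions.
"""
import hashlib
import json
import os
import shutil
import tempfile


def sha256_file(path):
    """Stream a file through sha256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(src_dir):
    """Record relative path -> sha256 for every file under src_dir."""
    manifest = {}
    for root, _, files in os.walk(src_dir):
        for name in files:
            full = os.path.join(root, name)
            manifest[os.path.relpath(full, src_dir)] = sha256_file(full)
    return manifest


def verify_backup(backup_dir, manifest):
    """Return a list of problems: files missing from the copy or hashing differently."""
    problems = []
    for rel, expected in manifest.items():
        path = os.path.join(backup_dir, rel)
        if not os.path.isfile(path):
            problems.append(f"missing: {rel}")
        elif sha256_file(path) != expected:
            problems.append(f"hash mismatch: {rel}")
    return problems


def trial_restore(backup_dir, manifest):
    """Restore into a scratch directory and re-verify; True only if every byte matches."""
    scratch = tempfile.mkdtemp(prefix="restore-test-")
    try:
        for rel in manifest:
            dst = os.path.join(scratch, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copy2(os.path.join(backup_dir, rel), dst)
        return verify_backup(scratch, manifest) == []
    finally:
        shutil.rmtree(scratch, ignore_errors=True)


def demo():
    """Constructed scenario: a source tree, an intact backup, and a backup in which
    one file has been overwritten with junk, as an encryptor reaching a
    network-attached backup share would do."""
    work = tempfile.mkdtemp(prefix="backup-demo-")
    src = os.path.join(work, "src")
    os.makedirs(os.path.join(src, "docs"))
    with open(os.path.join(src, "docs", "plan.txt"), "w") as f:
        f.write("quarterly plan\n")
    with open(os.path.join(src, "ledger.csv"), "w") as f:
        f.write("id,amount\n1,100\n")
    manifest = build_manifest(src)

    good = os.path.join(work, "good")
    shutil.copytree(src, good)
    bad = os.path.join(work, "bad")
    shutil.copytree(src, bad)
    with open(os.path.join(bad, "ledger.csv"), "wb") as f:
        f.write(b"\x00not the original bytes\x00")  # constructed corruption

    result = {
        "good_problems": verify_backup(good, manifest),
        "bad_problems": verify_backup(bad, manifest),
        "good_restore_ok": trial_restore(good, manifest),
    }
    shutil.rmtree(work, ignore_errors=True)
    return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest is only useful if it lives with the disconnected copy (tape, removable media, an immutable bucket), not on the same share the backup is written to; an intruder with write access to the share can otherwise regenerate it to match the damaged files. Run the trial restore on a schedule rather than once at deployment, since a backup that was good last quarter says nothing about the one you will need tomorrow.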
Phishing is a common way for ransomware groups, and other threat actors, to gain initial access, so having a strong phishing training program coupled with solid email security controls is a good way to prevent not just ransomware, but other attacks as well. That being said, many researchers no longer rank phishing as the most common initial access vector.
Many researchers conclude that credential stuffing/reuse attacks have overtaken phishing as the main form of initial access by ransomware groups. But it’s not just phishing and credential reuse attacks—ransomware groups are also relying on exploitation of common vulnerabilities and, increasingly, the use of third parties to gain access.
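Credential stuffing leaves a recognizable trace in authentication logs: one source address failing against many different accounts in a short span, followed sometimes by a success. The following is an added example, not code from the original post, showing detection logic for that pattern over a handful of constructed sshd-style log lines. The log format, the five-minute window and the five-account threshold are assumptions; tune them to the service you are watching (VPN and RDP gateways log differently but the pattern is the same).

```python
"""
Credential-stuffing detector (added example, not from the original post).
Flags a source IP that fails logins against many distinct usernames inside a
short window, which is what replaying a list of leaked credentials looks like.
Log format, window and threshold are assumptions; the log lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an sshd-like format (not from any real system).
SAMPLE_LOG = """\
2022-05-03T09:00:01Z sshd[2201]: Failed password for alice from 203.0.113.10 port 51000
2022-05-03T09:00:02Z sshd[2202]: Failed password for bob from 203.0.113.10 port 51001
2022-05-03T09:00:03Z sshd[2203]: Failed password for carol from 203.0.113.10 port 51002
2022-05-03T09:00:04Z sshd[2204]: Failed password for dave from 203.0.113.10 port 51003
2022-05-03T09:00:05Z sshd[2205]: Accepted password for erin from 203.0.113.10 port 51004
2022-05-03T09:00:06Z sshd[2206]: Failed password for frank from 203.0.113.10 port 51005
2022-05-03T09:01:00Z sshd[2207]: Failed password for alice from 198.51.100.7 port 40000
2022-05-03T09:01:30Z sshd[2208]: Failed password for alice from 198.51.100.7 port 40001
2022-05-03T09:02:00Z sshd[2209]: Accepted password for alice from 198.51.100.7 port 40002
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) password for "
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+$"
)


def parse(log_text):
    """Turn matching lines into (timestamp, result, user, ip) tuples; skip the rest."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_users=5):
    """Return {ip: sorted distinct usernames} for source IPs whose failed logins
    touch at least min_users different accounts within `window`."""
    by_ip = defaultdict(list)
    for ts, result, user, ip in events:
        if result == "Failed":
            by_ip[ip].append((ts, user))

    alerts = {}
    for ip, fails in by_ip.items():
        fails.sort()
        start = 0
        # Sliding window over this IP's failures, ordered by time
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            users = {u for _, u in fails[start:end + 1]}
            if len(users) >= min_users:
                alerts[ip] = sorted(users)
                break
    return alerts


def successes_from_flagged(events, alerts):
    """Accounts that logged in successfully from a flagged IP: these are the
    credentials that were in the leaked list and still worked, so they are the
    first to reset and the first sessions to review."""
    hits = {user for _, result, user, ip in events
            if result == "Accepted" and ip in alerts}
    return sorted(hits)


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    found = detect_stuffing(evs)
    print("flagged sources:", found)
    print("working credentials from flagged sources:", successes_from_flagged(evs, found))
```

In the constructed sample, 203.0.113.10 is flagged (five accounts in six seconds) while 198.51.100.7 is not: one user failing twice and then succeeding is an ordinary typo. The second function is the part worth automating, because a stuffed credential that worked is an intruder who is already in, and the password reset plus session review is what stops the ransomware stage that follows.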
This means that organizations not only need a strong phishing/email security program, they also have to:
There is a common misconception that, unlike nation-state threat actors, cybercriminals are “lone wolves” operating by themselves. In the case of ransomware, nothing could be further from the truth. Ransomware groups tend to be large, loosely affiliated organizations with each member having a different role. Last month I discussed how the Conti ransomware group spends more than $6 million a year in payroll and employs between 60 and 90 people at any given time.
Ransomware groups are complex organizations, which is why they’re able to carry out so many attacks successfully. By dividing roles and responsibilities into gaining initial access, deploying the ransomware, negotiation, and other jobs, ransomware groups are able to gain an “economy of scale” that allows them to carry out dozens of attacks at a time and hundreds of attacks per year.
Why is this important? It demonstrates why ransomware is such a difficult problem to solve at the national/international level, and almost impossible for individual organizations to defend against. It’s not impossible to stop ransomware, but it is extremely challenging, as we’ve seen from the fact that ransomware attacks are continuing to rise.
While endpoint detection and response (EDR) is crucial, this really applies to any single security tool that your organization may be relying on for protection. EDR tools are in general really good, and when configured correctly can help detect and stop ransomware.
“Configured correctly” is the key here—an EDR may offer great detection against ransomware when first deployed, but your network and the ransomware actors are both dynamic. If you aren’t updating your EDR on a regular basis, it will quickly become outdated.
This doesn’t just apply to EDR, but also goes for asset management tools, email security, vulnerability management, or anything else you’re using to protect your network from ransomware. Security changes all the time, and your tools need to adapt to account for those changes. This is why many organizations turn to an MSP or Managed Security Services Provider (MSSP) to keep their security tools updated.
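One concrete way to keep “configured correctly” from drifting is to join the asset inventory against what the EDR console actually reports, so that hosts with no agent, agents that have stopped checking in, stale detection content and out-of-date agent versions surface as a list rather than as a surprise during an incident. The following is an added example, not code from the original post or any vendor: the record formats, the thresholds and the constructed inventory and agent data are all assumptions.

```python
"""
EDR coverage and freshness check (added example, not from the original post).
Joins an asset inventory against EDR agent check-ins and flags gaps. All data
here is constructed; the record formats and thresholds are assumptions.
"""
from datetime import datetime, timedelta

NOW = datetime(2022, 5, 3, 12, 0, 0)          # fixed "now" so the demo is repeatable
CURRENT_AGENT_VERSION = (6, 42, 0)            # hypothetical latest agent release

# Constructed asset inventory, e.g. an export from the asset management tool.
ASSETS = ["fs01", "ws-101", "ws-102", "db01", "jump01"]

# Constructed EDR console export:
# host -> (agent version, last check-in, last detection-content update)
EDR_AGENTS = {
    "fs01":      ("6.42.0", NOW - timedelta(minutes=5),  NOW - timedelta(days=1)),
    "ws-101":    ("6.38.1", NOW - timedelta(days=12),    NOW - timedelta(days=40)),
    "db01":      ("6.42.0", NOW - timedelta(minutes=30), NOW - timedelta(days=2)),
    "decom-old": ("5.9.0",  NOW - timedelta(days=200),   NOW - timedelta(days=200)),
}


def parse_version(s):
    """'6.38.1' -> (6, 38, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in s.split("."))


def coverage_report(assets, agents, now=NOW,
                    max_checkin=timedelta(days=7),
                    max_content_age=timedelta(days=14),
                    current=CURRENT_AGENT_VERSION):
    """Return a dict of host lists, one per problem class."""
    report = {
        "no_agent": [],        # in inventory, unknown to the EDR console
        "stale_checkin": [],   # agent present but silent for too long
        "stale_content": [],   # agent alive but its detection content is old
        "old_version": [],     # agent below the current release
        "unknown_host": [],    # known to the EDR but missing from inventory
    }
    for host in assets:
        if host not in agents:
            report["no_agent"].append(host)
            continue
        version, last_seen, last_update = agents[host]
        if now - last_seen > max_checkin:
            report["stale_checkin"].append(host)
        if now - last_update > max_content_age:
            report["stale_content"].append(host)
        if parse_version(version) < current:
            report["old_version"].append(host)
    for host in agents:
        if host not in assets:
            report["unknown_host"].append(host)
    return report


if __name__ == "__main__":
    for problem, hosts in coverage_report(ASSETS, EDR_AGENTS).items():
        print(f"{problem}: {hosts}")
```

The two directions of the join are both informative: inventory hosts without an agent are the blind spots an intruder will land on, and agent records with no inventory entry are either a stale asset list or a machine nobody owns. Whether this check is run in-house or by an MSP/MSSP, the point is that it runs every week, because the list is only accurate on the day it was produced.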
Ransomware protection is not a one-time investment—it requires continuous investment and updating to stay current against the latest threats.
These are some of the most common ransomware myths that I’ve come across. I’d love to get your feedback on others!