Ransomware is everywhere and it is not slowing down. Some major ransomware attacks have dominated the headlines recently. Back in the beginning of May, for instance, the Colonial Pipeline Company suspended its daily transportation of 100 million gallons of fuel between Houston, Texas and New York Harbor following an infection at the hands of the DarkSide ransomware gang. The ensuing disruption caused fuel shortages as well as panic buying of gas along the East Coast. Two months later, Kaseya announced a serious supply chain security incident involving one of its solutions. The IT software management company warned customers to disconnect their product servers and to avoid clicking on links that attackers might have weaponized with ransomware. Most recently, cybercriminals targeted Howard University over Labor Day weekend.
Huntress examined those ransomware artifacts and determined that the REvil ransomware group was behind the supply chain attack. At first, the attackers focused on double extortion of the victims in the incident individually. That changed when the group demanded $50 million for a universal decryptor, a utility which Kaseya ultimately acquired from a “trusted third party.”
These attacks have helped to elevate the seriousness of the ransomware threat in the eyes of the U.S. government. Indeed, the U.S. Department of Homeland Security (DHS) launched StopRansomware.gov, a website with ransomware resources for individuals, businesses, and organizations. It also called ransomware “a long-standing problem and a growing national security threat.”
The Ransomware Onslaught: What MSSPs Need to Know
MSSPs chartered with defending customers from Ransomware have a new challenge before them as methods of delivery continue to evolve, oftentimes leveraging legitimate business applications and supply chain updates for infection. It’s important for the defenders to understand the nuances of today’s ransomware attacks.
Several factors have contributed to this recent surge of ransomware attacks. First, organizations are generally more reliant on digital infrastructure than they were in the past. More than four-fifths (82%) of chief financial officers (CFOs) told Gartner that they intended to increase their investment in digital capabilities in FY 2021 compared to the previous year, as reported by Campus Technology. Slightly less than that (70%) said they planned to grow their IT investments in the same period. Those two areas beat out other priorities among CFOs including cultural development, staff/hiring, and risk management at 59%, 35%, and 30%, respectively. A CFO’s focus on digital capabilities reflects just how much remote working, online education, and related developments have reshaped life following the events of 2020. Organizations’ digital security is no exception to that reality. Greater digital infrastructure means organizations have more digital assets that attackers can use as entry vectors to establish a foothold in the network before moving laterally and deploying their ransomware payloads.
Second, ransomware actors continue to rely on cryptocurrency for their operations. They demand that their victims pay their ransoms using cryptocurrency, and Ransomware-as-a-Service (RaaS) schemes rely on cryptocurrencies to divide up the profits of an attack between developers and affiliates.
The final factor is that victims are paying ransoms, giving digital criminals an opportunity to stage follow-up attacks. A 2021 survey revealed that more than half (56%) of ransomware victims had paid a ransom in 2020 to restore access to their data.Four-fifths of those victims that paid ended up suffering another attack, according to a global research report conducted by Cybereason, titled Ransomware: The True Cost to Business. Nearly half (46%) said that they believed that the attack originated from the same malicious attackers, while 34% said that they thought the attack came from a different ransomware group.
How MSSPs Can Defend Against Ransomware
MSSPs must balance efficiency and effectiveness to beat today’s ransomware. Time wasted triaging alerts is time better spent threat hunting and mitigating malicious operations. Understanding the process of a ransomware attack allows the service provider to integrate proper counter-measures at the end-point and cloud, terminating the encryption process, identifying the root cause and extent of the infection.
MSSPs need to offer customers the best multi-layered solution that leverages Indicators of Behavior (IOBs) to detect and prevent a ransomware attack at the earliest stages of initial ingress, prior to the exfiltration of sensitive data for double extortion, and long before the actual ransomware payload is delivered.
Cybercriminals are going after enterprises and the public sector alike and investments in cybersecurity are overdue. It is time to have conversations with customers on increased investment in prevention and detection and improve resilience. The bad guys may find a way in, but we need to ensure customers are equipped with the right tools to slow them down, limit their actions, and make material breaches a thing of the past.
Author Stephan Tallent, CISSP is the VP for MSSP North America at Cybereason. Read more Cybereason guest blogs here. Regularly contributed guest blogs are part of MSSP Alert's sponsorship program.