Ransomware


Ransomware is nothing new. The first recorded example was in the late 1980s, but in the last 3 years there's been a real explosion in growth.

The WannaCry attacks in spring 2017 - followed by NotPetya a few months after - alerted the public to the potential impact of ransomware attacks. The NCSC attributed both attacks to state actors. The ransomware spread independently and virulently throughout networks, impacting almost every device it touched.

Ransomware today looks quite different. Not in terms of the impact (which continues to have devastating operational ramifications for victims), but rather the techniques employed. This blog goes beyond the NCSC ransomware guidance, to provide some insight into the trends we’ve seen whilst helping organisations to respond to ransomware attacks. More specifically, it looks at how ransomware has evolved on two fronts, in terms of:

  • hybrid business models for monetisation
  • increasingly sophisticated (and targeted) methods of deployment

Data for sale

Ransomware works because organisations struggle to operate without the modern-day commodity of data. Even a brief halt of the most mundane administrative functions can bring a whole business to a standstill.

Until recently, ransomware focussed on just the 'availability' element of the Information Assurance (IA) triad, by locking users away from their data. This was achieved either through encryption, or by modifying user accounts and passwords. But as the prevalence of backups and system redundancy grew to mitigate the disruption to availability, attackers moved to the 'confidentiality' element of the triad, by threatening to post stolen material online.

Rather than simply ignoring the ransom demand whilst restoring their systems from backups, victims now have the worry of their sensitive data being exposed to the world, and with it face the risks of reputational damage. There will also be additional considerations of the impact of enforcement by a data protection authority (such as the Information Commissioner’s Office in the UK).


Don’t wait for the worm

WannaCry and NotPetya spread quickly through victims’ networks, thanks to a widely unpatched vulnerability in the Microsoft Windows operating system. However, to a modern cyber criminal, the unconstrained expansion of the ransomware is not necessarily beneficial.

At its core, ransomware is a financial transaction; if you want your stolen data back, you have to pay for it. This involves overheads such as financial processing, the delivery of goods and even customer services. Unconstrained expansion (via a wormable exploit) places a strain on the cyber criminals' resources, making it harder for them to target the really lucrative organisations. This ultimately reduces the return on investment.

Thankfully, wormable exploits in an enterprise environment (that affect clients as much as servers) are rare. Most enterprise ransomware incidents that we see today use more traditional network intrusion methods, with the attacker spending days (if not weeks) inside the network, before finally deploying the ransomware right where they believe it will have the greatest impact.


Treat the cause, not just the symptoms

For most victims that reach out to the NCSC, their first priority is - understandably - getting their data back and ensuring their business can operate again. However, the real problem is that ransomware is often just a visible symptom of a more serious network intrusion that may have persisted for days, and possibly longer. Even with the ransomware removed and the system restored from backups, attackers:

  • may have backdoor access to the network
  • probably have administrator privileges
  • could just as easily re-deploy the ransomware if they wanted to

We’ve heard of one organisation that paid a ransom (a little under £6.5 million at today’s exchange rates) and recovered their files (using the supplied decryptor), without any effort to identify the root cause and secure their network. Less than two weeks later, the same attacker broke into the victim’s network again, using the same mechanism as before, and re-deployed their ransomware. The victim felt they had no other option but to pay the ransom again.

Accordingly, my opening gambit when responding to a ransomware incident is ‘how did it get there?’


Defending against ransomware

The NCSC has provided detailed guidance to help mitigate malware and ransomware attacks. The advice falls into two sections:

  • preventing compromise in the first place
  • reducing the impact of an attack when it does happen

The final thing I’ve noticed over the last few years is that recovering from a ransomware incident is rarely a speedy process. The investigation, system rebuild and data recovery often involve weeks of work. Whilst COVID has tested business continuity planning more than most events, operating without IT (and just pen and paper) is a different proposition altogether. This is why it is so important to practise these steps before an event occurs, and the NCSC’s Cyber Exercise Creation guidance can help you to do exactly that.
