Ram is cofounder and CEO of Acalvio Technologies, a leader in cyber deception technology.
The motive for ransomware attackers to date has been straightforward: deploy a cyberattack, take confidential consumer or proprietary data hostage and refuse to return it unless the company pays out. And it worked for some time.
Now, though, companies are more informed and careful about data storage and preservation, limiting the leverage gained by sticking to the old script. Although keeping a copy of the stolen data doesn’t stop attackers from blackmailing companies by threatening to leak it, it does reduce the likelihood that organizations will pay out except in the most extreme and sensitive cases—and the number of possible targets.
In the past, ransomware attackers may have targeted any business with connected ecosystems, but these days, they’re more likely to go after organizations that possess crucial client or patient information or internally valuable intellectual property. In addition, ransomware attackers have shifted to targeting backup systems—meaning even if you’re backed up, there’s still potential for harm.
Perhaps as a result of the above, data now shows that less than half of organizations actually pay ransoms when they’re targeted. But that’s not the only reason cyberattackers have adjusted their approach.
Changing Dynamics, Changing Tactics
Like the security improvements mentioned above, the expansion of ransomware insurance has been a double-edged sword. Although insurance gives organizations that experience a breach more options for limiting an attack’s short- and long-term impacts, it has also given hackers a list of targets and potential payouts.
Rather than deterring cybercriminals from targeting a company, insurance now serves as a target on organizations’ backs, driven by new schemes that zero in on insurance policy terms. Using the details of an organization’s policy, hackers can ask for exactly the covered amount. This may result in smaller payouts, but it’s a compelling trade-off for a simplified process that fosters a pseudo-transactional dynamic between organizations and the cyberattackers targeting their networks.
Also contributing to these changes is the rapid integration of connected devices into legacy operational technology (OT) environments, which has made critical infrastructure an alluring target. Take, for example, the Colonial Pipeline attack, which served as a stark reminder that the effects of ransomware can go far beyond data leaks. It showed citizens the damage attackers with access to OT systems could do just by breaching the network—and illustrated to attackers the potential payouts that might come from threatening citizens’ access to basic services.
Meanwhile, on the regulatory side, bans on paying ransom are becoming more common across the globe. Recently, the U.S. joined the conversation, mulling a ban of its own. Although the intentions of these guidelines are good, these bans may—like ransomware insurance—bring about their own unintended consequences and add even more complexity to the task of understanding cyberattackers’ motivations. When money isn’t on the table, the cybercriminals that remain will be after something else: disruption and chaos.
Defending Against Shifting Motives
If this illustrates anything, it’s that the relationship between cybercriminals and security specialists and regulators is fluid, with these groups constantly vying for the upper hand. As motivations, tactics and technology continue to evolve, so, too, will the job of security teams. It’s no longer about following best practices to the letter. It’s about understanding the nuances of attackers’ motives and devising tailored, informed responses as these threats arise.
To prepare for this new approach, cybersecurity teams should:
• Stay up to date on evolving threats. As the events of the past year alone have shown, attackers won’t be stopped; for every obstacle we put in front of them, they keep going. Attackers stay on top of what’s changing in the landscape, so defenders need to be just as aware of evolving attack vectors.
• Review existing security stacks. If we’ve learned anything about ransomware attacks, we’ve learned that anything can happen at any time. With that in mind, you should review what kind of defenses you have in place and identify any potential holes in your existing security stack. It’s not easy to be prepared for anything, but emerging innovative technologies have certainly made it possible.
• Develop in-depth defense. Defense-in-depth is a proven concept already used by many organizations, wherein they design interlocked layers of defense as opposed to more layers of the same or silos. The whole concept behind active cyber defense (ACD) is to allow organizations to be more cyber resilient by letting their ACD detect, contain and mitigate cyber threats for business continuity, which is more in-depth than just your basic “detect and defend” types of security.
• Focus on proactive prevention and attack surface management. One of the biggest factors in the defense against ransomware attacks is being able to pinpoint an attacker’s motive before the attack is successfully executed. Deception technology uniquely gives organizations visibility into the data or other parts of the network the attacker is looking for before they can leave the network. Ransomware attacks are all about seeking out highly valued assets, and deception takes advantage of this by deploying lures, decoys or even fake assets that lead the attacker to believe they’ve gotten what they came for when, really, all they’ve done is show their hand. Ultimately, organizations need to increase the cost to attackers if they want to protect their assets, because simply blocking access or execution will be a minor speed bump for attackers. Increasing the cost to attackers in terms of effort and time, not just money, is critical.
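The decoy idea in the last point can be made concrete with a small detector. The following is an added example written for this page, not code from the article or from Acalvio’s products: it keeps a catalogue of planted decoy files and a planted credential that no legitimate job ever uses, reads audit-style log lines, and raises an alert whenever one of the decoys is touched. Because the article notes that attackers now go after backup systems, the example also escalates when one actor modifies several decoy files in a single log window, the pattern a ransomware encryptor leaves behind. The log format, hostnames, usernames and paths are all constructed for the demo.

```python
"""Honeytoken / decoy-access detector (added example, not the page's own code).

Assumptions (all constructed for the demo): an audit log whose lines consist of an
ISO timestamp followed by key=value pairs, a handful of decoy file paths, and one
planted service-account name that no real process is ever configured to use.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Decoy assets. Nothing legitimate should ever open, write or rename these,
# so any touch is a signal rather than noise. (Constructed names.)
DECOY_FILES = {
    "/srv/finance/Q3_payroll_backup.xlsx",
    "/srv/hr/patient_records_archive.zip",
    "/backup/nightly/db_full_2024.bak",
}
# Planted credential: exists in the directory, is used by no real job. (Constructed.)
DECOY_ACCOUNTS = {"svc_backup_admin"}

# Constructed log line shape: "<timestamp> key=value key=value ..."
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


@dataclass(frozen=True)
class Alert:
    severity: str   # "medium" (decoy read/write), "high" (decoy credential), "critical" (burst)
    actor: str
    host: str
    reason: str


def parse_line(line: str) -> dict | None:
    """Turn one log line into a dict of fields; None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {"ts": m.group("ts")}
    for tok in m.group("kv").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
    return fields


def detect(lines: list[str], burst_threshold: int = 3) -> list[Alert]:
    """Return alerts for every decoy touch, plus a critical alert when one actor
    modifies at least `burst_threshold` distinct decoy files (ransomware-like)."""
    alerts: list[Alert] = []
    modified_by: dict[tuple[str, str], set[str]] = defaultdict(set)

    for line in lines:
        ev = parse_line(line)
        if not ev:
            continue
        actor, host = ev.get("user", "?"), ev.get("host", "?")
        action, path = ev.get("action", ""), ev.get("path", "")

        # Any use of the planted credential, successful or not, is an attacker signal.
        if action == "login" and actor in DECOY_ACCOUNTS:
            alerts.append(Alert("high", actor, host, f"use of planted credential {actor}"))

        # Any access to a decoy file shows what the intruder is hunting for.
        if path in DECOY_FILES:
            alerts.append(Alert("medium", actor, host, f"{action} on decoy {path}"))
            if action in {"write", "rename", "delete"}:
                modified_by[(actor, host)].add(path)

    # Many decoys rewritten by the same actor looks like an encryptor sweeping a share.
    for (actor, host), paths in modified_by.items():
        if len(paths) >= burst_threshold:
            alerts.append(Alert("critical", actor, host,
                                f"modified {len(paths)} decoy files (ransomware-like sweep)"))
    return alerts


# Constructed sample log: one legitimate read, then a decoy read, a decoy-credential
# login attempt, and a burst of writes/renames across the decoy files.
SAMPLE_LOG = [
    "2024-05-02T10:14:03Z host=fs01 user=jdoe action=open path=/srv/finance/2024_budget.xlsx",
    "2024-05-02T10:14:09Z host=fs01 user=jdoe action=open path=/srv/finance/Q3_payroll_backup.xlsx",
    "2024-05-02T10:15:00Z host=dc01 user=svc_backup_admin action=login result=failure",
    "2024-05-02T10:16:11Z host=fs01 user=jdoe action=write path=/srv/finance/Q3_payroll_backup.xlsx",
    "2024-05-02T10:16:12Z host=fs01 user=jdoe action=write path=/srv/hr/patient_records_archive.zip",
    "2024-05-02T10:16:13Z host=fs01 user=jdoe action=rename path=/backup/nightly/db_full_2024.bak",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f"[{alert.severity.upper():8}] {alert.actor}@{alert.host}: {alert.reason}")
```

The value of the decoys is that the first alert fires on the read at 10:14:09, before anything has been encrypted or exfiltrated, which is the "show their hand" moment the bullet describes; the burst rule then separates a curious insider from an automated sweep. In a real deployment the decoy list and the planted account would be fed from the deception platform rather than hard-coded, and the alerts would go to the SIEM with the host and actor already attached.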
As the ransomware landscape continues to shift and motives become murkier, one thing remains certain: Attackers aren’t stopping any time soon, regardless of whether there’s money to be made or not. The only way to ensure you’re protected is by designing defenses that prevent them from getting your data in the first place.