Ransomware Actors Keep Finding Success, Why?

The threat from ransomware continues to be an unfortunate daily reality for technologists and security professionals. But, before we talk about “doom and gloom” we should recognize how far the industry has come. I would argue in the not too distant past, most companies were susceptible to what we would consider a relatively unsophisticated ransomware attack. Open Email -> Malware -> Network spread -> Ransomware -> 🤬🤬🤬.

With the advancements primarily in the endpoint space, adoption of work from anywhere, and zero trust principles, the industry has made significant advances in protecting against these types of attacks.

Still, every week we see new articles on successful ransomware attacks. Many ransomware report trackers actually show an uptick in 2023. For instance Black Fog’s The State of Ransomware report shows an 8% uptick year over year. In addition, we see actors starting to target data storage outside of what traditionally is attacked, such as cloud storage and cloud databases.

If we truly have made advances against ransomware, why the increase in successful attacks?

In analyzing these successful attacks, I’ve identified two primary categories where the system breaks down, allowing malicious actors to succeed in ransom style attacks.

1. Lack of investment in an information security program. At the surface this seems obvious, and it is. You pay for what you get. Organizations with big-budget security teams suffer fewer ransomware attacks (with exception discussed in the next category).It’s easy to put on your curmudgeon hat and say “Well people just need to take this more seriously, and spend more on security!” The reality is most attacks we see in the news resulting from a lack of investment are against public services. Many of these organizations are simply not financially equipped to invest in the staff, time, and “cutting edge” technologies that can stop attacks. I’m going to end the thought there as it’s a different blog on politics, public policy, and unification. Public spending is not a topic that can be glazed over. But, the next category we as an industry can tackle more easily.
2. We have on blinders. I understand this is a big statement, but when the topic is approached correctly, I often hear vigorous agreement that this is the case.
   When I say we have blinders on, I mean we are not fully vetting the risk model of ransomware. We are too focused on how common attacks succeeded to see where we have gaps in our security programs. We focus on protection of endpoints, servers, and traditional data storage technologies (SAN, NAS etc) and consequently succeed in protecting those assets from attack.

At the end of day, a threat actor who wishes to hold data for ransom only has to accomplish one task: deny availability of critical business data.

Many companies are more focused on controls for preventing attacks than implementing a holistic strategy to protect availability. In other words, don’t focus only on the ransomware attack, focus on a more general availability protection strategy inclusive of “data encryption for impact” (ATT&CK ID T1486.)

For example, many ransomware playbooks are focused on the idea that an actor could execute a binary payload and encrypt data. But the same effect could be achieved, given sufficient access, by simply swapping encryption keys on a critical database. The degree of difficulty for an attacker to pull this off varies wildly, but for many organizations it is a valid attack path. Don’t be too quick to point out that native DB backups, multi-versioning etc. can solve this. It’s not wrong by any means, but the reality is that due to performance impacts on large databases, these controls are often disabled and you may or may not be informed. In addition, management of these protection methods are often done from the same privileged credentials as normal admin activity, which are the credentials targeted by threat actors.

All in all, it means you should revisit your ransomware playbook and consider making a top-level availability playbook if you don’t have one already (If you do, revisit it with a ransom lens). This should be a cross-functional effort. The security team should take a first pass, then sit down with data owners, infrastructure teams, and DR/BC teams to brainstorm on the most realistic protection and recovery methods. Many protection and recovery methods come with a performance trade off. Security can not ignore this reality, and IT can’t ignore security in favor of performance. There is no one size fits all answer.

The following can be used as a loose starting point for what to think about in this effort:

1. Understand all critical business data stores, including:
   • “Private” managed data stores, NAS SAN
   • Employee devices
   • Databases (both on-prem, traditional cloud abstraction, and  as-a-service
   • Cloud storage
2. Create a list of tactics, techniques and procedures that can be used to impact availability of your critical data stores and map to MITRE ATT&CK. (https://attack.mitre.org/tactics/TA0040/)
   • Ex 1: Mass encryption of endpoints
   • Ex 2: Theft and deletion of critical data stores (Cloud and on-prem)
3. Map tactics to data sources, and rank based on likelihood of occurrence. 
   • Prioritize based on a legal, operational, and strategic risk
4. Evaluate controls and processes 
   • Identify opportunities to implement controls for prevention, detection, response, and recovery by data source.
   • Identify gaps
   • Create new processes and controls
5. Update your ransomware response playbook with response methods for all techniques based on your response and recovery procedures from step 4.
6. Run a joint table top exercise (TTX) and DR exercise at the same time. 
   • This is a real challenge. Combining the two to perform a “open book” TTX with some random injects will really show how the teams work under the pressure of a real ransomware incident.

Threat actors keep evolving to stay relevant and protect their income. Although we have gotten pretty good at protecting against traditional ransomware threats as an industry, every organization likely has a few blind spots. 

• Ransomware attacks keep succeeding. 
• As we get better at stopping traditional attacks, threat actors change their tactics to maintain success 
• Threat actors are targeting data stores such as DBs and cloud storage 
• Update your response playbook with detect, prevent, respond and recovery options for non-traditional availability recovery
• Implement immutable and performant backup solutions for DBs and cloud assets.

Clumio focuses on helping customers build resilience into their cloud applications and data. When it comes to ransomware, recovery is a key backstop to maintaining your business application availability. With Clumio’s backup options for databases like Amazon RDS, MS-SQL on EC2, and DynamoDB as well as Amazon S3, EC2, EBS, and Microsoft 365, you can create performant recovery strategies to make both infrastructure and security teams happy.