Ransomware Retrospective

Rise of the Advanced Extortionate Threat

Ransomware Retrospective 2021

Ransomware is not new. Since 2016, the United States Department of Justice estimates that more than 4,000 ransomware attacks have been perpetrated against US organizations every single day. While that number is staggering, the scope and severity of the problem are even larger: chronic underreporting of attacks means that the daily number is likely far greater. The nature of ransomware attacks has also changed dramatically over the last eighteen months, with advanced nation-state tactics making their way into for-profit cybercriminal activity. In this report, we explore the ways in which ransomware has become an advanced threat with the "hat trick" of exfiltration, encryption, and software exploitation; how governments are changing their treatment of ransomware attackers; and what organizations can do to reclaim the advantage.

Intro: Troubling Ransomware Trends

In March 2021, the cybercriminal syndicate known as REvil (aka Sodin, aka Sodinokibi) detonated an attack on Acer, the Taiwanese computer giant. At the time, it was the highest ransom demand ever made—$50 million. But while the price for the decryption keys was itself noteworthy, this attack drew attention for another reason. The "double extortion" model used by REvil—first exfiltrate the data, then encrypt it—wasn't new. But during the ransom negotiations, REvil claimed to have gone one step further, indicating that they had introduced an exploit into Acer software. If true, this would have allowed REvil to use Acer software to perpetrate attacks on Acer customers, in much the same way that SolarWinds Orion software had become an attack vector just a few months earlier.

What REvil was alleging was a worst-case scenario: a Cyber Hat Trick including exfiltration, encryption, and exploitation that—if successfully executed—would not only have done considerable damage to the original victim, but given the attackers easy access to thousands, if not tens of thousands, of other organizations.

Unfortunately, in July, the REvil attack on Kaseya confirmed the cybersecurity community's fears. A ransomware gang had compromised a build server for widely used enterprise software and introduced an exploit that enabled them to conduct a ransomware attack on a massive scale. It was SUNBURST—for profit.

With the attacks on Acer, Colonial Pipeline, and Kaseya in just six months, ransomware gangs have thrown the increasing use of advanced nation-state tactics into sharp relief. These attacks should no longer be called ransomware, but rather a new class of advanced persistent threat.

In this report, we'll look back at the evolution of the advanced ransomware techniques in 2021, and what governments and private organizations can do to combat the threat.

The New Class of Ransomware Threats

Headaches and Headlines

In late 2020, a large retailer based in North America received an alert in ExtraHop Reveal(x) 360 that ransomware activity had been detected. The same devices were also seeing alerts for detections on SMB data staging and suspicious file reads. The customer's security team determined that the attackers were also in the process of exfiltrating data before they encrypted it in an effort to inflict maximum damage—a double extortion technique that has become increasingly common over the last eighteen months.

By detecting this pre-ransomware deployment kill chain activity, the customer was able to quickly identify and quarantine affected assets and accounts, and as a result, the attackers were only able to encrypt a small percentage of targeted files.

According to a recent ExtraHop survey of 500 CISOs and other IT security leaders in North America and Europe, many are not so lucky.

85% have suffered a ransomware attack in the last 5 years
38% have suffered 5 or more ransomware attacks in the last 5 years
51% had impact to IT infrastructure
46% of attacks targeted end users
98% of attacks resulted in downtime, data loss, or fines
57% paid the ransom in half of ransomware attacks

Results from an ExtraHop survey of 500 CISOs and IT security leaders

High Profile Ransomware Attacks in 2021

Timeline (January through December 2021): Kia Motors (2.26.2021), Acer (3.19.2021), Sierra Wireless (3.20.2021), CNA Financial (3.23.2021), Quanta (4.21.2021), Washington DC Police (4.26.2021), Brenntag (4.28.2021), Colonial Pipeline (5.7.2021), JBS USA (5.31.2021), Kaseya (7.2.2021), Accenture (8.11.2021), Brown-Forman (8.15.2021), Howard University (9.7.2021), Kronos (12.13.2021). Each attack is detailed in the Ransom Reports below.

Ransom Report: Kia Motors (2.26.2021)
Demand: $20M
Perpetrator: DoppelPaymer
Techniques: Unknown

In February, multiple media outlets began reporting that a Kia outage was actually due to a ransomware attack. Bleeping Computer obtained a copy of a ransom note from DoppelPaymer, the alleged attackers, demanding $20 million in Bitcoin payments. While there was substantial evidence that Kia had in fact been the victim of an attack, the company has continued to deny that any such attack took place.

Ransom Report: Acer (3.19.2021)
Demand: $50M
Perpetrator: REvil
Techniques: Exfiltration, Encryption, alleged Exploitation

At the time, the ransom demand on electronics giant Acer ($50 million) broke the record for the largest ransom demand to date. REvil used multiple extortion techniques to add leverage to the demand by combining encryption with data exfiltration and exploitation. As a result of their success with Acer, a newly emboldened REvil went on to set higher demands months later with an attack on Kaseya.

According to BleepingComputer, REvil may have leveraged a Microsoft Exchange Server vulnerability to gain initial access, which would mark the first time a major ransomware actor successfully weaponized Microsoft Exchange as an attack vector.

Ransom Report: Sierra Wireless (3.20.2021)
Demand: N/A
Perpetrator: Undisclosed
Techniques: Exfiltration, Encryption

Ransomware halted production for Sierra Wireless, a Canadian IoT manufacturer with operations around the world. According to a statement released by the company, the attack affected internal operations and made the company's corporate website inaccessible, but the risk did not extend to consumer products or systems.

Sierra Wireless hired an independent incident response firm to investigate the attack, but the initial access point, demand, and responsible party are not publicly known. The attack is believed to have caused significant financial damage to the company, which withdrew its Q1 revenue forecast in the aftermath.

Ransom Report: CNA Financial (3.23.2021)
Demand: $40M
Perpetrator: Phoenix Locker/Evil Corp
Techniques: Exfiltration, Encryption

In March, attackers gained a foothold on CNA's network using a fake browser update served from a legitimate website that had itself been hacked. Attackers maintained access from March 5-21, using living-off-the-land tactics to avoid detection, disabling logging and security tools, and exfiltrating data to hold as additional leverage. On March 21, they deployed ransomware, encrypting more than fifteen thousand systems and demanding $40 million in ransom.

It was reported that the source code used resembled that of the sanctioned WastedLocker ransomware, leading to speculation that Phoenix Locker was another evasion by Evil Corp to avoid 2019 sanctions, which prohibited any financial transactions with them.

Ransom Report: Quanta (4.21.2021)
Demand: $50M
Perpetrator: REvil
Techniques: Exfiltration, Encryption

REvil (also known as Sodinokibi) accessed the network of technology supplier Quanta, exfiltrating data and encrypting an undisclosed number of systems. Among the stolen data were schematics for a number of yet-to-be-released Apple products, which Quanta manufactures.

When Quanta refused to pay the ransom, hackers then demanded the same amount from Apple, otherwise threatening to release the stolen blueprints. When Apple refused to pay, REvil posted the data, which included schematics for the upcoming MacBook Pro.

While few details of the initial hack were shared publicly, REvil commonly exfiltrates data for additional leverage, encrypts systems, and modifies backup software to prevent companies from restoring their data after encryption.

Ransom Report: Washington DC Police (4.26.2021)
Demand: $4M
Perpetrator: Babuk
Techniques: Exfiltration, Encryption

Attackers exfiltrated sensitive files from the Metropolitan Police Department, claiming to have more than 250 GB of personnel and case files.

Babuk uses existing tools like Bloodhound, CobaltStrike, and Metasploit to achieve and maintain the access needed for both encryption and exfiltration tactics.

Ransom Report: Brenntag (4.28.2021)
Demand: $7.5M (paid $4.4M)
Perpetrator: Darkside
Techniques: Exfiltration, Encryption

Darkside attacked German chemical manufacturer Brenntag, a company with over 17,000 employees working at over 670 sites worldwide. In addition to locking Brenntag out of business-critical applications and data, Darkside also claimed to have stolen 150 GB of data during the attack. While Darkside initially demanded a $7.5 million payment, Brenntag ultimately settled the matter with a payment of the equivalent of $4.4 million in bitcoin.

Ransom Report: Colonial Pipeline (5.7.2021)
Demand: $4.4M
Perpetrator: Darkside
Techniques: Exfiltration, Encryption

There is nothing like the spectre of a gas shortage to capture the attention of the American public or the federal government, and the Darkside ransomware attack on Colonial Pipeline in May 2020 did just that, rocketing ransomware to the top of the national agenda. While Darkside made clear in the days following the attack that they didn't intend to hit such a critical and visible target, the damage was done. Although only Colonial Pipeline's IT systems were hit, the company nevertheless shut down pipeline operations until it could fully investigate the scope of the incident, resulting in hours-long lines and a panic over access to fuel up and down the Eastern seaboard.

Ultimately, the US government responded by attacking and disabling Darkside's servers, the first—but not the last—such action the US government would take in 2021.


Ransom Report: JBS USA (5.31.2021)
Demand: $11M
Perpetrator: REvil
Techniques: Exfiltration, Encryption

JBS USA is one of the largest meat suppliers in the US. On May 31, 2021, JBS announced that a ransomware attack required them to temporarily halt operations at five of their US plants, as well as across parts of their UK and Australian operations. In order to prevent disruption to grocery supply chains and limit panic buying, JBS chose to pay the $11 million ransom demand. The FBI attributed the hack to REvil.

Ransom Report: Kaseya (7.2.2021)
Demand: $70M
Perpetrator: REvil
Techniques: Exfiltration, Encryption, Exploitation

While REvil had only claimed to have compromised Acer's build server, they made good on the threat when they successfully infiltrated IT solutions provider Kaseya. Not only was Kaseya locked out of its systems and data, the malware spread through Kaseya software to over 1,500 organizations across multiple countries.

The ransom demand—$70 million in Bitcoin to provide the encryption keys—was the largest in history, handily beating the previous record demanded in REvil's attack on Acer. Although it's not known how many Kaseya customers independently paid to have their data released, Kaseya itself opted not to pay the ransom, instead cooperating with the US government. Kaseya's decision to cooperate in the investigation would ultimately lead to the takedown of REvil.


Ransom Report: Accenture (8.11.2021)
Demand: $50M
Perpetrator: LockBit
Techniques: Exfiltration, Encryption

In August 2021, news broke that global consulting firm Accenture was the victim of a ransomware attack by LockBit. The attackers claimed to have exfiltrated more than 6 TB of data from the company—a detail not confirmed by Accenture for months, and then only in SEC filings. In exchange for this stolen data, as well as the encryption keys, LockBit demanded $50 million. It is not clear what, if any, ransom Accenture paid.

Ransom Report: Brown-Forman (8.15.2021)
Demand: N/A
Perpetrator: REvil
Techniques: Exfiltration

Brown-Forman, the parent company of well-known brands including Jack Daniel's, Woodford Whiskey, and Finlandia Vodka, announced that it had been hit by ransomware. Compared to many other organizations, Brown-Forman got lucky. They detected the activity before their files were encrypted; however, REvil still made off with more than a terabyte of confidential data that they planned to auction off to the highest bidder before leaking the rest.

Ransom Report: Howard University (9.7.2021)
Demand: N/A
Perpetrator: Unknown
Techniques: Encryption

At the beginning of the 2021-2022 academic year, Howard University was hit by a ransomware attack that forced the temporary shutdown of online and hybrid classes school-wide. While the school claimed that no student data was stolen, the attack disrupted major systems, including taking down the school's Wi-Fi network.

Ransom Report: Kronos (12.13.2021)
Demand: N/A
Perpetrator: Unknown
Techniques: Encryption

Kronos, a division of Ultimate Kronos Group, which provides payroll and timesheet software, was hit by a ransomware attack that crippled its systems and effectively shut down payroll and timesheet operations for thousands of global customers. While the perpetrators and the ransomware demand have not yet been disclosed, the broad impact of the Kronos attack underscores just how costly ransomware attacks can be, particularly when they affect widely used software platforms.

Common & Emerging Ransomware Tactics

It used to be that the sole endgame of ransomware was encryption. Deploy the ransomware, encrypt the files, and demand payment in exchange for the keys. In 2021, this was no longer the case.

Ransomware criminals have introduced payment incentives at multiple steps in the killchain, from exfiltration of data to exploitation of software. The ability to restore from backup is cold comfort when doing so will result in your customers' data being sold on the dark web, or your customers themselves becoming the victims of a ransomware attack.

Here are some of the most common techniques to emerge or become popular in 2021.


Lateral Movement: Land and Pivot

Ransomware gangs have adopted advanced east-west maneuvering to amplify damage and halt business operations, improving their payment calculus. Modern ransomware exploits IT infrastructures to move stealthily and persist for longer periods of time before springing its trap (also known as ransomware midgame), putting security and IT at a disadvantage to prevent large-scale incidents.


Active Directory Exploitation

Ransomware playbooks share a common focus on exploiting Active Directory (AD). Targeting domain admin privileges via AD speeds asset collection and data compromise. Ransomware now demonstrates shockingly short average dwell times—just five days, according to FireEye Mandiant's 2021 M-Trends report. Numerous advisories on bad actors like REvil and BlackMatter (a rebrand of Darkside) point to AD as the quickest path of attack.


Initial Access Broker

Today, ransomware is within reach of any motivated extortionist. Even the intrusion phase can be bought through an initial access broker (IAB). Skilled IAB operators first access business networks through phishing, RDP, supply chain compromise, vulnerabilities, or brute-force hacking, then sell that access on dark web forums. Would-be extortionists can choose their victim based on business size, country of operation, and sector, then slide into the RaaS workflow.


Data Exfiltration

Stealing data is nothing new for cybercriminals. It is naive to believe a ransom-driven criminal's promise that they didn't make a copy of your data and that you hold the only copy, encrypted but intact. Noisy or not, data exfiltration is a critical element of the ransomware playbook. Having your data adds to their ROI calculus, enabling a double extortion plus a bonus sale on the black market.


Costs of Ransomware Recovery

Availability of backups is a critical part of the payment calculus. Unfortunately, the ransom payment has little bearing on the total financial damage that the attack will inevitably cause. Research suggests that ransom payments account for 10% of the actual damage to victims. In 2021 the average ransomware payment was $170,000; the average cost of recovery was $1.85 million.


Ransomware + Critical Infrastructure

There is nothing like the specter of a gas shortage to capture the attention of the American public. When Colonial Pipeline shut down its operations in May 2021 in order to respond to a ransomware incident, drivers up and down the Atlantic coast rushed to gas stations, waiting in hours-long lines to fill their tanks, and in many cases filling up any vessel they had available with extra gas. While the shutdown itself was short-lived, its impact was lasting. Just a few weeks after the attack was disclosed, the Biden Administration announced that it would start giving ransomware attacks the same priority as terrorist threats. The administration has, thus far, made good on that promise.


Decisive Action

In a May 2021 press conference on the Colonial Pipeline attack, President Biden stated: "We have been in direct communication with Moscow about the imperative for responsible countries to take decisive action against these ransomware networks. We're also going to pursue a measure to disrupt [ransomware attackers'] ability to operate."

Early the following morning, news broke that Darkside—the ransomware group responsible for the Colonial Pipeline attack—had itself gone dark, with access cut off to its blog, payment processing, and distributed denial-of-service (DDoS) operations. While the US government did not claim responsibility for the takedown, within minutes of the news breaking, the 780th Military Intelligence Brigade quietly retweeted, without comment or context, a blog from Recorded Future about the shutdown. It wouldn't be the last time.


Just before the July 4th Holiday, news broke that software provider Kaseya had been hit by ransomware. But this was no ordinary ransomware attack. Not only had REvil, the syndicate responsible for the attack, exfiltrated and encrypted Kaseya's data, they had exploited a vulnerability in Kaseya's software to propagate their ransomware out to thousands of Kaseya customers. In consideration for pulling off the first known Cyber Hat Trick, REvil demanded a $70 million ransom to provide the encryption keys to Kaseya and its customers.

On Tuesday, July 13, 2021, REvil disappeared from the internet. While speculation ran rampant that either the US, Russia, or some combination of the two governments was responsible for the takedown, there was no official comment from either country. But as in the case of the Darkside takedown, there wasn't complete silence. At 11:23am ET on July 13, as news was breaking that REvil was down, the Twitter account for the 780th once again quietly retweeted the news.

Within a matter of weeks, REvil had managed to restore its servers and was back online. Then in mid-October, news once again broke that REvil had been taken down, and this time, speculation about who was responsible didn't last long. On October 21, Reuters confirmed the involvement of US Government agencies in both the July and October shutdown operations.


According to Tom Kellermann, head of cybersecurity strategy at VMware and adviser to the U.S. Secret Service on cybercrime investigations, "The FBI, in conjunction with Cyber Command, the Secret Service and like-minded countries, have truly engaged in significant disruptive actions against these groups. REvil was top of the list."

Blocking Crypto Ransomware Payments

In September 2021, the US Treasury Department announced its own set of actions aimed at disrupting ransomware actors, notably a set of sanctions against virtual currency exchanges known to facilitate ransomware payments. According to the Treasury Department's press release, virtual currency exchanges are "critical to the profitability of ransomware attacks." In some cases, the exchanges themselves have been exploited by ransomware criminals in order to facilitate payments. In many other cases, however, the currency exchanges themselves engage in the facilitation of illicit transactions for their own illicit purposes.

In addition to the sanctions, the Treasury department also announced new efforts to help private sector organizations combat ransomware, as well as increase reporting on ransomware attacks and payments.


Analysis of known SUEX transactions shows that over 40% of SUEX's known transaction history is associated with illicit actors.

Press Release, US Treasury Department

The Ransomware Disclosure Act of 2021

In October 2021, both the Biden Administration and the US Legislature announced several major steps aimed at combating the advanced extortionate threat posed by ransomware.

On October 5, US Senator Elizabeth Warren and US Representative Deborah Ross introduced a bill called The Ransom Disclosure Act. The bill, if enacted, would require any organization that pays the ransom in a ransomware attack to disclose that payment to US authorities within 48 hours.


The disclosure requirement is an important step in understanding the scope of the ransomware threat. According to the recent ExtraHop CISO survey, of the nearly three-fourths of respondents whose organizations had paid a ransom at least once in the last five years, nearly 61% stated that they attempt to limit, as much as possible, any public disclosure of either the attack or the ransom payment. This affirms what most already suspect: ransomware—and ransom payments—are far more common than is reported.


According to the same survey, while 61% avoid any disclosure of ransomware, a full two-thirds of respondents believe that it's actually good for companies to disclose when ransomware attacks happen to increase awareness and improve the ability to respond to future attacks.


Senator Warren and Representative Ross agree, and their bill is designed to take the decision out of the hands of the victim and make it a requirement. "The data that this legislation provides will ensure both the federal government and private sector are equipped to combat the threats that cybercriminals pose to our nation," said Ross as part of a joint statement about the legislation.

When it comes to ransomware, disclosure to US Authorities is a critical first step, but it's not enough.

If the victim organization happens to be part of critical infrastructure, then they should also be required to report the attack and subsequent payment to any associated departments that have regulatory authority or interest over that infrastructure. If the ransom disclosures are subject to FOIA, the bill should also require that companies provide notice to shareholders and to their board of directors. Finally, even if individual ransom payments are not subject to public disclosure via FOIA, the government should be required to report aggregate data about ransom attacks and payments to Congress, the GAO, and other interested parties.

Mark Bowling, VP, Security Services, ExtraHop

Just a week after the Ransom Disclosure Act legislation was announced, the Biden Administration continued its own campaign to increase transparency, accountability, and collaboration against ransomware. The administration convened the largest multinational gathering on ransomware to-date, bringing together law enforcement, national security, and cyber intelligence personnel from thirty countries. The gathering produced a statement of intent to cooperate across areas including disruption of ransomware organizations through law enforcement and strengthening cybersecurity across the public and private sectors, with special emphasis on hardening critical infrastructure.

The Future of Ran$omware Insurance

The primary philosophy behind insurance is that risk held collectively is smaller than risk held individually—otherwise put, that bad things will happen to some, but not to all. By paying a small amount of money into a system, every participant gains access to a pool of money larger than what they put in, that they can tap into if necessary.

But the system only works if the pool has more money in it than the sum of its claims. And when the claims begin to exceed the pool, insurance becomes either prohibitively expensive, or altogether unavailable.

When cyber insurance was originally introduced to insurance portfolios, it was seen as a low risk means of diversification. However, over the past several years, loss ratios in cyber policies have drastically outpaced those in the broader casualty industry, prompting cyber insurers to urgently reassess their risk appetites and premiums. And it looks like ransomware is to blame.

According to Insurance Journal, ransomware claims rose by 35% in 2020 and accounted for a whopping 75% of total cyber claims. Early predictions for 2021 appear even more grim.

The recent ExtraHop CISO survey supports this assertion. Of the 85% of respondents whose organizations experienced at least one ransomware attack, nearly three-quarters paid the ransom at least once. In most, if not all, of those cases, insurance was likely involved.

This rise in claims has alarmed insurers. If the number of claims continues at the current rate, ransomware is on track to become an uninsurable risk for insurance providers, who will grow to view it like they see a fire in California wine country or a flood in New Orleans—an inevitable risk. For California wineries and New Orleans residents, the solution is obvious, if painful. If the property you rely on for shelter or livelihood can't be protected financially or otherwise, relocation may be the only option.

But cyberattacks are not natural disasters. They are calculated efforts made by actors across the globe with very little to lose and everything to gain. And in our increasingly connected and interconnected world there is nowhere to move, and nowhere to hide.

So what happens when ransomware is deemed an uninsurable risk, as it seems likely it will be?

It's possible that the cost burden of ransomware will fall on the taxpayer. Much like the housing crisis of 2008, enterprises deemed "too big to fail" that are hit by ransomware will either need to be bailed out or risk extinction.

It's also possible that governments decide to target ransomware syndicates much more aggressively with counter-cyberterrorism measures. Following the attacks on Colonial Pipeline and Kaseya, the US and other governments took out the operations of Darkside and REvil. But this approach has its limitations. It's cost prohibitive and would likely be reserved for only the most serious attacks.

But there is a third option:

Security organizations simply get better at defending against these attacks.

The Kill Switch in the Ransomware Kill Chain

Teal Capital The best chance organizations have to protect themselves and their customers, avoid paying the ransom, and maintain their reputations, is to build defenses that interrupt attackers before they spring their extortion trap. Ransomware actors have the first-mover advantage and will likely gain initial access to the network. Having 100% intrusion prevention is an impossible goal. Winning the fight against ransomware requires SecOps teams to be strategic by extending the detection window. It requires organizations to expand their attention, focusing on damage prevention instead of intrusion prevention to establish ransomware resilience.

The number one resource that modern ransomware attackers have on their side is the ability to slink around the enterprise environment, just out of sight, accumulating as many assets and data to prime their payment calculus. Therefore, a defensive strategy must include the ability to shine a light on the dark corners where they're hiding and living off of the land.

The good news is that extortion-driven intruders are not the type to stay in place. Their shameless drive for profit means that they are regularly moving around, looking for meaty data to damage, steal, and dangle over victim organizations. But hidden in their greed is opportunity. Bad actors move laterally around your network, and organizations have ownership of and visibility into their own environment. If security teams are watching for the expansion tactics and lateral movement common to ransomware, it is possible to identify indicators of compromise before the extortion phase begins.

How to Mitigate Ransomware

The modern ransomware playbook is executed in three acts. Each act has its unique specialization, tooling, and as-a-service ecosystem.

Traditionally, security operations centers (SOCs) have relied heavily on endpoint detection and response (EDR) and security information and event management (SIEM) tools for incident management and response. But those tools don't provide the real-time visibility into East-West traffic that is essential for spotting ransomware in its midgame, expanding through your infrastructure.

Midgame stages shown in the figure: target enumeration, lateral movement, domain escalation, SMB file system and database exploits, command and control, and data staging.

EDR has come a long way from an easily evaded anti-virus tool and plays an essential part in preventing initial access. But as the leaked Conti playbook, as well as real-world attacks like SolarWinds SUNBURST, remind us, attackers evade EDR or avoid managed endpoints altogether. Moreover, exclusive dependence on EDR leads to extensive coverage gaps across servers, IoT, third parties, and other unmanaged endpoints. Equally, SIEM technology offers essential security controls, including alerting, compliance, and dashboarding, but the fuzzy view from logs presents limited actionable insight for responding to laterally moving intruders.

ExtraHop Network detection and response (NDR) leaves no such gaps.

Table (not reproduced here): comparison of ExtraHop NDR with EDR and SIEM. Table footnotes: *Requires advanced agent on the targeted host; **Dependent on the data source.

NDR solutions passively capture network communications across every device, including servers, Linux hosts, unmanaged IoT, and third-party software, and apply advanced behavioral analytics and artificial intelligence to identify both known and unknown attack patterns.

NDR does not depend on the telemetry quality of other technologies, as SIEM depends on log collection, nor on the technical and operational friction of deploying agents on hosts and devices, as EDR does. NDR's traffic visibility even works as a compensating control for the servers, Linux hosts, and IoT devices that continue to present coverage gaps for EDR.

This complete midgame visibility with advanced analysis gives real-time detection insights into today's modern ransomware campaigns, so you can stop the intruder before the real damage is done.
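To make the "midgame" argument concrete, the following added example (not ExtraHop or report code) runs two simple detections over constructed East-West flow records: SMB fan-out from one source, which covers the target enumeration and lateral movement stages listed above, and data staging, where one internal host is fed large volumes from several peers before exfiltration. The internal range, thresholds and flow tuples are all assumptions; real flow telemetry would come from a network sensor or flow collector.

```python
"""Spot ransomware midgame behaviour in East-West flow records.

Added example (not ExtraHop or report code); the flow records below
are constructed. Two signals from the report's midgame list are
covered: SMB fan-out (target enumeration / lateral movement) and
data staging (one host collecting data from many internal peers)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")   # assumed corporate range
FANOUT_THRESHOLD = 5                   # distinct SMB peers per source
STAGING_BYTES = 500_000_000            # inbound bytes that look like staging
STAGING_SOURCES = 3                    # ...pulled from at least this many hosts

# Constructed flows: (src, dst, dst_port, bytes sent to dst)
FLOWS = [
    ("10.0.1.15", f"10.0.2.{i}", 445, 4_000) for i in range(1, 7)  # SMB sweep
] + [
    ("10.0.1.20", "10.0.3.10", 445, 80_000),     # normal file-server use
    ("10.0.1.21", "10.0.3.10", 445, 120_000),
    ("10.0.1.15", "203.0.113.9", 443, 9_000),    # external, not East-West
    ("10.0.4.1", "10.0.5.5", 445, 300_000_000),  # three hosts feeding
    ("10.0.4.2", "10.0.5.5", 445, 250_000_000),  # one staging host
    ("10.0.4.3", "10.0.5.5", 22, 200_000_000),
]

def _east_west(flows):
    """Yield only flows whose both ends are inside the internal range."""
    for src, dst, port, nbytes in flows:
        if ip_address(src) in INTERNAL and ip_address(dst) in INTERNAL:
            yield src, dst, port, nbytes

def smb_fanout(flows, threshold=FANOUT_THRESHOLD):
    """Sources that opened SMB (445) to >= threshold distinct internal hosts."""
    peers = defaultdict(set)
    for src, dst, port, _ in _east_west(flows):
        if port == 445:
            peers[src].add(dst)
    return {s: sorted(p) for s, p in peers.items() if len(p) >= threshold}

def staging_hosts(flows, limit=STAGING_BYTES, min_sources=STAGING_SOURCES):
    """Internal hosts receiving >= limit bytes from >= min_sources peers."""
    inbound, sources = defaultdict(int), defaultdict(set)
    for src, dst, _, nbytes in _east_west(flows):
        inbound[dst] += nbytes
        sources[dst].add(src)
    return {d: n for d, n in inbound.items()
            if n >= limit and len(sources[d]) >= min_sources}

if __name__ == "__main__":
    print("SMB fan-out:", smb_fanout(FLOWS))      # flags 10.0.1.15
    print("Staging hosts:", staging_hosts(FLOWS))  # flags 10.0.5.5
```

The thresholds are deliberately crude; in practice they would be baselined per host role so that backup servers and file servers do not trip the staging rule.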

Conclusion
Take Action

By all measures, 2021 was a landmark year for ransomware. From record-setting ransom demands, to attacks on critical infrastructure and the first known supply chain-based ransomware attack, to the actions taken by the US government and its allies to take down perpetrators, it has become clear that we are facing an entirely new class of threat.

This new class of ransomware is sophisticated, well-funded, and its perpetrators are ruthless in the pursuit of illicit profit.

While there is no panacea for ransomware, there is hope. The scope and severity of attacks in 2021 brought new focus, urgency, and transparency to the problem of advanced cyber extortion.

New government initiatives aimed at curtailing the ability of ransom attackers to gain access to funds, combined with countermeasures that included shutting down major ransomware syndicates, represent an important shift in how authorities intend to treat attacks.

Likewise, private organizations and individuals are waking up to the reality of ransomware. From initiatives aimed at training employees to accurately spot phishing emails, to growing investment in cybersecurity, companies around the world are acknowledging the increasing severity of this evolving threat—and beginning to take action.