Everyone with access to the news already knows that ransomware is bigger than ever before, and the public and private sectors are realizing that being the next target is not a matter of if but when.
How has it come to this? For twenty years, businesses have been buying anti-virus protection, and yet they still lost the game. In this blog, we discuss six critical reasons why we are only now seeing the beginning and not the end of the real ransomware pandemic.
1. Broken Windows Can’t Be Fixed
Microsoft Windows and associated enterprise software are full of vulnerabilities. In the previous three months alone, Microsoft has had to patch over 200 bugs, with 27 of those rated Critical and the vast majority of the rest rated as Important in severity. At least six were under active attack prior to the release of a patch.
In March of this year, four separate zero days in MS Exchange software led to breaches in thousands of organisations. One of these flaws had existed in Microsoft Exchange since 2013, while others date back to 2016 and 2019.
The recent remote code execution PrintNightmare vulnerability in the Windows Print Spooler service was rapidly folded into popular hacking tools like Mimikatz and Metasploit. Even after it was initially patched, researchers quickly discovered a full bypass. Similar vulnerabilities like FaxHell, PrintDemon and Evil Printer were discovered in 2020, and it is likely that attackers will continue to look for and find systems exposed to such vulnerabilities for years to come.
NTLM-relay attacks have been a particularly rich source of privilege escalation vulnerabilities over the years. The most recent, dubbed PetitPotam, allows attackers a simple way to achieve full environment takeover of exposed Domain Controllers.
Some bugs remain hidden for years, even decades at a time. CVE-2021-24092 is a privilege escalation vulnerability in Windows Defender – Microsoft’s own security software that’s supposed to keep attackers at bay. This privilege escalation bug lay unpatched for 12 years.
It’s tempting to think that it must just be a matter of time until all these bugs are eventually found and patched, but unfortunately that’s not the way it works. New bugs are introduced with new code, and just like every other product, Microsoft needs to create new features – and write new code – to remain attractive to enterprise users. The recent HiveNightmare (aka SeriousSAM) local privilege escalation vulnerability was actually introduced into Windows 10 in version 1809. It allowed any standard user to escalate to full SYSTEM privileges, with all the horror that entails for security teams.
While HiveNightmare requires the attacker to have a foothold on the system in order to leverage it, chaining this flaw with others such as PrintNightmare can give a threat actor both access and full permissions.
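HiveNightmare comes down to a file permission: on affected builds the registry hives under `C:\Windows\System32\config` carry an inherited access control entry that lets `BUILTIN\Users` read them. The script below is an added audit example, not code from the original post or from Microsoft; it parses `icacls` output for that entry and, on Windows, runs `icacls` against the SAM, SYSTEM and SECURITY hives. The sample output embedded in it is constructed to mirror the `icacls` format on an affected system; the hive paths and the set of rights treated as "readable" are the script's own assumptions.

```python
"""Added audit example (not from the original post): does a registry hive
grant read access to ordinary users? That is the HiveNightmare condition."""
import re
import subprocess
import sys

# Hives whose exposure matters for HiveNightmare (assumed default paths).
HIVES = [
    r"C:\Windows\System32\config\SAM",
    r"C:\Windows\System32\config\SYSTEM",
    r"C:\Windows\System32\config\SECURITY",
]

# Constructed sample modelled on the icacls output format for an affected
# build: BUILTIN\Users holds an inherited (I) read-and-execute (RX) right.
SAMPLE_VULNERABLE = (
    r"C:\Windows\System32\config\SAM BUILTIN\Administrators:(I)(F)" "\n"
    r"                               NT AUTHORITY\SYSTEM:(I)(F)" "\n"
    r"                               BUILTIN\Users:(I)(RX)" "\n"
    r"                               APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)" "\n"
    "Successfully processed 1 files; Failed processing 0 files\n"
)

# Constructed sample of a hive that only administrators and SYSTEM can read.
SAMPLE_FIXED = (
    r"C:\Windows\System32\config\SAM NT AUTHORITY\SYSTEM:(I)(F)" "\n"
    r"                               BUILTIN\Administrators:(I)(F)" "\n"
    "Successfully processed 1 files; Failed processing 0 files\n"
)

# One ACE per line: "<identity>:(flag)(flag)..."; the identity may contain
# spaces and backslashes, so match lazily up to the first colon.
ACE_RE = re.compile(r"^(?P<who>.+?):(?P<rights>(?:\([A-Za-z,]*\))+)$")

# icacls rights that allow reading the file contents (assumed interpretation).
READ_RIGHTS = {"F", "M", "RX", "R"}


def parse_icacls(output: str, path: str):
    """Return [(identity, set_of_rights)] from icacls output for `path`.
    The first line carries the path before its first ACE; later lines are
    indented continuations; the trailing summary line does not match."""
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith(path):
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:
            continue
        rights = set(re.findall(r"\(([^)]*)\)", m.group("rights")))
        aces.append((m.group("who"), rights))
    return aces


def hive_readable_by_users(output: str, path: str) -> bool:
    """True when BUILTIN\\Users or Authenticated Users can read the hive."""
    for who, rights in parse_icacls(output, path):
        low_priv = who.upper().endswith(("\\USERS", "AUTHENTICATED USERS"))
        if low_priv and rights & READ_RIGHTS:
            return True
    return False


def audit_live():
    """Windows only: run icacls on each hive and return the exposed ones."""
    if sys.platform != "win32":
        raise RuntimeError("live audit needs Windows; use the sample data elsewhere")
    exposed = []
    for hive in HIVES:
        out = subprocess.run(["icacls", hive], capture_output=True, text=True).stdout
        if hive_readable_by_users(out, hive):
            exposed.append(hive)
    return exposed


if __name__ == "__main__":
    print("constructed sample exposed:", hive_readable_by_users(SAMPLE_VULNERABLE, HIVES[0]))
    if sys.platform == "win32":
        print("exposed hives on this host:", audit_live())
```

A hive flagged by this check should be treated as readable by any local account. Microsoft's published workaround restores the intended permissions with `icacls %windir%\system32\config\*.* /inheritance:e` and, because earlier Volume Shadow Copies still contain the hives with the permissive ACL, removes existing shadow copies as well.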
2. Sophisticated Attacks Beat Simple Security, Every Time
Bugs aside, Windows Defender – the built-in security of Windows devices – is simply not good enough to stop today’s sophisticated attacks. Putting aside the inherent conflict of a security product that is sold by an OS vendor (should security really be an upsell for an operating system vendor?), the recent Sunburst/SolarWinds attack was not stopped by Windows Defender, according to NETRESEC. The same source shows that even some third-party vendors, including CrowdStrike and Carbon Black, were also bypassed by the malware and failed to provide the visibility needed to detect the attack.
Of course, sophisticated attacks are designed to beat simple security controls, but the days when anything less was sufficient for businesses are long behind us. Sophisticated tools are no longer the sole province of nation-state backed threat actors, and they are no longer only used against targets nation-states want to spy on.
The modern threatscape of financial crime is all about leverage. Threat actors want your data – either to sell or to ransom back to you, or both – and they have the muscle to buy, develop and steal the tools required to get it. Ever since the Shadow Brokers leaked the NSA’s own powerful hacking tools – including EternalBlue, which was involved in the WannaCry and NotPetya attacks – crimeware gangs have not only had those particular tools at their disposal, they’ve had the knowledge of how such tools can be built.
Moreover, an entire ecosystem exists on the Dark Web for the less sophisticated to access powerful tools developed by others. The Ransomware as a Service model means sophisticated malware developers can sell to a large number of clients, each paying a relatively low price. It’s a simple economic model that threat actors have understood and exploited with aplomb.
With ransomware affiliates queuing up to breach organisations with powerful tools that defeat simple controls, the days when enterprise security could rely on humans to do the heavy lifting are a thing of the past. Sophisticated attacks require sophisticated tools that can respond autonomously at machine speed to keep ransomware attacks out. But while there remain so many organisations that still have this lesson to learn, we will continue to see high-profile ransomware attacks afflicting both our public and private enterprises.
3. The Rewards Are Greater Than The Risks
Buggy software and weak security controls also combine with low risk and high rewards to make ransomware an attractive proposition to criminals. Back in the day, cybercriminals did not realise the vast rewards that awaited them from attacking enterprises and organisations, and were focused primarily on consumers, who were sent demands for automated payments of $300. Back in 2010, one cybersecurity commentator was able to note that “Ransom on the internet may not garner much money per incident but patient extortionists can cast a wide net and haul in many innocent victims who have no recourse other than to pay.”
How things have changed since then. Today, ransomware extortionists collect far more revenue through double extortion: good-old file encryption on the one hand, coupled with exfiltrating data and blackmailing victims on the other. It’s a numbers game. REvil ransomware operators recently exploited a bug in Kaseya VSA software and then requested a lump sum of $50 million for a universal decryption key. Last year, all ransomware extortion payments were believed to total around $350 million in cryptocurrency.
The history of crime teaches us that people will take big risks for much lower rewards. A bank heist can carry a sentence of life imprisonment and is much more likely to go awry. A ransomware attack on a U.S. institution – conducted from home in a nation that is not particularly concerned about cracking down on such computer crimes – is less risky than a late night walk in the park.
The upshot? It’s not just nation-state backed threat actors that we have to worry about but nation-state tolerated criminal gangs, too. And for your average business anywhere in the West, the latter is a much more real and present danger.
4. Cryptocurrency Makes Payment Easy
Cryptocurrency is booming. While naysayers keep on talking up the risks of the ‘cryptocurrency bubble’, criminals are more than happy to use it as a means of anonymity, easy cash transfer and – as prices soar – a fast route to riches.
Prior to the pandemic, Bitcoin was trading at a little over $7,000, but when the economy shut down around the world, Bitcoin boomed. By December 2020, it was trading at $24,000, hit a peak of $64,000 in April 2021 and is currently hovering at around $46,000. The bubble doesn’t look like it’s about to burst, and for cybercriminals extorting businesses, every price rise is just more incentive to keep attacking.
It’s not just the rising prices, of course, that make cryptocurrency attractive to criminals. Cryptocurrency offers anyone involved in crime an easy way to get paid with far more anonymity than a bank account, since the blockchain technology it is based on uses hashes of public keys rather than people’s names to record ownership.
While there is a whole art and industry behind trying to track criminal payments, there’s plenty of invention on the criminals’ side, too, to obscure “cashing out” – the conversion of cryptocurrency to hard cash. Some of that innovation is technological, some of it is just the tried and tested method of laundering funds through bank accounts for shell corporations. Are there gangs of finance criminals offering their services to the cyber criminals for just this purpose? You bet there are.
5. Business Inertia Means Legacy AVs Just Won’t Die
While cybercriminals cash in on modern technologies, the vast majority of businesses are hanging on to legacy AV technologies that were defeated long ago. AV security suites like Symantec, Avast and McAfee continue to hold market share because many businesses were locked in years ago to aging technologies relying on malware file signatures and hashes.
Despite the prevalence of these legacy AV security controls, there were an estimated 9.9 billion malware attacks in 2019 alone, up from 8.2 billion in 2015. While this can be regarded as a huge success for cybercriminals, it is a damning indictment of the failure of cybersecurity’s incumbent vendors.
The evidence is clear: Threat actors have adapted to and evaded these old approaches to security. Supply chain attacks, fileless attacks, and exploit kits with known bypasses or evasions for such security controls are common fare among ransomware operators and their affiliates, who swap news, tricks and techniques in darknet forums on how to bypass AV software. Some even offer prizes in research competitions.
6. Attacks Happen on Devices, Not in the Cloud
If legacy AV hasn’t really changed that much, our network infrastructure certainly has. The cloud – on-prem, hybrid, IaaS, PaaS, containerized workloads and more – has changed our environments beyond recognition since those old AVs were first thought of. In response, both old and new vendors have sought to exploit the cloud for the purposes of defense. What if you could send all your device telemetry (whether physical or virtual) to a vendor’s cloud resources and have it analysed there? The advantage? They say it’s all in the added compute power of the cloud.
It’s right to take advantage of technology where it helps us or supplements our core defences, but the key to endpoint device security cannot lie on a remote server or with a remote analyst. When a thief enters your home, the last thing you want is to wait for a remote cop to decide whether or not the thief should be there. The burglar might have already made off with your goods, causing who knows what kind of damage in the meantime.
The same is certainly true for endpoint security. Whether you’re securing employees’ Windows or Linux workstations, macOS laptops or personal devices, your office IoT or your company’s servers – on prem or in the cloud – what you need at the heart of your endpoint security solution is an autonomous agent on that device that responds at machine speed to a threat.
Ransomware encryption speeds are a source of great pride among crimeware developers, with each new service claiming to encrypt and exfiltrate faster than competitors. Until the endpoint itself can respond automatically and with minimal delay, the problem of ransomware will not go away. When vendors speak about remediation after 60 seconds or 1 hour, they are talking about entering a game that is already over. There is no remediation when you’re relying on human labor to defeat machine-speed attacks.
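The difference between a response at machine speed and a response a minute later can be put in numbers. The simulation below is an added example, not code from the original post or from any vendor: it replays constructed file-write telemetry (a build tool writing low-entropy object files alongside a simulated ransomware process rewriting 400 documents at 25 files per second), runs a simple per-event detector that fires when one process writes twenty high-entropy files within two seconds, and counts how many files that process had already rewritten at the moment of the alert versus sixty seconds later. The event format, the pids, the write rate, the entropy floor and the window size are all assumptions chosen for the illustration.

```python
"""Added example (not from the original post): a per-event detector for a
burst of high-entropy file writes, replayed over constructed telemetry to
compare an autonomous response with a human one sixty seconds later."""
import hashlib
import math
from collections import Counter, defaultdict, deque


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of `data`; ciphertext and compressed data sit near 8.0."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pseudo_ciphertext(seed: str, n: int) -> bytes:
    """Deterministic stand-in for an encrypted file: chained SHA-256 output."""
    out, block = bytearray(), seed.encode()
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def build_sample_events():
    """Constructed telemetry as (timestamp_s, pid, path, bytes_written).
    pid 4242 is a build tool writing low-entropy object files every 0.5 s;
    pid 6666 is a simulated ransomware process rewriting 400 documents at
    25 files per second, starting three seconds into the recording."""
    events = [(i * 0.5, 4242, f"build/obj{i}.o", (f"object file {i} " * 100).encode())
              for i in range(30)]
    events += [(3.0 + i * 0.04, 6666, f"docs/report{i}.docx.locked",
                pseudo_ciphertext(f"f{i}", 2048)) for i in range(400)]
    events.sort(key=lambda e: e[0])
    return events


class BurstDetector:
    """Fires when one process writes `threshold` high-entropy files within `window_s`."""

    def __init__(self, window_s=2.0, threshold=20, entropy_floor=7.5):
        self.window_s, self.threshold, self.entropy_floor = window_s, threshold, entropy_floor
        self.recent = defaultdict(deque)  # pid -> timestamps of recent high-entropy writes

    def observe(self, ts, pid, content) -> bool:
        if shannon_entropy(content) < self.entropy_floor:
            return False  # plain text, source, object files: not of interest
        q = self.recent[pid]
        q.append(ts)
        while q and ts - q[0] > self.window_s:
            q.popleft()  # drop writes that fell out of the sliding window
        return len(q) >= self.threshold


def simulate(events, detector, human_delay_s=60.0):
    """Replay events in time order. Return when the detector fired and how
    many files the offending process had rewritten (a) at that instant, as
    if the agent killed it immediately, and (b) human_delay_s later."""
    alert_ts, alert_pid = None, None
    for ts, pid, _path, content in events:
        if detector.observe(ts, pid, content):
            alert_ts, alert_pid = ts, pid
            break
    if alert_ts is None:
        return {"alert_at": None, "alert_pid": None,
                "lost_autonomous": 0, "lost_after_human_delay": 0}
    hits = [ts for ts, pid, _p, content in events
            if pid == alert_pid and shannon_entropy(content) >= detector.entropy_floor]
    return {
        "alert_at": alert_ts,
        "alert_pid": alert_pid,
        "lost_autonomous": sum(t <= alert_ts for t in hits),
        "lost_after_human_delay": sum(t <= alert_ts + human_delay_s for t in hits),
    }


def run_demo():
    return simulate(build_sample_events(), BurstDetector())


if __name__ == "__main__":
    print(run_demo())
```

With these parameters the detector fires on the twentieth encrypted write, less than a second after the burst begins, so an agent that terminates the process on the alert loses 20 files; a response that waits sixty seconds for a human decision arrives after all 400 have been rewritten. The entropy floor is what keeps the build tool's writes from counting, and a real agent would pair this signal with others (mass renames, deleted shadow copies, canary files) to keep the threshold low without false positives.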