I think that it’s safe to say that the vast majority of people are familiar with ransomware. Even if you have never fallen victim to a ransomware infection yourself, you have no doubt heard ransomware horror stories from those who have. Historically, the whole concept behind ransomware is really simple. The infection encrypts the victim’s data and then the victim must either restore a backup or pay the ransom if they want to regain access to their data. However, this simplistic business model (if you want to call it that) and the nearly universal awareness of ransomware are beginning to prove problematic for ransomware authors. Because ransomware threats have become so pervasive, organizations and individuals alike have been putting countermeasures in place to prevent ransomware infections and to ensure their ability to recover their data if a ransomware infection should occur. In other words, people are going to great lengths to avoid paying ransoms.
With their revenues presumably on the decline, ransomware authors have been coming up with new schemes for forcing their victims to pay up. Two such schemes are particularly troublesome.
The first of these schemes is that ransomware is increasingly targeting an organization’s backups. This is hardly unexpected being that backups are the single best tool that organizations have for avoiding a ransom payment.
In some ways, attacks against backups really aren’t all that new. There are reports going back a couple of years of ransomware targeting backups in various ways. Previously, though, this sort of thing really didn’t happen all that often, and certainly wasn’t a mainstream attack vector. Attacks against backups also tended to be somewhat limited in their capability. For example, ransomware might attempt to infect the Volume Shadow Copy Service.
More recently, though, ransomware authors have been attacking the actual backup storage appliances. These attacks can occur in a few different ways, but attackers will typically look for storage appliances that are accessible over the Internet. Once a specific appliance has been identified, the ransomware author may check to see if the appliance is running outdated firmware that is known to contain an exploitable vulnerability. At that point, the ransomware author may be able to take control of the appliance or corrupt the data that it contains.
There are two things that are particularly worrisome about these types of attacks. First, unlike traditional ransomware attacks, these attacks aren’t necessarily dependent on a user clicking on a malicious link or opening an infected email attachment. Second, the attacks are directed specifically at the very thing that would normally be used to recover from a more traditional attack.
Cyber-extortion as a new weapon
The other new trend that is starting to take hold with regard to ransomware infections is that traditional ransomware is beginning to merge with cyber-extortion. As previously noted, ransomware authors are probably seeing a decline in their revenues because given a choice, restoring a backup is infinitely preferable to paying a ransom. That being the case, ransomware authors have discovered that they need to take steps to entice their victims into paying the ransom. This is where cyber-extortion comes into play.
Some of the more recent types of ransomware threats have been going beyond the mere encryption of data, and are threatening to expose the data unless the victim pays the ransom.
When you first hear about this type of scheme, it may be tempting to dismiss it as being completely inconsequential. However, the exposure of data can be extremely problematic for both individuals and for corporations. From an individual standpoint, the seriousness of a data exposure event varies based on two factors. These include the nature of the data that is exposed, and whether or not the data’s owner can be positively identified by the ransomware author.
If the victim’s data is relatively benign, then exposure of the data may lead to problems such as stolen credit card numbers or identity theft. However, that’s probably a best-case situation.
If a ransomware author is able to positively identify the owner of the data, then threatening to expose the data might only be the first step. The threat of exposure can quickly evolve into blackmail. For example, the ransomware author may threaten to expose the victim’s porn collection or web-browsing habits. Worse yet, the extortionist might threaten to alert the authorities to the victim’s pirated software or digital media (movies, music, books, etc.). The extortionist could even go so far as to send all of the victim’s personal financial data to a government taxing agency. To the best of my knowledge, none of these things have actually happened yet, but they serve to illustrate how the contents of someone’s computer might be used against them in truly horrific ways.
Most organizations probably don’t have to worry about these specific types of exposure. After all, most corporations probably aren’t in the habit of downloading bootleg media from torrent sites. Even so, organizations could conceivably suffer consequences that are even more dire.
The biggest risk to having an organization’s data exposed is arguably that of regulatory fines. Regulations such as HIPAA and GDPR impose severe financial penalties when an organization suffers a data breach.
Even if an organization does not operate in a regulated industry, a data breach can still be devastating. The public disclosure of the organization’s data may give competitors an unfair advantage. The breach might also erode customers’ confidence in the organization. Depending on the nature of the data that is exposed, the event might also put the organization at risk of civil litigation.
Old defenses don’t cut it against new ransomware threats
Sadly, ransomware threats are not going to go away, at least not in the foreseeable future. Organizations must, therefore, look beyond their normal ransomware defenses and develop a strategy for countering these new types of ransomware threats.
One of the most important things that IT pros can do to protect their organizations against next-generation ransomware is to keep storage appliances up to date with the latest available firmware. It’s also important to make sure that none of the organization’s appliances are using default passwords or are unnecessarily exposed to the Internet.
As previously mentioned, attacks made directly against storage appliances are not the only ways in which ransomware has been known to attack backups. That being the case, it is important to use a backup solution that supports data immutability. That way, ransomware cannot encrypt the data that has already been written to backup.
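To make concrete what "data immutability" buys you, here is an added toy model of a write-once backup store (this is example code, not the page's own and not any particular backup product's implementation; the store, its retention window and the scenario are all constructed). Every write appends a new version rather than overwriting, and deletion is refused while any version is still inside the retention window, so a compromised client that pushes encrypted garbage over a backed-up path cannot destroy the clean copy.

```python
"""Toy write-once backup store illustrating immutability with a retention window (example only)."""
import hashlib
import time


class RetentionError(Exception):
    """Raised when a delete would remove a version that is still under retention."""


class ImmutableBackupStore:
    def __init__(self, retention_seconds, clock=time.time):
        self.retention = retention_seconds
        self.clock = clock  # injectable clock so the scenario below is deterministic
        self._versions = {}  # path -> list of (timestamp, sha256 hex digest, data)

    def put(self, path, data: bytes) -> str:
        # Writes never overwrite: each put appends a new version and leaves older ones untouched.
        digest = hashlib.sha256(data).hexdigest()
        self._versions.setdefault(path, []).append((self.clock(), digest, data))
        return digest

    def versions(self, path):
        # Version history (timestamp, digest) for a path, oldest first.
        return [(ts, digest) for ts, digest, _ in self._versions.get(path, [])]

    def get(self, path, version=-1) -> bytes:
        # Any retained version can be restored, not only the latest one.
        return self._versions[path][version][2]

    def delete(self, path):
        # Deletion is refused while any version of the path is younger than the retention window.
        now = self.clock()
        for ts, _, _ in self._versions.get(path, []):
            if now - ts < self.retention:
                raise RetentionError(f"{path}: version written at {ts} is still under retention")
        self._versions.pop(path, None)


def simulate_backup_then_tamper():
    """Constructed scenario: a clean backup is taken, then a compromised client pushes
    an encrypted blob over the same path and tries to purge the history."""
    now = [1_000_000.0]
    store = ImmutableBackupStore(retention_seconds=30 * 86400, clock=lambda: now[0])

    clean = b"quarterly-report.xlsx contents"  # constructed sample data
    store.put("finance/report.xlsx", clean)

    now[0] += 3600  # an hour later the client has been compromised
    store.put("finance/report.xlsx", b"\x00\xffgarbage-after-encryption")  # constructed tampered payload
    try:
        store.delete("finance/report.xlsx")
        purged = True
    except RetentionError:
        purged = False

    return {
        "purged": purged,
        "versions": len(store.versions("finance/report.xlsx")),
        "original_intact": store.get("finance/report.xlsx", 0) == clean,
    }


if __name__ == "__main__":
    print(simulate_backup_then_tamper())
```

The important design point is that the clean version survives not because the tampered write was detected, but because nothing in the store's API can overwrite or prematurely delete an existing version; real backup products expose the same property under names such as object lock or WORM retention, and the retention window should be longer than the time it takes you to notice an incident.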
Ransomware-related cyber-extortion is far more difficult to protect against. One thing that you can do is to monitor outbound network traffic streams and use an alerting mechanism to inform the administrative staff of any large data transfers to an unknown destination. This might also be a good time to revisit your organization’s data archiving policy. After all, data residing in an offline archive is inaccessible to ransomware.
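The outbound-transfer alerting described above, as an added example that is not part of the original article: it parses a few constructed flow records (a NetFlow-style "timestamp,src,dst,dst_port,bytes_out" format assumed for illustration), sums bytes per source/destination pair, and raises an alert when a destination outside the assumed approved list has received more than a threshold. The approved networks, internal range and 500 MiB threshold are placeholders you would replace with your own.

```python
"""Alert on large outbound transfers to unknown destinations (example only; flow format assumed)."""
from collections import defaultdict
import ipaddress

# Constructed sample flow records, not real traffic: "timestamp,src,dst,dst_port,bytes_out".
SAMPLE_FLOWS = """\
2024-01-01T09:00:01,10.0.0.15,203.0.113.7,443,524288
2024-01-01T09:00:05,10.0.0.15,203.0.113.7,443,734003200
2024-01-01T09:01:10,10.0.0.22,192.0.2.10,443,1048576
2024-01-01T09:02:00,10.0.0.15,203.0.113.7,443,536870912
2024-01-01T09:03:00,10.0.0.40,198.51.100.5,22,2097152
2024-01-01T09:04:00,10.0.0.22,192.0.2.10,443,314572800
"""

# Assumed approved destinations (e.g. your backup SaaS provider). Anything else is "unknown".
KNOWN_DESTINATIONS = [ipaddress.ip_network("192.0.2.0/24")]
# Assumed internal address space; flows that stay inside it are not exfiltration.
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]
THRESHOLD_BYTES = 500 * 1024 * 1024  # 500 MiB, a placeholder to tune per site


def parse_flows(text):
    """Parse the assumed CSV flow format into dicts; blank and '#' lines are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, nbytes = line.split(",")
        flows.append({"ts": ts, "src": src, "dst": dst, "port": int(port), "bytes": int(nbytes)})
    return flows


def _in_any(addr, networks):
    return any(addr in net for net in networks)


def is_known(dst):
    """True when the destination is on the approved list."""
    return _in_any(ipaddress.ip_address(dst), KNOWN_DESTINATIONS)


def is_internal(dst):
    return _in_any(ipaddress.ip_address(dst), INTERNAL_NETWORKS)


def find_large_unknown_transfers(flows, threshold=THRESHOLD_BYTES):
    """Aggregate outbound bytes per (src, dst) and return alerts for unknown,
    non-internal destinations whose total meets the threshold."""
    totals = defaultdict(int)
    first_seen = {}
    for f in flows:
        key = (f["src"], f["dst"])
        totals[key] += f["bytes"]
        first_seen.setdefault(key, f["ts"])

    alerts = []
    for (src, dst), total in sorted(totals.items()):
        if total >= threshold and not is_internal(dst) and not is_known(dst):
            alerts.append({"src": src, "dst": dst, "bytes": total, "first_seen": first_seen[(src, dst)]})
    return alerts


if __name__ == "__main__":
    for alert in find_large_unknown_transfers(parse_flows(SAMPLE_FLOWS)):
        print(f"ALERT {alert['src']} -> {alert['dst']}: {alert['bytes']} bytes since {alert['first_seen']}")
```

In the sample, the many small sessions from 10.0.0.15 to 203.0.113.7 individually stay under the threshold but together exceed it, which is why the aggregation per destination matters; the large transfer to 192.0.2.10 is suppressed because that network is on the approved list. In production the records would come from your flow collector or firewall logs and the alert would feed your ticketing or SIEM rather than being printed.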
Finally, make sure that you practice least-privilege access. Just as ransomware cannot access your offline archives, it is also unable to access any data for which it lacks the necessary permissions. Ransomware infections are often triggered by a user, and the ransomware runs under that user’s security context. Limiting the data that the user is able to access has the effect of also limiting the damage that ransomware can do.