
Why the ransomware threat looms larger by the day

It has been around since the early 1990s, but ransomware remains at the top of the list of cyber security concerns for many organisations, Rohan Langdon of ExtraHop writes.

Rohan Langdon
Mon, 12 Sep 2022

With the ability to cause massive disruption and financial loss, the attacks focus on locking up critical data and then demanding sizable payments for its release. Threats also can be made to release the data publicly if the ransom is not met.

The number of ransomware attacks occurring is increasing rapidly. During 2021, the government’s cyber security agency reported that there had been a 60 per cent increase in ransomware attacks against Australian entities in the previous year.

Concerningly, research also shows that organisations are not being attacked just once. A recent survey undertaken by ExtraHop of 100 security and IT decision-makers in Australia found 85 per cent of organisations experienced multiple ransomware attacks in the past five years.


An evolving threat

In the early days of ransomware, the goal of attackers was to simply encrypt files and then demand a ransom. The criminals gained entry, deployed their malware, encrypted data, and demanded payment in exchange for the decryption keys.

Over the years, it became fairly turnkey for the cyber gangs as they created customer service sites and helplines to make sure they got paid. However, something began to shift.

Criminals began to introduce payment incentives at multiple steps in the ransomware process, from exfiltration of data to exploitation of software to using victims’ resources to infect their business associates. Simply being able to restore from a backup is cold comfort if that data will be released publicly anyway.

Achieving effective protection

With the complexity of attacks continuing to climb, the task of preventing one taking place is becoming increasingly difficult. For this reason, organisations should focus on building security measures that are able to interrupt attackers, identify their behaviour early, and stop them in their tracks.

This is important because having an intrusion-prevention system that is 100 per cent effective at all times is simply not possible. Winning the fight against ransomware requires an organisation to focus on damage prevention instead of intrusion prevention to establish ransomware resilience.

The most effective cyber criminals are those who have the ability to move around within a targeted IT infrastructure while avoiding detection, staging data and gaining privileged access. They can take their time to access the assets that are available before triggering their attack.

For this reason, a defensive strategy must include the ability to continually monitor for suspicious activity and then automatically flag such events for closer inspection and action.

Deploying the right tools

A ransomware attack can be broken down into three parts. The first is initial access, when the cyber criminals gain a foothold within an organisation’s IT infrastructure.

This is followed by the midgame where the attacker moves laterally through the infrastructure, staging data, sending C2 communications and assessing the data that is available. The third part of the attack is when the data is encrypted and exfiltrated and ransom demands are issued.

Many organisations believe that if they have endpoint detection and response (EDR) tools in place they will be well placed to avoid a ransomware attack. However, such tools don’t provide coverage across the entire enterprise.

There is a need for endpoint and network security to both be in place to stop ransomware. Practitioners need to focus on the midgame to identify and mitigate an attack before it’s too late. It’s also important for organisations to have complete visibility into network activity so that teams can know what’s normal and what’s not.
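As an added illustration of the midgame detection the article calls for (this is not ExtraHop's code or product logic), the following script builds a per-host baseline of normal network peers from constructed flow records and then flags two midgame behaviours in a later window: a host contacting several internal peers it has never spoken to (lateral movement) and a host calling one external address at near-constant intervals (a beacon-like C2 pattern). The flow tuple layout, the `10.` internal prefix and the thresholds are assumptions for the example.

```python
from collections import defaultdict
from statistics import pstdev

# Constructed sample flow records (timestamp_s, src, dst, dst_port); not real traffic.
BASELINE = [
    (0, "10.0.0.5", "10.0.0.10", 445), (30, "10.0.0.5", "10.0.0.20", 443),
    (60, "10.0.0.6", "10.0.0.10", 445), (90, "10.0.0.6", "198.51.100.4", 443),
]
WINDOW = (
    # 10.0.0.5 suddenly reaches five internal hosts it never spoke to, on SMB
    [(t, "10.0.0.5", f"10.0.0.3{i}", 445) for i, t in enumerate(range(100, 150, 10), 1)]
    # ... and contacts one external host every ~60 s (a beacon-like pattern)
    + [(t, "10.0.0.5", "203.0.113.7", 443) for t in (200, 261, 320, 380, 441, 500)]
    # 10.0.0.6 behaves as in the baseline
    + [(110, "10.0.0.6", "10.0.0.10", 445), (130, "10.0.0.6", "198.51.100.4", 443)]
)

def peer_baseline(flows):
    """Map each source host to the set of destinations it normally talks to."""
    peers = defaultdict(set)
    for _, src, dst, _ in flows:
        peers[src].add(dst)
    return peers

def new_internal_peers(baseline, window, internal="10.", threshold=3):
    """Hosts contacting more than `threshold` internal peers absent from the baseline."""
    seen = defaultdict(set)
    for _, src, dst, _ in window:
        if dst.startswith(internal) and dst not in baseline.get(src, set()):
            seen[src].add(dst)
    return {h: sorted(d) for h, d in seen.items() if len(d) > threshold}

def beaconing(window, internal="10.", min_conns=5, max_jitter=2.0):
    """(src, dst, port) contacted at near-constant intervals; value is the mean gap in s."""
    times = defaultdict(list)
    for ts, src, dst, port in window:
        if not dst.startswith(internal):
            times[(src, dst, port)].append(ts)
    hits = {}
    for key, ts in times.items():
        if len(ts) < min_conns:
            continue
        ts = sorted(ts)
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if pstdev(gaps) <= max_jitter:
            hits[key] = round(sum(gaps) / len(gaps), 1)
    return hits

if __name__ == "__main__":
    base = peer_baseline(BASELINE)
    print("lateral movement candidates:", new_internal_peers(base, WINDOW))
    print("beacon candidates:", beaconing(WINDOW))
```

Both checks depend on first knowing what is normal for each host, which is the visibility point the article makes; on real flow data the baseline would come from a longer observation period and the thresholds would be tuned per environment.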

It’s clear that the threat of ransomware is not going to dissipate any time soon. For this reason, it’s vital that organisations take the steps required to improve their infrastructure visibility so they can quickly take action should an attack take place.

Rohan Langdon is ANZ country manager at ExtraHop.
