Despite being around for more than three decades, ransomware attacks are more pervasive and successful than ever. There’s one reason for this: monetization. The FBI’s 2023 Internet Crime Report found that losses from ransomware totaled $59.6 million, up from $34.3 million in 2022. And that’s just the organizations in the U.S. that report an attack to the FBI — many don’t. Globally, estimates on the total cost of ransomware attacks tops more than $1 billion.
Click for more special coverage
As the saying goes: “If it ain’t broke, don’t fix it” — and cybercriminals haven’t. Barely a day goes by that we don’t hear about another high-profile ransomware attack. Instead of slowing down, cyber threat actors are innovating. While ransomware of a decade ago traditionally was executed by a single individual or cybercrime group, today, organizations and law enforcement agencies are up against a gig economy with the evolution of Ransomware-as-a-Service (RaaS).
Ransomware developers, also called RaaS operators, develop and maintain ransomware tools and infrastructure and package them into RaaS kits that they then sell to other hackers, called RaaS affiliates or proxies. These ready-made ransomware kits have made it possible for even individuals with limited technical skills to carry out attacks with devasting consequences.
The RaaS business model has caused a proliferation of ransomware threat actors — each responsible for an individual aspect of the attack. For example, initial access brokers (IABs) are often used to gain access into victim networks. Once in, they hand off responsibility to another group to execute phase two, usually conducting reconnaissance, including learning valid access credentials they can use to move laterally across the network. From there, RaaS affiliates may take over and use the ready-made kits they purchased from RaaS operators to detonate ransomware. Like traditional businesses, some ransomware gangs even have call centers for victims and support teams that handle negotiation and encryption care.
If the thought of battling a single individual or cybercrime group isn’t overwhelming enough, cybersecurity teams are now up against multi-tiered RaaS businesses and a whole gig economy.
Get proactive to stay secure
This dynamic may seem like a “David and Goliath” situation that stops organizations in their tracks. But by getting proactive against ransomware, it’s possible to level the playing field and even come out on top. Here are four essentials that organizations can prioritize now to bolster their cybersecurity posture to defend against ransomware:
- Implement a strong cybersecurity foundation: Companies need a strong foundation of cybersecurity fundamentals if they are going to add on more advanced layers and expect them to work properly. Essential building blocks of a strong cybersecurity program include having data backups, identity and access management tools, multi-factor authentication, patch management, pen testing, tabletop exercises, and security awareness training.
- Develop and practice an incident response plan: An IR plan can help organizations keep the entire response process moving and organized in the face of chaos. Common elements of an IR plan include the following: select an incident command leader; define all stakeholders involved, outlining their responsibilities and how best to contact them; establish relationships with business units and legal entities; define a chain of command when outside help is needed; put back-up communications plans in place; acquire a Bitcoin strategy; and identify if the company has an IR retainer and cyber insurance. Once the organization develops an IR plan, it’s imperative that organizations practice it routinely, so they are prepared — and not scrambling — in the event of a real incident. Additionally, practicing response actions builds reflexive knowledge that can overpower the human emotion that arises when a company is under attack — ensuring the best decisions are made for the organization.
- Establish a public/private partnership: Over the last 10 years, law enforcement agencies in the U.S. and abroad have become far more aggressive in their cybercrime involvement. Given this, these agencies can serve as a helpful resource when a cyber incident happens. But to make the most of a public/private partnership, organizations need to establish relationships prior to an attack. This means getting to know the local FBI field office, cyber supervisor and cyber squad. Additionally, depending on the industry, it could also mean getting involved in organizations such as InfraGard and Information Sharing and Analysis Centers (ISACs). The middle of a cyberattack is no time for tracking down law enforcement agencies for help. Having the relationships already in place saves tremendous time—and when a ransomware attack happens, every second counts.
- Determine a stance on paying a ransom: To pay, or not to pay? That’s literally the million-dollar question. Right now, there’s no overarching legislation dictating an answer, although the U.S. federal government recommends that organizations do not pay a ransom, since the money goes to fund cyber terrorism and threat actors. Still, each organization must make the decision on whether or not to pay. Based on my two decades of experience working ransomware cases, I also believe paying a ransom is not the best course. There are a few reasons for this. First, we can’t trust cybercriminals. Paying a ransom does not guarantee the threat actors behind the attack will hold true to their word and give the data back. If the company does get back the data, it will likely lose 20% to 30% in the restoration process anyway. Second, by putting the right cybersecurity basics in place — data backups and IR plans, for example — organizations can restore systems on their own without needing to pay a ransom. Regardless which option the company takes, it’s helpful to make a decision before an attack so the team can execute without argument in the event of a real security event.
The evolution of ransomware into a gig economy driven by RaaS has made it more accessible and profitable than ever before. While this presents a formidable challenge to organizations, there are proactive steps that companies can take to mitigate the risk of ransomware attacks. Prioritizing the security measures I outlined here will help protect the organization, its people, and valuable assets from ransomware — and all types of threats.
James Turgal, vice president of cyber risk, Optiv