It's a dubious anniversary, but widespread encrypting ransomware has been around for 20 years — and we don't seem to be any closer to defeating it today than we were in 2005.

As with many persistent cybersecurity issues, ransomware attackers have managed to stay a step ahead of defenders and learned to evade many common protections. Throwing money at the problem doesn't seem to work, as bigger cybersecurity budgets often just mean the same old mistakes are made more quickly.
Your organization can achieve effective ransomware protections, however, by implementing structural changes and defense-in-depth.
Useful policies and tools include least privileges, network segmentation, access controls, strong multi-factor authentication, zero trust, rapid incident response and robust identity security based on a privileged access management (PAM) platform.
"Having a very specific strategy around a platform, really understanding what the ransomware behavior profile is, and then spending your resources there versus elsewhere, is really how you're going to have to do that," says Art Gilliland, CEO of PAM provider Delinea.
The ransomware landscape today
An upcoming survey report from Delinea reveals several disturbing findings: The number of successful ransomware attacks has grown significantly for the past two years, despite continued investment in protections against it.
The share of all ransomware targets that are large enterprises is growing. Yet cybersecurity-budget increases seem to go more toward basic protection tactics (patching, backups and password "best practices") and less to structural ones like enforcing the principle of least privilege and disabling email macros.
Ransomware attackers are "getting pretty sophisticated on how to identify the basic protections that you would expect in a typical company," says Pierre Mouallem, Chief Information Security Officer at Delinea. "You're always going to see attacks like ransomware happen because they're pretty lucrative and smaller companies or industries are always going to be playing catch-up."
The percentage of companies paying ransoms has decreased, yet more than half still pay up — and not all victims get the data back once they've handed over the ransom. Recovery from a ransomware attack takes up to a week for most victims, and for some it can take months.
On the brighter side, nearly all the large companies surveyed say they're using AI to combat ransomware. Even most of the smaller ones say so too, although these are self-reported numbers. Many organizations use AI to spot indicators of compromise and phishing emails, and the latter category remains a top vector for ransomware penetration.
Why neither traditional defenses nor bigger cybersecurity budgets are working
When it comes to increasing the cybersecurity budget, many organizations are spending freely but not wisely. Patching vulnerable software, maintaining offline backups and basic password management are common cybersecurity best practices, not cutting-edge techniques, yet they're sometimes touted as signs of progress.
Attackers have learned how to get around these well-understood obstacles, how to avoid detection by endpoint-protection software, and how to find areas that an organization's various security tools leave uncovered.
"Historically, we've spent a ton of money on a bunch of controls in particular that haven't been that effective, because the adversary is so good at finding the cracks," says Gilliland.
Instead of exploiting known vulnerabilities, attackers can steal account credentials and log into targeted systems. Instead of infecting systems with recognizable malware, they will "live off the land" by using Windows' own management and encryption tools to lock up valuable files.
Meanwhile, the use of AI in phishing campaigns makes it possible for attackers to rapidly create finely targeted, well-written malicious messages en masse. AI-written malware and the growth of licensed ransomware as a service (RaaS) mean that even amateurs can quickly be successful at cybercrime.
"You don't need to have that deep subject matter expertise to write something that can evade [detection]," says Mouallem. "You can leverage what others are doing."
New avenues of penetration by ransomware attackers have opened up, such as sneaking into Slack or Teams message threads to inject malware or perform internal reconnaissance on a targeted organization.
Cloud assets are frequently well guarded by cloud-native application protection platforms (CNAPP) and other defenses, yet the fact that they're always being refined and improved by developers creates another access vector for attackers.
"The cloud environments are usually environments where you have almost every developer hanging around with very high levels of privilege, which leads to catastrophic results," says Gal Diskin, VP of Research and Identity Threats at Delinea.
Then there's the growing prevalence of "double extortion," in which the attackers not only encrypt files but steal sensitive data. The victims have to pay to both unlock the data and receive a promise that the stolen information won't be publicly posted online.
In some ways, this is a sure-fire way for attackers to get money out of organizations that have properly backed up their data and can quickly recover from a ransomware attack. As the Delinea survey found, some attackers don't even bother encrypting the data now — they just use it to blackmail the victims.
"Usually if a company has protections in place to recover from ransomware attacks by having data backups, then the need to pay a ransom is no longer there," says Mouallem. "However, if there is a risk of your data or your customers' data being exposed publicly, that can be far more damaging than the limited disruption that ransomware impact can have."
Identity on the front lines
Identity-security systems are, in this age of perimeter-free networks and perpetual remote access, the first line of defense — and increasingly, the first target of attack.
"There is a tendency for ransomware attackers to target the identity systems in recent years, because this is the door to complete mayhem," says Diskin.
Diskin pointed out that the ransomware attacks on MGM Resorts International and other organizations in the summer of 2023 "were very catastrophic for the targets, exactly because of the compromise of the identity systems."
Non-human identities — user accounts belonging to software, devices or algorithms — can often be hijacked more easily than those belonging to humans, due to obscurity and lack of oversight. These machine accounts often have excessive system privileges, increasing the potential for serious damage.
"The controls around non-human identities tend to be a little bit more lax, from what we've seen, than human identities," says Mouallem.
It's no surprise, then, that more than half of organizations that fall victim to ransomware choose to pay up.
Some simply don't have a choice, as they can't function without critical systems or even physical machines. Others would rather pay up than suffer the indignities (and legal costs) of having customer data or other sensitive information publicly disclosed.
"It's a question of the impact on the affected organization," says Diskin. "If I block the publication of this private data, I will pay less than if I pay reparations to all my customers for the data going public."
Two other factors contribute to increasing cybersecurity spending without creating a return on investment. More rules and regulations mean that organizations must devote a greater share of resources, both in staffing and spending, to compliance and making sure they pass audits.
And increasing demand among business clients and end consumers for security safeguards and privacy protections sometimes results in superficial cybersecurity additions that may contribute little to improving an organization's resilience to ransomware.
How to create better ransomware protections
Fortunately, there are effective ways to protect your organization against ransomware. Some are structural improvements that your internal team can implement on its own.
Implement the principle of least privilege.
Ransomware, especially when delivered through phishing attacks, can be contained by not giving any user, from an intern to an API to the CEO, any more system privileges than they absolutely need to do their jobs.
As Gilliland explains, if a regular user account is compromised by a phishing attack, the damage will be contained because the account can't do that much.
"We can radically control and radically limit what that user system is allowed to do in the environment," he says. "We basically limit the blast radius."
Limit the distribution of administrative credentials.
Most users don't need the ability to install or modify software on their workplace machines. That often stops the installation of ransomware on an endpoint dead in its tracks. Gilliland says that even he, as the CEO, doesn't have admin rights on his company laptop.
"They've eliminated my ability to create a new database connection, or a new back-end system, or if I want to add new software to my laptop," he says.
Even if he falls victim to ransomware, Gilliland adds, "the only laptop that gets compromised is mine, and so the cleanup and recovery is just a lot faster."
Implement a privileged-access-management (PAM) program.
It's even better to limit the longevity of administrative credentials, especially when it comes to organization-wide systems. Privileged access management is designed to control, limit and provision the keys to the kingdom.
PAM can be set up so that even top IT managers and non-human accounts get high system privileges only as long as it takes to perform specific tasks, a practice called "just-in-time" provisioning. A corollary is "zero standing privileges" in which no user has any elevated privileges except for the short periods of time during which they're necessary.
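To make "just-in-time" provisioning and "zero standing privileges" concrete, here is a small Python broker written for this article; it is an added example, not Delinea's product or code. Identities hold no elevated role at rest: eligibility (which roles an identity may ask for) is kept separate from authorization (whether a live, unexpired grant exists at this moment), every grant is time-boxed and audited, and expiry needs no clean-up step because the right simply stops existing. The identities, roles and TTLs are constructed.

```python
"""Toy just-in-time (JIT) privilege broker with zero standing privileges.

Added example, not Delinea's code. All identities, roles and TTLs are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class Grant:
    identity: str
    role: str
    task: str
    expires_at: datetime


@dataclass
class JitBroker:
    # Roles each identity may *request*. This is not a standing right: until a
    # grant is issued, the identity has no elevated access at all.
    eligibility: dict[str, set[str]]
    max_ttl: timedelta = timedelta(minutes=15)
    _active: dict[tuple[str, str], Grant] = field(default_factory=dict)
    audit_log: list[str] = field(default_factory=list)

    def request(self, identity: str, role: str, task: str,
                ttl: timedelta, now: datetime) -> Optional[Grant]:
        """Issue a time-boxed grant, or None (with an audit entry) if refused."""
        if role not in self.eligibility.get(identity, set()):
            self.audit_log.append(f"DENY {identity} role={role} task={task!r}: not eligible")
            return None
        if ttl <= timedelta(0) or ttl > self.max_ttl:
            self.audit_log.append(f"DENY {identity} role={role} task={task!r}: ttl {ttl} out of range")
            return None
        grant = Grant(identity, role, task, now + ttl)
        self._active[(identity, role)] = grant
        self.audit_log.append(f"GRANT {identity} role={role} task={task!r} until {grant.expires_at.isoformat()}")
        return grant

    def is_authorized(self, identity: str, role: str, now: datetime) -> bool:
        """True only while an unexpired grant for (identity, role) exists."""
        grant = self._active.get((identity, role))
        if grant is None:
            return False
        if now >= grant.expires_at:
            # Expiry is automatic: the privilege disappears without a revocation step.
            del self._active[(identity, role)]
            self.audit_log.append(f"EXPIRE {identity} role={role}")
            return False
        return True

    def revoke(self, identity: str, role: str, reason: str) -> bool:
        """Early revocation, e.g. when an identity is flagged as compromised."""
        if self._active.pop((identity, role), None) is None:
            return False
        self.audit_log.append(f"REVOKE {identity} role={role}: {reason}")
        return True


def scenario() -> dict:
    """A backup service account gets, uses and loses backup-admin rights."""
    t0 = datetime(2025, 1, 1, 9, 0, tzinfo=timezone.utc)
    broker = JitBroker(eligibility={"svc-backup": {"backup-admin"}, "alice": {"db-admin"}})
    before = broker.is_authorized("svc-backup", "backup-admin", t0)          # nothing standing
    grant = broker.request("svc-backup", "backup-admin", "nightly snapshot",
                           timedelta(minutes=10), t0)
    during = broker.is_authorized("svc-backup", "backup-admin", t0 + timedelta(minutes=5))
    after = broker.is_authorized("svc-backup", "backup-admin", t0 + timedelta(minutes=11))
    not_eligible = broker.request("svc-backup", "db-admin", "curiosity",
                                  timedelta(minutes=5), t0) is None
    too_long = broker.request("alice", "db-admin", "migration", timedelta(hours=2), t0) is None
    return {"before": before, "granted": grant is not None, "during": during,
            "after": after, "not_eligible": not_eligible, "too_long": too_long,
            "log": broker.audit_log}


if __name__ == "__main__":
    print("\n".join(scenario()["log"]))
```

The audit log is the part a security team actually consumes: every grant, denial and expiry is a discrete, attributable event, which is what makes a later investigation possible.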
Implement centralized password management, or vaulting.
Managing and controlling administrative credentials, or even ordinary user passwords for various tools and services, is made simpler by "vaulting" them in a secure centralized database run by a PAM system.
Adopt stronger forms of MFA.
Most white-collar workers have finally grown accustomed to using MFA in the workplace. The flip side is that the forms of MFA that are most commonly used, such as one-time codes that are sent via text message or voice call, are very weak and can easily be hijacked by attackers.
"Weak forms of MFA are being evaded," says Diskin, relating the story of a CEO whose account was compromised after his phone number was hijacked because he had enabled both texted and voice-call codes. "Sometimes more is not necessarily better. It has to be also really better."
Instead, roll out phishing-resistant MFA such as number-matching push notifications (not those with just a simple yes-or-no confirmation), physical USB sticks like Yubikeys or smartphone-based passkeys. Your users will be far less susceptible to phishing attacks.
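The difference between a yes-or-no push and number matching is easiest to see in server-side code. The following Python sketch is an added example, not any vendor's implementation: the login screen that started the attempt shows a two-digit number, the push sent to the phone carries only the challenge id, and approval must supply that number, so a tap on "Approve" by someone who is not looking at the login screen cannot complete the login. Challenges are single-use, expire after a minute and allow only a few attempts; all names are constructed.

```python
"""Number-matching push MFA, toy server-side logic.

Added example, not a vendor's product. All names and values are constructed.
"""
from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Challenge:
    id: str
    user: str
    number: str            # displayed only on the login screen that started this attempt
    expires_at: datetime
    attempts_left: int = 3
    consumed: bool = False


class NumberMatchingPush:
    TTL = timedelta(seconds=60)

    def __init__(self) -> None:
        self._pending: dict[str, Challenge] = {}

    def start_login(self, user: str, now: datetime) -> Challenge:
        """Create a challenge. The push notification carries ch.id only;
        ch.number goes to the login screen, never to the phone."""
        ch = Challenge(id=secrets.token_hex(8), user=user,
                       number=f"{secrets.randbelow(100):02d}", expires_at=now + self.TTL)
        self._pending[ch.id] = ch
        return ch

    def approve(self, challenge_id: str, typed_number: Optional[str], now: datetime) -> bool:
        """Called when the authenticator app answers the push."""
        ch = self._pending.get(challenge_id)
        if ch is None or ch.consumed or now >= ch.expires_at:
            return False
        ch.attempts_left -= 1
        ok = hmac.compare_digest(ch.number, typed_number or "")   # constant-time compare
        if ok or ch.attempts_left == 0:
            ch.consumed = True          # single use, whether it succeeded or got locked out
            del self._pending[challenge_id]
        return ok


def scenario() -> dict[str, bool]:
    """Blind approve, correct number, replay, expiry and lockout, in that order."""
    t0 = datetime(2025, 1, 1, 9, 0, tzinfo=timezone.utc)
    mfa = NumberMatchingPush()
    ch = mfa.start_login("alice", t0)
    blind = mfa.approve(ch.id, None, t0)             # "Approve" tapped with no number: refused
    correct = mfa.approve(ch.id, ch.number, t0)      # number read from the login screen
    replay = mfa.approve(ch.id, ch.number, t0)       # same challenge again: already consumed
    ch2 = mfa.start_login("alice", t0)
    late = mfa.approve(ch2.id, ch2.number, t0 + timedelta(seconds=61))
    ch3 = mfa.start_login("alice", t0)
    wrong = "00" if ch3.number != "00" else "01"
    for _ in range(3):
        mfa.approve(ch3.id, wrong, t0)               # three misses lock the challenge
    locked = mfa.approve(ch3.id, ch3.number, t0)
    return {"blind": blind, "correct": correct, "replay": replay, "late": late, "locked": locked}


if __name__ == "__main__":
    print(scenario())
```

The attempt limit and short lifetime matter as much as the number itself: a two-digit value is guessable given unlimited tries, so the challenge has to lock after a few misses.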
Implement zero trust.
Despite sometimes being reduced to a marketing buzzword, zero trust is a powerful and important guiding principle to radically reshape your network and identity architectures.
Like least privilege, zero trust will greatly curb the "blast radius" of a ransomware attack, as Gilliland put it, by constantly challenging every user, every time, to verify their identity when moving from one area to another within an organization's systems.
Micro-segment your network.
You want to greatly limit the ability of attackers to move laterally around your network. Logically chop it up into many smaller subnetworks, and make sure any user moving from one to the other has to face identity challenges.
You may also consider an endpoint privilege manager, such as Delinea's, that limits responses to requested connections.
"The ability for ransomware to spread through the organization just is blocked completely," explains Gilliland. "It's different than a network connection where there actually are perimeter walls that block. I'm asking to connect to that thing, and the other side just doesn't say yes."
Beef up your anomalous-behavior detection.
Because many of today's attackers prefer to use software that's already on the system, you'll need to spot them by what they do. A constantly vigilant monitoring system will be able to quickly spot suspicious behavior.
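Spotting attackers "by what they do" can be done without knowing which tool they used. The Python detector below is an added example, not a product's detection logic: it reads file-activity events, keeps a sliding window per identity, and raises one alert when a single account has modified many distinct files across many directories within a short window, the shape of an encryption run regardless of which binary performed it. The log format, thresholds and sample events are all constructed.

```python
"""Behaviour-based detection of a mass-encryption burst in file-activity logs.

Added example, not a product's detection logic. Log format, thresholds and
sample events are constructed.
"""
from __future__ import annotations

import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Optional

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) path=(?P<path>\S+)$"
)


def parse_event(line: str) -> Optional[dict]:
    """Parse one 'ts user= action= path=' line; malformed lines are skipped, not fatal."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect_bursts(lines, window=timedelta(seconds=60), min_files=50, min_dirs=5) -> list[dict]:
    """Alert once per identity when, inside `window`, it modified at least
    `min_files` distinct files spread over at least `min_dirs` directories."""
    events = sorted(filter(None, map(parse_event, lines)), key=lambda e: e["ts"])
    recent: dict[str, deque] = defaultdict(deque)   # per-user sliding window of (ts, path)
    alerted: set[str] = set()
    alerts: list[dict] = []
    for ev in events:
        if ev["action"] not in ("write", "rename", "delete"):
            continue                                 # reads do not indicate encryption
        q = recent[ev["user"]]
        q.append((ev["ts"], ev["path"]))
        while ev["ts"] - q[0][0] > window:
            q.popleft()                              # drop events older than the window
        files = {p for _, p in q}
        dirs = {p.rsplit("/", 1)[0] for p in files}
        if len(files) >= min_files and len(dirs) >= min_dirs and ev["user"] not in alerted:
            alerted.add(ev["user"])
            alerts.append({"user": ev["user"], "window_start": q[0][0].isoformat(),
                           "files": len(files), "dirs": len(dirs)})
    return alerts


def make_sample_events() -> list[str]:
    """Constructed log: a few ordinary edits by 'alice', then a burst by 'svc-backup'."""
    base = datetime(2025, 3, 4, 9, 0, 0)
    lines = [f"{(base + timedelta(minutes=20 * i)).isoformat()} user=alice action=write "
             f"path=/srv/share/finance/report{i}.xlsx" for i in range(3)]
    burst = base + timedelta(hours=1)
    lines += [f"{(burst + timedelta(milliseconds=250 * i)).isoformat()} user=svc-backup "
              f"action=write path=/srv/share/dept{i % 12}/doc{i}.docx"
              for i in range(120)]                   # 120 files across 12 directories in 30 s
    lines.append("garbage line that should be ignored")
    return lines


if __name__ == "__main__":
    for alert in detect_bursts(make_sample_events()):
        print(alert)
```

The thresholds are the tuning knobs: a build server or a legitimate backup job can also touch many files quickly, so in practice they are set per identity from a baseline, which is exactly where the non-human accounts discussed earlier need their own profile.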
Incorporate AI into your defenses.
Attackers are already using AI to write code and phishing emails, and Diskin says it won't be long before they mount fully automated ransomware-injection campaigns.
The time to exploit a vulnerable target, he explains, "will shorten significantly as AI becomes part of the attacker toolkit in that area."
You won't be able to keep up unless you use AI in your defenses to rapidly scan and process mountains of information to detect phony email messages, deepfakes, strange behavior and hidden malware at volumes that humans are incapable of handling.
Implement an identity threat detection and response (ITDR) platform.
Because identity has moved to the front lines of protection and is accordingly being targeted by malicious attackers, it's best to put into place a platform that's designed to detect and respond to attacks on your organization's identity systems.
ITDR can spot anomalous user behavior, ring-fence accounts that may have been compromised, and alert security teams while automatically taking the first steps toward containing an attack.
"We have ITDR solutions to detect compromises of accounts, and we have discovery of privileged and non-human identities in order to be able to manage those and secure those," says Diskin. "We are blocking the permissions that are usually required in order to kill the backups and be able to truly ransom an endpoint."