Ahhh, the ’80s, the decade of 15-foot telephone cords, Paula Abdul cassettes, and the Ghostbusters. We cherish all of it, but eventually they lose their luster and are replaced with newer, sexier alternatives. Cordless became the norm so my sister could hide in the bathroom and dominate the PSTN. Ms. Abdul moved up in the world giving way to fantastic come-ups like En Vogue and TLC. Even the Ghostbusters faded away into the paranormal ether. The bottom line is that every fad has a beginning and an end. Much like death and taxes, that timeline is guaranteed.
Over the last few years, the same can be said for cyberattacks. Malware has moved from a blast-everyone approach to well-organized business models that involve affiliate organizations of different skill sets.
Some affiliates are outside sales, farming victims (customers) and identifying areas of financial opportunity. Others focus on exploit and attack vectors, making sure their tooling is sharp enough for spear phishing, whaling, or the like. This “Ransomware as a Service” model is highly lucrative and incredibly mature, but so was MTV in the ’80s: well organized, targeted content, even a development ecosystem.
Few of us have never watched an episode of the “Real World,” and still fewer have not experienced ransomware in some way. So then, has ransomware had its heyday? Is it the JNCO jeans of an attacker’s cyber arsenal? Well, maybe more yes than no…
Ransomware is now mature enough that most security teams know what to look for. As information security is and will always be in some way a cat-and-mouse game, ransomware will never truly fade away. My great aunt still has a rotary phone, and my daughters rock those high-waisted bell-bottom jeans to high school. Some things will be with us forever.
The defense mechanisms we deploy to combat ransomware are well known to us as well. A sturdy backup system that is air gapped, high frequency, and redundant in its own right is critical to mitigate the right-of-boom fallout from a ransomware attack. Further, a solid disaster recovery/business continuity plan with plenty of regular exercise also makes those right-of-boom recovery activities that much easier to enact.
Driving the recovery time objective (RTO) and recovery point objective (RPO) numbers to single digits is always the goal. On the left-of-boom side, next-generation endpoint detection and response (EDR) solutions, behavioral and activity monitoring, honeypots/nets, and a strong vulnerability management program all contribute to ensuring the blast never goes off, data is never exfil’d, and ransomware never encrypts a byte. The point here is that cyber defense has matured greatly (ok, let’s assume a limitless budget) and ransomware’s effectiveness is thus mitigated. Certainly ransomware’s proliferation has not subsided, but is it still attractive to an attacker?
Very recently there’s been an observable shift, in much the same way as identity has become the new perimeter, to attackers capitalizing on simple human mistakes or afterthoughts. That is, using benign file transfer tools, remote access agents, and cloud services with absolutely no malicious nature to effect their chaos. Weak passwords or MFA mechanisms are simply easier to exploit than any off-road adventure on the MITRE ATT&CK trail.
Sophisticated nation states are focusing on embedding firmware into the manufacturing process (Gigabyte), or software update mechanisms (SolarWinds), spawning attack vectors never before seen (REvil, Darkside). Why spend copious amounts of time with a buffer overrun exploit delivered via compromised web site and bogus URL in a phishing campaign when you can simply just log in to a victim’s Office 365 instance as a long-since-terminated user with a password tied to their social media account leaked on the Dark Web in 2020? If a biomedical device or control valve can be overtaken with an iPhone power-cycling its Bluetooth antenna, and still provide the same path to a bitcoin payday, is continued investment in ransomware software still viable?
Assuming there is no boundary for this thought exercise, we can throw in soon-to-be-reality quantum computing to neutralize the fear of encrypted and unrecoverable data, thus imposing a costly and complex burden on the attackers to keep innovating ransomware’s capabilities (LockBit 3.0 is very impressive). Would-be victims are rapidly minimizing their attack surface with thin/zero clients, cloud migration, and bodiless (as opposed to headless) endpoints, thus removing the fissile material traditionally so attractive to a ransomware affiliate. Privileged account management and solid key management practices (HSM, KEK and DEK management) means that already-encrypted data is worthless during the exfiltration portion of a ransomware campaign.
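The KEK/DEK point above is easier to see in code. The following is an added example, not code from the original post or from NYP: it encrypts each record under its own data encryption key (DEK), stores the DEK only wrapped under a key encryption key (KEK) that would normally live in an HSM or KMS, and shows that a bundle an attacker exfiltrates (ciphertext plus wrapped DEK) is worthless without the KEK, while rotating the KEK only re-wraps DEKs and never touches the stored ciphertext. The cipher is a constructed stand-in (HMAC-SHA256 keystream in counter mode with an HMAC tag) so it runs on the standard library alone; all function names are this example's own.

```python
"""Envelope encryption with a KEK/DEK split (added example, stdlib only).

The `seal`/`open_` pair is a constructed stand-in for an AEAD such as
AES-GCM: HMAC-SHA256 keystream in counter mode, encrypt-then-MAC with a
separate MAC subkey. Production code would use a vetted AEAD instead.
"""
import hashlib
import hmac
import os
import secrets

NONCE_LEN = 16
TAG_LEN = 32  # SHA-256 digest size


def _subkey(key: bytes, label: bytes) -> bytes:
    # Domain-separate the encryption and MAC keys from one root key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(key: bytes, sealed: bytes) -> bytes:
    """Verify the tag first; raise ValueError on a wrong key or tampering."""
    if len(sealed) < NONCE_LEN + TAG_LEN:
        raise ValueError("sealed blob too short")
    nonce, ct, tag = sealed[:NONCE_LEN], sealed[NONCE_LEN:-TAG_LEN], sealed[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


def encrypt_record(kek: bytes, plaintext: bytes) -> dict:
    """Fresh DEK per record; only the KEK-wrapped DEK is stored beside the data."""
    dek = secrets.token_bytes(32)
    return {"ciphertext": seal(dek, plaintext), "wrapped_dek": seal(kek, dek)}


def decrypt_record(kek: bytes, record: dict) -> bytes:
    dek = open_(kek, record["wrapped_dek"])  # this step needs the HSM/KMS-held KEK
    return open_(dek, record["ciphertext"])


def rotate_kek(old_kek: bytes, new_kek: bytes, record: dict) -> dict:
    """KEK rotation re-wraps the DEK; the bulk ciphertext is untouched."""
    dek = open_(old_kek, record["wrapped_dek"])
    return {"ciphertext": record["ciphertext"], "wrapped_dek": seal(new_kek, dek)}


def exfiltrated_bundle_is_useless(record: dict, candidate_kek: bytes) -> bool:
    """Model the attacker: ciphertext + wrapped DEK in hand, but no KEK."""
    try:
        decrypt_record(candidate_kek, record)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    kek = secrets.token_bytes(32)  # constructed; would come from an HSM
    rec = encrypt_record(kek, b"constructed sample record")
    print("decrypts with KEK:", decrypt_record(kek, rec))
    print("useless without KEK:", exfiltrated_bundle_is_useless(rec, secrets.token_bytes(32)))
```

The design point is the separation: the database holds ciphertext and wrapped DEKs, the HSM holds the KEK, and neither store alone yields plaintext, which is what makes the exfiltration leg of a double-extortion campaign pay nothing.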
TL;DR, or the bottom line, is that ransomware is just as vicious, adept, and effective as it always has been. There will always be a group of people that think vinyl sounds waaaay better than iTunes, and in many cases, they are probably right.
Ransomware is with us forever. But is it where our focus should be? Is it still “sexy” to attackers? Or have they moved on to more “human” attack vectors and commensurately, we need to adjust with the times as well? I say this as I wear my neon sweatbands while Billy Blanks kicks away on my tube TV, with the click-clack-click knobs behind me.
John Frushour has 20-plus years of experience in IT and is the Chief Information Security Officer for the New York-Presbyterian Hospital System. John’s responsibilities include NYP’s security operations center, identity and access management team, vulnerability and forensics team, security engineering and architecture teams, enterprise messaging, authentication services, and more.