The threat of Ransomware has been looming for a good while now, but that threat reached a new height with the recent Darkside attack on the Colonial Pipeline.
The attack, which was the largest known ransomware attack on infrastructure in the United States, shut down the gas pipeline and knocked out half of the eastern seaboard’s gas supply, triggering a spike in gas prices and a wave of panic-buying in May.
It may have been the most visible ransomware attack this year, but it’s far from alone—experts that study the subject estimate that such attacks cost billions worldwide. With insurance companies increasingly unlikely to cave to attackers’ demands and official discouragement of making ransomware payments, businesses, organizations, and individuals all need to step up their defenses against cybercrime.
So what is Ransomware? This article will explain what it is, what it does, and how to best prevent what has become a persistent and increasing threat to cybersecurity.
What is Ransomware?
Just like the ransom notes in the movies, ransomware is an attack that holds data hostage in order to get demands met. As time has gone on, these attacks have focused less on removing access to data towards threatening to share sensitive information that, for many companies, is literally worth millions. According to a report from ZDNet, IBM has found a shift towards targeting manufacturing companies, the professional services industry, and the government. And the method of attacks has moved to a mix that includes extortion. If targets don’t pay up for access, they are threatened with the release of sensitive information as well.
And, due to a deadly combination that includes more societal reliance on technology and the appearance of cryptocurrency, the attacks are on the rise. A report from Forbes recently relayed that, in 2021, a ransomware attack will take place every 11 seconds, with the cost of those attacks expected to top out at $20 billion. Brenda R. Sharton, reporting for the Harvard Business Review manages to get across the staggering increase of ransom attacks over the last couple years, writing, “We saw more attacks of every kind, but the headline for 2020 was ransom attacks, which were up 150% over the previous year. The amount paid by victims of these attacks increased more than 300% in 2020.”
Ransomware is booming—so much so that attack “kits” are now being peddled to those who want to break into the cybercrime business. Ransomware as a service (RaaS) has become increasingly popular. As CrowdStrike explains, it’s offered up as a subscription service, with licensing fees and profit sharing, just like a legitimate business.
Back to that Colonial Pipeline attack, which caused more than 5,000 miles of gas pipeline to be shut down, the CEO of the company has revealed that it occurred due to an oversight. He told a Senate committee that hackers gained access through an old virtual private network that the company believed was out of commission. A CNN article from June 4, 2021 reveals that a single compromised password was all that was required to gain access to this network.
Though it’s far from alone in terms of impacting physical infrastructure—hospitals, governments and police have all been victim to attacks—the security breach at the pipeline has apparently served as a screaming wakeup call to the Biden Administration. But while we wait for them to lock down national security there are steps that can be taken by businesses and individuals to stay safe.
How do ransomware attackers gain access? How can they be stopped?
Generally speaking, even though ransomware is the “latest” threat to your security, preventing attacks remains pretty much the same as with any malware. Malicious software can’t get access to your files without access to your system, so never download, open, or install files from email or online without knowing their source.
There are some general tips for preventing ransomware, which you can find online. We’ve condensed the basics from the Carnegie Mellon University Software engineering Institute’s guide to best practices for ransomware prevention and response:
- Back up your data, offline and preferably offsite.
- Avoid suspicious downloads, unsolicited emails, etc.
- Keep software patched, maintained, and updated.
- Restrict code execution.
- Restrict administrative access.
- Disable vulnerable protocols.
- Educate your employees.
Knowing these best practices is crucial, and becomes more so each year. Not only has the threat of attacks increased in number and severity, insurance companies and regulators are also becoming more security-minded. The companies have published their own best practices guides that advise against paying ransoms—and lots of companies are sticking to these rules themselves. That means that these insurance companies are less likely to pay out ransoms demanded of their clients. As Darkreading reports on this trend, “The era of companies being able to confidently shift cyber-risk to insurers may be coming to an end.”
In addition to insurance companies applying increased pressure on clients to ramp up their security and prevent ransomware attacks, the government is taking an increasingly hard line on would-be victims as well. As reported in The Hill, federal officials have been toying with the idea of making ransomware payouts illegal. That might sound a little harsh, but the reasoning behind the imagined legislation is that there is a lack of security and transparency against a threat that some worry could stop the country’s economy dead in its tracks.
If this spurs you to action, or if you are in charge of more than just yourself, you might want to look into some of the more detailed reports that are available online. As a starting point, the Cybersecurity & Infrastructure Security Agency has published prevention best practices and a response checklist on their site. (The agency also has guidance and resources available online.) In addition, the Institute for Security and Technology has published a report on combating ransomware, a compilation of recommendations from their Ransomware Task Force.
Fighting Ransomware with Digital Certificates
As a part of good security hygiene, digital certificates from publicly trusted certificate authorities (CAs) like SSL.com can help fight some common vectors for ransomware and other types of malware.
Signed and Encrypted S/MIME Email
Email is one of the most common delivery methods for ransomware, and phishing attacks can also be used to acquire credentials and gain administrative privileges on computers and networks. Using the S/MIME protocol to sign and encrypt email can help. S/MIME can work as a failsafe to keep company emails secure, because even educated employees can make mistakes:
- Good: Educate staff not to click links or open attachments in unsolicited email.
- Better: Educate staff and use digitally signed and encrypted email to assure email authenticity and prevent phishing, snooping, and tampering with messages.
Client Certificates and Mutual TLS
Passwords can be stolen via phishing or social engineering, or cracked by brute force methods. Additional identification factors can help. Mutual TLS with client certificates can help authenticate users, networked computers, and IoT devices (we’ve blogged about how this works before.) Remember that compromised password that gave attackers access to the Colonial Pipeline’s disused VPN? Using client certificates as an additional authentication factor would have prevented that.
Code signing certificates assure your customers that software is really from you and free of malware, and are also often required for compliance with OS platform policies. (For example, an EV code signing certificate is an absolute requirement for distributing Windows 10 kernel-mode drivers.)
As a software customer, you should also insist on installing signed software. And never, ever click through security errors and warnings to install software without a valid digital signature.
Unencrypted HTTP is ridiculously insecure, and there’s no reason to use it at all on the web in 2021. That goes double for any website your customers or employees use to shop or access company resources, potentially exposing login credentials or other sensitive data to attackers. At the very least, every website should include a domain validated (DV) certificate. Extended Validated (EV) and Organization Validated (OV, also known as high assurance) SSL/TLS certificates let users know who is running the website they are visiting and downloading files from.
Ransomware is a frightening threat to national and personal security, but that’s no excuse to avoid the topic. By arming yourself with knowledge, and familiarizing yourself with security best practices, you are taking steps to make sure attacks stay far away from your devices and data. We hope this article has helped make a confusing, daunting topic a little easier to understand.