The 2021 Verizon Data Breach Investigations Report found ransomware in 10% of the breaches it analyzed, roughly double the share of the year before. Approximately 37% of global organizations said they were the victim of some form of ransomware attack in 2021, according to IDC's 2021 Ransomware Study. And the FBI's Internet Crime Complaint Center reported 2,084 ransomware complaints between January 1 and July 31, 2021, a 62% year-over-year increase.
The hybrid cloud problem
Hybrid cloud architecture may be a great computing environment, but it is also a goldmine for capable attackers. They exploit security gaps to gain an initial foothold in the network, then move laterally between on-premises and cloud applications to wage a highly damaging ransomware campaign. They do not even need additional vulnerabilities to make the jump to the cloud, because plenty of legitimate configurations let them do it. A long-lived cloud access key sitting in a developer's workstation profile is a valid credential, not a bug, and it works just as well for an attacker as it does for the developer.
For an attack to succeed, attackers need to uncover only one of the following:
● Vulnerabilities: unpatched software flaws, or systems that were exploited before the patch landed and are already under the attacker's control
● Misconfigurations: configuration errors that let attackers abuse the environment as built, including positioning themselves for man-in-the-middle attacks
● Poor security hygiene: if attackers compromise the machine of an IT employee, they can harvest stored credentials and move laterally through the network
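The "legitimate configuration" hop from a workstation into the cloud is easy to check for. The following is an added illustration, not code from the original article: it parses an AWS credentials file and flags profiles that hold a long-lived IAM user key (prefix `AKIA`) with no session token, as opposed to temporary STS credentials (prefix `ASIA`) that expire on their own. The sample file content is constructed and uses the placeholder key values from AWS documentation; the profile names are hypothetical.

```python
"""Hygiene check: find long-lived cloud access keys on a developer workstation.

Added example, not the article's tooling. AWS access key IDs are classified by
prefix: "AKIA" marks a long-lived IAM user key (valid until rotated or deleted),
"ASIA" marks a temporary credential issued by STS. A profile holding an AKIA key
and no session token is exactly what an attacker can lift from a workstation and
replay from anywhere.
"""
import configparser
import os

# Constructed sample file content (hypothetical profiles). The key IDs and
# secrets are the placeholder values from AWS documentation, not real credentials.
SAMPLE_CREDENTIALS = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[ci-deploy]
aws_access_key_id = AKIAI44QH8DHBEXAMPLE
aws_secret_access_key = je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY

[prod-assumed-role]
aws_access_key_id = ASIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
aws_session_token = FwoGZXIvYXdzEBYaDEXAMPLESESSIONTOKEN
"""


def classify_key(access_key_id):
    """Map an access key ID prefix to its credential class."""
    if access_key_id.startswith("AKIA"):
        return "long-lived"
    if access_key_id.startswith("ASIA"):
        return "temporary"
    return "unknown"


def audit_credentials(text):
    """Parse credentials-file text and return one finding per profile."""
    parser = configparser.ConfigParser(interpolation=None)  # secrets may contain '%'
    parser.read_string(text)
    findings = []
    for profile in parser.sections():
        key_id = parser.get(profile, "aws_access_key_id", fallback=None)
        if not key_id:
            continue  # role- or SSO-only profile: nothing static to steal here
        findings.append({
            "profile": profile,
            "key_id": key_id[:8] + "..." + key_id[-4:],  # never log the whole key
            "kind": classify_key(key_id),
            "has_session_token": parser.has_option(profile, "aws_session_token"),
        })
    return findings


def risky_profiles(text):
    """Profiles holding a long-lived key with no session token. Rotate these
    and move the developer to SSO or short-lived role credentials."""
    return [f["profile"] for f in audit_credentials(text)
            if f["kind"] == "long-lived" and not f["has_session_token"]]


def scan_workstation(home=None):
    """Run the same check against the real ~/.aws/credentials file and the
    AWS_ACCESS_KEY_ID environment variable, if either is present."""
    home = home or os.path.expanduser("~")
    path = os.path.join(home, ".aws", "credentials")
    risky = []
    if os.path.isfile(path):
        with open(path, encoding="utf-8") as fh:
            risky += risky_profiles(fh.read())
    env_key = os.environ.get("AWS_ACCESS_KEY_ID", "")
    if classify_key(env_key) == "long-lived" and not os.environ.get("AWS_SESSION_TOKEN"):
        risky.append("<environment>")
    return risky


if __name__ == "__main__":
    for finding in audit_credentials(SAMPLE_CREDENTIALS):
        print(finding)
    print("rotate:", risky_profiles(SAMPLE_CREDENTIALS))
    print("on this host:", scan_workstation())
```

Run it on a fleet of developer machines (or feed it the output of an endpoint agent) and every `AKIA` key it reports is a cloud entry point that needs no exploit at all; the fix is rotation plus a move to short-lived credentials, not a patch.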
Even worse, ransomware is evolving every day, keeping IT leaders on their toes and forcing them to adapt their responses. Mass attacks are giving way to highly targeted incidents, and attackers have moved beyond databases to target Amazon S3 storage buckets, compute resources (virtual machines), and other components that sit in the cloud. It is important to understand the nuances and trends so that you can defend against them.
The difference between ransomware and ransoms
Ransom in the form of extortion has existed for hundreds of years, long before cybersecurity was a field. Ten to fifteen years ago we saw ransom campaigns that extorted money from victims in exchange for calling off DDoS attacks. Then ransomware arrived, with a string of malware variants. Now we are seeing attackers who breach enterprise networks via phishing emails or some other simple method, then use vulnerabilities and misconfigurations to pivot through the network, both on-prem and into the cloud, until they find the critical assets. By then it is too late.
These new attacks are not ransomware in the traditional sense; they do not involve an attacker designing a piece of malware to infect your entire organization. Different terms attach to these campaigns, such as 'software exploits' and 'cracked passwords.' Imagine an attacker taking control of an AWS account's permissions with a stolen password, as opposed to using malware to infect the organization and lock it out of its resources. Gaining control of account permissions is not by itself ransomware; it is extortion with a ransom attached.
Differentiating between real ransomware and cloud or DDoS ransom is essential. Without that distinction, organizations frequently request ransomware tests and exercises for their environment with no clear idea of what they mean. Are they asking specifically for a piece of malware to be dropped on an endpoint? Or for all of the different ways their critical assets could be breached and held for ransom to be found? Typically it is the latter, and that difference needs to be spelled out.
Ransomware is becoming a more sophisticated industry
As ransomware has evolved, it is no longer a one-person job. It has become a more mature industry, with actors who think of attacks as their business.
The process has also evolved into multi-pronged exploitation. If an attacker secures the right credentials on-prem, they can use them to reach the cloud and establish persistent access there. Once inside the environment, they can lurk for days or even weeks, reaching as many components as possible to maximize the ransom demand.
Take the Colonial Pipeline attack, for example: once the attackers gained access to the system, they conducted stealthy reconnaissance while laying the groundwork for a wide-scale assault. It began with a compromised account credential that gave VPN access, then moved laterally to critical assets, which were then held for ransom.
Sure, a customer database might be worth some ransom money, but once attackers have established control of the environment, they can wait and gain access to more components, which lets them demand 5x, 10x or more than they could have asked for the database alone. The Colonial Pipeline attackers could demand far more after reaching critical assets than if they had cashed out as soon as they held the first account.
In other extreme scenarios, entire organizations have gone dark due to both their IT and OT systems being completely compromised.
Triple extortion ransomware: The third-party threat
Prominent attacks that took place last year also point to a new attack chain: an expansion of the double extortion technique, in which attackers exfiltrate a victim's sensitive data in addition to encrypting it. Now attackers add a third, distinct threat to the process. Not only do they demand money from the companies they breach; they also extort those companies' customers. For example, attackers who breach your health insurance company could demand payment from the business and then email you directly, threatening to release your credit card details and medical history unless you pay a ransom as well.
The Ransomware Remedy: Modeling attack paths
One proven way of defending against these evolving attacks, triple extortion included, is by modeling attack paths. An attack path is a representation of the vulnerabilities, misconfigurations, user privileges and actions that chain together to give an attacker access through a company's network. For example, an adversary gains an entry point by exploiting a weak password. From that foothold they harvest credentials and move through the environment by abusing access privileges and network reachability, eventually reaching a critical asset, which is then exfiltrated or otherwise compromised.
By viewing your network through the eyes of the attacker, you can see every existing attack path to your critical assets, identify the choke points where multiple paths converge, and take quick, targeted remediation steps that remove the most risk per fix, so that even if an attacker breaches your network, your 'crown jewels' cannot be reached.
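What attack path modeling looks like in code, as an added example that is not the article's (or any vendor's) own tooling: the estate is a directed graph in which an edge means "control of the source node lets an attacker reach the target node via the named technique". The script enumerates every path from the entry point to a critical asset, ranks the choke points where paths converge, and goes one step beyond the text by computing the smallest set of nodes whose remediation severs every path at once. All host, account and bucket names are hypothetical and the edge list is constructed for the example.

```python
"""Attack path modeling over a small hybrid on-prem/cloud estate.

Added example, not the article's tooling. Edge (src, dst, technique) means an
attacker who controls `src` can reach `dst` using `technique`.
"""
from collections import defaultdict
from itertools import combinations

# Constructed sample estate with hypothetical names. Note the on-prem to cloud
# hop through a static key on a developer workstation: no vulnerability needed.
SAMPLE_EDGES = [
    ("internet",     "vpn-gw",         "leaked VPN password, no MFA"),
    ("internet",     "dev-ws-01",      "phishing mail with macro"),
    ("vpn-gw",       "dev-ws-01",      "flat network, RDP reachable"),
    ("vpn-gw",       "file-srv",       "SMB reachable"),
    ("dev-ws-01",    "iam-user:ci",    "static AWS key in ~/.aws/credentials"),
    ("file-srv",     "dc-01",          "cached domain admin credentials"),
    ("dc-01",        "sql-crm",        "domain admin controls every joined host"),
    ("iam-user:ci",  "s3:crm-backups", "s3:GetObject allowed on bucket"),
    ("iam-user:ci",  "ec2:prod-app",   "ssm:SendCommand allowed"),
    ("ec2:prod-app", "sql-crm",        "DB connection string in app config"),
]
ENTRY = "internet"
CRITICAL_ASSETS = {"sql-crm", "s3:crm-backups"}


def build_graph(edges):
    """Adjacency list: node -> [(next_node, technique), ...]."""
    graph = defaultdict(list)
    for src, dst, technique in edges:
        graph[src].append((dst, technique))
    return graph


def all_attack_paths(graph, entry, targets):
    """Every simple path from entry to a critical asset (DFS, no repeated
    nodes). A path ends at the first critical asset it reaches."""
    paths = []

    def walk(node, path):
        if node in targets:
            paths.append(list(path))
            return
        for nxt, _ in graph.get(node, ()):
            if nxt not in path:
                path.append(nxt)
                walk(nxt, path)
                path.pop()

    walk(entry, [entry])
    return paths


def choke_points(paths, entry, targets):
    """Intermediate nodes ranked by how many attack paths run through them."""
    counts = defaultdict(int)
    for path in paths:
        for node in path:
            if node != entry and node not in targets:
                counts[node] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def is_cut(paths, removed):
    """True if fixing every node in `removed` breaks every path."""
    return all(any(node in removed for node in path) for path in paths)


def min_node_cut(paths, entry, targets):
    """Smallest set of intermediate nodes whose remediation severs all paths.
    Brute force over combinations in sorted order: deterministic and fine for
    a few dozen nodes; use a max-flow min-cut solver for a real estate."""
    candidates = sorted({n for p in paths for n in p
                         if n != entry and n not in targets})
    for size in range(1, len(candidates) + 1):
        for combo in combinations(candidates, size):
            if is_cut(paths, set(combo)):
                return set(combo)
    return set(candidates)


def describe(graph, path):
    """Render a path with the technique used on each hop."""
    technique = {(s, d): t for s, hops in graph.items() for d, t in hops}
    hops = " -> ".join(f"{a} [{technique[(a, b)]}]" for a, b in zip(path, path[1:]))
    return f"{hops} -> {path[-1]}"


if __name__ == "__main__":
    graph = build_graph(SAMPLE_EDGES)
    paths = all_attack_paths(graph, ENTRY, CRITICAL_ASSETS)
    print(f"{len(paths)} attack paths to critical assets:")
    for p in paths:
        print("  " + describe(graph, p))
    print("choke points:", choke_points(paths, ENTRY, CRITICAL_ASSETS))
    print("fix first:", sorted(min_node_cut(paths, ENTRY, CRITICAL_ASSETS)))
```

On the sample estate the developer workstation and the CI IAM user each sit on four of the five paths, while the VPN gateway sits on three; fixing the workstation's static key alone still leaves the file-server-to-domain-controller route open, which is why the minimum cut comes back as two nodes rather than one. That is the practical payoff of the model: it tells you which two fixes close every route to the crown jewels, instead of leaving you to patch all ten edges.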
Ransomware is not going away; it will just continue to take on new forms. This is why developing a strong security posture across your hybrid-cloud networks must be a continuous effort.
The first step is to accept that breaches are a fact of digital life. You will get hacked, so it is crucial to find and remediate the security issues that put your critical assets at risk before they are exploited. On the bright side, solutions are available to make the task easier. Using attack path management to shine a light on exposures is one of the strongest weapons in your arsenal. It shows not only where you are vulnerable, but how attackers could chain those exposures to pivot through your network until they reach your critical assets.