The History and Current State of Ransomware Attacks

Christian Wiens Director of Marketing

Christian Wiens is Director of Marketing at MixMode. He has 10+ years of experience as a cybersecurity professional. He has his BA from The University of California, Berkeley and resides in Austin, TX.

The Cybersecurity and Infrastructure Security Agency (CISA) defines ransomware as “a form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable.” Malicious actors demand a ransom payment in exchange for decrypting and freeing access to the victim’s systems and files.

Ransomware uses a variety of attack techniques, including phishing where it can be very difficult for a human to discern whether an email is safe or not. These attacks usually impact the operations of a company immediately, and the recent rise in Ransomware attacks coincides closely with the rise of cryptocurrency as hackers are able to demand payment in untraceable forms like Bitcoin.

Millions of organizations with lesser-known profiles are hit with ransomware each year and find themselves on the hook for an average of $1.85 million in data restoration attempts and other associated costs, according to Sophos in their State of Ransomware 2021 report. Sophos found that over 51% of companies have been hit with Ransomware attacks and, sadly, 92% of the organizations that decide to pay a ransom don’t wind up recovering their stolen data.

Over the past several years, ransomware attack capabilities have become available to any bad actor who pays for a Ransomware as a Service (RAAS) subscription on the so-called ‘dark web’. This advancement in ease of access has led to more frequent, random attacks on the small business community, where companies are less likely to have complex Cybersecurity solutions in place.

Ransomware attackers have also evolved their overall approach. While large companies like Microsoft, SolarWinds and Cisco are still targeted, bad actors are now more likely to go after supply chain companies via their operational technology (OT), which powers industrial equipment at factories and plants.

This was true of the Colonial Pipeline ransomware attack that interrupted fuel supplies across several southern U.S. states, causing spikes in prices at local gas stations. This same approach is being used against smaller entities and specific assets like medical IoT systems and meatpacking plants.

Technology and Operational Challenges

It’s clear that the typical approach to guarding against ransomware attacks is falling short, but why? Even companies that invest millions into Cybersecurity programs are frequently hit with successful ransomware attacks.

The answer can be found by considering ransomware in a larger scope, in the overlapping area between Cybersecurity and operational approaches. Often, the issue is a function of poor business processes and visibility versus just technology limitations.

Data points to several key characteristics of ideal ransomware targets, including organizations with:

● Limited IT teams and budgets

● Outdated or irregular processes around patching and updating

● Irregular or missing backup and recovery procedures

● Significant amounts of private or valuable customer data

Several particularly vulnerable organizations such as health care providers, state and local governments and large organizations with less robust technology practices, such as law firms and companies headquartered in certain countries.

Fear, Uncertainty and Doubt

Organizations tend to “disconnect” as the initial response to a ransomware attack, but that isn’t a solution that organizations should expect to limit the damage. Bad actors make ransomware known to the organization immediately compared to other types of attacks which can lay dormant for months or years doing harm. The hackers want the organization to know they’re there and demand payment. This means retrospective discovery and analysis won’t work, true real-time detection is the only option to strengthen defense and minimize damage.

Organizations can look back and see where a firewall might have prevented an attack, but in order to prevent an attack, a real-time threat monitoring solution like MixMode can often discover looming attacks before a virus is activated.

The key to detecting ransomware in time is to utilize a solution that leverages “real-time behavioral anomaly detection and machine learning” that is advanced enough to detect ransomware attacks that have both been seen before and those that have never been seen previously (sometimes referred to as zero-day attacks) as illustrated by Ed Amoroso, Founder, and CEO of Tag Cyber in his recent post titled Advice on Ransomware. A solution like MixMode that can constantly monitor your environment for anomalous behavior, leveraging self-supervised AI, allows it to detect attacks — both known and novel — giving you the best chance to stop a bad actor in their tracks.

It is entirely possible to meaningfully lower the risk posture and potential impact of Ransomware on an organization.

Surprisingly, the standard approach — dedicated ransomware defense tools — isn’t as helpful in the long run as broader solutions that can identify attacks that come in through various vulnerable entry points. More and more, bad actors who are deploying ransomware are utilizing zero-day exploits for attacks and blindsiding organizations essentially out of nowhere. According to WatchGuard, zero-day exploits were responsible for half of all malware detections last year, a figure that increased 60% from the previous year.

Dedicated malware defense tools are triggered when an infection has been detected and generally at a point where it’s too late to rebuff the attack. This unfortunately is usually after regular business processes have already been compromised.

For example, attacks that arise from dormant malware and target live network assets, backups, and recovery processes could have a lower success rate if the targeted organization had more robust security processes in place around these functions.

When stronger processes are paired with supplemental technology like MixMode which utilizes sophisticated self-supervised AI to predict the future behavior of a data stream (i.e. at the cloud, log data, and network levels) and isolate anomalous behavior in real-time, allowing for detection of known or unknown attacks like zero-days, organizations can significantly lower their risk posture.

Learn more about MixMode and reach out to our team to set up a demo today.