By Rick McElroy, Principal Cybersecurity Strategist, VMware

Ransomware made mainstream news when cybercriminal group, DarkSide, launched an attack on U.S. fuel company Colonial Pipeline, which carries nearly half the fuel consumed along the U.S. East Coast. The disruption of critical infrastructure and the impact on our daily lives was a sobering reminder of the havoc that a successful cyberattack can wreak.

While its scale and impact grabbed headlines, this attack is only symptomatic of a dramatic resurgence in ransomware campaigns over the past year. Alongside an increase in the number of attacks, VMware found ransomware groups are becoming even more organized and sophisticated, while the rise in ransomware-as-a-service is enabling a much broader cybercriminal base to execute attacks using existing tools.

Understandably, this adds to the pressure already felt by CISOs, who are defending a more distributed environment than ever before.

Ransomware is a leading cause of security breaches worldwide

VMware surveyed 3,542 CISOs across 14 countries for its recently published Global Security Insights report and found ransomware attacks were the dominant cause of breaches for organizations. The average number of ransomware attacks organizations experienced have doubled over the past year. Additionally, the VMware Threat Analysis Unit identified a 900% increase in ransomware over the first half of 2020.

Malicious actors have spent the pandemic capitalizing on the rapid adoption of an anywhere workforce and the use of personal devices and networks by remote workers.  Attackers now have an unprecedented opportunity to launch social engineering attacks, such as phishing, on unsuspecting employees.

No industry was off limits to attackers, either. The healthcare sector – already in the grip of pandemic response – was disproportionately targeted with ransomware in 2020. One in five breaches reported by the healthcare CISOs we surveyed were caused by ransomware. In the same way that DarkSide targeted critical national infrastructure, ransomware groups have looked to cash in on the healthcare sector, an industry more likely to pay due to their critical nature of their business.

Double extortion tactics pile pressure on victims

New tactics are making ransomware a much more nuanced threat, too. Instead of locking up systems immediately, attackers are aiming to infiltrate systems undetected and establish persistence on the target network, moving laterally and extracting data that can be monetized even if no ransom is ultimately paid. A system encryption and ransom demand will not be made until the perpetrator has covered their tracks and established a route back into the target network.

This gives cybercriminals greater hold over victims. As well as needing to decrypt their systems, organizations also face the possibility that critical assets such as customer data or trade secrets will be released for sale to the dark web and the breach will be made public. The reputational and regulatory risk tied to ransomware means the pressure to pay ransoms is often significant. However, unless the attacker’s presence in an organization’s network is fully removed, they are likely to return for another strike on a target that has shown willingness to pay.

The cybercriminal community has capitalized on the growing profitability of this approach, with nearly 40% of security professionals saying double-extortion ransomware was the most observed new ransomware attack technique in 2020.

Strengthening defenses against ransomware

As businesses adapt to supporting the anywhere workforce and malicious actors continue to target the expanded threat landscape, CISOs have a once-in-a-generation opportunity to strengthen defenses against ransomware and protect their organization by:

Delivering security as a distributed service: To protect the anywhere workforce, regardless of the devices and networks workers are using, deliver endpoint and network controls as a distributed service that follows the assets being protected throughout the environment.

Prioritizing visibility: Better visibility over endpoints and workloads delivers contextual insight and situational intelligence to help defenders prioritize and remediate risk with confidence.

Conducting regular threat hunting: The first step of a multistage ransomware campaign is gaining undetected access to networks. Regular threat hunting can detect silent incursions and the presence of adversaries in the environment by spotting anomalous behavior.

Keeping monitoring “quiet” to avoid counter-incident response: Assume the adversary has multiple means of gaining access to the environment. Watch and wait before taking action – don’t start blocking malware or terminating C2 systems until you are sure you understand all possible avenues of re-entry.

Engaging with an incident response partner: It is not a matter of if, but when organizations will be targeted, so it is essential to be prepared. Engage with an IR partner to devise a response plan and retain them to put it into action when needed. This should include post-incident remediation and analysis to root out any remaining adversary presence and avoid repeat attacks.

As organizations rethink their approach to security, defending against ransomware should be a top priority as the impact and scope of attacks increases. The anywhere workforce must be supported by a security strategy that surrounds and protects employees to let them work safely and productively without putting the infrastructure, reputation, and competitive position of the business at risk.