Staying strong against evolving ransomware
- By Jim Richberg
- Sep 21, 2020
Malicious actors employ myriad tactics to breach state and local government networks, and the potential damage is greater than ever as attackers turn to ransomware as a service (RaaS) – now with a twist.
According to our FortiGuard Labs’ most recent semi-annual Global Threat Landscape Report, valuable data is not only being encrypted and held for ransom; copies of that data are also being exfiltrated before encryption and posted online, with the threat that if the ransom is not paid, all of it will be released for public access.
In other words, ransomware is doubling down, using the threat of “doxing” as additional leverage, ensuring that even if a victim opted to restore its encrypted data from a backup copy rather than pay the ransom, it would still be threatened with the potential compromise and exploitation of sensitive data.
Recent examples have shown that even in the best cases, state and local jurisdictions may spend millions recovering from ransomware attacks. Beyond that, attackers often target critical services, leaving citizens without the essential government services they need.
Local government agencies often have separate, independent networks as well as organizational structures, making it difficult to develop centralized and consistent cybersecurity programs and standards across an entire municipality. Simply put, silos don’t lend themselves to efficient collaboration and defense.
RaaS gives cyber criminals an offensive advantage. It enables even those without deep technical knowledge to launch often complex cyberattacks. Because RaaS follows the “as-a-service” model, attackers can buy or rent ready-made packages rather than writing the malware themselves.
By purchasing a ready-made deployment model, non-technical attackers get step-by-step guidance on how to execute an end-to-end ransomware attack. Some packages even include a platform to display the status of the attack using a real-time dashboard.
What should governments be doing to protect their data?
RaaS isn’t new, but it has gained traction in the first half of 2020 -- especially since the COVID-19 surge in telework broadened agencies’ attack surface to include employees’ more-vulnerable home networks and IT devices. For state and local governments, recent malware attacks are another reminder of how quickly threats are evolving and how agile the agencies need to be to fend off these attacks.
Thankfully there are some simple immediate steps agencies can take to mitigate these kinds of cyber intrusions, including:
- Backing up data regularly and automatically and storing a copy in an off-site location that is disconnected from the network.
- Running recovery drills and pre-assigning responsibilities so systems can be restored quickly in the event of a successful breach.
- Implementing zero-trust network access policies -- including continuous assessment of user and device posture -- so that a compromised account or device can’t reach business-critical applications, data or services.
- Segmenting the network into security zones to minimize the spread of infection.
- Using forensic analysis tools to identify where an infection came from, determine how long it has been in the environment, verify all of it has been removed from every device, and monitor IT assets to ensure it doesn’t come back.
- Planning around the weakest link in your security system: employees. Training is essential but not perfect, so agencies should look to security tools such as secure email gateways to eliminate most phishing emails and malicious attachments.
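The first two steps above (an offline backup copy, plus drills that prove it can actually be restored) and the forensic check in the fifth step can be partly automated. The following script is an added example written for this article; it is not Fortinet code and is not taken from the FortiGuard report. It records a SHA-256 manifest of a clean file tree (to be stored alongside the offline backup), verifies a restored tree against that manifest, and scans a tree for common ransomware indicators. The indicator extensions, ransom-note file names, entropy threshold and the sample “permits” and “minutes” files are all constructed assumptions for the demonstration, not observed data from any incident.

```python
"""Backup-manifest verification and a simple ransomware indicator scan (illustrative example)."""
import hashlib
import math
import os
import tempfile
from collections import Counter

# Assumed indicators for the example; real deployments should feed these from threat intel.
SUSPECT_EXTENSIONS = {".locked", ".encrypted", ".crypt"}
RANSOM_NOTE_NAMES = {"readme_to_decrypt.txt", "how_to_recover_files.txt"}
TEXT_EXTENSIONS = {".txt", ".csv", ".log", ".json", ".xml"}   # formats expected to be low-entropy
ENTROPY_THRESHOLD = 7.2  # bits per byte; plaintext sits far below this, ciphertext near 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; encrypted or compressed content approaches 8.0."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """Map each file (relative to root) to its SHA-256; keep this with the offline backup."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            manifest[os.path.relpath(path, root)] = sha256_file(path)
    return manifest


def verify_restore(root: str, manifest: dict):
    """Compare a restored tree with the manifest; returns (missing, modified, extra) name lists."""
    current = build_manifest(root)
    missing = sorted(k for k in manifest if k not in current)
    modified = sorted(k for k in manifest if k in current and current[k] != manifest[k])
    extra = sorted(k for k in current if k not in manifest)
    return missing, modified, extra


def scan_for_ransomware_indicators(root: str):
    """Flag ransom notes, renamed-with-suspect-extension files and text files that became ciphertext."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            ext = os.path.splitext(name)[1].lower()
            if name.lower() in RANSOM_NOTE_NAMES:
                findings.append((rel, "ransom note"))
            elif ext in SUSPECT_EXTENSIONS:
                findings.append((rel, "suspect extension"))
            elif ext in TEXT_EXTENSIONS:
                with open(path, "rb") as f:
                    sample = f.read(1 << 20)          # first 1 MiB is enough to judge entropy
                if len(sample) >= 256 and shannon_entropy(sample) > ENTROPY_THRESHOLD:
                    findings.append((rel, "high entropy"))
    return sorted(findings)


def demo():
    """Constructed scenario: snapshot a clean tree, simulate an infection, then check and scan it."""
    with tempfile.TemporaryDirectory() as root:
        docs = os.path.join(root, "records")
        os.makedirs(docs)
        with open(os.path.join(docs, "permits.csv"), "w") as f:
            f.write("id,applicant,status\n" + "\n".join(f"{i},Resident {i},approved" for i in range(200)))
        with open(os.path.join(docs, "minutes.txt"), "w") as f:
            f.write("Council meeting minutes. " * 100)
        manifest = build_manifest(docs)          # taken while the tree is known-good
        clean_check = verify_restore(docs, manifest)

        # Simulated ransomware: overwrite one file with random bytes (stand-in for ciphertext),
        # rename another with a suspect extension, and drop a ransom note.
        with open(os.path.join(docs, "permits.csv"), "wb") as f:
            f.write(os.urandom(4096))
        os.rename(os.path.join(docs, "minutes.txt"), os.path.join(docs, "minutes.txt.locked"))
        with open(os.path.join(docs, "README_TO_DECRYPT.txt"), "w") as f:
            f.write("Your files are encrypted.")

        missing, modified, extra = verify_restore(docs, manifest)
        findings = scan_for_ransomware_indicators(docs)
        return clean_check, missing, modified, extra, findings


if __name__ == "__main__":
    for label, value in zip(("clean check", "missing", "modified", "extra", "findings"), demo()):
        print(f"{label}: {value}")
```

Run the manifest step against the backup when it is taken and again during each recovery drill; a manifest that no longer matches means the backup itself was reachable from the network and was altered, which is exactly the case the off-site, disconnected copy is meant to rule out. The entropy test is a heuristic: legitimately compressed or already-encrypted files will also score high, so restrict it to formats expected to be plaintext, as the example does.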
As cybercriminals expand the RaaS market with new ransomware variants to increase their potential profits, governments must significantly step up efforts to protect agencies, networks, personnel and citizens. Malicious actors are focusing their attacks to achieve maximum impact and profit, often combining highly targeted attacks with increasingly powerful and novel methods such as this combination of ransomware and doxing. Agencies that prepare now stand the greatest chance of withstanding both existing and emerging forms of criminal activity.
The success cyber criminals have had in extracting sizable ransoms from victims relatively easily means we’ll almost certainly see little reprieve from ransomware activity for the foreseeable future. The increase in hybrid attack techniques and the growing availability of RaaS suggest that the potential damage from ransomware threats is only going to get worse. The situation is not hopeless, however; there are quite a few effective ways agencies can successfully combat ransomware. Being smart and proactive in identifying malware and implementing defensive steps is key to improving their odds.
Jim Richberg is a Fortinet field CISO focused on the U.S. public sector.