With the geopolitical weaponization of ransomware, tough multipartite action needs to be taken before the point of no return: industry observers
In the early days, ransomware attacks were conducted by single entities who developed and distributed massive numbers of automated payloads to randomly selected victims, collecting small sums from each “successful” attack.
Fast forward to recently, we saw how the Costa Rica government was forced to declare a national emergency when Russian hackers breached its Ministry of Finance and demanded a US$20m ransom.
According to a Threat Intelligence group manager Sergey Shykevich, Check Point Software Technologies, ransomware as we know it is evolving: the number of victims is decreasing, and hackers’ demands are changing. “You could be forgiven for thinking this is a good thing but in fact, it is because the ransomware ecosystem has become increasingly fragmented but in parallel, much more focused on specific targets and more sophisticated. New variations of malware appear daily, which has created a complex and hard-to-navigate threat landscape,” he said.
How to keep up with the evolution of ransomware
According to Shykevich, one way to prevent ransomware attacks would be to introduce a ban on organizations from paying ransoms. For example, in Florida and North Carolina, it is illegal for state agencies to pay a ransom, and Australia is considering codifying payment bans into law.
As ransomware turned from pure profit-driven motives to today’s weaponization for geopolitical agendas, the threat landscape has become more fragmented, Ransomware-as-a-Service continues to thrive, and nipping the problem in the bud would take more than just bans on ransom payments.
Shykevich even suggested that, with over 107,000 tech-sector employees having lost their jobs in recent times, the threat of disgruntled employees using their skills to support bad actors could start to filter into the cybercrime space as you read this article. But are we seeing the tides change as governments across the world move towards offensive action against these groups?
Has the time come to ‘hack the hackers’?
Nations around the world already possess offensive hacking capabilities. In January 2023, the US Attorney General announced that the FBI and its international partners had succeeded in temporarily disrupting the network of the prolific ransomware gang, Hive. In effect, they had hacked the hackers.
In another instance, the FBI was able to disrupt an attack against a Texas school district and stop it from making a US$5m payment to the hackers — proof that hacking-on-the-offensive works, and we could see more organizations adopt this method in the next 12 months.
Shykevich said it begs the question: if more groups knew they could be hacked before they launched an attack, would they think twice about it?
Thwarting trouble with solid backup and disaster recovery
On top of governmental interventions and hacking offensives, the basic mechanisms for preventing adverse outcomes in ransomware attacks still stand. According to Sunny Chua, General Manager (Singapore), Wasabi Technologies, holistic backup policies are de rigueur in the cloud-native age of inevitable cyber risks:
- Tapping on cloud backup solutions: The use of physical media or a secondary data center for air-gapped data protection is rarely practical, being costly and labor-intensive to achieve and adding days to the recovery process. Leading data backup vendors now recommend cloud storage as a simple and more affordable alternative.
- Ensuring speed of backup access and data immutability: Employ lightning fast backup and disaster recovery of encrypted data with object lock and immutability to ensure agility and resilience in the face of attacks. This will aid organizations in preventing costly downtimes and obviate the need to succumb to ransom payments.
- Rethinking legacy strategies like the 3-2-1 backup rule: As widely known as it is, the beloved 3-2-1 rule may need to be updated into a more robust security practice of the 3-2-1-1-0 rule: three copies of your data on two different media, one off-site, one immutable copy, and zero for zero errors by making sure the air-gapped backups are fully functional.
Said Chua: “Business leaders should then ask themselves whether their organization is prepared for data loss and how fast they could restore business-critical applications in an emergency. Have they recently tested their disaster recovery plans? Are these tests frequent enough? Have these strategies proven enough to protect their data for today’s digital climate?”
Another angle of attack to keep evolving preemptively and defensively in tandem with the ransomware landscape came from Andy Ng, Vice President and Managing Director (Asia Pacific and South Region), Veritas Technologies:
- Know and classify your data before backup: Organizations should implement comprehensive classification systems to understand the kinds of data they have and therefore where and how it should be stored and for how long. Implementing identification, categorization and retention policies will help them store their data effectively to ensure that the critical and sensitive data is retained appropriately. Also, they can reduce their attack surfaces by establishing policies, technologies and auditing that reduces their data footprint through methodologies such as deduplication.
- Double down on backup at the edge: Many organizations often do not apply the same level of protection to the edge as they do in the data center, often due to skills and staffing shortages. Each edge device needs to be protected and backed up and the resulting edge data needs to be assessed, categorized and protected accordingly.
- Do not assume your data is inherently safer in the Cloud: Most CSPs provide only an uptime guarantee of their service, not comprehensive cloud data protection with guarantees. In fact, many include a shared responsibility model in their terms and conditions. Never just assume someone else is doing that for your organization. So, ensure that the enterprise data protection capabilities you expect and use today can be extended to hybrid cloud and cloud native pathways.
- Automation is key to secure and cost-effective backup and recovery: To keep up with highly advanced cyber threat actors, enterprises will need to be equally advanced and automated. AI-based methodologies and technologies can be used to automate provisioning, lifecycle optimization and smart usage of resources like storage to keep up with the threats, as well as free up IT staff to focus on more strategic and transformational activity.
Only when the weight of world governments is brought to bear on the growing cyber problem, in tandem with private-public partnerships to make backup and disaster recovery pervasively ransomware-resilient, will the balance of power be restored to avert the undesirable outcome of cyber threats gone out of control: extended global social, economic and political chaos and implosion.
