Ransomware attacks have recently plagued Canadian companies and organizations, with digital extortionists encrypting data and crippling communication, data security, and productivity. In an increasingly virtual world these attacks are growing in both volume and ease of execution, and the consequences can hit almost any company or essential service, as the recent attack on the Toronto Transit Commission showed. “Any technology that has an operating system is vulnerable”, said Greg Young, Vice President of Cybersecurity and Corporate Development at Trend Micro.
Often overlooked is the fact that ransomware gets in the same way as any other malware: the intrusion itself, whether through a malicious attachment or an unpatched system, is nothing special. The difference lies in what the payload does afterwards. Rather than stealing a company’s data outright, ransomware encrypts it, rendering the system useless to its owner and leaving little more than a ransom note and a channel for contacting the attacker. Previously, attackers tended to destroy or steal data; now the script is flipped, and holding data hostage through encryption has made it far easier for them to pressure companies into paying. “This can be done to virtual servers, devices, vehicle systems, but primarily it’s being done to mobile phones, laptops, and tablets”, Greg explained.
At the top of the target list are typically manufacturing and transportation organizations, followed by healthcare and municipal governments. These sectors share a common trait: they have historically not treated technology as central to their business and are therefore less fortified against cyber threats. They spend less on security per dollar of IT spending and monitor their environments less thoroughly, so they suffer more damage once a ransomware attack lands. Almost all incidents trace back to a system that was left unpatched or out of date; only a slim fraction occur on fully patched systems. Because the attacker holds the key that decrypts the data, they can demand payment for it, typically in cryptocurrency, which they favour as a hard-to-trace (though not untraceable) means of getting paid. The extortion may not stop there, however. “There’s a new variation called Double Ransom, where they not only encrypt data but threaten to release it publicly”, Greg said. This tactic, more widely known as double extortion, is especially damaging to healthcare organizations, which hold private data that can be exploited once it is made public.
Asked about the best defence mechanisms for mitigating these attacks, Greg said, “Number 1 is patching, it’s the best defence to ensure that you’re not vulnerable to the typical kinds of malware attacks. Number 2 is backing up data, if your data is backed up no matter what happens you can always restore that data.” Off-site backups provide further protection; the practical caveat is that a backup is only useful if the attacker cannot reach it from the compromised network, since ransomware operators routinely encrypt or delete any backups they can access, and if a restore from it has actually been tested. Security software is also an effective precaution: it can block known malware before it runs, which buys time for a system that has not yet been patched, and it can detect malicious activity moving laterally through a network or organization.
Over the last 20 years, in step with the digital era, ransomware attacks have evolved to concentrate on fewer targets for bigger payoffs. The earliest attacks compromised single machines, but “since then they’ve really concentrated their efforts on variations and refining the techniques, such as getting more machines, going after cloud resources, being more stealthy and changing techniques to avoid detection, as well as lateral movement”, Greg noted. Lateral movement has been a major factor in attackers’ recent ability to take over a company’s entire network. Initial entry often comes through unexpected avenues, such as smart building systems, speakers, or AV setups, or through phishing that preys on fear to get employees to open harmful attachments. From there the attackers reach the corporate network and move laterally, spreading to and encrypting more machines before suddenly shutting everything down and demanding ransom. The trend clearly points to better-organized attackers, as Greg said: “the degree of quality in the software has become excellent. It used to be very sloppy code, sloppily written, but now you have well funded groups of incredible resources, so this is definitely organized crime.”
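The two paragraphs above describe the defensive role of security software (spotting malicious activity inside the network) and the attack sequence it must catch (spreading laterally, then rewriting many files with ciphertext in a short burst). The following is an added example, not code from the article or from Trend Micro, of the kind of detection logic a file-activity monitor applies to that encryption phase: it measures the Shannon entropy of each write (ciphertext looks like random bytes; documents do not), raises an alert when many distinct files are rewritten with ciphertext-like content inside a sliding window, and raises a second, independent alert when a decoy “canary” file that no legitimate process should touch is modified. The event log, the canary path `/srv/share/finance/!canary.docx`, the thresholds, and the `pseudo_ciphertext` helper that stands in for real ciphertext are all constructed assumptions so the script runs offline; a real deployment would feed `detect()` from endpoint-agent or audit file-write telemetry.

```python
"""Entropy- and canary-based detector for the mass-encryption phase of a ransomware attack.

Added illustration, not code from the article or from Trend Micro. Every event below is
constructed; in practice the events would come from EDR / auditd / Sysmon file-write telemetry.
"""
from collections import Counter, deque
from dataclasses import dataclass
import hashlib
import math


@dataclass(frozen=True)
class WriteEvent:
    ts: float     # seconds (constructed timeline)
    path: str     # file that was (re)written
    data: bytes   # bytes written, or a sample of them


# Hypothetical decoy file: nobody should ever modify it, so any write is a strong signal.
CANARY_PATHS = {"/srv/share/finance/!canary.docx"}
HIGH_ENTROPY = 7.0              # bits per byte; text sits near 4-5, ciphertext/compressed data near 8
WINDOW_SECONDS = 60.0           # sliding window over high-entropy writes
MAX_HIGH_ENTROPY_FILES = 10     # distinct files rewritten with ciphertext-like content per window


def shannon_entropy(data: bytes) -> float:
    """Empirical entropy in bits per byte (0.0 for empty or single-valued input, 8.0 for uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def detect(events):
    """Return [(ts, reason), ...] alerts, in timeline order."""
    alerts = []
    window = deque()        # (ts, path) of high-entropy writes inside the last WINDOW_SECONDS
    burst_active = False    # so a sustained burst produces one alert, not one per file
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.path in CANARY_PATHS:
            alerts.append((ev.ts, f"canary file modified: {ev.path}"))
        if shannon_entropy(ev.data) < HIGH_ENTROPY:
            continue                      # ordinary document save, ignore
        window.append((ev.ts, ev.path))
        while window and ev.ts - window[0][0] > WINDOW_SECONDS:
            window.popleft()              # expire writes that fell out of the window
        distinct = {p for _, p in window}
        if len(distinct) >= MAX_HIGH_ENTROPY_FILES:
            if not burst_active:
                alerts.append((ev.ts, f"{len(distinct)} files rewritten with ciphertext-like "
                                      f"content within {WINDOW_SECONDS:.0f}s"))
                burst_active = True
        else:
            burst_active = False
    return alerts


def pseudo_ciphertext(seed: str, n: int = 2048) -> bytes:
    """Deterministic stand-in for ciphertext (SHA-256 counter stream) so the example needs no crypto library."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(f"{seed}:{counter}".encode()).digest()
        counter += 1
    return bytes(out[:n])


def build_benign_events():
    """Constructed: 15 ordinary document saves plus one zip archive (high entropy, but a single file)."""
    events = [WriteEvent(100.0 + i * 3, f"/srv/share/finance/report_{i}.docx",
                         (f"Quarterly report draft {i}: revenue, costs, headcount, notes. " * 8).encode())
              for i in range(15)]
    events.append(WriteEvent(500.0, "/srv/share/finance/archive.zip", pseudo_ciphertext("zip")))
    return events


def build_attack_events():
    """Constructed: 12 documents rewritten with ciphertext two seconds apart, canary hit mid-burst."""
    events = [WriteEvent(1000.0 + i * 2, f"/srv/share/finance/report_{i}.docx", pseudo_ciphertext(f"doc{i}"))
              for i in range(12)]
    events.append(WriteEvent(1013.0, "/srv/share/finance/!canary.docx", pseudo_ciphertext("canary")))
    return events


if __name__ == "__main__":
    print("benign:", detect(build_benign_events()))
    for ts, reason in detect(build_attack_events()):
        print(f"ALERT t={ts:.0f}: {reason}")
```

The entropy check alone is not enough: a backup job, a compiler, or a user zipping a folder all produce high-entropy writes, which is why the burst rule counts distinct files over a window rather than alerting on a single write, and why the canary file is kept as an independent signal that does not depend on the thresholds at all. Tune `HIGH_ENTROPY`, `WINDOW_SECONDS` and `MAX_HIGH_ENTROPY_FILES` against the baseline of the share being watched before relying on the burst rule.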
Ultimately, these attacks have matured into a whole economy, and as technology keeps changing, attackers will continue to adapt with it. There has, however, been progress in starving that economy, as Greg said: “stopping Bitcoin and starving the attackers of getting paid is going to be a real advantage for governments”. The bottom line is that organizations must invest in their IT security, through patching, updating, off-site backups, and security software, to get the best possible protection against threats whose implications reach far beyond the first infected machine. “Organizations have been stepping it up and doing their best, there’s definitely no victim blaming going on here because this is a very complex attacker,” Greg added.