Strategies to Thwart Ransomware’s Latest Moves
When it comes to the evolving cybersecurity landscape of 2024, ransomware presents a unique challenge for professionals. Emerging threats underscore the need to revisit defense strategies and grasp the legal ramifications of successful ransomware attacks.
Denial of confidentiality takes center stage
Instead of launching traditional encryption-based “denial of access” attacks, cybercriminals are embracing data theft and extortion (aka “denial of confidentiality”). That’s because a simple ‘data out and cash out’ approach is far more efficient and appealing.
It frees cybercriminals from the complexities of traditional ransomware operations – think key management and cryptographic module coding. There is no longer any need to evade the decryption efforts of security experts and public/private initiatives such as nomoreransom.org. For targeted organizations, it also means no more “Get Out of Jail Free” card via recovery from backups.
And we are seeing evidence of this shift all around. In 2023, even well-established and successful ransomware group Cl0p abandoned its preferred data encryption approach. Instead, it exploited a zero-day vulnerability in MOVEit file transfer software to simply exfiltrate data.
No doubt cybercriminals are thrilled to learn how effectively they can monetise vast volumes of data and countless victims. As a result, we should expect to see continued targeting of zero-day vulnerabilities that expose access to data and services.
Encryption is an effective defense – but adoption lags
It may seem ironic, but encryption is a key defense in this new landscape. Effective encryption ensures any exfiltrated data is useless to attackers.
To effectively use encryption against “denial of confidentiality” attacks, organizations must:
- Comprehensively encrypt sensitive data at rest, in transit, and during processing
- Use it hand in hand with mature backup and recovery procedures
- Conduct regular updates and audits of encryption standards to stay ahead of potential vulnerabilities
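As an added example that is not from the original article, here is how field-level encryption at rest can be built so that an exfiltrated copy of the data is unintelligible without the separately held key, with a version byte that allows keys to be rotated when encryption standards are audited; the record layout, the keyRing type and the function names are assumptions made for this illustration.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)
// Constructed record layout: key-version byte | 12-byte nonce | AES-256-GCM ciphertext+tag.
// keyRing stands in for a key store (KMS/HSM) held apart from the data store, so a stolen copy of
// the database alone yields only versions, nonces and ciphertext. The version byte allows rotation.
type keyRing map[byte][]byte
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a version the ring lacks arrives as nil and fails here
	if err != nil {
		return nil, fmt.Errorf("key unavailable or malformed: %w", err)
	}
	return cipher.NewGCM(block)
}

// sealField encrypts one field; the column name is bound as associated data so a ciphertext
// cannot be quietly moved to another column.
func sealField(ring keyRing, version byte, field string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(ring[version])
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(append([]byte{version}, nonce...), nonce, plaintext, []byte(field)), nil
}

// openField fails if the key is not held, the record was tampered with, or the column differs.
func openField(ring keyRing, field string, rec []byte) ([]byte, error) {
	if len(rec) < 13 {
		return nil, fmt.Errorf("record too short")
	}
	gcm, err := newGCM(ring[rec[0]])
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	return gcm.Open(nil, rec[1:1+n], rec[1+n:], []byte(field))
}
func main() {
	ring := keyRing{1: make([]byte, 32)} // constructed all-zero demo key; real keys stay in the KMS
	rec, _ := sealField(ring, 1, "ssn", []byte("123-45-6789"))
	pt, err := openField(ring, "ssn", rec)
	_, exfilErr := openField(keyRing{}, "ssn", rec) // the exfiltrated copy, opened without the key ring
	fmt.Printf("with key: %q %v; without key: %v\n", pt, err, exfilErr)
}
```

The same record opened without the key ring, under a different column name, or after a single flipped byte fails authentication, which is what makes a stolen copy useless to the thief.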
Even though encryption is a proven defense, deployment lags. Why? Though encryption technology has evolved over the years, fears about complexity, cost, and the impact on system performance hinder widespread adoption. An unwillingness to embrace this technology burdens organizations with yet another vulnerability in today’s threat landscape.
Understand the legal ins and outs
While the security aspects of encryption are well worth the investment, so is the legal angle. If encrypted data is exfiltrated, it’s not a notifiable breach in most cases, and often an organization’s customers, partners, and staff are not at risk if the data was encrypted.
From a legal standpoint, encrypted data is treated differently in the event of a breach. Under the General Data Protection Regulation (GDPR) in the European Union, organizations are not required to notify supervisory authorities or affected individuals when encrypted data has been breached, provided the encryption renders the data unintelligible to unauthorized persons (Article 34).
Similarly, in the United States, several state laws – like the California Consumer Privacy Act (CCPA) – include provisions specific to encrypted data when it comes to breach notifications. In particular, litigation applies only to unencrypted sensitive data that’s disclosed or lost. The CCPA even requires enterprises to demonstrate they use an appropriate level of encryption to mitigate the risk of a data breach.
Proactively defend against today’s ransomware
Over the coming year or so, ransomware threat actors and affiliates will likely become more selective. Expect to see them actively seek out victims known to have:
- Cyber incident insurance
- Paid a ransom (aka double-tap retargeting)
We’ve already seen examples of the latter with ransomware variants such as AvosLocker, Diamond, Hive, Karakurt, LockBit, Quantum, and Royal. On these tailwinds, a victim-profiling data-as-a-service market will probably emerge and mature, similar to the tried-and-trusted “suckers list” used for postal, romance and 419 scams.
In the face of increasingly sophisticated ransomware tactics, organizations are wise to address the following:
- Proactively and holistically manage their security posture. Doing so makes it possible to address vulnerability discovery and mitigation, misconfiguration detection and exposure management.
- Adopt and effectively use encryption. This helps defend against and mitigate the consequences of today’s attacks, and serves as a legal safeguard.
- Understand and enumerate digital assets. It’s essential to have a view of both managed and unmanaged/unknown assets, including data, applications, and systems (IT, OT, IoT, IoMT).
- Measure exposure to potential threats. Which services are running? Is the asset exposed to the internet? Can the asset be directly managed? Is the asset currently compliant? What are the consequences to the business if an asset is degraded, compromised or unavailable?
By identifying the greatest risk (e.g., assets with higher exposure facing a more critical threat), organizations’ risk management teams can prioritize their efforts most effectively.