ARTICLES

Is Ransomware Here to Stay? 3 Trends to Expect in 2021

Now that the pandemic has shifted so many organizations to embrace a distributed workforce, cyber criminals are evolving to deploy new ways to take advantage of the abrupt shift. Nearly a year ago, as organizations in all industries scrambled to move their employees home, employees became more susceptible to some of the attacks that businesses were previously able to shield them from. For example, home internet connections are typically far less protected than corporate networks, and many organizations don’t have a plan for managing the information on their employees’ personal computers.

New attack surfaces with remote work

With a wider attack surface and a workforce not accustomed to handling their own cyber security, ransomware attackers are alert to new opportunities. To increase the likelihood of payment, they are strategically choosing which target to strike — and when. A moment that’s different in each industry, such as education and healthcare:

  • Successful ransomware attacks on the education sector increased 388% in the third quarter of 2020, timing the attack with the return to school. This increased pressure on school districts to pay the ransom quickly rather than further disrupt a fractured distance learning deployment driven by the pandemic.
  • With skyrocketing COVID-19 hospital admissions in late 2020, attacks on healthcare increased as cyber attackers bet on healthcare executives paying quickly to restore access. Researchers observed that the healthcare industry experienced more ransomware attacks since November 2020, rising 45%, more than double observed in any other industry.

Universal Health Services Inc. said a malware attack in late September cost the hospital chain $67 million last year before taxes. Revenue dropped as patients went elsewhere for care, Universal Health said, and it incurred expenses to restore its operating systems. - Wall Street Journal

What to expect from ransomware attacks in 2021

  • • Double extortion attacks. Criminals paralyze systems and threaten to release personal or sensitive data. This adds considerable urgency to organizations to pay the ransom — not only can they not operate as needed, but they may face regulatory fines and reputational damage if they “allow” sensitive information to be released.
  • • Backups don’t cut it. Cyber criminals know that many organizations rely on their backups to recover from a ransomware attack. Now, attackers access systems and install their ransomware, but they wait to make the ransom request, reducing the likelihood that a backup will eliminate the need to pay the ransom.
  • • Cold calling. Ransomware groups are now calling victims directly if they believe the organization is trying to restore from backups rather than paying ransom demands. A cold call makes a ransomware attack feel more personal and intimidating to victims.
  • • Targeting backups. Ransomware now targets backups directly. Most organizations pay the ransom in the hope that they can return to business, having relied on backups to protect them from a ransom-related attack.

Prepare for these 3 ransomware trends

Paying the ransom is no guarantee

Given these changing tactics, many organizations are likely to pay demands for ransom, but that’s no guarantee that they’ll get their data, systems, or operations back. Some cyber attackers seek an initial ransom payment, and then return for more every few days. Others attackers sell the data they harvested, even after receiving the ransom.

Delayed encryption leads to more challenging attacks

Ransomware groups now favor “post-compromise” attacks, in which the threat actors wait to encrypt the data, first destroying backups and disabling security processes, gathering credentials, learning and modifying the target environment, and pulling out sensitive data. Then they launch an attack that’s extremely difficult to recover from.

Ransomware attackers understand the value of data

Previously, ransomware attacks operated by denying an organization access to its own data until it pays the ransom, but ransomware developers have embraced the value of data. By making copies of the data and threatening to release it publicly, organizations face an additional threat. Not only are they unable to keep their organization free from ransomware, they may now be responsible for regulatory fines related to data protection. In addition, impacted organizations may lose customers, not only because their systems were down, but because customers no longer trust them.

Plan for ransomware

Cyber attackers made at least $350 million in 2020, according to Chainanalysis, so they aren’t going to stop ransomware attacks in 2021. Don’t wait until you get a ransom demand. Plan ahead so you can act decisively in case of an attack, and create a team that has authority to execute on large-scale, operational decisions to mitigate damages. Finally, consider possible vendor solutions and limiting users to the least privileged access necessary for them to do their jobs. Limiting access, together with monitoring, threat detection, and a response plan, can help you limit the amount of damage ransomware can cause in your organization.