Jan 13, 2022

Chapter 13 – Was 2021 the Year of Ransomware Attacks?


Ransomware has been the threat of the year, shutting down sections of the economy and raising national security concerns.

The number of ransomware attacks surged 93% in the first half of 2021, according to Check Point. High-profile victims included the nation’s largest pipeline and the world’s largest meat supplier, among others. And the forecast is even grimmer for 2022, driven by innovations in attack techniques and an increased threat surface from IT/OT convergence in industrial environments.

Read this article to uncover:

  • Why ransomware is the topic of the hour in cybersecurity circles.
  • What’s causing this dramatic increase in current cyberattacks.
  • How industrial organizations can safeguard their operations.

Such is the concern about the impact of cyber breaches on U.S. national security that the White House took a series of measures in 2021 to ramp up critical infrastructure protection. The final package of the bipartisan Infrastructure Investment and Jobs Act directs about $1 billion to modernize and protect local, state and federal IT networks.

The U.S. government has also created an official website — StopRansomware.gov — to provide resources about this threat. According to the latest cyberattack statistics, ransomware costs to U.S. institutions reached $19.5 billion in 2020.

What is ransomware?

Ransomware is a type of malware that holds a company’s data or systems hostage. After the attackers breach the network, they encrypt files and keep the company locked out of its systems, or hold its data hostage, until it pays a ransom.

The initial access might occur through:

  • Phishing email. Social engineering techniques that use human interaction to compromise systems are an effective method. The SANS 2021 Survey: OT/ICS Cybersecurity listed spearphishing attachment as one of the top initial attack vectors in reported OT/ICS incidents.
  • Brute force or stolen credentials. Poor password habits leave organizations susceptible to breaches. Data from 1Password’s survey indicates that 63.5% of surveyed office workers have created at least one unsanctioned account using their work email, with 33.3% of those respondents admitting to reusing memorable passwords.
  • Software vulnerability exploit. That has been the case with WannaCry ransomware, which spread through computers operating Microsoft Windows. Microsoft released a security update to address the vulnerability, but manufacturers and other industrial organizations often have a large number of older or unmanaged devices that cannot be easily patched. 

The initial breach rarely causes damage. Once the infection occurs, the bad actors tend to stay quiet while doing network reconnaissance and lateral movement. This means that the intruders move laterally to other assets, spreading the infection, stealing credentials and gaining more control over the network. Next in the cyberattack lifecycle, they look for sensitive data and even backups of that data before making a ransom demand. 

One of the extortion tactics is to steal sensitive data (financial records, confidential plans, credentials) and threaten to leak them. Another popular tactic is to encrypt the data, corrupt files and delete backups, forcing the company to pay a ransom to regain access.

These cybersecurity attacks can:

  • Cause supply chain disruptions and operational downtime.
  • Lead to data loss and exposure.
  • Damage a company’s reputation.
  • Put lives at stake — as seen in the case of hospital and healthcare threats.

Why ransomware attacks keep happening

An IDC survey released in August indicated that more than one-third of organizations worldwide have experienced a ransomware attack in the previous 12 months. The manufacturing and finance industries accounted for the highest ransomware incident rates.

Ransomware is not a new threat. The Cryptolocker ransomware, for example, emerged in 2013. Threats such as WannaCry, deployed in 2017, started to target the supply chain industry. Over the years, these types of cyberattacks have accelerated with increased sophistication. 

“Ransomware-related transactions in 2021 will be higher than the previous 10 years combined.”
House Committee on Oversight and Reform

Here are some factors that contribute to the proliferation of recent cyberattacks:

Better encryption

Advances in encryption technology, whose purpose is to protect data from unauthorized access, have been crucial to the boom of ransomware threats. Encryption algorithms were developed to be unbreakable, which is why security vendors can’t get around them. Without the decryption key, the files will remain encrypted even after the malware has been removed.

Increased threat surface

With the Internet of Things (IoT), the number of devices connected to networks keeps growing. In industrial environments, the convergence between information technology (IT) and operational technology (OT) has also increased the risks, dissolving the air gap that has protected OT from cyber threats in the past. These new trends contribute to an increased attack surface — or the number of all possible points where a breach could happen.

Securing IoT and OT devices brings unique challenges because they are:

  • Unmanaged and therefore cannot accommodate a traditional security agent. 
  • Sensitive to scans, which can cause OT systems to crash.
  • Not designed with security in mind and might not have a method to receive patches.

Lack of security measures and employee awareness

Poor cyber hygiene and employee awareness of cyber threats make organizations an easy target for cybercriminals. Many organizations do not follow security best practices, including:

The popularity of cryptocurrencies

As seen in high-profile cases, such as CNA Financial, Colonial Pipeline and JBS Foods, bitcoin was the cybercriminals’ favored currency to collect ransom payments. Bitcoin and other cryptocurrencies have helped fuel this type of crime because they make it easier for criminals to maintain anonymity. These currencies are decentralized, poorly regulated and hard to trace.

Lucrative business model

With millions of dollars in payouts, ransomware has become a very lucrative business for criminals. So how much money does ransomware make? As per the U.S. Department of Justice (DOJ), organizations paid roughly $350 million in ransoms in 2020, which is 300% more than in the previous year.

Ransomware groups often operate as organized crime. After monitoring the leak sites of 13 different ransomware gangs, Armis noted that some of these criminal organizations even specialize in targeting certain countries or sectors, such as cyberattacks in the healthcare industry.

What should companies attacked by ransomware do?

Paying ransoms to regain access to the system is a controversial decision, often taken at the board level of organizations. According to the IDC report, only 13% of companies reported experiencing a ransomware intrusion and not paying a ransom. The average payout was almost $250,000, as per the study.

The FBI and Department of Homeland Security recommend avoiding paying ransoms and reporting the case to the U.S. government. There’s no guarantee that the intruders will hold up their end of the bargain. In addition, lucrative payouts only encourage more criminals to pull off more ransomware crimes.

Some high-profile examples of companies that made large payouts in 2021 include:

  • Colonial Pipeline paid $4.4 million, but U.S. law enforcement officials later recovered $2.3 million.
  • German chemical distribution firm Brenntag paid the equivalent of $4.4 million.
  • CNA Financial, one of the nation’s largest insurers, paid $40 million. 
  • JBS paid $11 million to stop their attack. 

New trends of ransomware-as-a-service

Gartner’s latest Emerging Risks Monitor Report reveals that “new ransomware models” topped the executive concerns in the third quarter of 2021. These models include the demand for bitcoin payouts and the rise of ransomware-as-a-service (RaaS).

Like its SaaS counterpart, RaaS is a subscription-based model. In this case, criminals don’t need sophisticated technical expertise to execute attacks. They can lease already-developed ransomware tools and capabilities and pay a percentage of the ransom money collected.

These schemes contribute to the spike in ransomware activity.

Roadmap to preventing ransomware breaches

More than 90% of ransomware attacks are preventable, as per Gartner’s research. Organizations can better protect themselves from cybercrimes by taking the following measures:

1. Get comprehensive visibility into your network

The first step to protecting your organization from ransomware is eliminating your blind spots. Organizations need complete asset visibility to know what devices they have in their networks and what vulnerabilities they pose. With Armis Agentless Device Security Platform, organizations can discover all devices in their environment, both managed and unmanaged.

2. Deploy a threat detection tool

Knowing how a device in your environment is supposed to behave can help to prevent attacks. If a device is behaving abnormally, you can stop the spread of the infection. With the Armis platform, organizations can continuously monitor their assets and network. The Armis platform also performs a risk assessment to identify all threats and help to develop a mitigation plan with policy enforcement.

3. Follow the industry’s best practices

To increase their cybersecurity posture, organizations should follow frameworks such as the Center for Internet Security’s CIS Controls. CIS Control 10, for example, focuses on malware defenses. Other best practices include multifactor authentication, network segmentation and zero trust policies. Educating employees about cybersecurity risks and ensuring your data is backed up and known vulnerabilities are patched can also help to prevent breaches.

4. Build an incident response plan

Organizations should prepare to act in case of an incident. It’s crucial to have a strategy to help mitigate, respond to, and recover from cyberattacks. Ransomware is a federal crime, and organizations are encouraged to report incidents to law enforcement, such as the FBI or the Secret Service.

Armis can help you get a complete inventory of hardware, software and users in your network. But we don’t stop there. Our platform analyzes all traffic and asset behavior, identifies security gaps and threats and orchestrates automated actions to stop attacks—all without the need for disruptive security agents. Book a demo to learn more.
