Onccloud

Ransomware Protection Strategies for Modern Threats

Ransomware is a major threat on the modern internet. Behind every attack is a network of software developers, brokers, and money launderers working together like a criminal tech company to steal data and extort companies. Ransomware protection has never been more important. Tools like layered defense and zero trust architecture can help you prevent these attacks. See The Ransomware War with Cynthia Kaiser for a complete transcript of the Easy Prey podcast episode.

Cynthia Kaiser spent twenty years of her career with the FBI, about half of which was spent investigating cybercrimes in the United States. She did a lot of work with cyber threat intelligence, engaging with critical infrastructure, and working with the White House and Congress on emerging digital dangers. After two decades investigating cybercrimes after they happened, she moved to the private sector and joined the anti-ransomware platform Halcyon. There, she’s able to focus on the prevention side. In particular, she’s helping build their Ransomware Research Center, which pulls together information, threat intelligence, and policy work to help people stay safer.

You’ve probably seen stories about ransomware in the news. At the very least, last year’s attack on CDK Global was everywhere for a little bit. But the problem is far bigger than what we see in the news. It’s even bigger than what the government knows about. When we look at ransomware, we’re only seeing a small window into the problem, because it’s fairly easy for criminals to hide their tracks. Tech is always changing and we’re always playing catch-up. There’s a lot we don’t know, and that’s been consistent for the last decade.

[Cyber threats] are way bigger not only than what we see in the news, but than what the government knows.

Even when looking at a specific ransomware attack, it’s often hard to tell if it’s a nation-state, a criminal organization, or just a one-off attack. The lines are very blurry.
One of Cynthia’s last jobs at the FBI was being responsible for the Internet Crime Complaint Center (IC3). They get over 3,000 reports a day. And it’s often hard to identify who’s behind an attack, because it can be a little bit of both. Maybe a nation-state actor is trying to make some money on the side. Maybe a nation-state has contracted something out to a criminal group, or they’re trying to make it look like criminals are behind it. There’s so much overlap that it can be challenging to identify who’s behind it. If you can, that makes it easier. But most of the time the more important part is how to stop them.

Ransomware can get on your device in a lot of different ways. You could click on a link. It could be through a zero day – a vulnerability that doesn’t have a patch yet. Or maybe you reuse passwords, or your credentials were exposed through a data breach and the criminals bought them. There are lots of options. Once they get in, they move around, trying to find what they want and bypass security. Often, once they find what they want, they steal your data and they lock it up. That’s where the “ransom” part of ransomware comes in. They steal your data, lock it so you can’t access it, and demand payment to give it back.

It’s almost never just one person doing it. There’s a whole business ecosystem of developers making the malware, affiliates actually using the malware in attacks, initial access brokers selling ways to get into systems, money launderers, infrastructure providers, and more. Criminals specialize in different parts of the crime and work together to target victims more effectively. For a lot of criminals, this means less risk. Especially on the developer side, they’re less exposed if they’re just writing the software and not directly targeting victims. In many ways, it works a lot like a startup. It’s quite challenging for one person to write the ransomware software, get access to systems, run the attack, and launder the money.
Instead, they’re finding one specific part of the market, staking out a market share, and using that to get their share of the ill-gotten gains.

One reason ransomware protection is so critical is how heavy the costs are of being a victim. The blockchain analysis company Chainalysis tracks ransomware payments, and they determined companies paid about $75 million in ransoms last year. But often, the cost of the ransom is less than a quarter of the actual cost of ransomware recovery. The average for a company is 22 days of downtime – that’s millions in lost revenue. Not to mention the cost of incident response and restoring your systems.

Oftentimes the actual ransoms paid are 15%-20% of how much it actually costs to get back online [after a ransomware attack].

Whether or not to pay is an awful choice. If you do pay, you’re known as a company that pays. Criminals might target you again later. And if you pay and get that decryptor key, it might not work. People who create software to break things don’t generally put a lot of effort into fixing them again. The majority of ransomware attacks are about making as much money as possible, but some also have an attitude of sticking it to the victims, too. We used to see a kind of criminal ethics: they had to honor the ransom or nobody was going to pay, they didn’t target hospitals, that kind of thing. We don’t see that as much anymore. Hospitals have been victims of ransomware attacks. And once the criminals get the money, they move on – if the decryptor doesn’t work, that’s the victim’s problem. Groups don’t want to be known as someone you don’t pay at all, but that doesn’t mean it has to work every time. Somewhere around 75% is good enough for them. So even if you pay, you may not get your files back.

Initially, ransomware attacks were just about locking up your files and making you pay to get them back. But then people started creating backups so they could get back online without paying.
So many attackers started stealing data, too. It provides an additional incentive. You may have backups and be able to get your company running again without paying, but they have your data now. If you don’t pay, whether or not you need your files decrypted, they’ll release your data. If you do pay, they’ll delete it. That’s what they promise. In some of her investigations with the FBI, Cynthia got to see what these groups actually did with the files. And many of them didn’t actually delete them. Whether that was because they just didn’t care about doing it, they were waiting for an opportune time for future extortion, or they thought it could be put to some other criminal use like credential harvesting, it wasn’t clear. But even if you pay, it may not protect your data. And AI tools can make it quicker and easier for criminals to go through your data and figure out what might be useful. So ransomware protection isn’t just about preventing downtime, but also about protecting your data.

When it comes to ransomware protection, the basics still really matter. The majority of incidents happen because of passwords that are easy to guess or brute force, a lack of two-factor authentication, not patching vulnerabilities, and other basic stuff. Why would criminals use difficult and expensive tools if cheap and easy ones work? Doing all the basics matters for ransomware protection.

Why would threat actors use hard and expensive tools if the easy things work? Doing all those basic [security steps] really matters.

Endpoint Detection and Response (EDR) systems work. So some advanced ransomware groups are starting to target those and find ways around them. That drives home the idea that you can’t rely on just one thing for ransomware protection, even if it’s really good. You need layered defense, or defense in depth. That’s what Halcyon does – they work on both detecting ransomware activity and taking protective steps along the way.
You also need to practice your incident response plan. Most companies have a plan, but if it just sits on a shelf, it’s not helping. If it’s not used, it’s just a document. You have to practice it, think about it, and know who to talk to. When an incident happens, minutes matter. Being able to react quickly is essential to stopping threats and dealing with incidents.

In the early days of ransomware, we saw attackers targeting individuals too. But that’s much less common now. These days, individuals are much more likely to be targets of scams and cyber thefts than ransomware. Ransoms can be in the millions for organizations, but criminals just can’t get that much out of most individuals. For protection against ransomware and all kinds of scams and cybercrime, you can do all the same basic things. Don’t reuse passwords. Turn on two-factor authentication. Cynthia thinks authenticator apps are the best for personal use, but even getting a code by text message is better than nothing. Make sure your systems are up-to-date and install updates when needed. Run an antivirus program.

In organizations the best kind of security is zero trust. As an individual, you also want to zero trust your brain. If you get an email that there’s an issue with your Amazon account, or get a call that there’s been fraud on your bank account, or a loved one says they’re in trouble and need money, don’t automatically trust it. Whatever the urgency, you have to take a step back and verify first. AI can create really believable deepfake imitations. Cynthia has seen many believable deepfakes that she would have fallen for in that situation. Have a secondary person you can call to verify, almost like an in-person multi-factor authentication. These people are crafty and their lies are believable. You have to verify before you trust.
Whenever there’s urgency behind an ask, it’s incredibly important to take a beat and really figure out if there’s a way for you to verify this before moving forward.

Dealing with a ransomware incident is hard. Hopefully, you’ve practiced. You should already have an incident response plan and know who you’re going to call. Have specific contacts – not just the general 1-800 number but exactly who you need to talk to. As the saying goes, you want to find a lawyer before you need a lawyer. This holds true for everyone you’ll need in case of an incident. You don’t have time to collect recommendations when your company is already locked down with ransomware. Hopefully you have a good endpoint detection or other cyber company providing ransomware detection, and they spotted it early and worked to contain it quickly. Your first priority is to make sure it isn’t going to spread. Then you can start looking at who you need to call, who you have to notify, deciding if you need to tell customers, figuring out if you need to bring in someone external to help you recover, and how you’re going to make sure it didn’t go further than you thought. External people can be really helpful in bringing in different expertise and perspectives. You don’t want to be figuring it out in the moment or trying to manage it all on your own. The best way to respond is to follow your playbook – which requires you to have that playbook worked out and practiced in advance.

Cynthia is just starting to build the Ransomware Resource Center at Halcyon. She loves cyber threat analysis and doing deep dives on niche topics. The Ransomware Research Center will be a great place to find that research. They are also going to collaborate with other industry partners and startups with specific data so they can pull it all together. While at the FBI, Cynthia oversaw the transition from each agency doing its own cyber threat notification process to the joint advisories they have now.
She’s hoping to see that in industry, too. When they get a lot of people together, she believes they can create a great resource. She’s also a big believer in education. The Ransomware Resource Center will be a one-stop shop for ransomware: how it gets in, what the ecosystem looks like, and ransomware protection strategies. Even though they are just starting out, right now they have a page for every known ransomware actor with as much detail as they have. The goal is to make it easy to find resources.

They’re also interested in policy solutions to help defend against ransomware. It will require both government action and public/private partnerships. She’d especially love to work with partners to figure out how to stop ransomware against hospitals. It won’t decrease the amount of ransomware in the world, but she thinks everybody would be okay with a world with the same amount of ransomware but where nobody dies because a hospital’s system got locked up.

Let’s make sure no one dies from a computer attack today.

As long as there are computers and vulnerabilities, people will try to exploit them. It’s felt like an arms race forever. Defenders put up a new defense, and adversaries are constantly trying to find a way around it. Tools like AI-based behavioral detection for threats are going to be a big boost on the defender side, but it will always be a challenge. In the end, basics matter. It’s essential to ensure the right basic ransomware protections are in place. It’s also important to remember that things might happen anyway, and you need layered defense. You need to have a lot of checks to make sure you don’t end up being a victim. Have backups and a plan, and practice them. Adversaries are going to target us. But Cynthia is hopeful. There are some really cool tech things coming out that can help a lot. It doesn’t have to be a never-ending battle. She’s hopeful there will be an end someday.

Connect with Cynthia Kaiser on LinkedIn, where she is active and available.
Learn more about Halcyon at halcyon.ai, or visit the Ransomware Research Center at halcyon.ai/ransomware-research.
