Over the last decade or so, ransomware has come of age. What started out as a relatively simple virus on a floppy disk now has the potential to cripple global healthcare systems, interfere with fuel supply chains or disrupt transport infrastructure. Its appeal to bad actors lies in its simplicity. Ransomware attacks don’t need to be particularly sophisticated to cause a lot of damage – and potentially result in lucrative ransom payments for criminals. For that reason, the number of these attacks continues to increase at a rapid pace.
Recently, GCHQ has disclosed that UK organizations have been targeted by twice as many ransomware attacks in 2021 than last year. Part of the danger of ransomware attacks is that they constantly evolve. This piece explores three ways ransomware will become even more dangerous and disruptive in the years to come, and what organizations can do to best protect themselves against these attacks.
Ransomware will use IoT as entry points
IoT devices are everywhere these days and Gartner predicts that there will be over 25 billion of them before the end of the year. That’s a lot of devices bad actors can target as a gateway for nefarious purposes. In many instances, IoT misconfigurations like unchanged default settings or unwanted services still being enabled, leave devices vulnerable and exposed to attacks. Our own Project Memoria research has found dozens of IoT vulnerabilities over the last 18 months, affecting millions of devices globally. The risk of IoT being used as entry points for attacks is therefore a very real one.
organizations that want to properly protect themselves against these threats need to make sure they have full visibility over all their devices and understand the risks associated with them. After all, organizations cannot protect something they can’t see. They can then ensure corrective actions are taken, like changing default settings, including passwords, and disabling unneeded services to protect themselves against common vulnerabilities. Additionally, network segmentation is one of the most powerful and effective ways to ensure that, in the event of a breach, bad actors can’t exploit the vulnerabilities of one device to cause havoc across a whole organization.
Ransomware will increasingly target third-party software
Bad actors won’t necessarily always attack organizations or their systems directly. Increasingly, hackers will target supply chain software, including remote monitoring and management software, as in the case of Kaseya and SolarWinds, or by exploiting widespread TCP/IP stack vulnerabilities that our own research has uncovered. Some of these underlying vulnerabilities in third-party software have remained unpatched for decades and hackers will continue to exploit them to disrupt and control devices.
The risk of falling victim to such an attack is high. Yet, because the responsibility to address these vulnerabilities is shared between the third-party device or software manufacturer and the company that uses them, it can be difficult for organizations to adequately protect themselves against these threats. In an ideal world, vendors would include software validation in their product development cycles and have clear processes in place for addressing any newly discovered vulnerabilities that bring risk to their customers. In reality, organizations, as the end-users of these products, need to display a great level of proactivity and use powerful device visibility and control tools to protect themselves against these vulnerabilities and mitigate the fallout in the event of a successful attack.
Ransomware will focus on Operational Technology
For many organizations, operational technology (OT) has mostly flown under the cybersecurity radar in the past. But the cyberattack against Colonial Pipeline in 2021 has dramatically changed this. The company was forced to completely shut down its OT environment to prevent hackers spreading across its devices, resulting in a major petrol crisis in the US and negative press coverage around the world. In the end, Colonial Pipeline was forced to pay about five million US dollars to regain access to its systems, making this both one of the most disruptive and lucrative known cyber attacks in recent years.
While IT systems under attack are bad, compromised OT systems are even worse as they allow bad actors to halt operations and almost instantaneously bring organizations to a complete standstill. Once companies get locked out of their systems and ransom demands are made, there is very little organizations can do to reverse this, other than to pay up. So, in the case of ransomware, prevention is significantly better than cure. To properly protect their OT and keep hackers at bay - should they manage to break into a network - organizations need to double down on their network segmentation and visibility efforts to neutralize an attacker’s ability to move laterally across a network and contain the breach ideally just within the affected device.
What the future holds
The reality is that the future of ransomware is very much here already. The number of attacks on IoT devices, third-party software and operational technology will only continue to grow, given the success bad actors have seen in recent years. But the good news is that organizations don’t have to be sitting ducks. There are several clear and highly effective steps every company can take to minimize the risk of a successful cyberattack wreaking havoc on their systems.
organizations need to ensure they have full visibility over all devices connected to their network in order to identify where their cybersecurity blind spots might be. They then need to ensure they bring those devices in line with the latest security guidelines, changing default settings and disabling services that aren’t needed. Companies should further put in place stringent cybersecurity policies that are regularly reviewed and updated to offer the best protection. And, finally, organizations should embrace the power of network segmentation to limit the fallout of a potential attack.
While there is no crystal ball to tell us what the cyberattacks of the future will look like, if companies are proactive and boost their cyber defenses today, they will be well-equipped to deal with the inevitable ransomware attacks they will face in the future.
Daniel dos Santos, Research Manager, Forescout Research Labs