Ransomware has transcended the technology industry. Globally, cybersecurity experts are staples on news programs, speaking with elected officials, national security experts, and stock market pundits about the threat posed by ransomware and the increase in ransomware events. In many of these panel discussions, experts agree that traditional security tools and practices are not keeping up with modern ransomware attacks.
The Rise of Ransomware and Societal Importance
The definition of “ransomware” is somewhat convoluted. Many think of ransomware as a type of malware. That’s because the name was coined in the 1980s, when the first examples of malicious software holding systems for ransom were discovered. In the early days, mitigating malware, including the newly minted strain known as ransomware, wasn’t viewed as especially complicated. Anti-malware software, combined with vulnerability management and other established security hygiene best practices, was generally effective in mitigating the bulk of the malware that businesses faced for decades.
Originally, the attackers’ strategy was different too. Ransomware attacks used to rely on luck, impacting victims effectively at random. Potential victims would only be exposed to the malware if they happened to visit a malicious website, download a malicious file, or open a suspicious email attachment. Anti-malware software was therefore built into browsers and installed on operating systems by default. Combined, these mitigations resulted in a business model for ransomware attackers that was closer to playing the lottery than the targeted paydays we read about today. Then in 2017, the WannaCry ransomware attack, which targeted vulnerable Windows PCs, provided a new blueprint, and the business model changed.
The ransomware we now see disrupting hospitals, oil pipelines, and your local neighborhood restaurant is not the category of malware that started in the 1980s. The term now refers to a very deliberate business model that uses a wide range of technologies to extort money from entities. These actors use a variety of tactics to gain unauthorized access to their victims’ data and systems, including exploiting unpatched vulnerabilities (as seen in the case of WannaCry), taking advantage of weak or stolen credentials, and using social engineering methods. Access to the data and systems is then restricted by the bad actors, and a ransom demand is made for the “safe return” of these digital assets. In some cases, even after data access is restored, bad actors have demanded a “second ransom,” promising that its payment guarantees the deletion of the victims’ sensitive data. These modern-day ransomware attacks are anything but random. They are highly targeted, based on the victims’ assumed ability to pay large ransom demands. They are also more often executed by human attackers, no malware required. Unfortunately, this also means that traditional ideas of malware detection are no longer sufficient to protect against the current generation of ransomware attacks.
Two notable evolutions have lowered the barrier to entry for would-be attackers. First, deep technical skills are no longer required, because Ransomware-as-a-Service (RaaS) provides bad actors with a professional set of tools to carry out an attack. The second is cryptocurrency, which provides an anonymous payment mechanism for criminals and allows for the extraction of much larger sums of money than they could get by demanding to be paid in gift cards. The use of cryptocurrency was another tactic made popular among criminals by WannaCry in 2017.
This evolution of ransom attacks requires an equally dramatic shift in approach by security teams. Some organizations opted to make ransomware a focus of their cybersecurity strategies by layering in more point solutions and detection tools. Others have come to realize that treating ransomware as an acute threat misses the point. What they’re really fighting is a criminal business model as old as time: extortion. Therefore, guarding against such a broad threat requires a holistic cybersecurity strategy.
This realization is also starting to make its way to the board room. Ransomware attacks can be extinction events for businesses, so boards of directors are getting more serious about providing proper oversight. They’re requiring security leaders to show exactly how they plan to keep the company from becoming the next front-page ransomware victim. Many of those security leaders have come to recognize that the cloud provides unique capabilities to help security teams take a holistic approach to protecting against, detecting, responding to, and recovering from modern-day attacks like ransomware.
Amazon Web Services, Inc. (AWS) gives businesses two modern differentiators to help mitigate modern-day attacks. The first is visibility, resulting from the fact that AWS is fundamentally API-driven. An API (Application Programming Interface) is a defined way for people and services to interact with each other securely. Every API call can be logged, making it exceptionally hard for attackers to conceal any nefarious use of APIs to navigate a system. The second modern differentiator is automation. Security teams use automation to constantly inspect API logs and other threat signals, then act in near real-time when indicators of compromise are identified. Automation based on Artificial Intelligence (AI) and Machine Learning (ML) can track massive amounts of signal to quickly identify and respond to threats in a fraction of the time it takes a traditional manual process.
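To make the visibility-plus-automation idea concrete, here is an added example that is not code from the original article or from AWS. It runs a small detection pass over a handful of constructed, CloudTrail-style API audit records (the eventName, eventSource, userIdentity.arn and eventTime fields mirror the real record layout, but the records, the principal ARNs, the rule names and the thresholds are all assumptions chosen for illustration). Two kinds of indicators are flagged from a defender's point of view: single API calls that blind the defender or destroy recovery options, and bursts of backup-deletion calls from one principal inside a short window.

```python
"""Toy detection pass over CloudTrail-style API audit records.

Added example, not code from the original article or from AWS. The sample
records below are constructed to resemble CloudTrail events; the rule names,
service/action pairs and thresholds are assumptions for illustration only.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Single API calls worth an immediate alert: each one either reduces the
# defender's visibility or removes a recovery option. (Constructed rule set.)
HIGH_SIGNAL_CALLS = {
    ("cloudtrail.amazonaws.com", "StopLogging"): "audit logging disabled",
    ("cloudtrail.amazonaws.com", "DeleteTrail"): "audit trail deleted",
    ("kms.amazonaws.com", "ScheduleKeyDeletion"): "encryption key scheduled for deletion",
    ("kms.amazonaws.com", "DisableKey"): "encryption key disabled",
}

# Calls that are routine one at a time but suspicious as a burst from a single
# principal, since mass deletion of backups often precedes an extortion demand.
BURST_CALLS = {
    ("ec2.amazonaws.com", "DeleteSnapshot"),
    ("rds.amazonaws.com", "DeleteDBSnapshot"),
    ("backup.amazonaws.com", "DeleteRecoveryPoint"),
}

# Constructed sample log: one JSON record per line, as a log shipper would emit.
SAMPLE_LOG = """
{"eventTime": "2024-03-01T02:00:10Z", "eventSource": "ec2.amazonaws.com", "eventName": "DeleteSnapshot", "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/ops-admin/session-1"}}
{"eventTime": "2024-03-01T02:00:42Z", "eventSource": "ec2.amazonaws.com", "eventName": "DeleteSnapshot", "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/ops-admin/session-1"}}
{"eventTime": "2024-03-01T02:01:15Z", "eventSource": "ec2.amazonaws.com", "eventName": "DeleteSnapshot", "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/ops-admin/session-1"}}
{"eventTime": "2024-03-01T02:01:50Z", "eventSource": "ec2.amazonaws.com", "eventName": "DeleteSnapshot", "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/ops-admin/session-1"}}
{"eventTime": "2024-03-01T02:02:30Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging", "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/ops-admin/session-1"}}
{"eventTime": "2024-03-01T02:03:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}}
{"eventTime": "2024-03-01T02:10:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DeleteSnapshot", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}}
"""
SAMPLE_EVENTS = [json.loads(line) for line in SAMPLE_LOG.strip().splitlines()]


def parse_time(ts):
    """CloudTrail timestamps are ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect(events, burst_threshold=3, window=timedelta(minutes=5)):
    """Return a list of alert dicts for the given audit records.

    High-signal calls alert individually. Burst calls are grouped per principal
    and alert once when `burst_threshold` of them fall inside `window`.
    """
    alerts = []
    burst_times = defaultdict(list)

    for ev in events:
        key = (ev["eventSource"], ev["eventName"])
        actor = ev["userIdentity"]["arn"]
        if key in HIGH_SIGNAL_CALLS:
            alerts.append({"rule": "high_signal_call", "actor": actor,
                           "event": ev["eventName"], "time": ev["eventTime"],
                           "reason": HIGH_SIGNAL_CALLS[key]})
        if key in BURST_CALLS:
            burst_times[actor].append(parse_time(ev["eventTime"]))

    for actor, times in burst_times.items():
        times.sort()
        start = 0
        # Sliding window: advance `start` until the window fits, then count.
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= burst_threshold:
                alerts.append({"rule": "burst", "actor": actor,
                               "count": end - start + 1,  # count when first crossed
                               "window_start": times[start].isoformat(),
                               "reason": "backup/snapshot deletion burst"})
                break  # one alert per principal is enough to page someone
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

On the constructed log this yields exactly two alerts: one for the StopLogging call, and one burst alert for the assumed role that deleted four snapshots in under two minutes. The single DeleteSnapshot by the IAM user is correctly left alone, which is the point of the per-principal window: the rule reacts to the pattern, not to any one routine call. In a real deployment the same logic would run continuously on the log stream, and the alert would trigger an automated response rather than a print statement.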
Enterprises that are serious about mitigating ransomware need a holistic cybersecurity strategy that takes full advantage of the cloud. It’s a choice the board can appreciate too, because with the cloud you only pay for what you use, versus the large up-front capital expenditures and long-term commitments that come with on-premises IT environments. People choose AWS for its rapid pace of security innovation, its ability to give customers fine-grained control over the security of their environment, and an architecture that allows AWS to take on much of the heavy lifting of patching and system maintenance that is so often the root of vulnerability for on-premises environments. Ransomware has evolved well beyond the classic ideas of malware. Smart businesses are doing the same and turning to the cloud for modern protection.