Ransomware made a comeback in 2023… and not in a good way.
A study released by blockchain analysis firm Chainalysis calculated that ransomware extortion payments topped $1 billion for the first time in 2023. This increase follows a relatively low period for cybercriminal gangs carrying out these malicious attacks, with payments falling from $983 million in 2021 to $567 million in 2022 before this recent increase.
The report also notes that the $1 billion number only calculates payments made to criminal gangs, and does not include the financial damage done to victims who do not pay—such as MGM Resorts, which sustained about $100 million in damages following an incident in 2023.
The Chainalysis survey uncovered several reasons ransomware payments fell in 2022, including the war between Ukraine and Russia, which disrupted some cybercriminal gangs’ operations as those groups focused more on political activity than on crime.
In other cases that year, significant cybercriminal gangs, such as Conti, fell apart. At the same time, the FBI disrupted the prolific Hive ransomware group, which may have saved more than $130 million in extortion payments.
But all that changed in 2023 as ransomware groups began exploiting more zero-day vulnerabilities to target victims. In addition, criminals increased their so-called “big game hunting” activities, targeting victims who can pay out much more money. There has also been increasing use of ransomware-as-a-service (RaaS) operations, which allow smaller groups to profit from extortion schemes.
“Despite targeting smaller entities and demanding lower ransoms, the RaaS model is a force multiplier, enabling the strain to carry out a large quantity of these smaller attacks,” the report noted.
While ransomware is one of the best-known threats to organizations, industry experts noted that the Chainalysis report must serve as an additional wake-up call for tech professionals to upskill and continue learning about security as attackers refine their techniques.
“What is clear is that ransomware continues to be the leading threat to businesses and governments around the world and this means we must continue to invest in ransomware mitigation and resiliency,” Joseph Carson, chief security scientist and advisory CISO at security firm Delinea, recently told Dice. “We must not become complacent in the threat from ransomware, and security professionals must prioritize best practices that make it difficult for criminals to be successful.”
As tech pros think hard about these implications, cybersecurity experts noted there are steps to take to help better prepare organizations for ransomware attacks and skills that can help make a difference. Here’s a look at three lessons that must be learned.
Communication Is Key
While there are numerous technical issues associated with ransomware—such as patching vulnerabilities and identifying phishing emails that precede an attack—several experts note that tech and security pros need to polish up their communications skills most of all.
The reason is that ransomware remains a business problem that can affect the bottom line and involves C-suite decisions. At the same time, employees need to be aware that they are potential targets for the emails and malware that give attackers a foothold within the network.
“To communicate the risk of ransomware to executives, security and tech pros need to pull back on technical jargon and highlight the business risks associated with ransomware attacks, including monetary losses, reputational damage, and operational disruptions,” Eric Schwake, director of cybersecurity strategy at Salt Security, told Dice.
“Among employees, security pros need to communicate how the employee can be part of the solution in preventing ransomware attacks,” Schwake added. “Knowledge sharing between IT and security teams is important to share best practices and learnings. These teams also need to work closely together to build comprehensive incident response plans in case the organization is impacted by ransomware.”
Through good communication, tech and security pros are better able to explain the risks associated with ransomware, which helps inform C-suite decisions and makes rank-and-file employees more aware through education and training, said Matthieu Chan Tsin, director of threat intelligence at Cowbell, which provides cyber insurance to small and midsized companies.
“Successful ransomware attacks still overwhelmingly rely on human error. Thus, effective, periodic and assessed awareness training and professional development remain an enterprise’s best tools to avoid the initial compromise that can lead to a ransomware attack,” Chan Tsin told Dice. “Actors evolve, and training must keep pace. Also, cybersecurity must be built in-depth and include fail-safe processes.”
Planning and Knowing the Basics
For tech pros thinking about the dangers of ransomware, developing a plan with executive sign-off is critical to addressing the risk. This includes understanding that the organization and its leadership may decide to pay the ransom and avoid a costly standoff.
“You need to have a response plan in place,” Hen Amartely, director of product marketing at DoControl, told Dice. “Know if you will pay, and at what thresholds you will pay versus fight. Have a means of paying via bitcoin or other cryptocurrency if you intend to pay.”
At the same time, understanding the basics of cybersecurity, such as securing applications with protections such as multifactor authentication (MFA), is critical to ensuring an attack can be stopped or at least isolated before widespread damage occurs.
“Though a ransomware attack may be inevitable, don't make it easy. Keep up the basics: patching, MFA, routine audits, visibility, user training and education,” Amartely added. “Many RaaS groups are looking for easy entry points and low-hanging fruit to make a quick buck. Be the target that's too much trouble to be worth their while for them to penetrate. As with all crimes of opportunity, if the score is too difficult, the criminal is very likely to move on to an easier mark.”
Delinea’s Carson agreed that knowing and implementing best practices is crucial. This requires knowledge of privileged access management (PAM), identity and access management (IAM), MFA and other technical controls.
“We must not become complacent in the threat from ransomware, and security professionals must prioritize best practices that make it difficult for criminals to be successful,” Carson added. “This includes the use of strong identity and access management, multifactor authentication, privileged access security and a strong ransomware-resilient backup strategy.”
Creating Back-Ups to Protect Data
One of the long-held tenets of ransomware defense is to have company data backed up and stored off-premises or in a separate cloud environment, so that IT teams can restore systems following an incident.
“Few companies are adequately protecting their ability to restore their systems in the event of a breach. Because, as the research suggests, the volume is increasing—and breaches are more destructive than they were in years prior—ensuring backups are immutable, redundant, resilient and all pathways to them are secure is paramount,” said John A. Smith, founder and CSO at Conversant Group.
For these reasons, tech and security teams need to understand how cloud storage systems work, what data SaaS applications contain as well as details of what service providers offer when it comes to backing up and protecting company data.
“Ransomware actors are using this Achilles’ heel against organizations by crippling these vulnerable backups, providing the organization with few options once attacked,” Smith told Dice. “Additionally, many organizations have blind trust in SaaS and cloud providers’ security and restoration capabilities, but this trust continues to be proven ill-afforded. Cloud and SaaS security must be shared as attackers are finding and capitalizing on security vulnerabilities lost in the gap.”
Understanding where data is stored and who within the organization has access to it is critical to creating a better defense posture. More tech pros should focus on this aspect of cybersecurity, suggested Claude Mandy, chief evangelist for data security at Symmetry Systems.
“Organizations should start with visibility into your data, identifying which identities can access your data, and proactively reducing the blast radius from every identity at risk,” Mandy told Dice. “With modern data security tools, organizations can also verify their data is backed up and monitor for suspicious activity before the ransom event occurs.”
Another skill in demand is implementing a zero trust strategy, which reduces access to data and better identifies who is accessing applications and other resources within a network.
“A zero trust security model with least privileged access and strong data back-ups will limit the blast radius if a cyberattack occurs,” Patrick Tiquet, vice president for security and architecture at Keeper Security, told Dice. “All humans and devices must prove that they are who they say they are before they can access the network, and are strictly limited to the resources they need to perform their individual roles.”