The tenor of ransomware threats changed as attacks shifted from ransomware delivered through consumer-targeted spam to ransomware that spreads across corporate networks. The threat of extortion and data exfiltration has yet to wane.
More than half of CISOs said they were hit by ransomware at least once in 2021, according to a Black Kite-sponsored survey of 250 CISOs. More than two-thirds expect at least one ransomware attack this year.
Though business leaders are more confident employing tactics to prevent ransomware attacks, confronting risk requires an internal commitment starting from the C-suite down to interns. "Businesses must take acceptable and calculated risks each day — the same applies to cybersecurity," said Theo Zafirakos, CISO of Terranova Security.
As 2022 unfolds, here are three ransomware mitigation tactics to watch and employ:
Train, train and train again
Whether negligent or malicious, insider threats are a leading cause of security incidents. Leveraging human behavior is a favored tactic for threat actors, especially when they find loopholes in technological safeguards.
Companies will continue to invest in their employees, working to evolve their behaviors to become more cyber-aware.
"To succeed, organizations must invest in processes and people," said Zafirakos. Companies have put more resources toward training employees on ransomware awareness. This includes ensuring employees know how to report suspicious messages.
Back to basics
Despite the growing sophistication of ransomware, security controls largely remain within security basics, no matter the tools a company adds.
Up against more security measures, threat actors pivoted their tactics to turning off mitigation capabilities to deploy ransomware, said Jon Clay, vice president of threat intelligence at Trend Micro.
This means the security basics have had some modifications. Companies are implementing multifactor authentication for administrative accounts and mission-critical business application accounts. Companies are revisiting patch management strategies so they're based on risk, which takes into account "any vulnerabilities with public proof of concepts and any actively exploited vulnerabilities being patched at once," Clay said.
Vulnerabilities from ProxyLogon, ProxyShell and PrintNightmare drew ransomware actors last year, according to research from Tenable. Basic VPN vulnerabilities remained a top attack vector, and they may linger as forgotten flaws amid the more highly publicized vulnerabilities disclosed and exploited last year.
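To make Clay's risk-based patching rule concrete, the following is an added Python example, not code from the article, from Trend Micro or from Tenable. It orders a vulnerability backlog so that anything actively exploited or with a public proof of concept is patched at once, ahead of findings that merely carry a high CVSS score. The CVE identifiers, hostnames and scores are constructed placeholders, and the "actively exploited" flag stands in for whichever threat-intelligence feed or known-exploited-vulnerability catalogue an organization subscribes to.

```python
"""
Risk-based patch prioritization (added illustration; all CVE ids, hosts
and scores below are constructed placeholders, not real findings).

Rule, following the article: public PoC or active exploitation => patch
at once, regardless of CVSS. Everything else is ordered by severity and
exposure, so a 9.1 with no known exploit does not jump ahead of a 6.5
that attackers already have working code for.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str                 # placeholder identifier
    host: str                # placeholder asset name
    cvss: float              # base score from the scanner
    internet_facing: bool    # reachable from outside the perimeter
    actively_exploited: bool # seen in the wild (e.g. a KEV-style catalogue)
    public_poc: bool         # exploit code is publicly available


def patch_tier(f: Finding) -> int:
    """0 = patch at once, 1 = this maintenance cycle, 2 = routine."""
    if f.actively_exploited or f.public_poc:
        return 0
    if f.cvss >= 9.0 or (f.cvss >= 7.0 and f.internet_facing):
        return 1
    return 2


def prioritize(findings):
    """Return findings in the order they should be remediated.

    Within a tier, actively exploited beats PoC-only, exposed beats
    internal, then higher CVSS, then CVE id for a stable order.
    """
    return sorted(
        findings,
        key=lambda f: (
            patch_tier(f),
            not f.actively_exploited,
            not f.internet_facing,
            -f.cvss,
            f.cve,
        ),
    )


def queue_by_tier(findings):
    """Group the prioritized CVE ids by tier: {tier: [cve, ...]}."""
    queue = {}
    for f in prioritize(findings):
        queue.setdefault(patch_tier(f), []).append(f.cve)
    return queue


# Constructed sample backlog. Note the internal 8.8 and the exposed 6.5
# both outrank the 9.1 database flaw because attackers can already use them.
SAMPLE = [
    Finding("CVE-0000-0001", "vpn-gw-01",    9.8, True,  True,  True),
    Finding("CVE-0000-0002", "print-srv-02", 8.8, False, True,  True),
    Finding("CVE-0000-0003", "mail-01",      7.5, True,  False, True),
    Finding("CVE-0000-0004", "db-01",        9.1, False, False, False),
    Finding("CVE-0000-0005", "ws-017",       5.3, False, False, False),
    Finding("CVE-0000-0006", "web-03",       6.5, True,  False, True),
]

if __name__ == "__main__":
    for tier, cves in sorted(queue_by_tier(SAMPLE).items()):
        print(f"tier {tier}: {', '.join(cves)}")
```

Sorting by CVSS alone would put the 9.1 database flaw second; the tiered key instead pushes every finding with working exploit code to the front, which is the behaviour the risk-based approach is meant to produce. In practice the `actively_exploited` and `public_poc` flags would be populated from a feed rather than set by hand.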
Funds might be recovered
U.S. and international law enforcement pursued one of the most prolific ransomware gangs, REvil, last year, and partially recovered the funds paid by Colonial Pipeline. Law enforcement will likely become more intertwined in incident response for businesses this year.
"In fact, this will be the theme for the rest of the decade," said Zafirakos. And given the onslaught of high-profile attacks lately, "the stigma of being victim to ransomware has reduced."
Industry wants to see more action taken against cybercriminals or nation-state threats, but "they fail in their general deterrence effect to the cybercriminal undergrounds from which they operate," said Ed Cabrera, chief cybersecurity officer at Trend Micro and former CISO of the U.S. Secret Service. This is most obvious in the constant rebranding of threat groups.
"This is not to say [law enforcement] operations are futile or not effective but rather incredibly effective in developing criminal threat intelligence across the broader criminal underground ecosystem," he said.
Companies are not federally required to report incidents, which leaves gaps in intelligence for law enforcement agencies. "The vast majority of incident reporting today happens due to legal and regulatory requirements rather than the idea that law enforcement can immediately assist in mitigation," Cabrera said.
Moving forward, industry wants more collaboration with regulatory agencies in developing realistic cybersecurity mandates. Government needs more insight into how regulations could impact businesses.
For example, "requiring organizations to disclose an attack before they have a better understanding of the situation may put their networks at risk of other attackers targeting them," said Clay.