We are excited to bring Transform 2022 back in-person July 19 and virtually July 20 - 28. Join AI and data leaders for insightful talks and exciting networking opportunities. Register today!
Ransomware attacks last year included a significantly larger emphasis on leaking stolen data as a way to pressure victims to pay ransoms, CrowdStrike said in its 2022 Global Threat Report.
Data leaks related to ransomware surged 82% in 2021 compared to the previous year, the cyber vendor said in the report, which was released today.
While other findings in the report also pointed to a worsening ransomware epidemic — the average ransom demand grew 36% to $6.1 million last year. For instance, the massive growth of ransomware-linked data leaks points to a changing tactic by cyber criminals that all businesses should pay attention to, said Adam Meyers, senior vice president of intelligence at CrowdStrike.
Ultimately, the expansion of ransomware-related data leaks is an indicator that the “weaponization of data” has become a key strategy for cyber criminals, Meyers said in an interview.
“The threat actors have identified that this is a way to increase the pain to the victim and to make it more of a problem for them — which they believe will compel them to pay more and faster,” he said.
Typically, the data leaks occur as part of the negotiation process: If the victim shows an unwillingness to pay the ransom, or they ask for more time, the attacker will post some stolen data on the internet to apply more pressure, Meyers said.
Ultimately, such tactics are all about control, he said.
“You’re taking the narrative away from the victim. You’re taking the control away from the victim,” Meyers said. “And that is really powerful for a threat actor. Because typically in years past, if an organization was breached, it was up to them to determine when they notify their customers, when they notify their shareholders, their employees. And it’s been up to them what they want to detail.”
This does change the calculus around whether or not a victim chooses to pay, he said. While many companies can now restore their data from backup — making them less likely to pay the ransom — the threat of having data leaked can alter their thinking, Meyers said.
For instance, regulatory and compliance issues will often result when sensitive data is disclosed, he said.
“It makes it more complex,” Meyers said. “The second that data leaves your control, now things can get really expensive for you beyond the ransom payment.”
Ransomware breaches that resulted in data leaks last year included the attacks against the National Rifle Association, Accenture, and Quanta (though in the latter case, the leaked data actually belonged to Apple, a partner of Quanta).
CrowdStrike has also been tracking other cyber activities that fall into the realm of the “weaponization of data” — including Iranian groups that use a ransomware tactic that the company calls “lock-and-leak,” CrowdStrike said in its report.
“Lock-and-leak operations are characterized by criminal or hacktivist fronts using ransomware to encrypt target networks and subsequently leak victim information via actor-controlled personas or entities,” CrowdStrike said. “Through the use of dedicated leak sites, social media and chat platforms, these actors are able to amplify data leaks and conduct IO against target countries.”
Zero trust security
By all accounts, the global ransomware problem became much worse last year. For the first three quarters of 2021, SonicWall reported that attempted ransomware attacks surged 148% year-over-year, for instance.
But while companies are now well aware that they need to protect against ransomware, the expanding threat of ransomware-related data leaks should change how companies think about protecting themselves, according to Meyers.
First and foremost, companies need to recognize that more than just antivirus and anti-malware protection are required, he said.
To truly prevent attackers from gaining access to sensitive data, zero trust security architecture and strong identity authentication is critical, Meyers said.
“When you have a human with hands on keyboards, stealing data, and leaking it out to the internet, anti-malware and antivirus are not going to necessarily be able to help identify and stop that. Zero trust and strong identity management — that will,” he said. “Zero trust and identity are the new things that organizations really need to be thinking about in terms of how they defend their data and defend their business.”
‘Antivirus is dead’
Detection and response technologies that leverage machine learning are another important area for businesses to consider in order to defend against this threat, Meyers said.
“Antivirus is dead. The legacy antivirus products that are out there — the signature-based antivirus tools — are not effective anymore,” he said. “What is necessary are [tools] that use machine learning, in addition to signatures, to identify malicious activity.”
This can be machine learning (ML) for detecting anomalies, Meyers said, or it could be “file-based machine learning — where we’re looking at features of a binary and determining if it’s good or bad based on those features.”
Deploying ML-powered detection technology such as this is “absolutely table stakes at this point to even think about defending an enterprise,” he said.
Other key security investments that companies can make to help counter the threat of ransomware-related data leaks include threat hunting; tabletop exercises to prepare for potential scenarios involving leaked data; and threat intelligence, Meyers said.
However, if a company had to choose just one area to invest in to help counter this threat, “I think identity would probably be where I would put that [investment],” he said. “Because that’s where I’ve personally seen a huge difference in outcomes.”
VentureBeat's mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Learn more about membership.