Tuesday 16 Apr 2024

This article first appeared in Digital Edge, The Edge Malaysia Weekly on April 11, 2022 - April 17, 2022

Almost daily, ransomware attacks continue to make the headlines. As businesses in Asia-Pacific embrace digitalisation, the region faces a growing threat of cyberattacks because the pace of change and the degree of connectivity keep increasing. Research revealed a staggering 168% year-on-year increase in the number of cyberattacks in Asia-Pacific (including Japan) in May last year, 2021.

Ransomware attacks have increased not only in frequency but also in sophistication over the past decade. More threat actors have entered this growing field, bringing innovation, creativity and more complex methodologies, ranging from ransomware-as-a-service (RaaS) to double extortion, because victims have shown they are prepared to pay more.

More than 50% of organisations in Asia-Pacific that suffered a ransomware attack paid the ransom, and 90% of those that paid suffered a second attack, from either the same threat actor or a different one. In other words, paying may look like an easy way out, but it does not pay to pay.

Ransomware is a well-known problem, and there has been significant progress in preventing these attacks. But as attacks become more sophisticated, businesses need to understand how ransomware has evolved in order to protect themselves from the next wave.

1989: The first ransomware attack

The first documented case of ransomware emerged in 1989, when 20,000 floppy disks carrying a Trojan horse were mailed to people who had attended the World Health Organization’s International AIDS Conference in Stockholm. Once the program had run on a computer, it hid directories, encrypted file names and told victims they could only restore access to their files by paying a ransom.

2000 to 2019: The introduction of modern ransomware variants – ‘big game hunting’ and ‘double extortion’

Cybercriminals flourished by constantly finding new ways into networks. Almost 20 years later, the first “locker” ransomware variants appeared on the threat landscape. These early versions targeted users in Russia by locking victims’ machines and blocking basic functions such as the keyboard and mouse. After displaying an adult image on the infected computer, the ransomware instructed the victim to call a premium-rate phone number or send a premium-rate text message to meet the attackers’ ransom demand.

A few years later, a new ransomware threat called “CryptoLocker” was discovered. It encrypted victims’ documents, spreadsheets, images and other files on Windows computers before displaying its ransom note. Attacks involving CryptoLocker became increasingly prevalent in the years that followed, with the US Federal Bureau of Investigation (FBI) estimating that victims had paid US$27 million to CryptoLocker’s operators by the end of 2015.

By 2018, the FBI observed a decline in indiscriminate ransomware attacks. Its analysts saw those campaigns give way to operations targeting businesses, in particular, state and local governments, healthcare entities, industrial companies and transport organisations.

Many ransomware groups made this shift to targeting large organisations so that they could encrypt high value data, undermine victims’ operations and, thereby, demand an even higher ransom payment. 

Cybereason’s 2021 global research report, Ransomware: The True Cost to Business, mentions some of the impact these attacks can have on organisations, including:

Loss of business revenue: 66% of organisations reported significant loss of revenue following a ransomware attack

Brand and reputation damage: 53% of organisations indicated that their brand and reputation were damaged because of a successful attack

C-level talent loss: 32% of organisations reported losing C-level talent as a direct result of ransomware attacks

Employee layoffs: 29% reported being forced to lay off employees due to financial pressures following a ransomware attack

By 2019, ransomware groups had begun to embrace “double extortion”: before encrypting anything, they steal a copy of the victim’s data, then demand two ransom payments, one for the decryption key and another for a promise to delete the stolen data from the attackers’ servers rather than publish it.

This gave them an edge over organisations with a sound backup strategy. Backups let a victim restore encrypted systems, but they do nothing about data that has already left the network, so the threat of publication remains even when the encryption is fully reversed.

The rise of sophisticated RansomOps

Today, ransomware has evolved into RansomOps attacks, which are more akin to stealthy advanced persistent threat (APT) operations than the old “spray and pray” mass email spam campaigns.

The work is divided among specialists. Initial Access Brokers (IABs) compromise a network and sell that foothold; the affiliate who buys it lays the groundwork for the attack by escalating privileges, harvesting credentials and moving laterally to maximise the potential impact; and the RaaS operators provide the malware and attack infrastructure to those affiliates in return for a share of the ransom.

This level of compromise lets RansomOps attackers demand even bigger ransoms, and RansomOps commonly layer several extortion techniques, such as the double extortion tactic discussed above.

Defending against ransomware and RansomOps

It is possible for organisations to defend against ransomware and RansomOps from the earliest stages of an attack. Remember, the actual ransomware payload is at the very tail end of a RansomOps attack, so there are weeks or even months of detectable activity prior to the payload delivery where an attack can be thwarted before there is any serious impact on the targeted organisation.

The key to ending ransomware attacks is to minimise the time between the moment a RansomOps intrusion first enters your environment and the moment the security team detects and ends it. This cannot be achieved with dated technologies that depend on threat intelligence derived from commodity or otherwise “known” attacks, because a targeted operation rarely reuses the file hashes and infrastructure that such intelligence is built on. Business leaders, therefore, must start by identifying potential gaps in their networks and solidifying the environment with the right technology.

Many organisations have opted for solutions that detect unique and highly targeted attacks from more subtle behavioural signals, such as the privilege escalation and lateral movement that precede the payload, so that these attacks surface earlier in the kill chain. As these solutions prove more effective than their predecessors, it will be interesting to see how attackers adapt and continue to evolve their tools and tactics to compensate.
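To make the idea of behaviour-based detection concrete, the following is an added example written for this article; it is not Cybereason product code or any part of the original piece. It scans endpoint telemetry for the kind of pre-payload RansomOps behaviour described above (shadow-copy deletion, disabling Windows recovery, remote execution via WMIC, domain-admin reconnaissance, and bursts of file renames that change the extension) without relying on any known file hash or malware family. The log lines are constructed for illustration, and their layout (timestamp, host, user, event type, detail) is an assumed toy format rather than any real product's schema.

```python
"""Toy behavioural detector for RansomOps precursor activity (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry. Assumed layout (not a real product format):
#   <ISO timestamp> <host> <user> <event_type> <detail>
# WS-14 shows hands-on-keyboard precursor activity, FS-01 shows the start of
# encryption, and WS-07 is ordinary user activity that should not be flagged.
SAMPLE_LOG = """\
2024-04-16T09:01:05 WS-14 jlee process cmd.exe /c whoami /groups
2024-04-16T09:03:40 WS-14 jlee process net.exe group "Domain Admins" /domain
2024-04-16T09:10:12 WS-14 jlee process vssadmin.exe delete shadows /all /quiet
2024-04-16T09:10:13 WS-14 jlee process bcdedit.exe /set {default} recoveryenabled No
2024-04-16T09:11:02 WS-14 jlee process wmic.exe /node:"FS-01" process call create "cmd.exe /c start.bat"
2024-04-16T10:30:00 WS-07 mwong process outlook.exe
2024-04-16T10:31:00 WS-07 mwong file_rename C:\\Users\\mwong\\draft.docx -> C:\\Users\\mwong\\final.docx
""" + "".join(
    f"2024-04-16T09:12:{i:02d} FS-01 jlee file_rename "
    f"C:\\share\\doc{i}.xlsx -> C:\\share\\doc{i}.xlsx.locked\n"
    for i in range(40)
)

# Behavioural precursors, matched on process command lines. None of these
# depend on a hash, a domain or a malware name.
PRECURSORS = [
    ("shadow_copy_deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("recovery_disabled",
     re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I)),
    ("remote_execution",
     re.compile(r"wmic(\.exe)?\s+/node:|psexec", re.I)),
    ("domain_admin_recon",
     re.compile(r"net(\.exe)?\s+group\s+\"?domain admins\"?", re.I)),
]


def parse(log_text):
    """Yield (timestamp, host, user, event_type, detail) for each non-empty line."""
    for raw in log_text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        ts, host, user, event, detail = raw.split(" ", 4)
        yield datetime.fromisoformat(ts), host, user, event, detail


def _ext(path):
    """Lower-cased file extension of a Windows or POSIX path ('' if none)."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def analyse(log_text, rename_threshold=20, rename_window=timedelta(seconds=60)):
    """Return {host: sorted list of behavioural findings} for the given telemetry."""
    findings = defaultdict(set)
    rename_times = defaultdict(list)
    for ts, host, _user, event, detail in parse(log_text):
        if event == "process":
            for name, pattern in PRECURSORS:
                if pattern.search(detail):
                    findings[host].add(name)
        elif event == "file_rename" and " -> " in detail:
            old, new = detail.split(" -> ", 1)
            # Renames that change the extension are what encryption looks like;
            # an ordinary draft.docx -> final.docx rename is ignored.
            if _ext(old) != _ext(new):
                rename_times[host].append(ts)
    # Sliding window: >= rename_threshold extension-changing renames within
    # rename_window on one host is treated as an encryption burst.
    for host, stamps in rename_times.items():
        stamps.sort()
        left = 0
        for right, ts in enumerate(stamps):
            while ts - stamps[left] > rename_window:
                left += 1
            if right - left + 1 >= rename_threshold:
                findings[host].add("mass_rename")
                break
    return {host: sorted(names) for host, names in findings.items()}


def flagged_hosts(log_text):
    """Hosts worth an analyst's attention: an encryption burst, or two or more precursors."""
    return sorted(host for host, names in analyse(log_text).items()
                  if "mass_rename" in names or len(names) >= 2)


if __name__ == "__main__":
    for host, names in analyse(SAMPLE_LOG).items():
        print(host, ", ".join(names))
    print("flagged:", flagged_hosts(SAMPLE_LOG))
```

On the sample, WS-14 is flagged several minutes before any file is touched, which is the window the article argues defenders should be acting in; FS-01 is flagged on the first burst of renames, and WS-07's single legitimate rename produces nothing. In production the same logic would run over EDR process and file events rather than a string, and the thresholds would be tuned per environment, but the principle is unchanged: alert on what the operator does, not on which binary they used.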

When it comes to ransomware, every second counts. The reality is that cyberattacks are increasing, and the impact of each attack is growing. 

However, a Gartner study found that chief information officers intend to increase cybersecurity investments in 2022, which means organisations are moving in the right direction to prioritise cybersecurity and data protection, putting them in a better position to defend and respond effectively to ransomware attacks. 


Eric Nagel is general manager for Asia-Pacific at Cybereason, an extended detection and response (XDR) company that partners with defenders to end attacks at the endpoint, in the cloud and across the entire enterprise ecosystem
