There are very few technology companies that successfully pivot their business strategy to adapt to a macro paradigm shift. A classic case study in adapting to changing market conditions is the Netflix video streaming service. Home video rentals evolved from local mom-and-pop video rental stores, to chains like Blockbuster and Hollywood Video, to DVDs-by-mail from Netflix, and finally to digital streaming. Today there are scores of streaming services, but of all of them, Netflix was the only one to successfully pivot from physical discs to digital streaming. It took incredible vision and, based on the company’s market cap, it was clearly the right move at the right time.
Malware has undergone an evolution similar to that of video rental services. Programmers created the first viruses and worms primarily motivated by academic reasons or bragging rights. There was very little financial incentive to attack systems other than to cause mayhem. State-level hacking was always driven by espionage and sabotage. Credit card theft involved too much risk for those trying to sell the card numbers and eventually cashing out. The financial motivation for hacking did not explode until the dawn of ransomware.
Around 2015, a new strain of malware began to rear its ugly head when people's files started getting encrypted, leaving only a direct message behind: pay us a fee or your data is gone forever. There was a particular attraction to this attack method over stealing credit card numbers. The hackers would receive direct payments, often in the form of untraceable cryptocurrency like Bitcoin, in exchange for the decryption key. This model cut out the middleman and also instilled urgency in the victim to pay. The ransom demand would often increase significantly after a specified period and the attackers would delete the decryption key after too much time had passed, rendering the files permanently unrecoverable.
Holding files hostage in exchange for money worked surprisingly well for several years. In 2019, over 100 cities and municipalities got hit with ransomware, resulting in hundreds of millions of dollars paid out in ransom. However, in the never-ending cat-and-mouse game between security researchers and hackers, the ransomware attacks are only getting worse; they never get better. New requirements for organizations to get cybersecurity insurance, improve user-awareness training, and enhance security controls make it more difficult for ransomware gangs to infect organizations and extract ransom payments. In a brilliant business decision, ransomware gangs decided to change tactics and not only encrypt a victim organization's files but also steal the data and threaten to expose it.
Stealing the data before encrypting it pressures organizations to pay the ransom and pay higher amounts, but it also serves as an insurance policy with which to embarrass or expose organizations that chose not to pay. There have been several high-profile breaches in which the organizations decided not to pay the ransom demand and instead were able to recover their systems from recent backups. That did not prevent the attackers from releasing highly confidential information from their high-profile victims. The attackers’ hope is that the next victim will pay the ransom rather than suffer the loss of business reputation that results from a data breach.
This past summer, the first known instance surfaced of an organization successfully stopping a ransomware attack, but still having to pay the ransom. On a statement posted to its website, the company admitted that unknown attackers breached its systems and the attackers attempted to execute a ransomware attack. Security controls and a robust incident response plan stopped the ransomware before it could run. This would typically be a happy ending to an IT security story. Still, the company’s disclosure explains that the attackers first exfiltrated customer data from its servers before attempting to launch the ransomware attack. The robust security controls and incident response plans worked brilliantly to detect and block the ransomware attack but were powerless to stop the data theft. As a result, the company paid the attackers an unspecified ransom in exchange for promising to destroy the data and refrain from selling it.
Mike Tyson famously said that everyone has a brilliant plan until they get punched in the face. The company in this case had planned for the inevitable ransomware attack against its network, but it failed to realize that it would still be on the hook to pay a ransom to prevent the exposure of any data stolen in the attack.
Because today’s ransomware attacks are uniquely crafted for each target, every business targeted with ransomware effectively becomes a new patient zero. Sandboxing approaches that do not operate inline are becoming increasingly useless. That first new unknown file will always be missed, and the typical sandbox can’t hold it for proper analysis.
When considering options to improve your ransomware protection, look to an inline proxy approach to sandboxing: Zscaler Cloud Sandbox. A proxy allows security teams to apply game-changing “quarantine” to inbound unknown files. These new unknown files can be held and fully analyzed before delivery, a vast improvement over traditional sandbox “passthrough” approaches that allow the first file to reach its target and create the dreaded patient-zero. It’s also vital that you perform full SSL inspection on ALL your traffic, so threats have nowhere to hide. Packaging all this up in a cloud-delivered platform guarantees that you can scale SSL inspection without capacity limitations and follow users on and off the network for airtight coverage.
Chris Louie, CISSP, is a sales engineer at Zscaler