Deceptions Everywhere

Insights on threat and cyber risk trends, use cases for deception technology and strategies for combatting targeted attacks

Why Are Ransomware Attacks Still Happening?

Here we go again: this past Thursday, officials from three US federal agencies issued a statement warning about an “imminent cybercrime threat to US hospitals and healthcare providers.” The threat in question comes from a Russia-based cybercriminal gang preparing to disrupt information technology systems at hundreds of hospitals and medical care facilities all over the US with ransomware. The attackers will make devices on the hospital networks unusable unless a sizable payoff is made, and indeed, at least five US hospitals already seem to be under attack. With patient populations surging in the wake of another wave of coronavirus cases and a presidential election on the horizon, the imminent threat could prove catastrophic without the proper security measures to fight back.

It goes without saying that this ransomware is not like the attacks of yore. The “spray and pay” method of scattering ransomware all over the internet and hoping to hit paydirt through the numbers game has given way to highly targeted strains pointed at specific victims. Advanced Ransomware Threats (ARTs) are more like the Advanced Persistent Threats (APTs) attacking organizations with tailored tools, aimed strategically at individual organizations with precise vulnerabilities. The evolution of ransomware is similar to the way that phishing evolved from mass-produced emails with spelling mistakes intended for whoever got fooled to single messages crafted over months to sound exactly like the writing of a certain C-suite executive. In both cases, the attacks rely on significant dwell time and lateral movement to reach well-guarded, high-value assets.

Organizations without proper ART protection have no choice but to pay the ransom to avoid further disruptions to their business. In many cases, attackers using ransomware are looking for the same intellectual property or user account data as in an APT attack, and the end effect if the ransom goes unpaid is the same as a data breach that an APT enables. In the case of hospitals, this can be a matter of life and death; to cite just one example, a woman in a German hospital passed away last year after being turned away at another hospital in a different city that had been incapacitated by a cyberattack.

Ransomware Is on the Rise


Despite all the myriad solutions deployed by organizations to defend against cyberthreats, ransomware is increasing at a rapid rate. Ransomware attacks have risen over 700% over the past year, exacerbated by the massive shift to working from home that occurred in the wake of the coronavirus pandemic. Employees who once toiled safely behind the office firewall now find themselves patching together workstations from home, using personal devices for work, and conducting more business over email. Each of these remote working aspects expands the attack surface, giving opportunistic attackers more potential vulnerabilities in which to insert a ransomware campaign. The results are expensive whether the ransom is paid or not; according to IBM’s 2020 Cost of a Data Breach report, the average ransomware attack costs an organization over US$4 million.

There is an additional fundamental weakness underpinning the rise of ransomware as attackers’ chosen tactic in the aftermath of the remote work explosion: cybersecurity’s overreliance on behavioral-based threat detection. Let’s face it – precisely nobody is following the same work and personal routine that they were pre-pandemic, and attackers know it. All the baselines created with years of user activity patterns factored in to detect and flag anomalies went haywire in the first few months of 2020. As countries toggle between lockdowns and attempts at the pre-virus status quo, the new normal is that there is no such thing as normal behavior anymore. Without a baseline to compare anomalies with, threat detection based on activity monitoring is generating even more false positives than usual, leading to more wasted investigation time. It’s possible that the ransomware attacks successfully locking employees out of their workstations set off a few alerts on their way to encrypting devices, but when an alert can only tell you the probability that an attack might be taking place, how do you know which alerts truly matter?

It’s Time to Make Threat Detection Deterministic


Pattern or behavioral recognition is no longer enough to stop threats like ARTs, not when rapid change throws the calibration out of whack. When an alert goes off, it needs to mean an attack is truly happening 100% of the time, or it will start causing alert fatigue that leads to real attacks getting lost in the noise.

Illusive Networks, founded by former nation-state attackers, uses that battle-won experience to think like an attacker on defense. Today’s advanced ransomware, like any other APT, must move laterally through the network to successfully encrypt workstations and sensitive servers. It is through disrupting that lateral movement that ransomware can be detected with high fidelity and stopped before serious damage occurs.

The three-pronged Illusive approach to paralyzing advanced ransomware is as follows:
  • Identifying and eliminating extraneous pathways that should not exist but arise from legitimate connectivity between devices, such as Shadow Admins or RDP sessions that were never closed. This denies ransomware the easiest and most traveled lateral movement avenues that evade security agents and allow ransomware to spread unimpeded.
  • Replacing those extraneous lateral movement pathways with customized deceptive stories that appear authentic to threat actors. In that way, ransomware propagators launch their attacks on deceptive hosts instead of production hosts and are instantly identified when they do so.
  • Diverting ransomware that attempts to encrypt a production host with deceptive data contained on that host. This sends an alert to the organization so they can block the malicious activity on the device before it is encrypted and before the ransomware can spread to other hosts.
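
The detection logic behind the second and third prongs, sketched as an added example (not Illusive's implementation or code from this post): any event that references a planted decoy is an alert by definition, and the source host's other connections give the scope to review. The decoy names, host names and event layout are constructed assumptions.

```python
from collections import defaultdict

# Constructed decoy inventory (all names are assumptions). These objects exist
# only as deceptions, so nothing legitimate ever references them.
DECOYS = {
    "account": {"svc-backup-adm"},
    "host": {"filesrv-07"},
    "path": {r"c:\users\public\finance\q3-payroll.xlsx"},
}

# Constructed sample events: (source host, account, target host, file path).
EVENTS = [
    ("WS-112", "jsmith", "MAIL-01", None),
    ("WS-045", "svc-backup-adm", "DC-02", None),      # decoy credential used
    ("WS-045", "mlee", "APP-03", None),
    ("WS-045", "mlee", "FILESRV-07", None),           # decoy host contacted
    ("WS-230", "akhan", "WS-230", r"C:\Users\Public\Finance\q3-payroll.xlsx"),
    ("WS-112", "jsmith", "FILESRV-01", None),
]

def norm(value):
    """Windows account, host and path names compare case-insensitively."""
    return (value or "").casefold()

def decoy_hits(event):
    """Return every (kind, name) decoy that one event references."""
    _, account, target, path = event
    fields = (("account", account), ("host", target), ("path", path))
    return [(kind, norm(v)) for kind, v in fields if norm(v) in DECOYS[kind]]

def triage(events):
    """Map each source host that touched a decoy to the decoys it hit and to
    the production hosts it also reached, which bound the review scope."""
    alerts = defaultdict(lambda: {"decoys": [], "also_reached": set()})
    for event in events:
        hits = decoy_hits(event)
        if hits:
            alerts[event[0]]["decoys"].extend(hits)
    for src, _, target, _ in events:
        if src in alerts and target != src and norm(target) not in DECOYS["host"]:
            alerts[src]["also_reached"].add(target)
    return dict(alerts)

if __name__ == "__main__":
    for host, info in triage(EVENTS).items():
        print(host, info["decoys"], sorted(info["also_reached"]))
```

Because the match is exact set membership rather than a score against a behavioral baseline, the benign activity from WS-112 produces no alert however unusual its pattern looks.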

It remains to be seen how many US hospitals ultimately get affected by the latest wave of ransomware attacks government agencies are warning about. However, the best offense against such threats is an active defense that can truly tell organizations with 100% accuracy when an attack has been detected.
