Fatigue has overtaken the planet in 2021. Across the globe, lifestyle hopes for the year after an unrecognizable 2020 have been tempered, if not abandoned entirely, as flashes of life pop up only sporadically. But among those moments of familiarity and optimism, that fatigue has hit everyone to some degree: everyone, that is, besides the authors, sponsors, practitioners, affiliates, and buyers of ransomware. For them, 2021 has been exceedingly good so far, and it looks like the rest of the year will keep them active and energized.
The Year So Far
Whichever report, statistic, study or survey examining ransomware you come across, its success rate, as judged by either breached systems or ransom payments made, has continued on its upward trajectory over the past five years, even beyond the high watermark of 2020. Tragically, in this case, success breeds success. Every good year for ransomware offers encouragement, and the massive shift to working from home last year proved awfully encouraging.
Unprepared security teams, shortages of company laptops and mobile devices, reliance on employees' personal computers, tablets, and mobile phones, and remote access from all of those to corporate networks and devices through home and coffee shop WiFi hot spots created an environment ripe for ransomware success.
The collective knowledge of cyber security experts has accelerated but inevitably lags behind the infinite pathways and clever tools that those who develop ransomware imagine. And amidst the chaos and repeated waves of lockdowns, easing of restrictions, and alternating work from home and short-lived office stints, the burden on IT administrators and security experts throughout the year so far has taxed their ability to predict and prepare for the imaginations of criminals.
What’s Been Happening
Ransoms will most likely be paid by those entities that find payment less expensive than the losses from inaccessible systems, from IP having been stolen and exposed, from customer claims after personal data has been breached, or from remediation and recovery time taken and costs charged by security firms. Effectively, any firm that would face a degree of urgency or desperation in the event of data loss would potentially pay. That leaves a huge pool of potential payers.
That urgency and desperation have been leveraged throughout the pandemic. Healthcare, preoccupied with crowded facilities and short-staffed, has been successfully targeted, as have schools where IT resources have all been shifted to supporting students and staff for remote learning. Similarly, governments have had to impose a work from home policy for their own employees while enforcing lockdowns and other restrictions on commercial firms. That’s left them both vulnerable and desperate enough. Of course, the financial sector remains a prime target, given such a massive attack surface and the vital importance of system stability and no downtime.
In particular, 2021 has seen attackers move upstream. Rather than go after just the end-users, those launching ransomware have found additional motivation and vulnerabilities among those entities with a broad network of downstream users, whether that’s critical infrastructure or large software developers. Attacks against Kaseya, the Colonial Pipeline, and a water treatment facility in Oldsmar, Florida all revealed the skill of attackers in ramping up the desperation of their ransomware victims. Added to that, the more recent trend of attackers going after managed security service providers that protect multiple customers is alarming.
With cyber-criminals always picking on the weakest link, those working from home remain the broadest target, especially those who continue to use personal devices. Attacks against mobile devices have become more prevalent while the delivery of ransomware through email continues apace. Email remains the most pervasive method of corporate communication, and users and security specialists alike can’t filter out everything malicious through human awareness or technical means.
The Rest of 2021
It’s too cliché to draw the parallel between ransomware and our real-world virus. But it so accurately explains why ransomware will remain both widespread globally and ridiculously profitable: everybody can fall victim while nobody believes they actually will. That mindset keeps IT security as a cost center that receives budget allocations based on either industry standards or minimums for compliance. Moreover, a continued lack of coordinated, cross-border information sharing, investigation, and prosecution of attackers offers relatively free rein to them.
By now, the notion of training users to thwart collective skill and knowledge has been proven unsound in every way. Fortunately, strong digital countermeasures, such as zero trust networks, application allow-listing, and endpoint encryption, have gained traction. The more that security experts invent and rely on technical solutions that allow their users to simply do their work amidst a dangerous realm of motivated hackers, the better the chance that the remainder of this year and beyond could see a downward trend in malware successes, even if our collective fatigue takes a bit longer to fade away.