Five Reasons Why Ransomware Still Reigns

Originally published by CXO REvolutionaries.

Written by Ben Corll, CISO in Residence, Zscaler.

Ransomware – malicious software that encrypts data until a ransom is paid for its return or is leaked without its owner's consent – remains a persistent threat despite ongoing efforts to combat it. Even with the billions of dollars spent to defend against it, it remains a lucrative business for attackers. The Zscaler threat research team ThreatLabz tracked a nearly 40 percent rise in ransomware incidents in its 2023 report.

While cybersecurity solutions are constantly evolving, a confluence of stubborn factors continues to hamper defenses against these expensive and destructive attacks.

Let's delve into five key reasons why ransomware still holds an unfair advantage and what you can do to help protect your organization.

1. Outdated legacy technologies

Many organizations, particularly smaller businesses, continue to rely on outdated software and operating systems for their cybersecurity. These systems often lack the robust features and regular updates found in their modern counterparts to shore up vulnerabilities, making them prime targets for attackers. Prompt patching is crucial, yet many organizations struggle to keep up with the constant flow of security updates, leaving them susceptible to known exploits. Even large organizations struggle to consistently deploy protections, which leave them vulnerable too.

The fix: Regularly updating software and operating systems with the latest security patches is square one. When planning for an app refresh or upgrade, consider how important any newly added advanced security features should impact priority and timeline. Also, ask yourself if the application or system is still needed. If not, remove or decommission that service or application. If a patch isn’t available, are there other remediation steps that can be taken to provide mitigating controls or to bring the risk to an acceptable level? If a patch is available and appropriate, by all means, implement it.

2. The local network loophole

Ransomware doesn't require an internet connection to spread. Once a device on a network is infected, the malware can easily jump to other connected devices, potentially paralyzing an entire organization. This "lateral movement" capability highlights the importance of network segmentation, where internal networks are divided into smaller, isolated portions to limit the potential spread of infections. However, implementing and maintaining network segmentation can be complex and resource-intensive, deterring some organizations from taking this crucial security measure.

The fix: Implement security measures to limit the lateral movement of malware within a network. While you can use traditional network segmentation and micro-segmentation, it is an uphill battle to keep it current. Zero-trust-based application segmentation entails dynamic adjustments for precise access control. This approach also contains an attack’s blast radius and applies uniform security protocols across IT environments.

3. The security vs. user experience balancing act

Businesses often prioritize user experience and ease of access over robust security measures (despite regulators’ best efforts). This could mean allowing unrestricted access to external drives or implementing weak password policies. While these practices may be convenient for users, they also create exploitable vulnerabilities that attackers can leverage. Striking the right balance between security and user experience is a constant challenge, and organizations must carefully evaluate the trade-offs involved in implementing security measures.

From experience, users are willing to tolerate security protections and controls. In fact, they might make them feel more, well, secure. From a physical perspective, users are okay with gates, guards, cameras, and key cards to access physical premises. Yet, for some reason there is a pervasive misconception that users won’t tolerate digital security controls, or that an MFA-protected password will prove unacceptably cumbersome to users. This is where organizations give way to the user experience at the expense of security.

Unfortunately, this is a situation in which CISOs are likely to shoulder the blame when something inevitably does go wrong. Management may even fire the top security executive for failing to better "influence the business" or "institute a pervasive security culture."

The fix: No surprise here, but you always need to improve your security awareness training. Since potential threats keep evolving, regularly arm your users with the best practices for safe online behavior. Share public examples of unfortunate successful attacks that are carried out through channels such as video, phone, SMS, and email, as well as how they could be avoided. Explain lessons from inside your own organization. This makes learning relevant close-to-home. In turn, users will better appreciate the importance of guarails already in place.

4. Improper deployment or configuration

CISOs aren’t solely responsible for the effectiveness of the tools they use. There are times when the people, products, and technologies are seemingly all in place. Yet, if products are not adequately configured or improperly deployed, they can fail to issue alerts (false negatives) or issue excessive alerts to the point where they are commonly ignored (false positives). Security solutions can also fail to perform for some other reason pertaining to their setup. Furthermore, believing protections are in place that actually are not can lure security teams into a false sense of security.

The fix: There are three ways to overcome the complexity of solution deployment configuration. First, ask how well your security teams are equipped to configure and deploy security tools effectively. If there’s room for improvement, invest in training so that your teams can minimize the risk of false negatives, false positives, and other performance issues. Second, regularly audit and assess your security tools and configurations. Put it in your calendar and don’t just imagine doing this someday. Third, set up monthly or quarterly syncs between your security teams, IT operations, and other relevant stakeholders and test your security solutions so that they’re working as expected to meet organizational goals.

5. Cybercriminals are increasingly savvy

Contrary to the image of a lone hacker in a dark basement, today's cybercriminals often operate as complex and sophisticated cells. They have dedicated teams specializing in different aspects of the attack, from initial infiltration to negotiation, and even customer support. This level of organization allows them to constantly refine their tactics and exploit vulnerabilities.

The fix: The “professionalization” of cybercrime is a disturbing trend. Anonymity, remoteness, technology, and low barriers to entry are attractive aspects drawing new recruits to the field. At the same time, more is being automated and more code is finding itself across the world and into cars, power grids, and other infrastructure, leading to more exploitable vulnerabilities. This potent combination calls for more protectors, budget, regulations, and tools to outsmart attackers from carrying out breaches with ransomware objectives.

Ultimately, ransomware continues to thrive when it finds its way into landscapes shaped by outdated technology, unpatched vulnerabilities, and the prioritization of user convenience over robust security. By acknowledging these factors and taking proactive steps to address them, organizations can significantly bolster their defenses against the ever-present threat of ransomware.