First, they locked up company systems. Then they shut down websites and leaked trade secrets and sensitive customer data. Today, they’re even calling employees and business partners to harass and extort them.
Ransomware gangs have become a serious threat to companies’ operations and the welfare of their customers. Criminals are targeting businesses big and small, resulting in billions of dollars in losses; the cost of rebuilding IT systems—and company reputations—often exceeds the ransoms paid. Damages are primed to rise as criminals demand larger payouts and more businesses comply, even though that’s no guarantee that their data will be recovered or secured.
This crime wave might never have crested if it weren’t for cryptocurrency. Cryptocurrency buffs say that the ease and privacy of cryptocurrency transactions will usher in a new era of frictionless global finance. But in the meantime, criminals have found much to like about cryptocurrency, too.
Traded on a decentralized ledger, cryptocurrency makes fraudulent transactions virtually impossible to unwind, says Chester Wisniewski, principal research scientist at leading global cybersecurity firm Sophos. Identifying the anonymous parties in a cryptocurrency transaction is, likewise, extremely difficult. And ill-gotten gains can be transferred across borders quickly and easily without detection.
“You couldn’t design something more custom-tailored to facilitate crime than cryptocurrency,” says Wisniewski.
Cryptocurrency’s role in the evolution of the ransomware industry
Ransomware 1.0 was carried out by dispersed gangs that concocted their own software and used distinctive methods that made it easier to identify who they were. Today, ransomware is an industry, with ransomware specialists leasing their products to cyberattackers. “Ransomware-as-a-Service” has helped attackers obtain tools to penetrate even well-defended networks, according to the Sophos 2022 Threat Report.
Cryptocurrency has played a vital role in the growth of the ransomware ecosystem. Criminals can transfer funds anonymously among themselves by using newer currencies like Monero, rather than Bitcoin.
“The smart criminal prefers that no one knows their true identity—not even other criminals,” Wisniewski says. “You never know who has been turned by law enforcement, or who is posing as someone else.” Recent criminal investigations have been stymied because suspects can’t identify their cohorts, he adds.
Cryptocurrency’s disconnection from the traditional banking system has also stalled investigations. Most cryptocurrency exchanges that convert digital currency into cash have not been complying with anti-money laundering (AML) laws, according to a recent report from the Institute for Security and Technology. Financial policy experts say stronger regulation can turn the tide. Last September, the Biden administration sanctioned a cryptocurrency exchange that U.S. officials say has allowed ransomware activity to flourish.
With cryptocurrency facilitating the ransom process, businesses must detect attackers earlier in the game—before their files are stolen or encrypted.
How threat hunting can prevent ransomware attacks
Today’s ransomware gangs aren’t just relying on automated attacks—the worms, bots and viruses that can be stopped with updated security software. Instead, they’re taking a hybrid approach, using automation to find the best angle of attack, then bringing in people to penetrate and explore the network. The human hackers often lurk there for months—long enough to locate a company’s most sensitive or valuable data to hold for ransom.
The best defense, known as threat hunting, also takes a hybrid approach. Security systems use automation to detect and neutralize countless threats each day but can’t always discern which threats are precursors to a serious attack. Threat hunters understand the latest techniques employed by the most sophisticated criminal gangs. They sift through data to find precursors and patterns, then locate and lock out the criminals. Threat hunters can also be effective in identifying and patching vulnerabilities.
“When something knocks over a flowerpot, do you write it off as just the wind, or do you investigate?” asks Wisniewski. “The organizations that monitor their networks carefully and investigate alerts are the ones that can detect criminals early enough to prevent damage.”
Threat hunting may finally be making a dent in ransomware attacks. Two years ago, 24% of organizations surveyed by Sophos said they were able to stop an attack before it culminated in encryption. In Sophos’ most recent survey, that number increased to 39%.
Remote-access systems have become a big vulnerability for companies during the pandemic, Wisniewski notes, and these should be secured with multi-factor authentication. If criminals do penetrate a network, their reach should be contained by dividing the network into separate zones, a practice known as segmentation. This can be achieved by installing firewalls or implementing zero-trust security, which requires continuous validation of network users.
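As an added illustration of the threat-hunting and remote-access points above (this is example code written for this page, not code from the article or from Sophos), the Python script below sweeps a small set of constructed VPN login log lines for two precursor patterns a hunter would investigate rather than write off as "the wind": a burst of failed logins from one source address followed by a success, and successful remote-access logins that completed without multi-factor authentication. The log format, the field names, the threshold and window values, and the sample lines are all assumptions made for the example.

```python
"""Threat-hunting sweep over remote-access login logs.

Added example for this page; not the article's or Sophos' code. The log
format, thresholds and sample lines below are constructed assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed log format: "<iso-ts> vpn login user=<u> src=<ip> result=OK|FAIL mfa=yes|no"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn login user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>OK|FAIL) mfa=(?P<mfa>yes|no)$"
)

# Constructed sample log: one source guesses five accounts in a few seconds,
# then gets in without MFA; the later entries are ordinary, MFA-protected logins.
SAMPLE_LOG = """\
2024-03-01T02:10:01Z vpn login user=alice src=203.0.113.5 result=FAIL mfa=no
2024-03-01T02:10:03Z vpn login user=alice src=203.0.113.5 result=FAIL mfa=no
2024-03-01T02:10:05Z vpn login user=bob src=203.0.113.5 result=FAIL mfa=no
2024-03-01T02:10:08Z vpn login user=carol src=203.0.113.5 result=FAIL mfa=no
2024-03-01T02:10:11Z vpn login user=dave src=203.0.113.5 result=FAIL mfa=no
2024-03-01T02:10:14Z vpn login user=dave src=203.0.113.5 result=OK mfa=no
2024-03-01T08:00:00Z vpn login user=erin src=198.51.100.7 result=OK mfa=yes
2024-03-01T08:05:00Z vpn login user=frank src=198.51.100.9 result=FAIL mfa=no
2024-03-01T08:05:30Z vpn login user=frank src=198.51.100.9 result=OK mfa=yes
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not
    match the assumed format (so unrelated log noise is skipped, not crashed on)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc
    )
    return event


def hunt(log_text, fail_threshold=5, window=timedelta(minutes=10)):
    """Return a list of findings worth an analyst's attention.

    guessing_then_success: at least `fail_threshold` failures from one source
        within `window`, followed by a successful login from that source.
    success_without_mfa:   any successful remote login that skipped MFA.
    """
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])

    recent_fails = defaultdict(deque)  # src ip -> timestamps of recent failures
    findings = []
    for e in events:
        fails = recent_fails[e["src"]]
        # Drop failures that fell out of the sliding window.
        while fails and e["ts"] - fails[0] > window:
            fails.popleft()

        if e["result"] == "FAIL":
            fails.append(e["ts"])
            continue

        # From here on the event is a successful login.
        if len(fails) >= fail_threshold:
            findings.append({
                "kind": "guessing_then_success", "src": e["src"],
                "user": e["user"], "ts": e["ts"], "failures": len(fails),
            })
            fails.clear()  # report the burst once, not on every later success
        if e["mfa"] == "no":
            findings.append({
                "kind": "success_without_mfa", "src": e["src"],
                "user": e["user"], "ts": e["ts"],
            })
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f['ts'].isoformat()} {f['kind']} src={f['src']} user={f['user']}")
```

Run as-is, the script reports two findings, both for the 203.0.113.5 source: the burst of failures ending in a successful login, and that the successful login itself bypassed MFA. The window and threshold are deliberately parameters, since the right values depend on how busy a given VPN is; the point is that the alert is a prompt to investigate, not a verdict.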
Invest in defense instead of paying ransoms
As attackers grow in sophistication, IT departments can face a serious shortage of cybersecurity professionals. For large organizations with in-house security pros, keeping ahead of ransomware requires extensive and frequent training, Wisniewski says. Many smaller organizations don’t have any security specialists, and they need help from external vendors experienced in battling bad actors across the threat landscape. Threat hunting can be done by external experts aided by machine learning and advanced analytics.
“If you’re buying cryptocurrency for ransoms, I suggest you invest it instead in defending yourself,” says Wisniewski. “It’s not that hard if you put your mind to it and engage with people who understand the problem. And it’s far cheaper than having an incident—even if you pay the ransom.”