Ransomware is having a bit of a moment. Check Point revealed that ransomware attacks increased 102% globally in H1 2021 compared to the start of the previous year, with the number of corporate ransomware victims having doubled over that same period. Average ransom payments also grew 171% from $115,123 in 2019 to $312,493 a year later. But those weren’t the amounts originally demanded by attackers. Indeed, ransomware actors wanted an average of $847,344 from their victims in 2020. Some wanted as high as $30 million.
What’s Behind These Findings?
Gartner put it best when it stated the following: “The challenges of ransomware and other forms of malware are the ever-changing tactics and agendas of [malicious] hackers.”
Take the tactic of triple extortion as an example. Apparently, ransomware actors aren’t satisfied with doubly extorting their victims, once for a corresponding decryption key and the second time for the deletion of their stolen data. Why else would they decide to begin demanding payments from the customers, partners, and other third parties for their original victims?
Threatpost described one incident in which ransomware actors succeeded in infecting a Finnish psychotherapy clinic, for instance. The victim ultimately satisfied the attackers’ demands. Even so, that didn’t stop the ransomware actors from informing the clinic’s patients that they would publish their session notes unless they paid up.
The rise of double encryption also helps to explain ransomware’s growth. As noted by Wired, double encryption is a technique where attackers use more than one ransomware strain to affect a victim’s data. Sometimes, double-encryption may involve the use of what’s known as “side-by-side” encryption where the attackers split which systems and data they encrypt between two or more ransomware strains. Other times, it may involve “layered encryption” where the attackers deploy one ransomware strain and then layer other ransomware strains on top of it. Either way, double encryption makes it more difficult for victims to recover their data, and it emboldens attackers to demand more money in a ransomware incident.
FIM and SCM: The Keys to Ransomware Defense
Ransomware actors will always invent new tactics to maximize the profitability of their attacks. Acknowledging that reality, organizations need to defend themselves against the fundamental elements of a ransomware infection. The problem is that they might not know how.
That’s where Tripwire Enterprise comes in. Tripwire Enterprise protects organizations from ransomware using two fundamental security controls: file integrity monitoring and security configuration management. Let’s examine these below.
File Integrity Monitoring
Otherwise known as change monitoring, file integrity monitoring (FIM) is a technology that monitors for changes in files. Organizations can use this security control to monitor for unexpected changes that could be indicative of a digital attack. But that can backfire if their FIM solution reports on too many changes, doesn’t deliver any context around those changes, and doesn’t send over insight on why those changes elevate the levels of risk facing their systems.
Organizations need FIM capabilities that connect these and other dots of a digital attack. That’s especially the case in the event of a ransomware incident. Fortunately, Tripwire Enterprise does all this by detecting changes to files on the endpoints in real-time. It sees when the ransomware creates a new, encrypted file and deletes the original one, thus aiding in the identification of the files affected by the ransomware. It also enables organizations to set up automated alerts that provide crucial insight into what’s going on in their environment, thereby reducing time-to-detection and recovery efforts.
Security Configuration Management
In addition to monitoring their files for unexpected changes, organizations need to monitor the integrity of their products and systems using security configuration management. SCM begins with establishing a secure baseline for each of their assets. (If organizations don’t know where to start, they can look to trusted entities like the Center for Internet Security for standard secure baselines.) They can then watch for configuration drift, instances where an asset’s configuration drifts from a known secure baseline. If they spot such an instance, organizations can remediate the deviation and investigate whether it’s part of a larger security incident.
When it comes to SCM, Tripwire Enterprise’s detection of policy compliance failure can serve as an early warning sign that someone is tampering with server or application configurations. Such is often the case in the early stages of a ransomware attack. Tripwire Enterprise then helps organizations to correct the issue through remediation advice and automated remediation scripts.
Ransomware Defense Is Ransomware Prevention
Once ransomware has a hold on your systems, it’s often too late to undo the damage. That’s why putting focus on the prevention and rapid detection of ransomware is key to shrinking an organization’s attack surface. That way, attackers are unable to gain entry in the first place.
Tripwire Enterprise conducts continuous monitoring using SCM and FIM security controls to keep systems hardened against attacks and to quickly identify indicators of ransomware compromise before significant damage can occur. For more information about how Tripwire can help to defend your organization against ransomware, download this solution brief here.
