When cyberattacks are detected too late: 2021 could become the record year for ransomware-related transaction payments!
by Svenja Koch
In the US, ransomware payments totalling $590 million were reported for the first half of 2021 alone, according to Zeit.de. A report by the US Treasury Department puts this at 42 per cent more than the suspicious payments reported for the whole of 2020. If the trend continues, the "ransomware-related transaction value" for 2021 could exceed that of the previous ten years combined.
Defending against cyberattacks is one of the major challenges facing businesses and IT security. An essential aspect that is still neglected in many organisations is early attack detection. In many cases, far too much time passes before IT security notices the unauthorised activities of intruders in the company's own network: time that the attackers use to put their extortion Trojans in place and launch devastating data encryption.
Cyber attacks - no longer an unknown scenario for most companies
The times when many companies still believed that cyberattacks would only represent a secondary security risk for them are long gone. The reality is now quite different: Every company is a potential victim and especially organisations with gaps in IT security are popular targets for hackers.
Many companies in Germany have already experienced cyberattacks with extortion Trojans and other APTs (Advanced Persistent Threats). According to a study by the IT industry association Bitkom, nine out of ten companies were directly affected by a cyber attack by 2021. In the last two years, dangerous attacks with extortion Trojans and malware in general have increased - almost 50 percent of the companies stated that they had experienced such scenarios.
The consequences of attacks with ransomware and other cyberattacks discovered too late
When attackers gain access to third-party networks and operate there undetected, this poses an enormous threat to the affected companies. In the case of an advanced persistent threat, i.e. a complex and targeted attack, the hackers take a lot of time to prepare the actual attack. These preparations take days or even weeks. During this phase, the attackers spy out the network structure, expand their access to servers, platforms or systems and bring the ransomware into position. Only when the hackers have identified all the desired targets and compromised these areas of the network does the data encryption take place. It then overruns large parts of the network within a very short time, sometimes within seconds.
The Bitkom report shows that 86 percent of companies that have been victims of a cyberattack have suffered damage from such incidents. The financial damage from such attacks is growing ever faster. For 2020/21, Bitkom puts the damage to the German economy at almost 225 billion euros, double the figure for 2019. According to the companies affected, the damage is caused by theft, espionage and sabotage, i.e. also by ransomware. 29 percent of the attacks in 2021 are attributed to organised crime, a significant increase compared to 2017, when only seven percent of cyberattacks were attributed to organised crime.
The concrete consequences of such cyberattacks are devastating. Data encryption causes particularly high damage and long work stoppages. Depending on the proportion of affected systems, the entire production of an affected company sometimes comes to a standstill. Real-life cases in which the course of a cyberattack with an extortion Trojan was reconstructed clearly show the vulnerabilities and the danger. For example, the company Pilz from Ostfildern, which manufactures automation technology, fell victim to a ransomware attack in autumn 2019. The actual attack and data encryption began on a Sunday. IT security disconnected all IT systems from the network. For three weeks, the entire production was at a standstill, and it was only six weeks after the attack that normal everyday operations were largely restored. In the meantime, the company worked with paper and documented everything by hand, as no trustworthy IT systems were available. During the forensic investigation, the IT experts discovered that the hackers had already had access to the internal network for months and had reached all areas of the globally active company.
Companies thus struggle with the effects of such cyberattacks for a very long time. In its Cost of Cybercrime Study, the Ponemon Institute analysed how long it takes on average for companies to fully overcome the effects of various cyberattacks. The results show that it takes an average of 23.1 days for ransomware and 55.2 days for malicious code attacks. Recovery is significantly faster for attacks with malware (6.4 days on average) and botnets (2.5 days). This shows once again how dangerous extortion Trojans are and how long companies suffer from the after-effects.
On the trail of the intruders - this is how much time passes before IT security detects hackers in one's own network.
Theoretically, IT security has enough time to detect the activities of hackers in one's own network before they cause damage. As mentioned, days or even weeks pass before the actual cyberattack starts. However, in the absence of appropriate detection measures, IT security has no means of uncovering these attack preparations. Figuratively speaking, the IT security department finds itself unarmed in a battle and consequently has no chance of deciding it in its favour.
This is impressively demonstrated by the results of IBM Security's "Cost of a Data Breach" study from 2021. In this report, IBM puts the time that passes until a company's IT security identifies illegal activities by unauthorised persons at an average of 151 days. These 151 days give hackers time to exploit undisturbed access to an internal network, spy on the structures, obtain further passwords and finally carry out the attack with ransomware and data encryption.
Which cyber attacks remain undetected for a particularly long time?
There are significant differences in the detection rate as well as in the time that elapses until IT security identifies the various data breaches. In this context, the high number of unreported cases must also be mentioned. It is still common, especially in the area of industrial espionage, for data theft to go completely unnoticed. In some cases, hackers are active in company networks for months or even years without being detected and siphon off information. In the case of so-called Advanced Persistent Threats (APTs), the attackers stay hidden until their preparations for data encryption with the extortion Trojan are complete. The network is then often accessed via the Remote Desktop Protocol, for example. Conventional defence techniques notice such activities at most when the attackers fail in their login attempts. However, since they have obtained regular access to the network, for example through phishing or discovered IT security vulnerabilities, firewalls and other security tools do not flag these accesses as suspicious. For this reason, hackers have plenty of time in the network to prepare the attack with the extortion Trojan as well as the final data encryption.
These measures are essential for detecting cyberattacks more quickly
The central challenge in defending against attacks with ransomware and similar APTs is the early detection of the activities in the network. To do this, it is important to first learn about the attack techniques.
A cyber attack with ransomware is successful if the data encryption is as extensive as possible. The hackers therefore target all central servers, the data backup and a high number of workstations. This is the only way to effectively disrupt a company's operations and give the blackmail a chance to succeed. Such a cyber attack thus takes time and the attackers carry out some activities in the network after access has been gained. These activities can be found, for example, in logs of servers, operating systems or the Active Directory log. The challenge is to identify the activities of hackers among the thousands of entries that are constantly created.
This is where early attack detection comes in. This part of IT security focuses on the preventive defence against cyberattacks, and therefore on log data and the analysis of this information. There are now software solutions for this that are able to monitor the entire network, including all log files, in real time. If the system detects a potentially illegal action, a warning is issued. In addition to this software, companies need employees who are tasked with the targeted analysis of the warning messages. The best early warning system is ineffective if no one reacts quickly to the alerts. IT security receives an indication of the specific action and then checks the corresponding log entry or entries. In this way, it is possible to find out from which IP the action originated and whether an employee of the company or an external attacker is behind it. Countermeasures can then be initiated immediately.
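As an added illustration of the log analysis described above (and of the RDP access mentioned earlier), not code from the original article or from any product it names: the rule below reads constructed logon events in a simplified format and flags an account that opens RDP sessions on many distinct hosts within a short window, the kind of successful-logon pattern that a failed-login rule never sees. Event ids 4624/4625 and logon type 10 follow the Windows security log; the host names, addresses and the internal address range are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample logon events in a simplified format (not real log output):
# timestamp, Windows event id, account, source IP, target host, logon type.
# 4624 = successful logon, 4625 = failed logon, logon type 10 = RemoteInteractive (RDP).
SAMPLE_LOG = """\
2021-09-12T02:01:10 4624 svc-backup 10.0.5.23 FILESRV01 10
2021-09-12T02:03:42 4624 svc-backup 10.0.5.23 BACKUP01 10
2021-09-12T02:05:07 4624 svc-backup 10.0.5.23 DC01 10
2021-09-12T02:06:55 4624 svc-backup 10.0.5.23 WS-044 10
2021-09-12T02:08:30 4624 svc-backup 10.0.5.23 WS-051 10
2021-09-12T09:15:00 4624 m.mueller 10.0.8.17 WS-017 2
2021-09-12T09:16:12 4625 m.mueller 10.0.8.17 WS-017 2
2021-09-12T10:40:03 4624 m.mueller 10.0.8.17 FILESRV01 3
"""

# Assumed internal address range; adjust to the company's own network plan.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]


def parse(text):
    """Turn the whitespace-separated sample lines into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, eid, user, ip, host, ltype = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "id": int(eid), "user": user,
                       "ip": ip, "host": host, "type": int(ltype)})
    return events


def rdp_spread_alerts(events, window=timedelta(minutes=30), min_hosts=3):
    """Flag each account/source-IP pair that opens RDP sessions on at least
    min_hosts distinct hosts within `window`; each alert names the source IP
    and whether it lies in the internal range, as the analyst would check."""
    by_source = defaultdict(list)
    for e in events:
        if e["id"] == 4624 and e["type"] == 10:
            by_source[(e["user"], e["ip"])].append(e)
    alerts = []
    for (user, ip), evs in by_source.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):  # sliding window over time-ordered logons
            hosts = {e["host"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(hosts) >= min_hosts:
                alerts.append({"user": user, "source_ip": ip, "hosts": sorted(hosts),
                               "first_seen": first["ts"].isoformat(),
                               "internal_source": any(ip_address(ip) in n for n in INTERNAL_NETS)})
                break  # one alert per source is enough for the analyst to act on
    return alerts
```

Running `rdp_spread_alerts(parse(SAMPLE_LOG))` yields a single alert for `svc-backup` from `10.0.5.23` reaching five hosts (including the backup server and domain controller) within eight minutes at night, while the ordinary user's failed logon produces nothing.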
In this way, early attack detection provides companies with a means of defence with which they can detect security breaches and emerging cyberattacks with an extortion Trojan at an early stage. Potentially, then, there is an opportunity to reduce the detection time of unauthorised activity on one's network from an average of over 150 days to seconds or minutes.
Large companies operate their own Security Operations Centres (SOC), which are exclusively tasked with monitoring network activity around the clock. For small and medium-sized enterprises, such a SOC is far too large a financial outlay. Nevertheless, there are options for SMEs to achieve the same level of security and implement early attack detection: external service providers take over the monitoring and evaluation of the company's logs. The ACD service from secion, for example, offers precisely these functions. The software monitors logs of operating systems, servers, databases, routers and other systems in the network and evaluates them in real time. If the system finds suspicious actions, the ACD SOC team immediately informs the company's contact persons, which enables an immediate reaction. In this way, the service can prevent the data encryption that a successful ransomware intrusion threatens.
The IT security situation in 2021 continues to worsen. Ransomware attacks are on the rise, with a particular increase in organised crime. Every company is a potential target, and the number of companies actually affected is growing. The amount of damage to the affected companies is also increasing. Only part of the cost is due to the ransom demanded by the extortionists. A large part is caused by IT outages: systems are sometimes unavailable for weeks, which paralyses the company.
As defence measures against data encryption with ransomware, solutions for early attack detection are necessary. In this way, the time in which the hackers are active in the network and place the extortion Trojans can be significantly shortened. Decision-makers have a responsibility here to set up an effective and, above all, comprehensive IT defence in order to prevent cyber attacks on their own company.