Ransomware has matured significantly over the previous decade or so. Initially thought to be a relatively basic virus that could be contained on a floppy disk, it can now damage global business infrastructures, stop healthcare systems dead in their tracks, mess with fuel supply networks, and disrupt transportation infrastructure.

Its simplicity is what makes it so appealing to criminals. The attacks don’t have to be very sophisticated to cause significant harm and extort ransom payments. As a result, the frequency of these attacks is increasing at an alarming rate.

Ransomware attacks are particularly dangerous because they are continually evolving. However, the most troublesome detail about these events is that companies are willing to pay ransom in hopes of keeping their systems and processes safe from further malicious behavior, such as the criminals’ threats to publicize confidential corporate information that was stolen as part of the attacks.

But does this willingness to pay ransom really help businesses ensure the safety of their data? Or is this protection payment having the opposite effect?

How Do Ransomware Criminals Access Enterprise Data?

Recent years have seen the emergence of “ransomware as a service” (RaaS), where attackers pretend to be legal businesses. Through their registered companies, they pretend to help with IT-related issues, but that’s only a front for renting out malware and other services.

Some cybercrime gangs create helpdesks to negotiate ransom demands and royalties, aid the victim in purchasing cryptocurrency and assist them in decrypting the material stolen from them. Others use an affiliate model, in which they distribute the malware, receive the payment from their victims, and then remit a portion of the money collected to the software’s inventor.

Despite the glitzy SaaS facade of the RaaS sector, the fundamental basis of ransomware stays the same: attackers target a victim before demanding payment in exchange for the decryption key that is supposed to return access to the data and systems.

The world witnessed ransom demands that broke all previous records in 2021. The REvil gang attacked Kaseya, and requested $70 million to end its attack. However, despite the increasing audacity of these demands and the magnitude of bounties, the criminal business model has remained virtually unaltered.

Protection Payment in Ransomware-as-a-Subscription Model

In 2022, ransomware-as-a-subscription is anticipated to emerge as a model where corporations pay protection money in exchange for a promise that they will not be attacked and ransomware versions will not be unleashed on their systems.

The United States government is now working on legislation prohibiting ransomware payments or requiring corporations to disclose them to their customers. Protection payments significantly alter the nature of cyberattacks and provide criminals with a reliable source of cash. Unfortunately, they may also put businesses at risk of violating the law due to their actions.

Ultimately, paying for protection can be as futile as paying the ransom itself. The reason why is because it does not guarantee protection in the future. Since there is no established ransomware ‘syndicate’, paying ransomware or for protection to one criminal network does nothing to stop another ransomware attack happening from another criminal operation. It’s a textbook example of how there is no honor among thieves, and more specifically, how there is no way of truly knowing if an extortionist won’t reveal your vulnerability to another perpetrator running a ransomware operation that targets your company.

Protection payment may shield an organization from the original criminal, and the perpetrator may even guarantee that no one else will “muscle in on their criminal territory.” The issue, of course, is that there is no way a perpetrator of ransomware can guarantee that.

Gaps in Security of Enterprises

For security and identity theft prevention, enterprises must develop a solid resistance to ransomware. It’s essential to adopt an “attitude of gratitude” for the advantage that each user enjoys to get a good head start on this objective. A ransomware assault can be launched by an employee who has access to email, documents, the internet, links, or a USB drive.

Unmanaged local administrator capabilities on a workstation allows users to install and run any program anywhere. Because of this, any workstation can be hijacked by an attacker, who can swiftly install infectious or harmful software to obtain access to the organization’s data and network.

It becomes a significant concern when an attacker can bring down a large company by compromising a single employee. Social media makes it simple to locate open-source intelligence. On the Dark Web, credentials can be purchased. Using this knowledge, it is simple to design a malicious email that can deceive people into exposing the defenses and allowing ransomware to access a network.

The Need for Better Cybersecurity Solutions

Ransomware groups have so far been unabated by conventional cybersecurity measures. Ransomware’s unique and rapidly evolving versions make traditional signature-based antivirus solutions ineffective in preventing and detecting these attacks. Criminals aren’t deterred by tried-and-true measures like encrypting data.

Businesses must ensure that one system compromise does not give privileged access to the entire IT environment. Pivot construction and lateral network moves can be prevented by implementing threat detection technologies, network segmentation, and Privileged Access Management (PAM).

At a bare minimum, all enterprises should follow the Multi-State Information Sharing and Analysis Center (MS-ISAC) recommendations and CISA’s guidelines for cybersecurity best practices.

There are a few other things to keep in mind, such as backing up data, patching systems, ensuring safe passwords, and making sure that email macros don’t run without your permission. Other ideas involve implementing a least-privilege strategy and establishing cybersecurity education programs.

Besides reviving your security and financially recovering after an attack, you also need to work on protecting the reputation of your company. A ransomware attack can significantly tarnish your credibility in the market, so the effects are long-lasting.

Enhancing Cybersecurity as an Alternative to Protection Payments

An occasional activity to comply with requirements is insufficient because security is constantly evolving. It should be viewed as a continuous, growing process, requiring frequent security protocols and incident response capabilities testing. A security ambassador should be assigned to each team to assist in communicating security policy, detecting threats, and responding to problems, instead of simply starting cybersecurity classes.

Instead of surrendering to attackers by making protection payments, enterprises need to enhance their cybersecurity. Here are a few steps they should take:

Integrate Automation

A round-the-clock approach to security must be extended to all elements, including regularly auditing privileged accounts for signs of exploitation

Automation makes it possible to run tests more frequently and quickly than human intervention. Ransomware activity should be a primary goal of testing and audits, designed to detect reconnaissance efforts, and to keep these threats out of the network.

Be Proactive

Enterprises must have a strong endpoint data protection strategy and system security in place. In addition to antivirus protection, approved software can be specified, restricting access to only those apps that have been authorized after testing. Businesses should employ both proactive and reactive measures to keep themselves safe.

Adopt Zero Security        

Companies should increase and implement better security practices, such as the zero-trust security model, accelerated transition to safe cloud services, and the implementation of multi-factor authentication and encryption.

Distribute Data Backups

Cybercriminals who create ransomware aim to prohibit any escape from paying the ransom. That’s why these attacks target active files, systems, backups, and cloud data.

To fight this, enterprises need to adopt a complete backup and recovery strategy based on the NIST Cybersecurity Framework. It contains best practices such as employing at-rest and in-transit encryption to prevent malicious actors from infiltrating the network or obtaining your sensitive data.  Further protection includes configuring firewalls that limit ports and processes to prevent ransomware from deleting or encrypting backups.

Stay Vigilant

The problem of ransomware isn’t going away. It is like a perpetual arms race, especially when it comes to things that are out of our power. However, you can minimize the damage and get back in operation quickly if you use a layered approach to cybersecurity.

Wrapping Up

Protection payments can only encourage criminals to become more aggressive because paying a ransom doesn’t mean that the criminals won’t reveal your vulnerabilities to other criminals (or that the criminals won’t attack anyway).

Instead, organizations must create resilience against these new revenue approaches coming from the ransomware groups. Criminals cannot profit if victims build up their resistance to attacks. Ransomware criminals are persistent, resourceful, and committed to a long-term strategy. Hence, defenders must analyze their approach and act accordingly.


About the Author: Isla Sibanda is an ethical hacker and cybersecurity specialist based out of Pretoria. For over twelve years, she’s worked as a cybersecurity analyst and penetration testing specialist for several reputable companies – including Standard Bank Group, CipherWave, and Axxess.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.