As another year comes to an end, it’s clear that one type of cyberattack dominated in 2021: ransomware. The number of ransomware attacks this year increased compared to 2020, which itself saw a 150% increase in attacks over 2019. In practical terms, that puts the count at hundreds of thousands of attacks every month: as early as 2016 there were already more than 4,000 ransomware attacks per day.
But it’s not just the number of attacks that changed this year. Target types have shifted as well. More attacks are now aimed at high-profile enterprises, and they demand higher payments. In 2020, the amounts paid by victims increased by 300% compared to 2019. In the first six months of 2021, ransomware payments reported by banks and other financial institutions totaled $590 million.
These developments, coupled with the fact that a rising number of ransomware attacks have been led by nation-state actors, create a clear need for urgent action. In October 2021, the White House hosted a global summit about ransomware to discuss ways to counter ransom attacks. There are also many actions organizations can take on their own to protect against the ransomware threat.
Let’s look at 5 of the top ransomware attacks of 2021 and examine how zero trust security could have helped prevent them or at least substantially mitigate the risks.
In February 2021, Kia Motors America (KMA) was attacked by the DoppelPaymer gang. The ransomware group threatened to leak KMA’s private documents online, unless they were paid 20 million dollars in Bitcoin. As a result of this attack, KMA suffered from system outages, which affected their payment services, mobile apps, owner’s portal, phone services and internal dealership systems.
Zero trust is a security model founded on the principle that no person or system should be granted system access based on inherent trust. Instead, the assumption under zero trust is that the network is already compromised. No user or device can access systems and assets before they are authorized through strong authentication methods like MFA (multi-factor authentication). As an added security measure, users are continuously authorized even when they are already using the systems.
Under the zero trust access model, even if attackers manage the unlikely feat of breaking into systems or servers, they will be prevented from moving laterally and progressing into other systems. This contains the attack and mitigates attackers' ability to access and leak private documents.
The Russian REvil group attacked Acer in March 2021, possibly through a vulnerable Microsoft Exchange server. They then demanded that the electronics hardware giant pay $50 million. At the time, this was one of the largest ransoms known. But, as we’ll see, by the end of 2021 it was not such an uncommon figure (see the CNA attack below).
The REvil hackers shared that they had broken into Acer’s system, and they had files and pictures as proof. The leaked images contained the company's financial documentation as well as bank balances and bank communications. Acer negotiated with the attackers, offering them $10 million. The attackers offered a 20% discount if the payment was made by March 17.
More recently, in October 2021, Acer confirmed that it had been hit by another cyberattack, this time in India.
Zero trust cloaks the system and network from regular users (and attackers), blocking visibility into the architecture, including the Exchange Server. As a result, attackers cannot see the different system components, target them and gain a foothold. Therefore, attackers wouldn’t have been able to gain access to the Microsoft Exchange server, despite its vulnerabilities, because the zero trust access model would have prevented access and exploitation.
The largest meat company in the world was also a victim of the REvil ransomware group. In June 2021, JBS announced that it had been attacked and that it had paid $11 million in Bitcoin to the group. The attack halted JBS’s operational processes and impacted its food supply chain, which provides 20-25% of the US’s beef. The company used backup plans to keep operating after the attack, but eventually paid because it could not ensure it wouldn’t be subjected to more attacks.
Once the attack became known to the company’s leadership, the team began shutting down their systems to slow its advance. With zero trust network access, such an action would not be necessary. In a zero trust model, users and devices alike must be continuously authorized in order to see and progress in company systems, which would have halted the attackers' advance.
In addition, zero trust provides auditing and recording capabilities. The JBS technological team could have seen what the attackers had done and reversed their efforts, preventing them from potentially attacking their backup systems as well.
When one of the largest insurance and cyberinsurance companies in the US gets hacked, you can expect to hear about it. In March 2021, CNA Financial Corp paid out close to $40 million to Phoenix CryptoLocker hackers following an initial demand of $60 million. The malware in this case both blocked access and stole sensitive data. As many as 75,000 individuals were notified that their data might be compromised.
Not much is known about the CNA attack, but the malware tools associated with PhoenixLocker use VPN vulnerabilities and IP scanners to perform reconnaissance and gain access to networks. Zero trust solutions provide much more secure connectivity than VPNs because they authorize each identity and user that requests access based on the principle of least privilege. Unlike with VPNs, the originating network is not enough for authentication under zero trust, and users’ identities and permissions are checked continuously. In addition, zero trust reduces the risk from IP scanning because it darkens the entire network: no IP address is left listening for inbound requests.
Zero trust could therefore have prevented attackers from identifying the CNA network, tunneling into it, identifying critical company infrastructure, and accessing valuable information.
This was one of the highest-profile ransomware attacks this year, and there’s a reason for it: Colonial Pipeline is responsible for nearly half of the fuel distributed to the United States’ east coast. In May 2021, hackers called “The DarkSide Group” dispatched ransomware into the company’s computer system by attacking a VPN that required only a single password for authentication rather than more secure MFA. Colonial Pipeline had to shut down operations completely.
Within a few hours, the company paid 75 bitcoins (~4.4 million dollars at the time) to the hackers. Eventually, $2.3 million was recovered by the US Justice Department. As a result of the attack and the six-day shutdown that followed, fuel prices rose and numerous fuel shortages were experienced, affecting not only cars but airlines as well.
MFA is one of the most secure digital means to authorize users and identities. MFA requires at least two authentication factors before providing access. These could include answers to security questions, tokens, certificates, geographical location, biometric information, and more. Zero trust implements MFA to ensure that a single compromised factor will not by itself grant users access to sensitive systems.
In addition, zero trust can replace VPNs as a more secure and agile solution for connectivity, including remote access. It can also enhance VPN security if the two methods operate together. When zero trust is implemented alongside a VPN, a perpetrator who is let into the network through a vulnerable VPN will still be unable to cause serious damage.
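The paragraphs above describe the zero trust model in prose: every request is authorized on its own, MFA and device posture are required, entitlements follow least privilege, sessions are re-verified continuously, network location is not an input, and every decision is recorded for later audit. The following Python is an added illustration of that decision logic, written for this page; it is not Cyolo’s product code and not a real ZTNA implementation. The roles, resource names, posture signals, the 600-second re-authorization window and the sample requests are all constructed for the example.

```python
"""Toy zero trust access broker (added illustration, not a product's code).

Each request is decided independently from: a second factor, device posture,
a per-resource least-privilege policy, session binding to user and device,
and a re-authorization deadline. Originating network is deliberately not
an input, which is the difference from the perimeter/VPN model.
"""
from dataclasses import dataclass
import time


@dataclass
class Identity:
    user: str
    role: str
    mfa_verified: bool      # a second factor was presented for this session


@dataclass
class Device:
    device_id: str
    managed: bool           # enrolled in device management
    os_patched: bool        # posture signal reported by the endpoint agent


@dataclass
class Session:
    user: str
    device_id: str
    last_auth_ts: float     # when the factors were last verified


# Constructed least-privilege policy: a role reaches only the resources listed.
POLICY = {
    "dealer-portal-user": {"owner-portal"},
    "finance-analyst": {"erp", "bank-reports"},
    "mail-admin": {"exchange-admin"},
}

REAUTH_INTERVAL = 600  # seconds; assumed window after which factors must be re-proven


class AccessBroker:
    """Per-request policy decision point. Network location is never consulted."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.audit = []  # every decision, allowed or denied, is recorded here

    def decide(self, ident, device, session, resource):
        reasons = []
        if not ident.mfa_verified:
            reasons.append("mfa-missing")
        if not (device.managed and device.os_patched):
            reasons.append("device-posture")
        if session.user != ident.user or session.device_id != device.device_id:
            reasons.append("session-binding")      # token replayed from elsewhere
        if self.clock() - session.last_auth_ts > REAUTH_INTERVAL:
            reasons.append("reauth-required")       # continuous authorization
        if resource not in POLICY.get(ident.role, set()):
            reasons.append("not-entitled")          # least privilege
        allowed = not reasons
        self.audit.append({"ts": self.clock(), "user": ident.user,
                           "device": device.device_id, "resource": resource,
                           "allowed": allowed, "reasons": tuple(reasons)})
        return allowed, reasons


def vpn_style_decide(on_corporate_network: bool) -> bool:
    """Perimeter model for contrast: being inside the network is the whole check."""
    return on_corporate_network


def denied_resource_spread(audit, user):
    """Distinct resources a user was refused; a widening set is a lateral-movement signal."""
    return sorted({e["resource"] for e in audit
                   if e["user"] == user and not e["allowed"]})


def demo():
    """Constructed scenario: a valid session, then misuse of that same session."""
    now = [1_000_000.0]
    broker = AccessBroker(clock=lambda: now[0])
    alice = Identity("alice", "dealer-portal-user", mfa_verified=True)
    laptop = Device("lt-01", managed=True, os_patched=True)
    sess = Session("alice", "lt-01", last_auth_ts=now[0])

    ok, _ = broker.decide(alice, laptop, sess, "owner-portal")  # legitimate use
    # The same session now reaching for systems its role never needed.
    broker.decide(alice, laptop, sess, "erp")
    broker.decide(alice, laptop, sess, "exchange-admin")
    # The session token presented from an unmanaged, unpatched host.
    rogue = Device("unknown-7", managed=False, os_patched=False)
    broker.decide(alice, rogue, sess, "owner-portal")
    # Time passes beyond the re-authorization window.
    now[0] += REAUTH_INTERVAL + 1
    stale_ok, stale_reasons = broker.decide(alice, laptop, sess, "owner-portal")
    return ok, stale_ok, stale_reasons, denied_resource_spread(broker.audit, "alice")


if __name__ == "__main__":
    print(demo())
```

The point of the `audit` list is the auditing capability mentioned for the JBS case: because denials are logged with their reasons, `denied_resource_spread` can flag an identity whose refused-resource set keeps growing, which is what lateral movement looks like from the broker's side. `vpn_style_decide` is there only to make the contrast concrete: it has a single input, and that input is exactly the one the zero trust broker ignores.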
With the growing number of ransomware cyber attacks, the increased targeting of large enterprises, and the rising monetary demands of ransom takers, it's clear that companies across all sectors need to take action to protect themselves, their customers, their business partners, and their employees. As we've seen, the zero trust model denies attackers unfettered access to corporate networks and critical systems. Even if attackers are inside, they still cannot advance or obtain access to vulnerable data. In addition, their actions are recorded and monitored, enabling security and IT teams to act quickly. This makes zero trust access a secure and efficient solution for ransomware protection.
Cyolo’s proprietary ZTNA 2.0 solution is a unified solution that allows IT and security teams to easily implement zero trust connectivity and create their own distributed cloud with literally no infrastructure change. Cyolo can help businesses in any industry or vertical to access critical applications, reduce their operational security costs, and protect themselves from ransomware attacks.