Ransomware evolving from ‘spray and pray’ to more targeted attacks

Ransomware gangs are evolving from ‘spray and pray’ campaigns to more targeted attacks that threaten the use of distributed denial of service (DDoS) attacks to interrupt specific business services.

DDoS attacks are not only effective in disrupting business operations, but they can be launched in seconds without even having to launch a phishing attack or breach the target’s network security perimeter. Their efficacy has made them useful to cybercriminals who want to push victims to fork over ransoms quickly.

August 2021 “was a month where DDoS attack records were challenged and broken across three major continents,” states Radware’s Q3 DDoS Attack Report. It notes that Radware blocked more malicious incidents between January and August of 2021 than during the entirety of 2020.

Cloud increasing exposure

That surge in DDoS attacks reported by Radware corresponds with an increase in use of cloud applications during the pandemic. Radware estimates that 70 percent of production web applications are running in cloud environments.

“The transition to the cloud provides scalability for organisations because they can go very, very fast based on demand,” pointed out Radware vice president of APJ Yaniv Hoffman. “But as applications become more public-facing and user-centric, those applications also become more vulnerable.”

Cybercriminals have adapted their attack methods in line with changing business trends, shifting from network-level attacks to application-level attacks.

This creates new challenges for security staff, because conventional network-level tools don’t provide the visibility to applications needed to detect and deal with these attacks.

That has left ransomware gangs free to hector their victims, Hoffman said, noting that in many cases the gangs would tease victims with a short DDoS attack “as an example of what they can do.”

“In 24 hours, if victims don’t pay, they will threaten to launch the full force of an attack for every day that they don’t pay the ransom,” Hoffman said.

“Being hit by a ransom DDoS impacts business continuity and availability – and in turn, the credibility of these organisations. Many organisations pay just to avoid that.”

Radware also found that adoption of hybrid environments increased in 76 percent of surveyed companies – further complicating cybersecurity.

Building a frictionless defence

Companies face five critical challenges in securing hybrid environments, Radware noted, including:

  • Emerging threat vectors that expose applications and cloud environments to attacks
  • A broader threat surface where both the cloud-based application surface and application infrastructure are exposed
  • The need for an Agile software development and DevOps culture that integrates security
  • The challenges of multi-cloud deployments across on-premise, hybrid, and public clouds – each with their own capabilities, APIs, management, and reporting
  • Ownership of security budgets and strategies by non-security stakeholders, whose disengagement with security practice impedes their ability to drive meaningful security improvements

A DevSecOps practice, which embeds security into DevOps, can be challenging – not least because it challenges long-held notions of system and application ownership.

In 92 percent of organisations, Radware reported, security staff have no say regarding the structure of the organisation’s continuous integration/continuous deployment (CI/CD) processes. Hoffman said this was not acceptable because of the potential for business interruption.

He said that progressive companies are working through these conflicts to implement ‘frictionless security’, which extends across cloud applications and hybrid environments.

“Because applications are rolling out very fast, you need to make sure security is not creating a bottleneck for that,” he explained. “You don’t want to disturb processes.”

Effective frictionless security requires companies to step back and reconsider the way they secure applications, Hoffman said. Automation is invaluable for continuously monitoring application development and deployment, as well as user activities, for anomalies.

Cybercriminals often disguise and stagger their attacks, or use volumetric DDoS attacks to hide low-and-slow application and encryption attacks, so anomaly detection can be all but impossible with manual cybersecurity processes, Hoffman said.
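As an added illustration (not from the article or from Radware), the following Python snippet runs over a constructed access-log sample in which a volumetric flood from many clients masks one low-and-slow client; it scores the flood and the slow client as separate signals, since a request-rate threshold alone only ever sees the flood. The log format, thresholds and IP addresses are assumptions.

```python
from collections import Counter, defaultdict
from statistics import median

# Constructed access-log sample (not from the article): "ts client method path status duration_ms".
# A volumetric flood from 40 clients is mixed with one low-and-slow client and ten normal users.
SAMPLE_LOG = "\n".join(
    [f"1630000000.{i:03d} 198.51.100.{i % 40 + 1} GET /api/search 200 12" for i in range(400)]
    + [f"1630000001.{i:03d} 203.0.113.9 POST /api/login 200 {28000 + i * 500}" for i in range(6)]
    + [f"1630000002.{i:03d} 192.0.2.{i + 1} GET /home 200 {40 + i}" for i in range(10)]
)


def parse_log(text):
    """Parse lines into dicts with client, path and duration_ms; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or not parts[5].isdigit():
            continue
        _ts, client, _method, path, _status, duration = parts
        rows.append({"client": client, "path": path, "duration_ms": int(duration)})
    return rows


def detect_anomalies(rows, baseline_reqs=50, slow_ms=10_000):
    """Flag a volumetric flood (and the paths it concentrates on) separately from
    low-and-slow clients, which a pure request-rate threshold would never catch.
    baseline_reqs is the learned normal request count for the same window (assumed)."""
    total = len(rows)
    volumetric = total > 5 * baseline_reqs
    path_share = Counter(r["path"] for r in rows)
    flooded_paths = sorted(p for p, n in path_share.items() if volumetric and n / total > 0.5)
    per_client = defaultdict(list)
    for r in rows:
        per_client[r["client"]].append(r["duration_ms"])
    # Low-and-slow: few requests, each held open for a long time. Judge by duration,
    # not by request count, so the flood cannot drown the signal.
    low_and_slow = sorted(c for c, durs in per_client.items() if median(durs) >= slow_ms)
    return {"total": total, "volumetric": volumetric,
            "flooded_paths": flooded_paths, "low_and_slow": low_and_slow}


if __name__ == "__main__":
    print(detect_anomalies(parse_log(SAMPLE_LOG)))
```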

Hardcoding security policies into applications was an intrinsically limited solution, he argued: “Only by automating algorithms can you identify the changes in applications and automatically adapt security policies.”

“If you base your algorithms for security on machine learning, you learn the behaviour of the users – and the algorithm by itself can learn what is good and bad. That’s how you don’t interfere with the rollout of the application, while adding frictionless security.”