- Michael Jones
It seems we cannot escape the continued headlines: A huge company hacked, a critical utility crippled by ransomware, a government agency’s data breached. The frequency and scale of cyber attacks are growing, and so are the damages to commerce, identity, privacy, even national security.
While there are many attack vectors—brute-force attacks, code injection, cross-site scripting (XSS), phishing, and distributed denial of service (DDoS) are notable threats—the ability of attackers to install malware and either shut down systems, control systems, or hold systems ransom is among the most damaging.
“Ransomware is an ever-evolving form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable,” claims the Cybersecurity and Infrastructure Security Agency (CISA). “Malicious actors then demand ransom in exchange for decryption.”
Historic detect-and-respond approaches to ransomware leave organizations far too exposed to outages, theft, and long recovery times. “Even if there is no evidence that confidential information has been leaked, organizations can still suffer significant damage,” writes the National Law Review in a recent article. “The cost of reassuring stakeholders and mitigating reputational harm can almost match the consequences of a full-blown attack.”
“The average total cost of recovery from a ransomware attack has more than doubled in a year,” notes Sophos, a cybersecurity company, in findings from a global survey. “Increasing from $761,106 in 2020 to $1.85 million in 2021… The average ransom paid was $170,404.”
Worse, CISA warns that “ransomware incidents have become more destructive and impactful in nature and scope. The economic and reputational impacts of ransomware incidents, throughout the initial disruption and, at times, extended recovery, have also proven challenging for organizations large and small.”
More than 90% of all cyber attacks begin with phishing, and ransomware is often brought into a network from remote or mobile devices. However, “ransomware gangs have been shifting their focus to managed service providers (MSPs), a platform that serves many clients at once,” says Varonis. “This means that if a hacker gains access to one MSP, it could also reach the clients it’s serving as well. Most of the time, MSPs are hacked due to remote access tools that are poorly secured.”
While securing endpoints is critical to defending against phishing and ransomware attacks, the vulnerability of MSPs means any centrally managed database could be compromised if its hosting MSP is hacked.
Once a system is breached, ransomware typically “displays an on-screen alert advising the victim that their device is locked or their files are encrypted,” notes the U.S. Secret Service Cybercrimes Investigations unit. Yet “paying the ransom does not guarantee regaining access. In some cases, a decryption key was not provided in return for a paid ransom. In other cases additional ransom was demanded.”
Blockchain Cybersecurity Against Ransomware
Blockchain’s architecture, originally built for zero-trust environments and further secured in private, permissioned blockchain configurations, gives organizations a compelling alternative to centralized databases and a strong protection against ransomware attacks.
Blockchain’s distributed ledger technology (DLT) provides two means of preventing and/or ameliorating the threat of ransomware attacks: First, by decentralizing the data set itself; and second, by giving endpoints a quick path to recovery, even if they are themselves breached and access ransomed.
Unlike centralized databases—which can be breached at insecure endpoints (users and devices) or even at MSPs hosting them, giving attackers complete control once they gain central access—blockchain technology distributes data across geographically separate nodes. By decentralizing data storage, blockchain effectively prevents any one endpoint (even if compromised) from gaining control of the full data set.
This distributed nature thus defeats any attack seeking to breach a system and holistically encrypt the data files stored therein: A single endpoint node might be breached and its files held for ransom, but the larger data set cannot be controlled by any one endpoint (or central authority), and so attackers cannot capture the full data set for encryption, ransom, and shutting down the network.
Further, with private, permissioned blockchains, each endpoint node (or user) has a unique encryption key to access and write to the distributed ledger. If any one of those endpoints is successfully attacked (presumably compromising its access key), the private blockchain can simply remove distributed ledger access for that compromised key, issue the endpoint a new key, and allow that endpoint to quickly regain distributed ledger access (effectively as a new endpoint).
This unique recovery process effectively maroons any ransomware on the endpoint it attacked—ending its access and threat—while allowing the endpoint to re-engage the larger data set: With a new key and without needing to pay any ransom to the attackers for restored access.
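The revoke-and-reissue flow just described, together with the replicated-ledger point made earlier, as a runnable simulation. This is an added example, not ZorroSign's code or a description of its product: the node names, entry payloads and the incident are constructed, the permission authority is a hypothetical membership service, and an HMAC under a per-endpoint secret stands in for the signatures a real permissioned chain would use so that the example runs on the standard library alone. It shows a compromised node's tampered replica failing verification, a write under the revoked key being refused, and the node recovering a verified copy from a healthy peer under a fresh key while the entries it wrote before the incident remain part of the ledger.

```python
"""Revoke-and-reissue recovery on a permissioned hash-chain ledger replicated across
three endpoint nodes. Added example; node names and entry payloads are constructed."""
import hashlib
import hmac
import json
import secrets

GENESIS = "0" * 64


def entry_digest(index, prev_hash, key_id, payload):
    """Hash binding an entry to its position, its predecessor and its author key."""
    data = json.dumps([index, prev_hash, key_id, payload], sort_keys=True).encode()
    return hashlib.sha256(data).hexdigest()


def mac_for(secret, digest):
    # Stand-in for an endpoint signature: HMAC under the endpoint's per-key secret.
    return hmac.new(secret, digest.encode(), hashlib.sha256).hexdigest()


class PermissionAuthority:
    """Hypothetical membership service of the private chain: issues and revokes keys."""
    def __init__(self):
        self.active = {}   # key_id -> secret for keys allowed to write now
        self.history = {}  # every key ever issued, so older entries stay verifiable

    def issue(self, endpoint):
        key_id = f"{endpoint}-{secrets.token_hex(4)}"
        self.active[key_id] = self.history[key_id] = secrets.token_bytes(32)
        return key_id, self.active[key_id]

    def revoke(self, key_id):
        self.active.pop(key_id, None)  # past entries stay valid; new writes are refused


class Node:
    """One endpoint: a full replica of the ledger plus its own write key."""
    def __init__(self, name, authority):
        self.name, self.authority, self.chain = name, authority, []
        self.key_id, self.secret = authority.issue(name)

    def write(self, payload):
        """Append an entry under this node's key; refused once that key is revoked."""
        if self.key_id not in self.authority.active:
            raise PermissionError(f"{self.key_id} is not an active key")
        index = len(self.chain)
        prev = self.chain[-1]["digest"] if self.chain else GENESIS
        digest = entry_digest(index, prev, self.key_id, payload)
        self.chain.append({"index": index, "prev": prev, "key_id": self.key_id,
                           "payload": payload, "digest": digest, "mac": mac_for(self.secret, digest)})

    def verify(self):
        """Recompute the chain and check each MAC against the authority's key history."""
        prev, keys = GENESIS, self.authority.history
        for i, e in enumerate(self.chain):
            if (e["index"] != i or e["prev"] != prev or e["key_id"] not in keys
                    or e["digest"] != entry_digest(i, prev, e["key_id"], e["payload"])
                    or not hmac.compare_digest(mac_for(keys[e["key_id"]], e["digest"]), e["mac"])):
                return False
            prev = e["digest"]
        return True

    def sync_from(self, peer):
        """Adopt a peer's replica, but only if it verifies end to end."""
        saved, self.chain = self.chain, [dict(e) for e in peer.chain]
        if not self.verify():
            self.chain = saved
            raise ValueError(f"replica offered by {peer.name} failed verification")


def recovery_scenario():
    """Compromise one endpoint, revoke its key, reissue and resync; report the outcome."""
    auth = PermissionAuthority()
    alpha, beta, gamma = (Node(n, auth) for n in ("alpha", "beta", "gamma"))
    for writer, payload in ((alpha, "doc-1 signed"), (beta, "doc-2 signed")):
        writer.write(payload)
        for node in (alpha, beta, gamma):
            if node is not writer:
                node.sync_from(writer)
    # Constructed incident: ransomware on beta encrypts its replica and steals its key.
    stolen_key = beta.key_id
    beta.chain[0]["payload"] = "ENCRYPTED BY RANSOMWARE"
    tampered_replica_verifies = beta.verify()
    # The authority revokes the stolen key; any further write under it is refused.
    auth.revoke(stolen_key)
    try:
        beta.write("attacker-controlled entry")
        stolen_key_write_refused = False
    except PermissionError:
        stolen_key_write_refused = True
    # Reissue beta a fresh key, pull a verified replica from a healthy peer, resume writing.
    beta.key_id, beta.secret = auth.issue("beta")
    beta.sync_from(alpha)
    beta.write("doc-3 signed")
    for node in (alpha, gamma):
        node.sync_from(beta)
    return {
        "tampered_replica_verifies": tampered_replica_verifies,
        "stolen_key_write_refused": stolen_key_write_refused,
        "ledger_length": len(alpha.chain),
        "all_replicas_verify": all(n.verify() for n in (alpha, beta, gamma)),
        "old_entry_by_revoked_key_kept": alpha.chain[1]["key_id"] == stolen_key,
    }
```

Calling recovery_scenario() returns the outcome of each step. Two design points matter for the recovery claim: revocation removes a key only from the set allowed to write, so entries the endpoint wrote before the incident still verify and stay in the ledger; and a node never accepts a replica it cannot verify, which is what lets a recovered endpoint trust the copy it pulls from a peer rather than its own encrypted files.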
To learn more about blockchain as cybersecurity and how ZorroSign employs a private, permissioned blockchain, visit https://www.zorrosign.com/z-forensics/secure-blockchain-technology/
NOTE: CISA strongly advises victims of ransomware to report such attacks to federal law enforcement via IC3 or a Secret Service Field Office. Victims can request technical assistance or provide information to help others by contacting CISA. If your organization becomes a victim of ransomware attacks, visit CISA’s reporting links at https://www.cisa.gov/stopransomware/report-ransomware-0