Ransomware methods have continued to develop over many years and remain a critical threat to both SMBs and bigger organisations. The threat was especially pronounced when Covid-19 was at its peak: research by IBM found that ransomware incidents ‘exploded’ in June 2020, with twice as many ransomware attacks as the month before, as attackers exploited remote workers who had no access to IT support teams when away from the office.
The same research found that ransoms demanded by cyber attackers are also increasing, to as much as £31 million, which could be devastating to even large corporations.
Ransomware attacks have made media headlines throughout recent months, and with the number of attacks growing, along with the sophistication of distribution methods, companies should prioritise tightening their defences.
By taking a preventative approach, businesses can put in place the processes required to strengthen their cybersecurity posture. This includes a combination of processes, hardware, education, and software to detect, combat and recover from such attacks should they occur.
Ransomware today
The ransomware revolution is not a new phenomenon, but its use has grown dramatically and led to new paradigms coming to light, such as ‘Ransomware as a Service’ (RaaS), a subscription-based model that allows affiliates to use ransomware tools that are already developed to execute attacks.
As ransomware incidents become more advanced and more frequent, the risk to a business rises. One example is the increase in fileless attacks, which exploit tools and features that are already available in the victim’s environment. These attacks can be combined with social engineering, such as phishing emails, without depending on file-based payloads. And unfortunately, ransomware is tough to stop – all it takes is one employee downloading a malicious attachment or clicking on the wrong link.
Organisations, both big and small, can experience a devastating financial impact as a result of ransomware. The Irish Department of Health and Health Service Executive (HSE) was recently attacked by the Conti ransomware group, which reportedly asked the Health Service for $20 million (£14 million) to restore access.
This attack caused a considerable number of cancellations to outpatient services, part of a system already struggling due to COVID-19. Some ransomware gangs operate by a flimsy code of "ethics", stating they don't intend to endanger lives, but even if a small proportion of ransomware organisations gain a sense of conscience, companies are not free from the damage these attacks can do.
Unfortunately, when under attack, most businesses often pay the ransom. In the US, Colonial Pipeline paid the cyber-criminal group DarkSide nearly $5m (£3.6m) in ransom, following a cyber-attack that took its service down for five days, causing supplies to tighten across the US. Luckily, some of the money Colonial Pipeline paid was later recovered by the American Department of Justice’s Ransomware and Digital Extortion Task Force. However, successful ransomware attacks can be re-used against many organisations, and if they pay once, they will pay multiple times, turning an attack into a cash cow for criminal organisations offering ‘Ransomware as a Service’.
This has created an ongoing debate around whether it should be illegal for businesses or individuals to pay a ransom, in order to try and deter the attackers. As a minimum, they should report it to the necessary regulators.
Crisis plan
It is important that if a ransomware attack were to take place, the organisation communicates this with the local authorities to try to rectify the issue and follow their guidance, as a lot of criminal power lies in the underreporting of ransomware attacks.
Damage limitation and containment are crucial from the beginning, as prevention is always better than dealing with the aftermath. In his recent letter to business leaders on ransomware, United States President Joe Biden highlighted: “The most important takeaway from the recent spate of ransomware attacks on U.S., Irish, German and other organizations around the world is that companies that view ransomware as a threat to their core business operations, rather than a simple risk of data theft will react and recover more effectively.”
Most organisations have an in-depth crisis recovery plan set out, and if they don’t, they need to correct this as soon as possible. The success of every emergency recovery plan depends on having a backup in place: once the breach has been contained, businesses can return to normal operations quickly and efficiently, allowing optimum business continuity.
As soon as the main threat has passed, it is advised that all organisations conduct a full retrospective report, ideally without blame or scapegoats, and relay their information and plan of action globally.
Full disclosure is beneficial – not only for client or customer reassurances but also for other organisations to know how they can stop an attack of this type from being successful again.
The aid from technology
The significance of getting security foundations right must be emphasised when it comes to ransomware. These attacks are likely to persist for the foreseeable future; however, their success can be controlled with the correct security armoury.
It is vital to have secure endpoint protection in place to mitigate the threat of ransomware, as this protects applications, the network layer and files across various devices and responds to security alerts instantaneously.
The ongoing pandemic proved how significant this is, as employees were dispersed and working from home, and by having this in place, organisations could ensure all devices are protected and comply with the same standards.
Furthermore, solutions such as URL and email attachment sandboxing are also key, as they provide crucial protection against malicious emails. By examining and quarantining dangerous links, attachments, or forms of malware, they stop these from reaching the user's inbox.
Businesses can therefore maintain greater control over email and the access points to the network by filtering out this traffic and automatically limiting malicious content.
The human barrier
A key part of any security strategy is the users. Users who have been educated about the types of threats they might face know how to spot those threats and what measures to take in the event of a suspected breach, and they remain a valuable and critical asset to any organisation.
To do this, employees need to be trained to be attentive and aware, and to take on their role as the last line of defence when all else fails. Just one click could mean the whole organisation falls victim to a ransomware attack, and that decision rests with a human.
The key is to adopt the mindset where everybody is accountable for the security of a business, rather than relying solely on IT support.
Security awareness training and learning must be performed across the board to strengthen a business’ human layer protection. These programmes are designed to teach users about the responsibility they have in helping to combat attacks and malware. As part of the wider security strategy, using phishing simulations, for example, will provide employees with insight into real-life events they may face at any point.
This was reiterated in Joe Biden’s ransomware letter, which displayed the significance of testing your human firewall: “Use a 3rd party pen tester to test the security of your systems and your ability to defend against a sophisticated attack. Many ransomware criminals are aggressive and sophisticated and will find the equivalent of unlocked doors.”
Conclusion
By investing in cybersecurity and ensuring workforces are aware and informed of the dangers they face, businesses of any scale can safeguard themselves and their data from these types of attacks. Both detection and prevention play an important role in reducing ransomware, but it shouldn’t be one or the other.
The key to a secure cybersecurity strategy is a multi-layered defence that includes, at its most basic, endpoint detection and response, advanced threat protection, web security, a business-grade firewall for the security of your network and email security.
However, even with the most complex software in place, hackers are determined to stay ahead of IT defences. That is why regular training, in addition to complementary security tools which reinforce security best practices, can provide a fortified strategy for users to mitigate the threat of a cyberattack.
Cybersecurity is a multi-faceted, complicated area, and one which must receive investment in each layer, from the technology to the people to the tools we give to the users.