Colleagues having meeting in boardroom showing ransomware issue

Ransomware: A Perfect Storm

In a speech given at RUSI’s annual security conference by Lindy Cameron, Head of the National Cyber Security Centre, the UK government said that ransomware attacks are now considered a greater threat to national security than hostile states. Data unearthed by researchers at Checkpoint corroborates this revealing that ransomware attacks have increased by 102% in the first trimester of this year when compared with the beginning of 2020.

But why are we seeing this surge now? It’s partly due to the emergence of ransomware-as-a-service making these attacks easier to execute, and partly because payment methods are now much more friendly to criminals. Skilled bad actors have begun acting as consultants to other criminal groups, selling their skill set, enabling bad actors with no expertise to carry out damaging attacks.

In parallel with this, businesses have become  increasingly reliant  on digital infrastructure and more willing to pay ransoms which increases the incentive. Over the last 12 months, the average cost of a ransomware attack has doubled, reaching almost $2 million for businesses in 2021, according to industry data. Yet, according to Cyberreason, 80 percent of businesses that paid the ransom suffered a second attack and of those hit a second time, 46 percent believed it came from the same group that did the first attack.

With ransomware-as-a-service seemingly having found its stride and payment of ransomware being considered commonplace, we find ourselves in the eye of the storm. Understanding how to protect businesses is reliant on understanding the issues behind the evolution of ransomware and how to effectively implement strategies for prevention and remediation.

Changing mindsets

All too often, ransomware becomes a consideration when it’s too late – an attack has already happened and companies are faced with a data breach, costly downtime and their reputation is under threat. Larger companies have worked with cybersecurity companies for some time but it’s now time for companies of every size to ensure they are taking proactive measures to protect against ransomware attacks.

Recent high-profile attacks targeting the Colonial Pipeline and food supplier JBS highlight that paying a ransom doesn’t necessarily solve the issue, in fact, both companies ended up recovering data from backups despite paying. The old adage, defense is the best offense, doesn’t apply to everything. In this situation, the top priority must be to stop ransomware before it gets into your network.

Managing security teams

By ensuring that networks are segmented and segregated and implementing a principle of least privilege authority to all entities, including users and network services, it’s possible to contain the spread of malware. Additionally, organizations should look to their endpoints to strengthen their security posture which will minimize the success rate and effectiveness of such attacks. This visibility also leads to catching the attacks earlier and limiting their impact.

The only way to keep a company’s defense up-to-date is with constant proactive activity from well-engineered cybersecurity teams. This isn’t just a case of following set procedures – professionals need to apply their own knowledge of how attackers operate, which can only be gained from regular adversarial training, to establish threat hunting and tactical analytics capabilities.

Fighting back

Avoiding a ransomware attack is at best difficult and sadly becoming more and more unlikely but there are things you can do to try to prevent one and to be ready with a recovery plan should one hit:

  • Conduct regular penetration testing on your networks to uncover blind spots and weaknesses in your defenses – before they are exposed.
  • Ensure IT and security staff are trained in offensive security techniques, and empower staff from elsewhere in the organization with training on best practice to keep the business safe from attacks.
  • Maintain a record of employee security access levels and having staff use additional software that protects the logging of data is a really useful way of reinforcing pristine cybersecurity hygiene.
  • Design your network so that you are able to isolate anything that is impacted by ransomware quickly, when an attack hits.
  • Have proper backups that are capable of restoring from a specific date and are not accessible to the attackers.

What does the law say about ransomware?

The law hasn’t yet caught up with all the complexities of cybercrime but working together to share insights into attacks and enable other organizations to benefit from the learnings is a key step in combating ransomware.

As an individual company, you may or may not be better off if you pay the ransom but as an ecosystem, we all lose. Putting more money into the criminal economy enables bad actors to develop more sophisticated techniques which are then used indiscriminately against everyone.

Whether or not this is the right thing to do has been widely debated with law enforcement trying heavily to discourage the practice. The US Department of Treasury has declared that paying ransoms is illegal and violates OFAC regulations and the EU has invoked similar laws.

While regulators work hard to catch up, organizations must do their best to protect themselves by having a well-trained and attack-ready workforce. A workforce that identifies a threat before it becomes real. Until every part of an organization, including non-technical staff, can understand and identify ways that they could be tricked into handing over information or access, your defenses will constantly be undermined.