Over the years, ransomware tactics have continued to adapt, and they remain a prominent threat to both SMBs and larger organisations. Research by IBM found that ransomware incidents ‘exploded’ in June 2020 – the peak of Covid-19 – which saw twice as many ransomware attacks as the month before, as attackers took advantage of remote workers being away from the help of IT teams. The research also found that demands by cyber attackers have increased to as much as £31 million, which can be destructive for a business of any size.
Ransomware attacks have been a highlight of mainstream media. With the frequency of ransomware attacks rising, not to mention the innovation in distribution methods, organisations should use this as a wake-up call to build their defences. By taking a preventative approach, businesses can deploy a combination of education, processes, hardware and software to detect, combat and recover from attacks should they arise.
Ransomware isn’t anything out of the ordinary now, but its use has dramatically increased, and has led to the development of the phrase ‘Ransomware as a Service’ (RaaS), a subscription-based model that allows affiliates to use pre-existing ransomware tools to execute attacks.
The level of potential damage to a business is heightened as ransomware incidents become more advanced, such as the increase in fileless attacks, which exploit tools and features that are already available in the victim’s environment. These attacks can be used in combination with social engineering, such as phishing emails, without having to rely on file-based payloads. And unfortunately, ransomware is extremely difficult to avoid – it’s as simple as one click on the wrong link or opening a malicious attachment.
Organisations of any size can suffer financially from the effects of ransomware, as well as longer-term damage to business reputation. The Irish Department of Health and Health Service Executive (HSE) was reportedly asked for $20 million (£14 million) by the Conti ransomware group to restore access. The attacks caused even further cancellations to outpatient services in a service already strained by Covid-19. Some ransomware gangs operate by a flimsy code of “ethics”, stating they don’t intend to endanger lives, but even if a minority of ransomware organisations are developing a sense of conscience, businesses are not exempt from the damage that can be done by such attacks.
Unfortunately, when under attack, a majority of businesses often pay the ransom. In the US, Colonial Pipeline paid the cyber-criminal group DarkSide nearly $5m (£3.6m) in ransom, following a cyber-attack that took its service down for 5 days and caused supplies to tighten across the US. Luckily for Colonial Pipeline, some of the money was later recovered by the American Department of Justice’s Ransomware and Digital Extortion Task Force. However, a successful ransomware attack can be used various times against many organisations, and if they pay once it is likely they will pay again, turning an attack into a cash cow for criminal organisations offering Ransomware as a Service. There is now an ongoing debate as to whether it should be illegal for businesses or individuals to pay ransoms. At the very least, they should report it to the necessary regulators.
Trap and Expose
Often, many ransomware attacks go unreported – and this is where a lot of criminal power lies. If a ransomware attack were to occur, it is crucial that the organisation works with local authorities to try to rectify the issue and follow the guidance.
Prevention is always better than cure, and damage limitation and containment are important right from the outset. As the United States’ President, Joe Biden, highlighted in his recent letter to business leaders around ransomware: “The most important takeaway from the recent spate of ransomware attacks on U.S., Irish, German and other organizations around the world is that companies that view ransomware as a threat to their core business operations, rather than a simple risk of data theft will react and recover more effectively.”
The majority of companies should have an in-depth recovery plan for these types of disasters and they should rectify this immediately if they lack one. The key to every disaster recovery plan is backups. Once the breach has been identified and contained, businesses can get back up and running quickly and relatively easily, allowing for maximum business continuity.
It is also recommended that all organisations conduct a full retrospective audit as soon as the main threat has passed, ideally without blame or scapegoats, and share their findings and steps taken with the world. It’ll be beneficial for customers, clients, and other organisations to have full disclosure of events in order to learn from and prevent future attacks.
The importance of getting security foundations right must be emphasised when it comes to ransomware. Whilst these attacks can be prevented from succeeding with the security armoury in place, they are not likely to stop or slow down anytime soon.
It is vital to have secure endpoint protection in place to mitigate the threat of ransomware: protection that works at the file, application and network layer across a number of devices, and responds to security alerts in real time. With more employees working from home, this has become even more significant in order to make sure all devices are protected and comply with the same standards.
Additionally, solutions such as email attachment and URL sandboxing are also vital, as these digital tools provide protection against malicious emails. They can help prevent dangerous links, attachments or forms of malware from entering the user’s inbox by examining and quarantining them. Businesses can maintain greater control over emails and access points to the network by managing the traffic and automatically restricting harmful content.
Humans play just as big of a part as the software being used. Those who have knowledge of the threats, know how to spot them and understand the measures to take in order to stop a suspected breach, are a valuable asset to the company.
Employees need to be trained to be vigilant, cautious, suspicious and assume their role as the last line of defence when all else fails. Those who lack knowledge could be the very reason an organisation falls prey to a ransomware attack – all it takes is one click on an email or malicious link. In order to strengthen a business’ human layer protection, security awareness training and education must be implemented across the board. The key is to change the mindset from full reliance on IT to one where everyone is responsible.
These programmes are designed to support users in understanding the role they play in helping to combat attacks and malware. Using phishing simulations, for example, as part of the wider security strategy will help to give employees insight into real-life situations they may face at any point. The importance of testing your human firewall was also outlined in Joe Biden’s ransomware letter: “Use a 3rd party pen tester to test the security of your systems and your ability to defend against a sophisticated attack. Many ransomware criminals are aggressive and sophisticated and will find the equivalent of unlocked doors.”
Cyber security is a multi-faceted, complicated area, one which needs improvement in each aspect, from the people to the tools given to the technology used. Nevertheless, by investing in their cybersecurity and ensuring their workforces are conscious and informed of the threats they face, businesses big or small can safeguard their data from these types of ransomware attacks.
Even with the most sophisticated software in place, hackers make it their mission to stay one step ahead of IT defences. That is why regular training, in addition to complementary security tools which reinforce security best practice, can provide a fortified strategy for users to mitigate the threat of a cyberattack. Detection and prevention play a significant role in mitigating the threat from ransomware, but it shouldn’t be one or the other. The essence of a solid cybersecurity strategy is a layered defence that includes endpoint detection and response, email security, advanced threat protection, web security and a business-grade firewall for the security of your network – at the most fundamental level.