This blog was written by an independent guest blogger.
As the number of remote working arrangements rose substantially in the last year, cybercriminals were quick to take advantage of these new opportunities. Spam and phishing emails increased in number even more rapidly than telecommuting, and company cybersecurity officers found themselves struggling to keep up.
Phishing emails often came with a sinister sidekick - a ransomware attack. It is not surprising then that a recent survey of IT and cybersecurity officers revealed that ransomware attacks are the primary security concern for these professionals in 2021.
Organizations have good reason to be concerned about ransomware attacks. Not only are they highly effective, but often companies find that it is simply easier to pay the ransom than try to rectify the problem. This is far from the best solution as it encourages the criminals to continue their attacks, fails to provide any long-term sense of security for the organization, and may incur liability for the organization.
This article provides an overview of the rise of ransomware attacks and discusses how security professionals can prepare for and prevent attacks.
The anatomy of a ransomware attack
Ransomware is malware that, once it runs on a user's computer, enumerates the local drives and any reachable network shares and encrypts the files it finds. Depending on the variant, the user is then either locked out of the machine entirely and shown only a payment screen (locker ransomware), or left with a working machine whose files are unreadable and a ransom note explaining how to pay.
Ransomware attacks can take many forms, although the most common is to withhold access to the encrypted files, or to the machine itself, until a ransom is paid (almost always in cryptocurrency). More aggressive operators first copy sensitive data out of the network and then threaten to publish it (doxware, also called double extortion) or to delete it permanently.
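The encryption stage described above has a recognizable on-disk signature, and it is worth seeing what a defender's file-activity monitor can key on. The following is an added example, not code from the original article: encrypted output is statistically close to random, so its Shannon entropy approaches 8 bits per byte while documents and text sit far lower; combined with a changed file extension and a burst of rewrites by a single process, that is a usable detection signal. The events, process names (such as `svchost_update.exe`), the `.locked` extension and the thresholds are all constructed or assumed values, not taken from any real incident.

```python
"""Added example (not from the original article): the on-disk signature of the
encryption stage of a ransomware attack, as a file-activity monitor sees it.

All events, process names, extensions and thresholds below are constructed
sample data and assumed values, not taken from any real incident.
"""
import math
import random
from collections import Counter, defaultdict

ENTROPY_THRESHOLD = 7.5   # bits/byte; assumed: text ~4-5, ciphertext ~7.9+
MIN_FILES = 5             # assumed: flag a process after this many rewrites


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes) -> bool:
    """True when the content is as random as ciphertext (or a compressed archive)."""
    return shannon_entropy(data) >= ENTROPY_THRESHOLD


def _ext(name: str) -> str:
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def detect_mass_encryption(events, min_files=MIN_FILES):
    """events: iterable of (process, old_name, new_name, new_content).

    Returns {process: [new_name, ...]} for every process that rewrote at
    least min_files files with high-entropy content under a new extension.
    Any process is eligible; nothing here depends on the constructed names.
    """
    suspicious = defaultdict(list)
    for proc, old_name, new_name, content in events:
        if _ext(old_name) != _ext(new_name) and looks_encrypted(content):
            suspicious[proc].append(new_name)
    return {p: names for p, names in suspicious.items() if len(names) >= min_files}


# ---- constructed sample data ------------------------------------------------
_rng = random.Random(1)


def fake_ciphertext(n: int = 4096) -> bytes:
    """Stand-in for encrypted output: uniformly random bytes (seeded, so repeatable)."""
    return bytes(_rng.getrandbits(8) for _ in range(n))


PLAINTEXT = b"Quarterly report: revenue rose 4 percent over the prior period. " * 64

SAMPLE_EVENTS = (
    # a normal save by a word processor: same extension, low entropy
    [("winword.exe", "report.docx", "report.docx", PLAINTEXT)]
    # hypothetical ransomware process rewriting eight documents as .locked
    + [("svchost_update.exe", f"doc{i}.docx", f"doc{i}.docx.locked", fake_ciphertext())
       for i in range(8)]
    # a single legitimate compression: high entropy, but only one file
    + [("7z.exe", "archive.txt", "archive.txt.7z", fake_ciphertext())]
)


if __name__ == "__main__":
    for proc, names in detect_mass_encryption(SAMPLE_EVENTS).items():
        print(f"{proc}: {len(names)} files rewritten with encrypted content, e.g. {names[0]}")
```

Entropy alone is not a verdict: compressed archives, images and video are also near 8 bits per byte, which is why the check also requires a changed extension and a burst of such rewrites from one process before it flags anything. Production tooling typically adds canary files that no legitimate process should touch and responds by killing the process and isolating the host, but the signal it acts on is the one computed here.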
Ransomware reaches a user's machine by a number of vectors, the most common of which is a phishing email carrying a malicious attachment or link. Malicious websites and pop-ups are another route. Attackers also enter an organization's network directly through remote-access services left exposed to the internet without a VPN or multi-factor authentication in front of them (remote desktop is the usual target): they brute-force weak passwords on such services, log in as a legitimate user, and deploy the ransomware themselves.
Ransomware operators also exploit vulnerabilities in software, including flaws introduced in an organization's own applications during development. Those flaws should be hunted continuously rather than at a single release gate: static application security testing (SAST) analyzes the source code, and dynamic application security testing (DAST) probes the running application, so together they cover both the code you write and the behavior it has once deployed.
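The brute-force vector above leaves a very visible trail in authentication logs, and the detection is simple enough to show in full. This is an added example, not code from the original article: it runs over constructed sshd-style log lines (addresses from the documentation ranges, hostnames and usernames invented), flags a source once it accumulates a threshold of failed logins inside a sliding time window, and reports any later successful login from a flagged source as a probable compromised account. The threshold and window are assumed values to tune, and only the parser is tied to the sshd format.

```python
"""Added example (not from the original article): spotting the password
brute-force vector in authentication logs.

The log lines are constructed sshd-style samples, not from a real system;
only parse_line() is tied to that format. FAIL_THRESHOLD and WINDOW are
assumed values that a deployment would tune.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5                 # assumed: failures per source per window
WINDOW = timedelta(minutes=2)      # assumed: sliding window length

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line: str, year: int = 2021):
    """Return (timestamp, result, user, ip), or None for lines that are not
    password authentication results. Syslog lines carry no year, so one is assumed."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect_bruteforce(lines, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Returns (flagged, compromised).

    flagged:     {ip: failure count at the moment it crossed the threshold}
    compromised: [(ip, user)] for successful logins from an already-flagged source
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    flagged = {}
    compromised = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, ip = parsed
        if result == "Failed":
            q = recent[ip]
            q.append(ts)
            while q and ts - q[0] > window:     # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged[ip] = len(q)
        elif ip in flagged:
            compromised.append((ip, user))      # the guessing paid off
    return flagged, compromised


# constructed sample log: one guessing session from 203.0.113.7 that ends in a
# successful login as "backup", and one user who mistyped a password once
SAMPLE_LOG = """\
Mar 10 08:00:01 fileserver sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
Mar 10 08:00:03 fileserver sshd[2203]: Failed password for invalid user test from 203.0.113.7 port 50131 ssh2
Mar 10 08:00:05 fileserver sshd[2205]: Failed password for root from 203.0.113.7 port 50140 ssh2
Mar 10 08:00:07 fileserver sshd[2207]: Failed password for backup from 203.0.113.7 port 50152 ssh2
Mar 10 08:00:09 fileserver sshd[2209]: Failed password for backup from 203.0.113.7 port 50160 ssh2
Mar 10 08:00:12 fileserver sshd[2211]: Failed password for backup from 203.0.113.7 port 50171 ssh2
Mar 10 08:00:15 fileserver sshd[2213]: Accepted password for backup from 203.0.113.7 port 50180 ssh2
Mar 10 08:03:40 fileserver sshd[2290]: Failed password for alice from 198.51.100.4 port 41022 ssh2
Mar 10 08:03:52 fileserver sshd[2292]: Accepted password for alice from 198.51.100.4 port 41022 ssh2
Mar 10 08:04:00 fileserver sshd[2292]: pam_unix(sshd:session): session opened for user alice by (uid=0)
"""


if __name__ == "__main__":
    flagged, compromised = detect_bruteforce(SAMPLE_LOG.splitlines())
    for ip, count in flagged.items():
        print(f"brute force from {ip}: {count} failures within {WINDOW}")
    for ip, user in compromised:
        print(f"probable compromise: {user} logged in from flagged source {ip}")
```

The same sliding-window logic applies unchanged to an exposed Windows remote desktop service once the parser reads failed and successful logon events (IDs 4625 and 4624) instead of sshd lines. Detection is the fallback, though: the fixes the article goes on to recommend (no remote access reachable from the internet without a VPN and MFA, strong unique passwords, lockout policies) remove most of the signal by removing the opportunity.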
The prevalence of ransomware attacks
Overall, ransomware constitutes a small portion of all malware; however, it is among the most damaging forms of malware-based attack, as the financial and operational consequences can be devastating.
The FBI saw a 37% increase in the reporting of ransomware attacks from 2018-2019, and an associated increase of 147% in financial losses. Average ransom demands also soared, reaching nearly $200,000 by the end of 2019. And the total average business costs resulting from a ransomware attack (post-attack costs, lost business costs, new cybersecurity investments, etc.) reached nearly $4.5 million as of early 2020.
Exacerbating the concern is the fact that cybercriminals now offer ransomware-as-a-service (RaaS) and ransomware kits. Not only do they supply the ransomware itself, they also advise affiliates on how best to deliver it through themed social-engineering campaigns (for example, by suggesting fake dating apps around Valentine's Day).
Both the U.S. Government and cybersecurity organizations want organizations to just say no to paying a ransom, as payment only emboldens criminals for future attacks. Moreover, there is no guarantee that the cybercriminal will honor their side of the bargain if the ransom is paid. And there may be other consequences for an organization, even if they successfully recover access to their data.
Organizations that pay a ransom or "facilitate ransomware payments" (e.g. banks and payment intermediaries) may also unknowingly expose themselves to sanctions enforcement by the Office of Foreign Assets Control (OFAC) if the recipient turns out to be on OFAC's list of designated malicious cyber actors.
Effective prevention of ransomware attacks
There are a number of steps organizations should take to minimize the risk of a compromising ransomware attack:
Educate users about ransomware risks
Perhaps the most important effort is to educate employees about ransomware risks. Uneducated employees are one of the weakest points of any organization, and attacks are frequently targeted at these individuals.
Education should not only cover how to recognize potential malware, but should begin at a more fundamental level, with user passwords. Organizations can no longer afford to place user convenience over the security afforded by strong, unique passwords and multi-factor authentication (MFA).
The more users understand about the reality and the magnitude of cybersecurity risks to the organization (and thus potentially their own employment), the more likely they will get on board with protective measures.
Use email filters and website blocking tools
Sometimes, despite an organization’s best efforts, employees continue to engage in risky behavior. It is therefore important for the organization to limit employees’ ability to do so. Proper implementation of spam filters and website blocking tools can significantly reduce the number of opportunities for employees to interact with ransomware.
Use of artificial intelligence and machine learning to train filtering algorithms can also increase the robustness of an organization’s ransomware defense.
Update software quickly
Failure to update software in a timely manner has exposed innumerable individuals and businesses to attack, and software vendors have struggled for years to get customers to apply patches, yet failure to update remains an all-too-common problem.
Organizations often have legitimate concerns about reliability of updates, but they must balance these concerns against the substantial security risks of out-of-date software. Software patches should be applied as they are made available, particularly when the patches address security issues.
Have multiple redundant data backups
While redundant backups will not prevent a ransomware attack, they can spare an organization from having to pay in a locking-style attack: in the worst case, a device can be wiped and rebuilt, as long as the data is recoverable. Two conditions make that true in practice. At least one copy must be kept where the ransomware cannot reach it (offline or immutable storage, not a share mounted from the infected network, since modern ransomware deliberately looks for and encrypts or deletes reachable backups), and restores must be tested regularly, because an untested backup is only a hope.
Unfortunately, backups are no help against doxware, where the criminal has already copied the data and threatens to release it; that threat can only be reduced by limiting what an attacker can reach and exfiltrate in the first place.
This is by no means an exhaustive list of anti-ransomware efforts, and prudent organizations will include outside cybersecurity professionals in full planning of their cybersecurity program. Organizations that have suffered a ransomware attack should also report it to the proper authorities.
IT professionals are rightfully concerned about the potential impact of ransomware on their organizations in 2021. But taking a few basic steps such as educating users, securing networks, implementing spam filters, and updating software can go a long way towards minimizing the risk. Use of more advanced tools, including AI and machine learning, can also reinforce these efforts, further reducing the burden on professionals.