When it comes to Ransomware preparedness, complacency is no longer an option

If you were to believe the hype in some of the recent press coverage, cyber attacks, and more specifically some of the malicious software (malware), are getting dangerously clever. So clever, in fact, that you might be tempted to rename your web browser and email icons from their default names to “do not click here.” 

In the most publicized of recent attacks, those snarky cybercriminals used software that included functions to set about encrypting the file contents, to then offer to restore them in return for a ransom payment. Ransomware, as it is called, is the most-discussed cyber term in the first half of 2017. 

So, what is the reality behind ransomware? After the WannaCry and NotPetya attacks, ISACA, a global business technology association with more than 130,000 members, set about conducting a micropoll on the topic of ransomware. Around 450 technology-minded professionals responded, and these are some of the highlights: 

 25% of respondents indicated that their organizations are unprepared to tackle ransomware: 

  • 25% of respondents indicated that their organizations are unprepared to tackle ransomware
  • 17% Not sufficiently prepared 
  • 5% Totally unprepared 
  • 3% Unsure. 

Encouragingly, the rest of the respondents did believe that their organizations were either highly or somewhat prepared to tackle a ransomware attack. That sentiment appears to be reflected in discussions at ISACA conferences and within chapters, too. 

  • 27% were in organizations that had experienced a ransomware attack. 

Most information security practitioners, including our ISACA members, are very clear about how high the current cyber threat levels are and understand the basic security measures that need to be in place to reduce the likelihood of successful attacks. However, persuading the executive decision-makers about the level of risk and required countermeasures can sometimes be a problem. Boards are usually very open to investment in cyber security after a major outage, but that is often too late, especially for many small and medium size businesses. 

Do you think your organization would pay ransomware? 

  •  72% No 
  • 6% Yes 

When it came to paying up, only 72% of respondents provided an outright ‘No’, with the remainder of respondents unsure or confirming that the ransom might get paid. Although 6% is a low number, it is in fact still too high and partially explains some of the motivation behind the increase in ransomware attacks. Even if only a few percent of ransomware attacks generate income, that still makes it a very lucrative activity. 

In fact, although someone made off with at least $8,000 in BitCoin payment following the NotPetya attack, it turned out that the software was not really ransomware, anyway. It was instead a wiper, a form of malware designed to make the data on a device unrecoverable (unless you had a secure back-up). Any organization that paid the ransom for either WannaCry or NotPetya never got anything in return. 

The message here is that it is never worth paying any ransomware demand: 

  • It is unlikely you will get your data restored if you pay. 
  • Payment encourages more ransomware attacks. 
  • Organizations that do pay are more likely to get targeted again and again. 

Of the survey respondents, about half stated that their organizations had taken steps to further improve security after the WannaCry attack and 28% had implemented additional precautions after NotPetya. 

If you look at the footprint of the recent attacks, the majority of organizations already had implemented sufficient basic security measures, such as using supported operating systems with the latest software updates in place. Simple measures like this, and also taking regular, secure back-ups of valuable information, meant that most organizations were not at substantial risk from the most recent attacks.    

Just how quickly are organizations updating their software with the latest patches from manufacturers? According to the ISACA poll result: 

  • 23% Within 24 hours of release 
  • 29% Within one week of release 
  • 20% Within one month of release 
  • 10% Between one and three months after release 
  • 4% More than three months after release 
  • 4% We do not routinely patch our devices 
  • 4% Unsure 

It is worth remembering that whenever a new software update is available, whatever vulnerabilities the patch is addressing also becomes known to potential attackers. Cyber criminals, hacktivists and other threat actors usually have access to an exploit kit within 24 hours of the patch being available.  However, the results above look much more encouraging than in the past.  

WannaCry highlighted the reasons that delaying the deployment of software updates can create very high risk, because that attack only impacted unpatched or out-of-date operating systems. One of the improvements that most organizations are now making is to significantly accelerate their patch management processes. 

What was particularly striking about the recent attacks was that the malicious software was loaded with as many basic exploits as possible. Those exploits (both times) included the ability for the attack to spread rapidly through inadequately secured networks.   

With basic security practices improving quickly at most organizations, will that prompt a decline in the use of ransomware? According to the ISACA poll, that is not likely to happen anytime soon. A whopping 83% of poll respondents expected ransomware to become even more prevalent in the second half of 2017. 

The simple reality is that none of us, as individuals or as organizations, can afford to be complacent about out cyber security hygiene anymore. The threat level is extremely high for anyone not following basic security steps.    

And what if you don’t want to follow basic security advice? Well, you could always rename your Internet browser icon to “Abandon Hope, All Who Enter.” 

ISACA (isaca.org) is a global association helping individuals and enterprises achieve the positive potential of technology by equipping professionals with the knowledge, credentials, education and community to advance their careers and transform their organizations.   

Raef Meeuwisse, ISACA Governance Expert, Director of Cyber Simplicity Ltd. and author of “Cybersecurity for Beginners” 

Image Credit:  WK1003Mike / Shutterstock