IBM has recently reported that the number of ransomware attacks in the second quarter of this year more than tripled compared to the previous quarter. According to the report, ransom demands are increasing exponentially, from an average of $1,200 per attack just a few years ago to over $40 million today. The reality is that any organization, whether large or small, might fall victim to attackers. In fact, small businesses can be even more vulnerable than enterprises: because of their weaker cyber security defenses, SMBs can become an easy target for cybercriminals. Furthermore, once hackers get them on the hook, organizations can feel they have no option but to pay; yet paying the ransom offers no guarantee that an organization will get its data back.
New reality brings new risks
One of the reasons ransomware is growing is that malicious actors have changed their tactics. Today they not only hold data hostage but also threaten to expose it publicly, which in most cases leads to draconian GDPR fines and a loss of customer trust. Another reason such attacks are becoming widespread is the increasing availability of 'ransomware-as-a-service', which enables more and more “wanna-be threat actors” without technical skills to conduct attacks in exchange for a royalty paid to the malware owner.
Additionally, malicious actors have learned to take advantage of the uncertainty surrounding the pandemic. The growing use of digital communication tools has opened doors for them: far more instructions and requests now arrive via email or chat, and either channel can be spoofed or compromised. Consider an employee who receives an email from someone they believe to be their manager, asking them to install an “essential software patch” before an important meeting that morning. Many employees would feel compelled to comply so as not to let their boss down. You can imagine the disaster that would ensue if that “patch” were actually malware.
Another issue that arose due to Covid-19 is the need to balance the trade-off between security and availability created by the requirement to move employees to remote work while ensuring business continuity. In fact, the recent Netwrix 2020 Cyber Threats Report found that 85 percent of CISOs stated that they sacrificed cybersecurity to enable employees to work remotely. Such security gaps (e.g., vulnerabilities in VPN appliances), if left unaddressed, can easily be exploited by attackers.
Mind cyber security fundamentals
While no technology can guarantee 100 percent protection against ransomware, paying attention to the fundamentals of cyber security and applying a holistic approach is the most efficient strategy. Sometimes this requires focusing on the mundane: vulnerability management and patching, network segmentation, endpoint security, anti-malware technologies, email security, and employee training. The key point is to perform these activities with thoroughness and integrity. For example, simply turning on email spam filters is not enough; it is necessary to understand them and fine-tune them for the types of spam specific to the organization. Similarly, formally arranging cyber security awareness training for employees is not enough. Rather, it is important to ensure that training is relevant to each job function and that everyone understands the scale of damage a single mistake might cause to the organization’s business if a particular account is compromised. It is also important to consider the specifics of remote work and to establish secure remote access, since the NCSC notes that insecure RDP configurations are frequently used by ransomware attackers to gain initial access to victims’ devices. All in all, only a combination of processes, technologies, and communication can help organizations minimize the risk of ransomware attacks.
Stay vigilant and be ready to respond
The conventional wisdom among cyber security experts is that the secure enterprise is a myth. The goal of any program is simply to ensure that your enterprise is more secure today than it was yesterday. Given the increased cost of ransomware during recent months, we can now assume that this risk has regrettably become even higher than before. Therefore, organizations should employ additional security controls that let them identify an attack at an early stage, and have a detailed plan to minimize the damage.
Since the introduction of GDPR, personal data has become one of the main targets of cybercriminals, so it is essential that an organization is able to reduce its attack surface by limiting access to sensitive data and regularly revoking excessive privileges. To do that, an organization needs to identify what types of data it stores and where they reside, and be able to easily reduce data overexposure. This will save an organization from significant damage when ransomware breaks into its systems: the malware will only be able to reach the smaller amount of data permitted to the particular compromised account, rather than compromising the entire network and data storage.
One of the key aspects that enables an organization to react quickly to security incidents and mitigate them is auditing. In fact, ransomware intrusion attempts are accompanied by anomalies in user behavior. These can range from failed logon attempts to large-scale file copies or modifications. Other anomalies worth noticing, especially during the remote work era, are VPN logon attempts from atypical geographical locations and access attempts outside working hours; a combination of both is a significant warning sign. It is important that an organization is able to flag such anomalies so the IT security team can react immediately.
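As an added illustration of the anomaly checks named above (this is not code from the article or from Netwrix), here is a small Python detector run over constructed sample VPN and file-server audit lines; the per-user country baseline, the working hours and the thresholds are assumed values:

```python
from collections import defaultdict
from datetime import datetime

WORK_HOURS = (8, 18)                  # local working day: start inclusive, end exclusive
FAILED_LOGON_THRESHOLD = 3            # failed VPN logons per user before alerting
MASS_WRITE_THRESHOLD, MASS_WRITE_MINUTES = 100, 5   # file modifications per fixed time bucket
BASELINE = {"alice": {"GB"}, "bob": {"GB", "DE"}}   # assumed: countries each user normally uses

# Constructed sample VPN log lines (timestamp,user,country,result); not real data.
VPN_LOG = """2020-09-14T09:02:00,alice,GB,success
2020-09-14T02:47:00,bob,RU,success
2020-09-14T10:10:00,alice,GB,failure
2020-09-14T10:11:00,alice,GB,failure
2020-09-14T10:12:00,alice,GB,failure"""
# Constructed file-server audit lines (timestamp,user,action,path): 120 writes inside two minutes.
FILE_LOG = "\n".join(f"2020-09-14T02:{50 + i // 60}:{i % 60:02d},bob,modify,/finance/doc{i}.xlsx"
                     for i in range(120))

def parse(log):
    """Split CSV-style audit lines into (datetime, user, field3, field4) tuples."""
    return [(datetime.fromisoformat(ts), u, a, b)
            for ts, u, a, b in (line.split(",") for line in log.splitlines())]

def vpn_alerts(log):
    """Flag failed-logon bursts, atypical countries and off-hours logons; both together rate high."""
    alerts, failures = [], defaultdict(int)
    for ts, user, country, result in parse(log):
        if result == "failure":
            failures[user] += 1
            if failures[user] == FAILED_LOGON_THRESHOLD:
                alerts.append((user, "repeated failed logons", "medium"))
            continue
        reasons = []
        if country not in BASELINE.get(user, set()):
            reasons.append("atypical country")
        if not WORK_HOURS[0] <= ts.hour < WORK_HOURS[1]:
            reasons.append("off-hours logon")
        if reasons:
            alerts.append((user, " + ".join(reasons), "high" if len(reasons) == 2 else "low"))
    return alerts

def mass_write_alerts(log):
    """Count modifications per user in fixed MASS_WRITE_MINUTES buckets; alert on a full bucket.
    (A burst straddling a bucket boundary is split; a sliding window would catch that too.)"""
    buckets = defaultdict(int)
    for ts, user, action, _path in parse(log):
        if action == "modify":
            buckets[(user, ts.date(), (ts.hour * 60 + ts.minute) // MASS_WRITE_MINUTES)] += 1
    return [(user, f"{n} modifications within {MASS_WRITE_MINUTES} minutes", "high")
            for (user, _day, _bucket), n in buckets.items() if n >= MASS_WRITE_THRESHOLD]
```

Feeding real VPN and file-audit exports through the same two functions gives a first-pass triage list; the high-severity combination of an atypical country and an off-hours logon is the signal the text singles out.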
It is also essential that organizations make frequent and comprehensive backups so that they can wipe their systems and reinstall from a known and trusted source. Maintaining a secondary offline backup copy is also useful, as even the most severe ransomware attack cannot affect storage on drives that are disconnected from other systems.
Yet although backups are indeed important, they are not a silver bullet against the new attack scenario that includes blackmail. Therefore, organizations must prepare a remediation plan for the event that sensitive personal data is made public. This plan must include immediate notification of the authorities, investigation of the root cause, and communication with the affected individuals. The ability to quickly communicate with all involved parties and provide clear answers will count in an organization's favor when the Information Commissioner's Office (ICO) applies the fine that, sadly, always follows such a breach.
Organizations can expect that both attackers and defenders will continue to build up their arsenals. However, disastrous breaches start with basic gaps in an organization’s cyber security posture. While it is important to have an up-to-date toolset, organizations still need to address the cyber security essentials. As the IT environment becomes more and more challenging, organizations will eventually find themselves in constant response mode; this will drive their need for solutions that make response easier, faster, and more thorough.
Michael Paye, CTO, Netwrix