Ransomware is not the hottest topic around right now. But that may be deceptive as to its proliferation, because figures show it is still very much alive and kicking.
It only takes a quick glance at the rest of the world to see the devastating effects ransomware attacks can have on public and private sector organisations. Attackers are continuing to increase the precision of their targets, particularly homing in on key businesses and government entities. This has resulted in countless organisations being driven offline, resulting in ineffective operations and huge financial losses for businesses. The US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (DHS CISA) has even called it "the most visible cybersecurity risk" attacking American IT systems.
This level of “visibility” is, in part, because a simple click of a button from just one employee could disable thousands of servers and cause weeks of disruption for millions of customers and service users.
For example, an incident with the Baltimore City government last year demonstrates the after-effects of a successful ransomware attack only too well: two weeks of function loss in systems and a ransom of $100,000 to cough up. Similarly, New Orleans City systems were down for weeks in December 2019 following a successful ransomware attack. Elsewhere, more than 20 local governments in Texas were targeted in a similarly effective and coordinated attack back in August 2019.
The reason local governments are under fire is simple. Safe online services are essential for small borough councils meaning they’re a valuable bargaining chip for hackers. And despite differing approaches to tackling and reporting on the issue, public organisations in the UK are clearly facing similar threats. Last month, a ransomware attack on Redcar and Cleveland council’s systems kept them offline for nearly three weeks.
Although safe online services are vital, the resources or budget rarely exist to adequately protect them. Those with rudimentary operations and budgetary constraints are on shaky ground.
Respect the risks of ransomware
It may be tempting to submit to a ransom, but it is not advisable. Hackers will often come back for more as a result, promoting a culture of acceding to demands. Either way, the cost of a ransomware attack is potentially huge: you’ll either be paying the attackers a king’s ransom in Bitcoin, throwing away vast sums of money in order to get access your organisation’s vital systems, or coughing up millions to recover from the damage.
Despite the far-reaching and devastating consequences of this kind of attack, it is important not to lose sight of the basics. Public sector organisations must implement some key steps if they are to confront ransomware head on. These include:
- Leave no cybersecurity stone unturned. Cybercriminals are masters of locating and taking advantage of weaknesses. If there is an unstable link in a chain, they’ll find it. Smaller councils might have limited budgets, but strong cybersecurity measures are necessary, and they must cover every possible angle of attack. Organisations that cut corners will only end up paying a hefty price further down the line, wishing they had invested more scrupulously earlier on.
- Multi-factor authentication for multi-layered protection. Locking down internet-facing logins with robust authentication is the first step to protecting against ransomware. Multi-factor authentication is recommended above all else – being one of the most effective first-level of security currently available. At the very least, make sure default passwords and known leaked credentials are immediately addressed. Times have changed, and these types of lapses in security will no longer go unnoticed, or unexploited, by marauding cybercriminals.
- Always have a Plan B. Backups must cover all critical systems and areas of personal data. They should also be kept ‘offline’ to safeguard against ransomware infection. Regular disaster recovery simulations are advisable to ensure that you’re prepared for the worst-case scenario.
- Network topography. Networks should be assembled and structured like a staircase, with each step providing an extra layer of security. Networks designed with flat structures will end up more like travellators aiding the movement of a cyber-attack, allowing hackers to swiftly move from system to system using the same access controls for all.
- Raise awareness. According to the F5 Labs 2019 Phishing and Fraud Report, as many as 71 per cent of analysed phishing sites use HTTPS to appear more legitimate. The most impersonated brands and services are Facebook, Microsoft Office Exchange, and Apple. Arm your workforce with insight on ransomware attack consequences and the red flags to look for. As a priority, raise awareness on phishing techniques. Employees should always question attachments and links as a matter of good practice and habit. All it takes is one individual to click a loaded link, and the whole system could be compromised.
- Scanning and filtering internet traffic. Malware is mostly hosted on well-known sites. It is therefore critical to decrypt SSL/TLS traffic to ensure security controls can assess and view the content. Measures like this can be the difference between blocking an attack or allowing it to infiltrate the network. Having visibility provides control. Having control strengthens defences. Better defences decrease the chance of successful attacks by securing your organisation’s functions.
Ransomware has long disrupted local governments and councils both in the US and the UK, and attackers are showing no sign of slowing down. As long as a specific method or technique is continuing to turn profit effectively, cybercriminals will continue to make use of it.
Whether a number one threat or not, we know that ransomware is a significant enough problem to warrant consideration in most organisations’ risk analyses. In fact, considering the direct financial costs associated with operational downtime, the costs of ransomware defensive controls should be easier to justify than protections against more nebulous attack impacts, such as reputation loss from data breach. In the end it all comes down to prioritisation.
It always pays to be ready. Keeping everything safe requires several dissimilar, overlapping barriers in place to slow down or stop known attack vectors. However, the first line of defence is always to stop an attack from landing on any system in the first place.
David Warburton, Senior Threat Research Evangelist, F5 Networks