For cybercriminals using ransomware as their weapon of choice, 2018 was a great year. In fact, the overall number of attacks that specifically targeted businesses went up, and the last part of 2018 saw ransomware figures hit an all-time high, along with the size of the ransoms demanded. There’s no doubt that the use of ransomware continues to evolve. As a result, small and medium-sized businesses (SMBs) are particularly vulnerable: during the final quarter of 2018, 71 per cent of ransomware attacks were on SMBs. Some commentators suggest that by the end of 2019, a business will be hit with ransomware every 14 seconds.
Not all ransomware attacks are successful, but those that are can be catastrophic for victims and can easily cripple a business. Ransomware locks and/or deletes data, which is now the lifeblood of most organisations. Victims are left unable to function and even those who pay the ransom may never see their data again — some ransomware is coded in such a way that recovery of the data is impossible.
Financial losses through downtime, ransom payments and data loss are not the only penalties: some ransomware is accompanied by trojans to hack banking and login credentials, while reputational damage can deter potential customers and clients for years after the attack.
So, with ransomware criminals now playing a high-stakes game of cat and mouse with their targets, where do businesses go from here?
Tackling ransomware head-on
Businesses cannot solve problems they do not recognise, so the first step in tackling ransomware is greater awareness. Ransomware is a moving target, with threats and points of entry changing regularly, so it’s important to develop an understanding of the subject and keep up to date.
This applies not only to management but to all staff: e-mail attachments, links, insecure websites, downloads and malicious ads are all vectors through which ransomware enters systems, so everybody in the organisation must know how to handle them.
Operating systems and all software must be kept regularly patched and updated, and all data regularly backed up. The 3-2-1 rule is helpful: have at least three copies of data, stored in at least two locations, of which at least one should be offline.
It is also a good idea to keep an eye on account privileges: malware tends to operate at the level of the user who launched it, so limiting account privileges cuts the risk of ransomware spreading.
To RDP or not to RDP?
Remote Desktop Protocol (RDP) is a convenient way of operating and administering work computers remotely, and generally safe, provided it is secured properly. Left unsecured, RDP can easily become the cybercriminal’s point of entry.
It is sensible for businesses to consider whether they need RDP at all, and if not, to disable it (RDP comes pre-installed on Windows and is available for other operating systems). If RDP is essential, it should be used as safely as possible. That means enabling Network Level Authentication (NLA), mandating strong passwords, securing the network from internal and external attacks and limiting the use of RDP to those users who really need it.
However, while RDP is a popular entry point for ransomware, it is not the only one. Most malware attacks, via RDP or any other means, are brute force attacks, so the usual precautions (strong passwords, multi-factor authentication, restricting the use of untrusted devices, minimising privilege levels, particularly for accounts that connect to the internet, etc.) are more important than ever, for RDP users and non-users alike.
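The RDP checks described above (is RDP needed at all, is NLA enforced, who may connect) can be audited on a Windows host with a short script. This is an added example, not code from the article or from Zyxel; it assumes Windows PowerShell 5.1 or later run as an administrator, and reads the documented Terminal Server registry values.

```powershell
# Added example: audit a Windows host's RDP posture against the advice above.
# Run with -Remediate to switch on NLA where it is missing; otherwise report only.
param([switch]$Remediate)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = Join-Path $tsKey 'WinStations\RDP-Tcp'

# fDenyTSConnections = 1 means Remote Desktop is disabled on this host.
$denyConnections = (Get-ItemProperty -Path $tsKey -Name 'fDenyTSConnections').fDenyTSConnections
# UserAuthentication = 1 means Network Level Authentication is required
# before a session (and the logon screen) is ever created.
$nlaRequired = (Get-ItemProperty -Path $rdpTcp -Name 'UserAuthentication').UserAuthentication

$findings = @()

if ($denyConnections -eq 1) {
    $findings += 'OK: Remote Desktop is disabled on this host.'
} else {
    $findings += 'WARN: Remote Desktop is enabled; disable it if it is not needed.'

    if ($nlaRequired -ne 1) {
        $findings += 'FAIL: NLA is not required; unauthenticated clients reach the logon screen.'
        if ($Remediate) {
            Set-ItemProperty -Path $rdpTcp -Name 'UserAuthentication' -Value 1
            $findings += 'FIXED: NLA is now required for new connections.'
        }
    } else {
        $findings += 'OK: NLA is required.'
    }

    # Members of "Remote Desktop Users" (plus local administrators) may connect;
    # the article advises keeping this list to those who really need it.
    $members = @(Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue)
    $findings += "INFO: $($members.Count) member(s) of 'Remote Desktop Users': " +
                 (($members | ForEach-Object Name) -join ', ')

    # Enabled inbound rules in the built-in "Remote Desktop" firewall group show
    # which network profiles accept RDP; an active Public profile is the risky one.
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -Direction Inbound -ErrorAction SilentlyContinue |
        ForEach-Object { $findings += "INFO: inbound rule '$($_.DisplayName)' active on profile(s): $($_.Profile)" }
}

$findings
```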
Every ransomware cloud has a silver lining
With high volumes of data migrating to the cloud, and an increasing use of Software-as-a-Service, it is easy to think of the cloud as a safe haven for data. This is true up to a point: the cloud is a good repository for part of any data backup (according to the 3-2-1 rule, described above). But malware attacks the cloud, too. Syncing local files (especially shared files) from an infected machine to the cloud may allow the ransomware to spread. At that point you may be able to restore an earlier version of your files, but probably little else.
Furthermore, cybercriminals are attacking cloud services directly: in 2016, Cerber ransomware attacked the Microsoft Office 365 cloud service, and in 2017 Microsoft acknowledged a huge increase in attacks on its cloud-based provision. That’s why it is as important to scan and secure cloud-based systems and services as it is to secure local networks and machines.
Organisations can install security provision on cloud servers and cloud storage, but often, particularly at SMB level, they have outsourced these services. In that case, the organisation must make sure it is working with a partner that provides a suitable level of protection, asking them for details of the systems used, their detection rate, the speed at which the deployed tools detect ransomware and their file loss rate. If the provider cannot answer these questions satisfactorily, it may be time to look elsewhere.
Ransomware is an evolving threat to organisations of all sizes, but particularly SMBs, which are currently being targeted and are even more vulnerable to the financial ramifications. Ransomware causes catastrophic damage and has been known to bring SMBs to their knees. SMBs must employ the 3-2-1 rule for regular data back-ups and continue to enforce the traditional rules of security: use strong passwords, restrict untrusted devices, only use administrator accounts to access the network where this can’t be avoided, and use multi-factor authentication.
No stone can be left unturned, and the same is true where SMBs use a third party to provide networking services. There must be an open and honest conversation between both parties regarding levels of security, including but not limited to cloud security, so SMBs can be confident that their security processes and protocols meet their needs both now and in the future. Businesses of all sizes must face the reality that it is not a question of if, but when, they will be targeted by a ransomware attack. As such, security is no longer a nice-to-have; it is a must.
Thorsten Kurpjuhn, European Security Market Development Manager, Zyxel