
Understanding the ransomware threat in times of the Covid-19 pandemic


The pandemic has undoubtedly affected the security posture of businesses today and in the future. Partly resulting from the need to shift workloads to the cloud, there has been an increase in the number of ransomware attacks and resulting damage to businesses over the past year. According to a recent survey conducted by Datto, 42 percent of European managed service providers (MSPs) said remote working due to Covid-19 had resulted in more ransomware incidents. The surveyed MSPs agreed that the fast adoption of cloud applications, and working from home during the lockdown, both came with increased security vulnerabilities.

Datto’s annual study, the Global State of the Channel Ransomware Report, also revealed a growing impact of ransomware on businesses at a time when many organizations are struggling to adapt to the uncertainty caused by the pandemic. While the average ransom demanded has stayed roughly the same year on year, the cost of system and business downtime related to ransomware incidents has nearly doubled since 2019. This figure is, on average, now a staggering 50 times greater than the ransom itself, increasing from $46,800 to $274,200 over the past two years – meaning many small businesses would struggle to survive a major ransomware attack.

Globally, more than 1,000 MSPs weighed in on the impact Covid-19 has had on the security posture of small and medium-sized businesses (SMBs), along with other notable trends driving ransomware breaches.

Ransomware recognized as number one malware threat

Datto’s report highlights how ransomware remains the most common cyber security threat to SMEs. Over three quarters of MSPs stated that their SME clients had been hit by ransomware in the past two years, with 60 percent saying their clients were affected in the first half of 2020 alone.

At the same time, cyber criminals are increasingly targeting MSPs themselves, too: 95 percent of MSPs saw their own businesses as more at risk. Likely due to the increasing sophistication and complexity of ransomware attacks, almost half of MSPs now partner with specialized Managed Security Service Providers for IT security assistance. The purpose of these partnerships is to help protect both their clients and their own businesses.

Perhaps indicating that awareness of the ransomware threat is growing, half of the surveyed MSPs said that their clients had increased their IT security budgets in 2020. However, despite spending more on security, ransomware still manages to bypass antivirus solutions such as email-, network- and web-based anti-malware filtering. In addition, many businesses have failed to close basic security gaps that leave their network wide open to attackers. Often, users remain the weakest link in an organization’s security posture – phishing (54 percent), poor user practices or gullibility (27 percent), lack of end user security training (26 percent) and weak password and access management (21 percent) all continue to be the main causes of successful ransomware attacks.

Most common attack vectors

The Datto survey revealed the top three ways in which ransomware attacks businesses. As in previous years, phishing emails remain the most common entry point. Over half of MSPs reported malicious emails as the most successful tactic used to deliver ransomware. These emails continue to evade defenses because they have become harder to recognize, for example, posing as internal messages. In addition, the social engineering tactics used by attackers to deceive their victims have become so sophisticated that targeted spear-phishing emails can now be virtually indistinguishable from legitimate emails.

Cyber criminals can gather a wealth of information about their victim from posts shared on social media, fake market research phone calls and other easily available data. Armed with this personal information, they custom build spear-phishing emails using spoofed single sign-on pages, and mask phishing URLs with Unicode to make their fake email look entirely real.
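As a defensive illustration of the Unicode masking described above, the following added example (not part of the original article or of Datto's report) flags link hostnames that contain punycode, non-ASCII characters or letters from more than one script. The function names and sample URLs are constructed for this sketch, and the script check is a heuristic based on Unicode character names.

```python
import unicodedata
from urllib.parse import urlsplit


def label_scripts(label):
    """Scripts used by the letters of one hostname label.

    The script is approximated by the first word of the Unicode character
    name (LATIN, CYRILLIC, GREEK, ...), which needs no third-party data.
    """
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}


def decode_label(label):
    """Return the Unicode form of an xn-- (punycode) label, else the label."""
    if label.startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label  # malformed punycode: leave as-is
    return label


def inspect_url(url):
    """Return sorted reasons a URL's hostname deserves a closer look."""
    host = urlsplit(url).hostname or ""  # hostname is already lower-cased
    reasons = set()
    for raw in host.split("."):
        label = decode_label(raw)
        if label != raw:
            reasons.add("punycode")
        if not label.isascii():
            reasons.add("non-ascii")
        if len(label_scripts(label)) > 1:
            reasons.add("mixed-script")
    return sorted(reasons)


# Constructed samples (not real indicators); U+0430 is Cyrillic "a".
LOOKALIKE = "ex\u0430mple"
SAMPLES = [
    "https://login.example.com/sso",
    "https://" + LOOKALIKE + ".com/sso",
    "https://xn--" + LOOKALIKE.encode("punycode").decode("ascii") + ".com/sso",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(ascii(sample), inspect_url(sample))
```

A legitimate internationalized domain written in a single script is reported only as "non-ascii", so the "mixed-script" reason is the stronger signal for mail-filter or proxy triage.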

Cloud applications under threat

Second on the list of attack types are ransomware campaigns targeting Software-as-a-Service (SaaS) applications. Nearly one in four of the surveyed MSPs reported ransomware attacks on their clients’ SaaS applications, with Microsoft 365 hit the hardest (64 percent), followed by attacks on Dropbox (54 percent) and Google Workspace (25 percent). Businesses will need proper recovery and continuity plans for those collaboration platforms, as the data suggests they present an increasingly attractive attack surface for threat actors.

When it comes to the endpoint systems most targeted by ransomware, the majority of attacks seen by MSPs affected Windows PCs (91 percent), closely followed by Windows Server (76 percent). While ransomware may enter a network via a phishing email, it doesn’t take long before the malware spreads across a company network to infect other systems. A business continuity solution that can recover server workloads locally or in the cloud is therefore critical to minimize business interruption following an attack.

Reducing the risk

With cloud adoption accelerating and cyber criminals constantly refining their methods, it is expected that the ransomware threat will only grow and evolve further. In fact, 92 percent of the surveyed MSPs predicted that ransomware attacks will continue at current, or worse, rates over the next few months.

So, what should IT professionals do to prepare and take action?

The first step is to tighten your security controls. With many businesses still working remotely, ensure you have done everything you can to maintain the highest security standards. This includes understanding how employees are connecting to the company network, and limiting the use of personal devices as well as the use of business devices for personal activities. Adequate defenses must be deployed to workstations and VPNs, so revisit security basics and software patching practices across all endpoints. Additionally, encourage the use of secure password managers or two-factor authentication to remove one of the most common entry points for would-be intruders.

Enhancing cyber security training is of vital importance and must go above and beyond identifying the most basic phishing emails. Every employee should understand their own responsibilities in preventing cyber attacks – including following good password hygiene at all times, not opening suspicious links or attachments, not posting sensitive information on social media, and reporting any signs of malicious activity to the IT department.

Business continuity is key

While security software and training are essential to prevent attacks before they happen, a multi-layered security approach must also include a solid business continuity strategy for when other security measures fail. A business continuity and disaster recovery (BCDR) solution is the secret weapon that enables organizations to resume normal operations quickly.

MSPs agree that BCDR remains the number one tool for combating ransomware, with 91 percent of MSPs reporting that clients with such solutions in place are less likely to experience prolonged downtime during an attack. In addition, restoring from backups has become more prevalent over the last year. In a sign that MSPs have matured their recovery methods, re-imaging a machine from a backup – rather than rebuilding it from scratch – is now the number one ransomware recovery method of choice, as it is significantly faster.

Finally, insider threats are likely to continue to increase – whether deliberate or accidental. To stop the threat of employees willing to cooperate with hackers, identify those staff members who are potentially most vulnerable. If needed, increase monitoring of users’ endpoints, lower the threshold for triggering security alerts and carefully monitor shadow IT to understand where data is entering and leaving your environment.

It is also a good idea to put controls around any tools accessed by employees, including chat platforms that haven’t been permitted for use. Collaboration tools have seen a surge in popularity, but pose a new risk because most users will automatically assume that content they receive and share on these platforms is safe.

The pandemic – and with it, the sea change in working practices – has brought a multitude of new challenges. For businesses, understanding the possible implications for their own cyber security posture and the change in threat patterns is the first step. With a solid security strategy that tightens every single layer of defense, organizations can adapt and, ultimately, minimize damage from ransomware and other threats.

Ryan Weeks, CISO, Datto