Ransomware is big business. Recent research has found that, in response, companies are piling significant resources into disaster recovery (DR) solutions. The ransomware threat is undoubtedly real – with a SonicWall 2019 report finding that the UK is subject to the largest volume of threats, experiencing around 13 million attacks each year.
Among those falling victim to attacks are small and medium businesses but also enormous national and international organizations. The list of organizations targeted varies wildly, from universities such as Oxford and Newcastle to household brand names such as Travelex and Canon. In a world where companies big and small are targets for extortion by ransomware attackers, it would make sense to ensure that a company has a disaster recovery solution in place – but not to the exclusion of all other precautions, including prevention.
One of the ‘best’ things about being the victim of a ransomware attack is that if you pay the ransom, you’re overwhelmingly likely to get your data back. According to Sophos, only 1 percent of organizations that cough up don’t get their data back. But the flip side of the coin is that paying the ransom usually doubles the cost of dealing with the ransomware attack. Indeed, Sophos’ 2020 State of Ransomware report calculated that the cost to resolve a ransomware attack – including downtime, people-power, device cost, network cost, lost opportunity, ransom paid, etc. – averaged out at $732,520 for organizations that don’t pay, rising to $1,448,458 for those which do hand over the cash (bitcoin).
This is not to recommend handing over money to criminals – thus encouraging future attacks – nor to diminish the damage that such cybercriminals can inflict on those who refuse to pay. One heart-breaking case from the US involved a two-person medical office in Michigan, which refused to pay a demand of $6,500 for stolen medical records, bills and appointments including backups. The impact was devastating, and the owners had to sit in their office turning away those showing up for appointments. The doctors closed their doors shortly afterwards. This kind of thing happens to huge corporates too: when Travelex paid its own ransom it cited the damage caused by the attack as a key factor in the company going into administration just a few months later.
Adopting a fatalistic attitude
These examples demonstrate that the road to data recovery post-ransomware attack is a road best left untrodden. With almost half of UK businesses suffering some kind of cyber-attack in the past year, many organizations would be forgiven for adopting a fatalistic attitude. Indeed, for many this focus on disaster recovery solutions betrays a lack of confidence in other methods of stopping this threat as much as a sensible precaution. But – as we have seen – restoring an entire company’s systems and data from a backup is rarely a quick or simple solution. The reality is that prevention is infinitely better than cure.
Good cyber hygiene is the first step to cybersecurity – something which is true for businesses big and small. Think of it this way: would you purchase health treatments for an illness you don’t yet have, or would you improve your diet and take more exercise to try to prevent the problem in the first place? Most cybercriminals trick victims into taking an action that inadvertently undermines their own security – be it via a smartphone, laptop or desktop. These deceits usually involve clicking a link or downloading and opening a file delivered by instant message or email. For many users, remembering the maxim that ‘if you didn’t look for it, don’t install it’ is a good first step to avoiding a ransomware attack.
Once basic cyber hygiene is in place and being constantly reviewed and updated, large organizations should next look to harden their Active Directory (AD) security. A survey this year found that 87 percent of organizations said that AD security is ‘mission-critical’, but more than half had no plan in place to mitigate an attack. In 90 percent of large organizations Active Directory is the gatekeeper to critical applications and data, which is why it’s a prime target for cyberattacks – and specifically ransomware attackers.
Death and taxes
It’s difficult to pinpoint exactly how many ransomware attacks originate in the Active Directory but we know that two of the most infamous ransomware groups – Maze and REvil – are currently working to exploit AD weaknesses. Regardless of where a machine is based (at home or in an office), hardening these endpoints is an important step to mitigating AD risk. For many enterprises though, securing the Active Directory becomes a fearsome task with hundreds, if not thousands, of different user permissions in existence that even the most diligent security team could not stay on top of – at least, not without abandoning everything else on their to-do list. Thankfully, tools exist to track potential weaknesses across a business and its IT estate and pin down any entry points which could be easily exploited by an attacker.
It is human-operated, targeted ransomware attacks like those discussed above, rather than auto-spreading (indiscriminate) ransomware such as WannaCry and NotPetya, that pose the most significant and growing threat to large businesses. Alongside the fatalism of a business valuing data recovery over protection and prevention, we also see an unhealthy level of optimism that – like lightning – ransomware never strikes the same place twice. Predictably, this is quite simply untrue. Sophos’ State of Endpoint Security Today report (2018) found that 54 percent of the 2,700 IT managers polled had been hit by ransomware and, on average, those businesses were hit twice. Just as a house with poor security becomes a regular target for burglars, the same is true for businesses and ransomware. What’s more, if a company is known to have paid up in the past, that’s a great incentive for a cybercriminal to attack again.
The current Covid-19 pandemic has proven itself to be another golden opportunity for cybercriminals. With most employees working remotely, security professionals are faced with unprecedented new threats caused by the behavior of staff and challenges around enabling and securing remote access. Securing devices and data has never been more challenging. Organizations must focus on hardening and defending their networks and follow best practices and compliance rules to limit entry points. With unusual levels of remote workers in this pandemic, investing in a monitoring tool to alert IT managers to an attack is a better investment than other preventative measures that cannot guarantee they will stop attackers from getting into a company’s IT estate.
The saying goes that nothing in life is guaranteed, except death and taxes. Perhaps we should add ransomware to that list. While DR is a useful and important part of an organization’s cybersecurity stance, it must not be the only line of defense. Cybercriminals are just as happy taking ransoms from family firms as they are from multinationals, which is why all companies need to take active measures to make themselves cyber secure.
Nash Kapoor, VP of Sales for Northern EMEA, Alsid