A how-to guide for overcoming ransomware attacks
Cybersecurity Ventures estimates that the global damage costs of ransomware will rise roughly 61-fold in the span of merely six years, from $325 million in 2015 to $20 billion in 2021.
Recently, fears sparked by the COVID-19 pandemic have motivated bad actors to target hospitals and medical services, holding them "digitally hostage". As a consequence, Interpol has issued a "purple notice" to forewarn police forces around the world. Even industries such as manufacturing, which may once have been considered low-risk, are now subject to cyber attacks as they adopt "smart" technologies that widen the threat landscape.
The 2017 NotPetya and WannaCry attacks are evidence of this. From the logistics and supply-chain conglomerate Maersk, to automotive companies such as Renault and Nissan, to the courier FedEx, thousands of organisations had their data compromised and held to ransom for millions of dollars. (NotPetya, although it presented itself as ransomware, offered victims no working way to recover their files, which made the damage all the more lasting.)
However, one should not assume that big corporations are the only ones affected. Indeed, according to Datto's "Global State of the Channel Ransomware Report", 85% of managed service providers report that ransomware is the most common malware threat to small and medium-sized businesses.
These statistics and anecdotes demonstrate not only the ruthlessness of cybercriminals but also their persistence and the breadth of their tactics, making ransomware, justifiably, a major cause of concern among CISOs.
To truly prepare for the moment such an incident occurs, CISOs should formulate a strategy with both proactive and reactive elements.
On the one hand, cyber security teams need to take the initiative to prevent ransomware from getting into the network. On the other hand, should an organisation fall victim despite that, it must be equipped to respond appropriately. But how does one do this?
The time-worn adage that an ounce of prevention is worth a pound of cure could not ring truer than in the field of cyber security.
As such, the first phase of any strategy should confront the root cause, particularly as businesses across the board appear to be unprepared: in one survey, 50% of 582 cyber security professionals admitted that their organisations are not prepared to repel a ransomware attack.
The first key issue to consider is how ransomware gets into a company in the first place, which can typically be narrowed down to two main avenues: exploitation of vulnerabilities in internet-facing servers, and social engineering. With a view to the former, ensuring that every endpoint runs antivirus software and that this software is updated frequently is crucial. The two go hand in hand: without updates that account for newly exposed vulnerabilities and changing threats, the antivirus software is rendered largely ineffective. Antivirus is a detective control, however; it does not close the vulnerability itself, which is what a patching discipline must do.
It is fundamental to have an efficient and continuous risk assessment and management plan to keep servers safeguarded. Specifically, priority should be given to any vulnerability that can be exploited remotely or that allows remote code execution, as these are the openings attackers reach for first.
Finally, all employees should be actively trained and regularly reminded of the many shapes and forms that social engineering can take, phishing e-mails carrying malicious attachments or links foremost among them.
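One way to encode the prioritisation rule above against real scanner output, written here as an added example (it is not code from the article or its author): it parses CVSS v3.1 vector strings and sorts findings so that network-reachable, unauthenticated, code-execution-grade issues come first. The findings are constructed for illustration and the VULN-000n identifiers are placeholders, not real CVEs; the mapping of "remote code execution" onto CVSS impact metrics is this example's own assumption, since CVSS has no explicit code-execution metric.

```python
"""Triage a vulnerability list so remotely exploitable and RCE-like issues come first.

Added example, not from the article. Parses CVSS v3.1 vectors and ranks findings
by the article's rule: remote code execution first, then anything reachable over
the network, then local code execution. Sample findings are constructed.
"""

# Constructed sample scanner output: (identifier, host, CVSS v3.1 vector).
SAMPLE_FINDINGS = [
    ("VULN-0001", "web-01",  "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"),
    ("VULN-0002", "db-01",   "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"),
    ("VULN-0003", "web-02",  "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"),
    ("VULN-0004", "mail-01", "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"),
    ("VULN-0005", "vpn-01",  "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"),
]

BASE_METRICS = ("AV", "AC", "PR", "UI", "S", "C", "I", "A")
# Reachability order used for tie-breaking: Network, Adjacent, Local, Physical.
AV_ORDER = {"N": 0, "A": 1, "L": 2, "P": 3}


def parse_cvss_vector(vector: str) -> dict:
    """Parse 'CVSS:3.1/AV:N/AC:L/...' into {'AV': 'N', 'AC': 'L', ...}.

    A malformed or non-3.x vector raises ValueError instead of being silently
    ranked as low risk, which is the failure mode to avoid in triage.
    """
    parts = vector.split("/")
    if not parts[0].startswith("CVSS:3."):
        raise ValueError(f"not a CVSS v3 vector: {vector!r}")
    metrics = {}
    for part in parts[1:]:
        if ":" not in part:
            raise ValueError(f"malformed metric {part!r} in {vector!r}")
        key, value = part.split(":", 1)
        metrics[key] = value
    missing = [m for m in BASE_METRICS if m not in metrics]
    if missing:
        raise ValueError(f"missing base metrics {missing} in {vector!r}")
    if metrics["AV"] not in AV_ORDER:
        raise ValueError(f"unknown attack vector {metrics['AV']!r}")
    return metrics


def triage_key(metrics: dict) -> tuple:
    """Sort key: smaller tuples are more urgent.

    Assumption (this example's, not the article's): RCE-like is approximated as
    high integrity impact together with high confidentiality or availability impact.
    """
    remote = metrics["AV"] == "N"
    rce_like = metrics["I"] == "H" and "H" in (metrics["C"], metrics["A"])
    unauthenticated = metrics["PR"] == "N" and metrics["UI"] == "N"
    if remote and rce_like:
        bucket = 0      # the article's top priority: remote code execution
    elif remote:
        bucket = 1      # remotely usable, but lesser impact
    elif rce_like:
        bucket = 2      # code execution that needs local or adjacent access
    else:
        bucket = 3
    return (
        bucket,
        0 if unauthenticated else 1,
        0 if metrics["S"] == "C" else 1,   # scope change: attacker can pivot further
        AV_ORDER[metrics["AV"]],
    )


def prioritise(findings) -> list:
    """Return (identifier, host, bucket) tuples, most urgent first."""
    ranked = []
    for ident, host, vector in findings:
        ranked.append((triage_key(parse_cvss_vector(vector)), ident, host))
    ranked.sort()
    return [(ident, host, key[0]) for key, ident, host in ranked]


if __name__ == "__main__":
    for ident, host, bucket in prioritise(SAMPLE_FINDINGS):
        print(f"P{bucket} {ident} on {host}")
```

Run stand-alone, the script lists the VPN and web-server issues (network-reachable, unauthenticated, full impact) first and the local database issue last. In practice the bucket is a starting point: exposure data from the asset inventory (is the host actually internet-facing?) and known-exploited status should refine it.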
Before considering the unfortunate scenario of a successful breach, another proactive measure that organisations should have in place is regular backups. While backups will not thwart a ransomware infection, they will lessen its impact, provided they are kept out of the attacker's reach (offline or otherwise isolated from the network being protected) and restores are tested regularly; a backup that ransomware can reach is simply more data to encrypt.
In fact, this is the first question of the next, "reactive" phase: what should an organisation do once it has been compromised?
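A backup only lessens the impact if it is intact and recent enough, so a check like the following belongs in the proactive phase. It is an added example, not code from the article or its author: it assumes the backup job writes a MANIFEST.json with a creation timestamp and SHA-256 digests alongside the files, and it reports both integrity (missing or altered files) and age against a recovery-point objective (RPO). The layout, the 24-hour RPO, the files and the simulated tampering are all constructed for this example.

```python
"""Verify that a backup set can be relied on: every file matches its recorded
digest and the set is no older than the recovery-point objective (RPO).

Added example, not from the article. Assumes the backup job writes MANIFEST.json
(creation timestamp plus SHA-256 per file) next to the backed-up files.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timedelta, timezone

MANIFEST = "MANIFEST.json"


def sha256_file(path: str) -> str:
    """Hash in chunks so large backup archives need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def write_backup(root: str, files: dict, created_at: datetime) -> None:
    """Stand-in for the backup job: write the files and a manifest of their digests."""
    digests = {}
    for name, data in files.items():
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(data)
        digests[name] = sha256_file(path)
    with open(os.path.join(root, MANIFEST), "w") as fh:
        json.dump({"created_at": created_at.isoformat(), "files": digests}, fh)


def verify_backup(root: str, now: datetime, rpo: timedelta) -> dict:
    """Report integrity and freshness; 'ok' is True only when nothing is wrong."""
    with open(os.path.join(root, MANIFEST)) as fh:
        manifest = json.load(fh)
    age = now - datetime.fromisoformat(manifest["created_at"])
    missing, corrupted = [], []
    for name, expected in manifest["files"].items():
        path = os.path.join(root, name)
        if not os.path.isfile(path):
            missing.append(name)
        elif sha256_file(path) != expected:
            corrupted.append(name)
    stale = age > rpo
    return {
        "ok": not (stale or missing or corrupted),
        "age_hours": age.total_seconds() / 3600,
        "stale": stale,
        "missing": sorted(missing),
        "corrupted": sorted(corrupted),
    }


def demo() -> tuple:
    """Constructed scenario: one fresh, intact backup and one stale, tampered backup."""
    now = datetime(2021, 1, 15, 12, 0, tzinfo=timezone.utc)
    rpo = timedelta(hours=24)
    files = {"customers.db": b"id,name\n1,Alice\n", "orders.db": b"id,total\n1,99\n"}
    with tempfile.TemporaryDirectory() as good, tempfile.TemporaryDirectory() as bad:
        write_backup(good, files, now - timedelta(hours=6))
        write_backup(bad, files, now - timedelta(days=3))
        # Simulate ransomware reaching the backup share: one file overwritten
        # with ciphertext, one deleted.
        with open(os.path.join(bad, "orders.db"), "wb") as fh:
            fh.write(b"ENCRYPTED-BY-RANSOMWARE")
        os.remove(os.path.join(bad, "customers.db"))
        return verify_backup(good, now, rpo), verify_backup(bad, now, rpo)


if __name__ == "__main__":
    for label, report in zip(("fresh", "stale"), demo()):
        print(label, report)
```

Two design points: the manifest must not live only on the same share as the backup, because an attacker who can encrypt the files can rewrite the manifest to match; keep a copy (or a signature over it) elsewhere. And the age figure is what turns the "backup exists but is out of date" situation into a concrete decision: it tells you exactly how many hours of data a restore would forfeit.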
Whether or not an organisation has a backup determines the next course of action. Without one, a company may be left with no choice but to pay for the recovery of its data.
While there is significant debate surrounding this matter, I would say that what the business decides to do depends on its own judgement. Although it is preferable that cyber criminals go unrewarded for their malicious acts, the company itself needs to weigh the cost of losing the data against the ransom value, bearing in mind that payment buys no guarantee of a working decryptor.
In the ideal situation, however, where the company has backed up its data, it is simply a matter of using an antivirus or similar tool to clean the affected systems (or, more conservatively, rebuilding them from known-good images) and then restoring the data, after confirming that the backup itself was not reached by the attacker. In this scenario there is no reason to speak, let alone negotiate, with the cyber criminals.
Undoubtedly, on occasion an organisation will find itself in a more ambiguous situation where a backup exists but is not up to date. Once again, the company will need to weigh losing some data against paying for full data recovery.
Nevertheless, whichever route is taken, the affected organisation must make every effort to close the holes in its systems. That means performing a forensic analysis to establish how the malware got in in the first place, applying the necessary patches, and closing the initial access path. Attackers are likely monitoring your actions closely, and if at first they don't succeed, they will try and try again.
Sebastian Bortnik, Director of Research at Onapsis.