Businesses large and small are under threat from increasingly aggressive and brutal ransomware attacks. Loss of access to critical files, followed by a demand for payment, can cause massive disruption to an organization’s productivity. But what does a typical attack look like?
What security solutions should be in place to give the best possible defense? This blog examines commonly used techniques to deliver ransomware, looks at why attacks are succeeding, and gives three security recommendations to help you stay secure. It also highlights the critical security technologies that every IT department should include.
Ransomware – A Brief Introduction
Ransomware is still one of the most widespread and damaging threats that internet users face. Since the infamous CryptoLocker first appeared in 2013, we’ve seen a new era of highly targeted file-encrypting ransomware variants delivered through spam messages and exploit kits. These variants extort money from home users and businesses alike.
The current wave of ransomware families – or variants/types – traces back to the early days of Fake AV. Since then other variants have been developed, such as “Locker” variants and file-encrypting variants. Locker variants allow a hacker to block access to an entire computer system. The prevalent variant of ransomware today is the file-encrypting variant. Each distinct category of malware has shared a common goal – to extort money from victims through social engineering and outright intimidation. The demands for money have grown more forceful and audacious with each iteration, with some hackers now demanding millions.
Despite rumors of the demise of ransomware, it is still very much alive and kicking. A Sophos survey of 3,100 organizations found that 30% of cyberattack victims had been hit by ransomware. Additionally, and of concern, nine in 10 respondents said their organization was running up-to-date cybersecurity protection at the time of the attack.
The Grey Area
An increasing number of business owners and decision-makers seem to think that not all ransomware attacks need to be reported since not all hackers can decrypt the data they have encrypted themselves. They assume that only during sophisticated attacks do hackers possess the necessary skills to encrypt, exfiltrate and misuse data. Only in such cases do business owners and decision-makers accept that a breach has occurred and is, hence, reportable.
This assumption is dangerous for two reasons. First, with enhanced ransomware-as-a-service tools readily available in the market, even a hacker with minimal skills can catch you off guard and wreak havoc. Second, regulatory agencies perceive the situation differently.
For example, as per HIPAA’s Privacy Rule, the U.S. Department of Health and Human Services has advised companies to assume that ransomed data contains Personal Health Information, even in low probability cases. In fact, some state data breach notification regulations mandate businesses to notify customers even in the case of unauthorized access, without the need to prove that personal data was stolen.
Why Are Ransomware Attacks so Successful?
Most organizations have at least some form of IT security in place. So why are ransomware attacks slipping through the net?
- Hacking is becoming easier while attackers are becoming more sophisticated in their approach.
- ‘Exploit as a Service’ (EaaS) programs that take advantage of vulnerabilities in existing software products are increasingly accessible. These kits make it simple for less tech-savvy criminals to initiate, complete, and benefit from a ransomware attack.
While there isn’t a 100% fail-safe strategy to avoid cybersecurity attacks such as ransomware, your business can certainly demonstrate its commitment to preventing security breaches or data loss incidents. This is exactly what compliance regulators as well as your key stakeholders look for – how proactively your business can mitigate risk and handle the aftermath of a breach while also adhering to applicable regulations.
Adopting an inclusive approach that involves the best of cybersecurity and compliance is a step in the right direction. Partnering with an experienced MSP that has a track record of protecting businesses from sophisticated cybersecurity threats and non-compliance risks will greatly benefit your business.
Before Reacting to a Ransom Attack:
- The FBI advises against paying a ransom because paying does not guarantee the hackers will share the keys to decrypt your data. While the FBI is an American organization, it raises a good point for businesses all across the globe. It doesn’t make any sense to place your trust in cybercriminals who have already demonstrated that they aren’t afraid to break the law and take advantage of you for financial gain. Unfortunately, many businesses find themselves in this situation because they don’t have sufficient security, backup, or compliance measures, and are desperate to get their data back. Keep in mind that another reason the FBI advises against giving in to ransomware demands is that you are encouraging criminals to conduct further attacks. If nobody ever paid a ransom, it’s likely there wouldn’t be as many ransomware attacks. Criminals would have to find new ways to make money and would disregard ransomware as a viable venture.
- If you fall victim to a ransomware attack and have no option other than paying, “ransomware negotiators” are available for hire. In ransomware negotiations, the most crucial moment occurs long before the victim and hackers discuss the ransom. This is because by the time both sides start talking, hackers have already gained considerable control over the organization’s network by encrypting sensitive business data and other digital assets. The more data they encrypt, the greater the negotiating power they have. So, even before you begin negotiations, you need to know how much data has been compromised and what negotiating methods the criminals have employed in the past. Professional ransomware negotiators can help at this stage. Although a ransomware negotiation rarely results in a ransom demand being totally withdrawn, it can significantly bring down the asking price.
- Victims of ransomware should expect the following:
  - The data will not be erased in a trustworthy manner. It will be sold, improperly handled, or stored for future extortion attempts.
  - Multiple parties will have already handled the exfiltrated data, making it insecure. Even if the hacker deletes a large portion of the data once the ransom is paid, other parties who had access to it may have made duplicates to make payment demands later.
  - Before a victim can respond to an extortion attempt, the data may get leaked either intentionally or inadvertently.
  - Even if the threat actor explicitly promises to release the encrypted data after payment, they may not keep their word.