Ransomware has been on the radar of many security professionals for years. After all, ransomware is one of the most common and destructive forms of malware. It’s highly recommended to protect your organization by taking measures against the threat. In this article, we will take a closer look at ransomware developments and defences.
Ransomware has been one of the most common malware types for years. Since ransomware attacks are very lucrative, that shouldn’t come as a surprise. By successfully infecting and possibly paralysing an entire network, ransomware attackers can collect sums ranging from thousands to millions. As long as they earn large sums by locking computers and files, this form of attack will continue to occur frequently.
Attackers go further
The ways in which ransomware has changed throughout the years demonstrate that ransomware remains a severe threat. Previously, cybercriminals would attack many devices and demand a few hundred to a few thousand euros for freeing an infected endpoint and its files. Together, the payments added up to a tidy sum for the criminals.
In the current landscape, ransomware has been fine-tuned to such an extent that compromising a single target can generate vast sums of money. Part of this fine-tuning lies in the extortion messages that attackers send. Though some companies have always been willing to pay in order to recover access to endpoints and data, threatening to publish company data online proved much more effective. Cybercriminals can even take this a step further by threatening to immediately publish all files and throw away the key if the victim informs the authorities.
Cybercriminals also increasingly focus on specific targets. To increase damages, some organizations are deliberately hacked at an inconvenient time. The cybercriminals get in, disable security software and delete backup copies to increase the chance that a company pays up. These efforts contribute to the fact that the percentage of paying organizations is growing. More than four out of five victims are now said to pay the ransom demanded.
Innovation brings ransomware to everyone
Though cybercriminals are clearly getting smarter and more effective, innovation doesn’t end there. Cybercriminals have started looking to broaden their activities and successfully arrived at an as-a-service model for distributing malware. Experienced cybercriminals, who know how to create and deliver malware, are now developing so-called Ransomware as a Service (RaaS). RaaS operators develop the ransomware, offer support to attackers and provide resources for handling ransom payments. RaaS is sold via dark web marketplaces and forums, which makes distribution relatively simple.
Thanks to RaaS, customers don’t have to worry about writing the ransomware or solving complex infrastructure issues. They spend most of their time executing attacks. The revenue from successful attacks is often shared between the creator and the customer, making sure that both parties benefit. Offering RaaS through licences is another revenue model. Cybercriminals who purchase RaaS are usually encouraged to earn some extra money by bringing the service to the attention of potential customers.
Cybercriminals have grown accustomed to spreading malware via new models through underground forums. Professional attacks can now be ordered via these channels. Thus, the number of people carrying out or directing ransomware attacks seems to grow continuously.
To cause damage to companies, cybercriminals also spend time developing hybrid variants. These attacks use different malware elements, such as a Trojan and ransomware. In this way, cybercriminals combine ‘the best of all attacks’: the Trojan can download malicious components and proceed to install ransomware on the endpoint. Successful malware families such as Emotet and Ryuk are regularly used for this purpose. These combinations have the potential to cause more damage than ransomware could on its own.
Every company an interesting target
Precisely these types of innovations and their enormous profit potential make virtually any company an interesting target. Company size hardly matters, because the damage potential is large everywhere. Small companies are just as much at risk, as they are willing to pay for decryption too. However, large organisations can be more attractive to cybercriminals because of the collateral consequences. For example, in 2021, the entire oil pipeline network of the largest oil transporter on the US east coast was taken down by ransomware. The company paid out millions, citizens hoarded fuel and fuel prices rose. With a single attack, cybercriminals disrupted an entire community.
All in all, the chances of becoming a victim of malware are increasing. Cybercriminals are increasing the frequency of attacks, which increases the risk. Security professionals tell us that IT professionals and the general public only see the tip of the iceberg.
Putting minimal security in order
Although the risks are undoubtedly increasing, this does not mean that your organization is defenceless against ransomware. By thinking carefully about what you can do against the threat, you are already taking major defensive steps. Everything starts with getting the basics right. Although this might seem natural to you, many incidents occur due to a lack of basic security. The majority of cyberattacks can be prevented with a good security system and security policy.
Therefore, many security experts advocate ‘cyber hygiene’: implementing the minimum security requirements and continuing to follow them. Below, we briefly explain the basics. Afterwards, we go into more detail, starting with the subheading ‘Hypothesis takes organizations further’.
Software and system updates are released monthly to fix security problems. Ideally, all patches should be installed, as this keeps solutions secure. In many cases, patching is simple but involves lots of manual work. Unified Endpoint Management (UEM) solutions allow IT administrators to remotely control most system updates. At the very least, UEM automates the updates that counter more sophisticated ransomware.
Several solutions can be used to protect devices. At a basic level, traditional antivirus is a sensible measure. These solutions detect the first malicious steps of cybercriminals by monitoring suspicious behaviour. This way, ransomware can be blocked before it becomes a real threat.
For large organizations, it is recommended to embrace a variety of endpoint security solutions. For example, Extended Detection and Response (XDR) provides an improvement over traditional antivirus features. XDR delivers more visibility into threats, partly due to strong AI models used to detect suspicious behaviour. XDR is also a centralized solution, which allows endpoint prevention to be more closely aligned with network security, among other things.
Access to data
You can ensure that valuable data remains well protected by regulating access to data. Administrators can achieve this by only granting access to individuals who actually need it. Doing so keeps the number of access points as small as possible. Additionally, multi-factor authentication is a useful double-check that prevents the immediate loss of data in case of stolen passwords. Biometric authentication — using a fingerprint or face scan — offers even more security.
Should these steps prove insufficient, strong encryption is one of the last resorts. Encrypted data is unusable for intruders that don’t have a decryption key. Make sure you have a fitting encryption policy and plan ahead for all solutions across the organization.
Hypothesis takes organizations further
Once the security foundation is in place, it’s important to review whether your organization’s mindset is right. Naturally, we’re referring to the mindset on dealing with ransomware. Though most of the basic measures suffice to protect against and prevent an attack, additional attention is needed for detection, response and recovery. You can boost these final steps by assuming your company is or will become a victim of ransomware. Doing so genuinely prepares you for the worst-case scenario.
Backups, a necessary line of defence
To prepare for the worst-case scenario, it is worth reviewing the backup policy of your organization. Data can reside on-premises and in the cloud, and software solutions generate data as well. Even if all areas feature security measures, there’s no guarantee that all data is safe. As such, for years, organizations have been advised to make plenty of backups. A proper backup and disaster recovery policy ensures that data remains available for every application and infrastructure.
Sadly, cybercriminals are well aware that many companies create backups as a means of defence. Consequently, malware campaigns regularly focus on encrypting, modifying or deleting backups. To prevent this from happening, backup technology providers have found a countermeasure: immutable backups. After the backup has been written, it is no longer accessible to outsiders. Even people within the organization are denied access. Backup access is subject to strict requirements and permissions. Once the data has been written, it cannot be modified. The data is returned to production only after the ransomware attack has been eliminated.
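The write-once behaviour described above, modelled in Python as an added example (not code from the article or from any backup vendor): an object may be written once, overwrite and delete are refused while the retention period runs, digests are kept in a manifest separate from the blobs, and a restore is only attempted after an integrity check. The store, the backup object name and the timestamps are all constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field


class ImmutableBackupError(Exception):
    """Raised when an operation would alter a backup still under retention."""


@dataclass
class ImmutableBackupStore:
    """Write-once backup target (hypothetical model of an object-lock / WORM store).
    Objects can be written once and cannot be overwritten or deleted until their
    retention period (seconds) has passed. Digests live in a separate manifest so
    a restore can verify the bytes before they go back to production."""
    retention_seconds: int
    _blobs: dict = field(default_factory=dict)     # name -> stored bytes
    _manifest: dict = field(default_factory=dict)  # name -> (sha256, locked_until)

    def put(self, name: str, data: bytes, now: float) -> str:
        if name in self._manifest:
            raise ImmutableBackupError(f"{name!r} exists; overwrite refused")
        digest = hashlib.sha256(data).hexdigest()
        self._blobs[name] = data
        self._manifest[name] = (digest, now + self.retention_seconds)
        return digest

    def delete(self, name: str, now: float) -> None:
        _, locked_until = self._manifest[name]
        if now < locked_until:
            raise ImmutableBackupError(f"{name!r} locked until {locked_until:.0f}")
        del self._blobs[name], self._manifest[name]

    def verify(self, name: str) -> bool:
        """True only if the stored bytes still match the digest in the manifest."""
        return hashlib.sha256(self._blobs[name]).hexdigest() == self._manifest[name][0]


def demo() -> dict:
    """Replay the attack the text describes against a constructed nightly backup."""
    store = ImmutableBackupStore(retention_seconds=7 * 24 * 3600)
    t0, name = 1_700_000_000.0, "db-nightly.dump"  # constructed time and object name
    store.put(name, b"-- constructed sample database dump --", now=t0)
    out = {}
    # Malware holding stolen backup credentials tries to overwrite, then delete.
    for label, action in (("overwrite", lambda: store.put(name, b"ENCRYPTED", now=t0 + 60)),
                          ("delete", lambda: store.delete(name, now=t0 + 60))):
        try:
            action()
            out[label] = "allowed"
        except ImmutableBackupError:
            out[label] = "refused"
    out["intact"] = store.verify(name)           # untouched copy passes the check
    store._blobs[name] = b"ENCRYPTED"            # tampering underneath the API is still caught
    out["tampered_detected"] = not store.verify(name)
    store.delete(name, now=t0 + 8 * 24 * 3600)   # retention expired: lifecycle cleanup works
    out["expired_deleted"] = name not in store._manifest
    return out
```

Running `demo()` shows both attacker operations refused during retention, the integrity check failing once the bytes are tampered with, and deletion succeeding only after the retention window has passed.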
Draw up a scenario
Essentially, backups are made based on the thought that an organization might become a victim one day. As an extension, there must be a consistent plan for dealing with an attack. Think of a scenario containing the steps to be taken in the event of ransomware. A workable plan reduces the damage of an attack and speeds up the recovery process.
Broadly speaking, an effective scenario consists of the steps to be taken and the people to carry them out. To get started, map out which employees and external partners need to be brought in during a ransomware attack, and note their contact information in the plan. Clearly lay out the responsibilities of each individual to prevent people from blaming each other during an attack. Furthermore, it can be useful to make a graphic representation of the steps to be taken; a diagram, for example, makes everything clearer.
Ultimately, the scenario is intended to provide clarity about who must perform which actions. Once this is clearly laid out, your organization can rehearse the plan in a simulated incident. Doing so allows you to find out what truly happens if ransomware strikes.
On a sidenote: cyber insurance and ransom payments
Taking all the steps above leads to a solid wall of defence. Yet, more and more companies are opting for cyber insurance as a final lock on the door. As we indicated earlier, in the event of an incident, the ransom demanded can be just as disastrous as the consequential damage of an attack. Think of liability and recovery claims, forensics and legal fees. In the worst case, the financial impact leads to bankruptcy. Insurance can offer just that extra bit of certainty. Moreover, companies seeking insurance are presented with a list of security requirements. A company that meets the requirements simultaneously demonstrates its resilience.
On the other hand, the market has serious concerns about the negative consequences of cyber insurance. Companies are said to use the insurance to pay ransoms. These payments provide cybercriminals with a form of sponsorship, inadvertently encouraging them to increase their activities. Although many security professionals advise against paying ransoms, it’s a tricky discussion. After all, as we pointed out at the beginning of the article, attacks are getting smarter and more sophisticated. In the case of a successful attack at an unfavourable time, refusing to pay can result in serious revenue loss. Yet, paying does not guarantee that data will be released, because cybercriminals typically cannot be trusted. There are exceptions, as some criminal groups strive for a sustainable business model by building a reputation of cooperating upon payment.
Ransomware will remain dominant
With the proper measures, an organization can significantly reduce the risk of a successful ransomware attack. Yet, despite these solid defensive options, everything indicates that ransomware will remain a major threat in the years ahead. Cybercriminals continue to innovate in order to extract substantial sums of money with their attacks. Therefore, it is recommended to prepare your organization for one of the worst cyber incidents around.
This article is part of the Techzine security dossier, in which we take a closer look at several current and relevant security developments. Make sure to read our first article on the state of cyber threats and the third article on how to secure the home workplace.