The Best Defense Is a Good Offense: How to Beat Ransomware

Since tensions between Russia and Ukraine worsened recently, the UK's National Cyber Security Centre (NCSC) quickly warned UK businesses to ramp up their cybersecurity for fear the conflict could spill beyond national borders. This advice follows past warnings from the head of the NCSC that, of all potential threats, ransomware poses the “most immediate danger” to UK businesses in cyberspace.

Over the last 12 months, critical national infrastructure (CNI), healthcare providers, the public sector and enterprises have all fallen victim to a litany of attacks in the UK and globally. To date, much of the discourse around ransomware has centered on how to retrieve any data being held to ransom and the thorny question of whether to pay or not.

As ransomware attacks increase in severity, however, and their implications for national security become ever more serious, the conversation needs to focus more on the early part of the attack chain. Rather than responding after the fact, security efforts should be dedicated to identifying vulnerabilities that could be exploited, spotting the early signs of a ransomware attack, and employing preventative measures. Indeed, this is a sentiment echoed by the head of the NCSC, who warned that not enough organizations were prepared for the threat of ransomware.

Increasingly Urgent Need

Two incidents, both of which occurred in May 2021, highlight the potentially catastrophic implications of a ransomware attack. On May 7, an attack on Colonial Pipeline’s IT systems led the fuel pipeline operator to proactively halt its pipeline operations, a move that disrupted the delivery of gasoline, diesel and jet fuel to much of the US East Coast.

A week later, in a ransomware attack on Ireland’s publicly funded healthcare system, the Health Service Executive (HSE), criminals threatened to publish the network’s data unless they were paid a ransom of $19,999,000. The HSE was forced to shut down its entire IT system, with some hospitals resorting to keeping records on paper – a move described as like “being back to the 1970s.”

Two serious and separate attacks on CNI within a week of each other demonstrated the growing frequency and sheer scale of ransomware attacks in today’s world. Colonial Pipeline and the Irish healthcare system were not chosen at random. Both attacks demonstrate that criminal groups are choosing targets that will have the most significant impact on governments and the public, allowing them to apply the most leverage, regardless of any collateral damage.

It’s an increasingly alarming pattern of criminal behavior that demonstrates the urgent need to protect not only CNI but also enterprises and disrupt global ransomware activity. A proactive approach to ransomware is needed, one that removes the option of paying the ransom, which only serves to encourage and fund the criminal organizations behind the attack.

Identification and Elimination

It’s essential that systems are continuously monitored to detect breaches. With a 68% annual increase in breaches in 2021, we can reasonably assume that an organization will be breached at some point. Therefore, detecting and effectively responding to these types of attacks is critical to minimizing their impact and the risk of disruption they represent to that organization.

Identifying and eliminating malware connected with known ransomware attacks makes it far more difficult for criminals to launch such an attack cost-effectively. The ideal situation, then, is for organizations across every sector to recognize the patterns of a ransomware attack in their network activity (initial access, command-and-control traffic, lateral movement) before the encryption stage is triggered.

Looking for suspicious activity across large datasets, for example, will allow security teams to block anything potentially malicious and intercept attacks early enough in their lifecycle to reduce the damage they might cause. In addition, some tools allow you to block outbound connections to known command-and-control (C2) servers, giving an additional layer of defense even if malware finds its way onto your devices. As simple as this may seem, this capability will remain critical as attackers continue to adapt their tactics, techniques and procedures over time. One caveat: a blocklist only catches infrastructure that is already known, so it works best alongside egress filtering that denies outbound traffic by default and alerts on anything unexpected.
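The two checks described above, as an added example that is not code from the article or from any vendor tool: it reads Zeek-style connection records, flags outbound connections whose destination is on a C2 blocklist, and goes a step beyond the text by also flagging hosts that call the same destination at a near-constant interval (beaconing), which is one of the network patterns that precedes the encryption stage. The log lines, the blocklist entry, the `max_jitter`/`min_connections` thresholds and the hypothetical field layout are all constructed for the example; the addresses come from RFC 5737 documentation ranges.

```python
"""Flag outbound connections that hit a C2 blocklist or show beaconing cadence.

Added example (not from the article or any vendor tool). The log lines and the
blocklist below are constructed; addresses are from RFC 5737 documentation ranges.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed Zeek-style conn.log excerpt: ts, orig_ip, resp_ip, resp_port, proto (tab-separated).
SAMPLE_CONN_LOG = """\
1620370800.0\t10.0.0.5\t203.0.113.9\t443\ttcp
1620370805.0\t10.0.0.5\t192.0.2.10\t443\ttcp
1620370812.0\t10.0.0.5\t192.0.2.10\t443\ttcp
1620370860.0\t10.0.0.5\t203.0.113.9\t443\ttcp
1620370900.0\t10.0.0.7\t198.51.100.77\t8443\ttcp
1620370921.0\t10.0.0.5\t203.0.113.9\t443\ttcp
1620370950.0\t10.0.0.5\t192.0.2.10\t443\ttcp
1620370980.0\t10.0.0.5\t203.0.113.9\t443\ttcp
1620371040.0\t10.0.0.5\t203.0.113.9\t443\ttcp
1620371100.0\t10.0.0.5\t192.0.2.10\t443\ttcp
"""

# Hypothetical threat-intel feed of known C2 addresses (assumption: loaded from your own feed in practice).
C2_BLOCKLIST = {"198.51.100.77"}


def parse_conn_log(text):
    """Parse tab-separated conn records into dicts; skips blank and comment lines."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, orig_ip, resp_ip, resp_port, proto = line.split("\t")
        records.append({"ts": float(ts), "orig_ip": orig_ip, "resp_ip": resp_ip,
                        "resp_port": int(resp_port), "proto": proto})
    return records


def find_blocklisted(records, blocklist):
    """Outbound connections whose destination is on the C2 blocklist: block and alert."""
    return [r for r in records if r["resp_ip"] in blocklist]


def find_beacons(records, min_connections=4, max_jitter=0.1):
    """Flag (src, dst) pairs that connect at near-constant intervals.

    Returns {(orig_ip, resp_ip): mean_interval_seconds}. A pair is flagged when it has
    at least `min_connections` connections and the coefficient of variation of the
    gaps between them (pstdev / mean) is at most `max_jitter`. Both thresholds are
    tuning assumptions; real traffic needs per-environment baselining.
    """
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["orig_ip"], r["resp_ip"])].append(r["ts"])
    beacons = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[pair] = avg
    return beacons


if __name__ == "__main__":
    recs = parse_conn_log(SAMPLE_CONN_LOG)
    for r in find_blocklisted(recs, C2_BLOCKLIST):
        print(f"BLOCK {r['orig_ip']} -> {r['resp_ip']}:{r['resp_port']} (known C2)")
    for (src, dst), interval in find_beacons(recs).items():
        print(f"ALERT {src} -> {dst} beacons every ~{interval:.0f}s")
```

On the sample data the script blocks the single connection from 10.0.0.7 to the blocklisted address and alerts on 10.0.0.5, which reaches 203.0.113.9 roughly every 60 seconds, while the irregularly timed connections to 192.0.2.10 are left alone. The beacon check is the part a blocklist cannot do: it catches infrastructure nobody has reported yet, at the cost of needing thresholds tuned to your own environment so that legitimate periodic traffic (update checks, health probes) does not drown the alerts.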

Organizations everywhere should pay heed to the NCSC’s recent warning and take urgent steps to increase their cyber-resilience – particularly in light of the ongoing tensions between the West and Russia. They should prioritize identifying and patching vulnerabilities in their software, exploitation of which has traditionally been a vector for large-scale attacks, and actively monitor network traffic for breaches or potentially suspicious activity. It’s also important that organizations regularly test that their backups can actually be restored, and keep at least one copy where an attacker who has compromised the network cannot reach it, because as attackers get more sophisticated, no defense is completely bulletproof.

Ransomware is an effective – and lucrative – threat. While we may never eliminate it completely, we need to reach a point where organizations can identify it before it takes control of their data and brings their services – and, often, the smooth running and safety of the wider world – to a halt.