Ransomware is a simple but effective method for cyber-criminals to make money from cyber-attacks. In the last couple of years, ransomware has skyrocketed, becoming one of the biggest challenges for security leaders. In fact, according to Nuspire’s latest Threat Report, the last quarter of 2020 saw a 10,000% increase in ransomware, the largest spike the company has observed to date.
Cyber-criminals are capitalizing on vulnerable remote work environments and sensitive moments in time. They are attacking from every angle and across industries, from government agencies and school districts to recent incidents such as the DearCry ransomware campaign against Microsoft Exchange servers and the East Coast fuel pipeline attack. With the rise of ransomware and new threats shaping the security landscape, organizations have to know their opponents and prepare for potential attacks.
Ransomware attacks can be extremely damaging and expensive to an organization and its customers. As we adapt to a world where ransomware seems inevitable, it is paramount to understand the stages of the attack and how ransomware is evolving.
In short, a ransomware attack launches malware into a device to encrypt users’ files and then demands a ransom payment in exchange for the encryption key needed to restore the data. Sounds so simple, and yet it has company-wide implications that go beyond making a large ransom payment. Ransomware doesn’t affect just one device anymore; it can infiltrate deep into the network, encrypting the most sensitive data and disrupting organizational operations for hours to weeks.
Ransomware is increasingly prevalent and sophisticated because of how quickly cyber-criminals adapt. For example, many ransomware variants today vet victims, scouting for targets with maximum ROI; some leverage remote desktop protocol (RDP) vulnerabilities, while others break into organizations through flaws that range from server operating systems to application frameworks.
What is more concerning is the evolution of the extortion element of ransomware. Cyber-criminals no longer simply hold a company’s data for ransom and move on; instead they retain a copy of the data they encrypted and threaten to release it publicly if the victim organization does not pay up. Additionally, ransomware groups are sharing intel and attack strategies, and even providing services to one another through ransomware-as-a-service offerings.
With costs surpassing $178,000 per ransomware event, organizations cannot afford to take a reactive approach to ransomware. To mitigate the threat of becoming the next headline, organizations and cybersecurity leaders must plan for the worst and implement the following best practices into their security strategy.
- Know the threat landscape. Understanding the type of threats and risks specific to your industry and your environment, how other organizations appropriately dealt with those threats – or what steps they lacked to proactively resolve the situation – can make a world of difference.
- Set up a ransomware playbook. Work out the appropriate next steps when an employee encounters malware and how the IT and leadership teams should move forward. Ensure you have a vulnerability management and patching plan, as well as clearly defined roles and responsibilities for all parties – including the internal security team, third-party vendors and (if applicable) your MSSP/MDR provider.
- Create an IT asset management program. When all critical assets are identified in advance, responders can make quick decisions on what systems can or cannot be shut down during an attack and can appropriately choose and apply the controls needed in every situation.
- Understand indicators of compromise (IOCs). Have a plan in place to hunt for the relevant IOCs, from unusual network traffic and anomalies in privileged user account activity to increases in database read volume. Monitoring these indicators improves the time to detection and response.
- Back up critical data and systems. Leaders must know who is responsible for backups, how backups are managed and where they are stored, and must ensure offline availability. This gives the organization the opportunity to recover compromised information, if needed.
- Train employees. Educate staff to recognize potential risks and share the most common ways they can fall prey to cyber-attacks. From email phishing attempts to scam calls, staff should know not to open files or click on links from unknown sources, to use approved corporate apps only and to stick to the new remote-work company policies.
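The "understand indicators of compromise" item above names three IOC classes worth hunting for: unusual network traffic, anomalies in privileged user account activity and increases in database read volume. The script below is an added example, not code from the original article or from Nuspire, showing what a first-pass hunt over such telemetry can look like. All log lines are constructed samples; the pipe-delimited log format, the privileged-account list, the four-hour baseline window and the "more than 5× the median" spike threshold are assumptions chosen for the demonstration.

```python
"""Toy IOC hunt over constructed telemetry for three ransomware precursors:
outbound network spikes (possible staging/exfiltration), privileged logons
from hosts never seen in the baseline, and database read-volume spikes."""
import statistics
from collections import defaultdict

PRIVILEGED_ACCOUNTS = {"da_admin", "svc_backup"}  # assumed privileged users
BASELINE_HOURS = 4    # assumed: hours 0-3 are the learning window
SPIKE_FACTOR = 5      # assumed: a value above 5x the subject's median is a spike

# Constructed sample log, one event per line: "<hour>|<kind>|<subject>|<value>"
#   net  : subject = host,    value = outbound bytes in that hour
#   auth : subject = user,    value = source host of an interactive logon
#   db   : subject = database, value = rows read in that hour
SAMPLE_LOG = """\
0|net|ws-17|1200000
0|net|ws-03|500000
0|auth|da_admin|jump-01
0|auth|svc_backup|bk-01
0|db|crm|20000
1|net|ws-17|900000
1|net|ws-03|500000
1|auth|da_admin|jump-01
1|db|crm|18000
2|net|ws-17|1100000
2|net|ws-03|500000
2|auth|da_admin|jump-01
2|auth|svc_backup|bk-01
2|db|crm|22000
3|net|ws-17|1000000
3|net|ws-03|500000
3|auth|da_admin|jump-01
3|db|crm|21000
4|net|ws-17|950000
4|net|ws-03|500000
4|auth|svc_backup|bk-01
4|db|crm|19000
5|net|ws-17|48000000
5|net|ws-03|500000
5|auth|da_admin|ws-17
5|auth|jdoe|ws-17
5|db|crm|400000
"""


def parse_log(text):
    """Parse the pipe-delimited sample format into (hour, kind, subject, value) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        hour, kind, subject, value = line.split("|")
        events.append((int(hour), kind, subject, value))
    return events


def _series(events, kind):
    """Group numeric events of one kind as {subject: {hour: value}}."""
    per_subject = defaultdict(dict)
    for hour, k, subject, value in events:
        if k == kind:
            per_subject[subject][hour] = int(value)
    return per_subject


def volume_spikes(events, kind, factor=SPIKE_FACTOR):
    """Flag (subject, hour, value) where value exceeds factor x the subject's median.
    The median is robust to a single spike, so the spike does not hide itself."""
    findings = []
    for subject, by_hour in _series(events, kind).items():
        median = statistics.median(by_hour.values())
        for hour in sorted(by_hour):
            if by_hour[hour] > factor * median:
                findings.append((subject, hour, by_hour[hour]))
    return findings


def network_spikes(events):
    """Unusual network traffic: outbound byte spikes per host."""
    return volume_spikes(events, "net")


def db_read_spikes(events):
    """Increase in database read volume: rows-read spikes per database."""
    return volume_spikes(events, "db")


def privileged_logon_anomalies(events, baseline_hours=BASELINE_HOURS):
    """Anomalous privileged activity: a privileged account logging on from a
    host that never appeared for that account during the baseline window."""
    known_hosts = defaultdict(set)
    for hour, kind, user, host in events:
        if kind == "auth" and user in PRIVILEGED_ACCOUNTS and hour < baseline_hours:
            known_hosts[user].add(host)
    findings = []
    for hour, kind, user, host in sorted(events):
        if (kind == "auth" and user in PRIVILEGED_ACCOUNTS
                and hour >= baseline_hours and host not in known_hosts[user]):
            findings.append((user, host, hour))
    return findings


def hunt(text=SAMPLE_LOG):
    """Run all three detectors and return their findings keyed by IOC class."""
    events = parse_log(text)
    return {
        "network_spikes": network_spikes(events),
        "db_read_spikes": db_read_spikes(events),
        "privileged_logon_anomalies": privileged_logon_anomalies(events),
    }


if __name__ == "__main__":
    for ioc_class, findings in hunt().items():
        print(ioc_class, findings)
```

In the constructed data all three detectors converge on hour 5: workstation ws-17 pushes roughly 48 MB out, the domain admin account logs on from that same workstation for the first time, and the CRM database reads twenty times its usual volume. Any one of these alone is noisy; the value of monitoring the indicators together, as the article recommends, is that their correlation on one host and one hour is what shortens time to detection.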
Ensuring the basics are covered enhances the security posture of any organization. However, it does not mean the organization is fully secure.
The global nature of the internet means that ransomware attacks can happen at any time. As these threats rapidly evolve and new variants are discovered, organizations must understand their risks and follow best practices. Taking a more proactive approach to identifying potential threats and monitoring for suspicious activity can help catch ransomware before it takes a toll on company resources.