What can my business do to combat ransomware?
From small local businesses to large international enterprises, all businesses are at risk of falling victim to a ransomware attack. For the uninitiated, ransomware is a form of malware that blocks access to a file, system or device until a ransom is paid. Typically, ransomware spreads throughout a network, and encrypts files, resulting in large-scale damage whilst making remediation particularly difficult.
Most businesses have taken steps to reduce their cyber risk; however, there is more that can be done. In this article, we will delve into the current state of ransomware, common entry points, and what businesses can do to combat this adversary.
The Current State of Ransomware
There have been some major ransomware attacks throughout the UK and the Republic of Ireland in recent years. Some of these include an attack on the Irish Health Service Executive, with recovery costing $442m, and an attack on the Hackney Borough Council costing approximately £10m to recover from.
Whilst ransomware attacks have steadily increased over the past 5 years, ransomware-related data leaks increased by 82% from 2020 to 2021. Ransomware in itself is financially devastating for most businesses; this increase in data leaks, however, is particularly harmful to a business’s reputation and public image. This is known as double extortion: the attackers also exfiltrate the data, so that if the company can recover from the attack through backups without paying the ransom, they threaten to leak it online or sell it to the highest bidder.
As double extortion has become the new normal for ransomware, the way businesses protect against ransomware has also changed, with backup and disaster recovery no longer being sufficient.
Ransomware Entry Points
Phishing has consistently ranked as the number one threat vector for many years, with 83% of all cyberattacks in 2022 being some form of phishing attack. Whilst some phishing ransomware attacks are low-effort spray-and-pray attacks that can be prevented with technologies such as DMARC, SPF and DKIM, or with cybersecurity awareness training, there are also some highly sophisticated phishing attacks.
These targeted attacks are known as spear phishing: the cybercriminal researches the target business and its individuals, then tailors the phishing attack to them. Such emails typically appear to come from a trusted individual or company but contain a malicious link which, if clicked, either downloads the payload or takes the victim to a malicious site that captures their password for use in a different attack method.
Credential stuffing is a form of cyberattack where the attacker collects stolen account credentials, typically usernames/emails and passwords, in order to gain access to other accounts. These credentials can be purchased on the dark web through previous data leaks, potentially due to other ransomware attacks. This is only effective if individuals reuse a password across different systems, however, this is a common practice. Some systems that are commonly targeted by credential stuffing include email clients, Remote Desktop Protocol (RDP), Virtual Private Networks (VPN), and Microsoft 365 accounts.
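Credential stuffing leaves a recognisable trace in authentication logs: one source address trying many different accounts, mostly failing. The following is an added example (not from the original article) that scans constructed VPN/M365-style login records for that pattern; the log layout, the IP addresses and the threshold of five distinct accounts are assumptions.

```python
"""Flag credential-stuffing sources in constructed authentication logs."""
from collections import defaultdict

# Constructed sample lines (assumed format): timestamp, source IP, account, result.
SAMPLE_LOG = """\
2024-03-01T09:00:01 203.0.113.7 alice@example.com FAIL
2024-03-01T09:00:02 203.0.113.7 bob@example.com FAIL
2024-03-01T09:00:02 203.0.113.7 carol@example.com FAIL
2024-03-01T09:00:03 203.0.113.7 dave@example.com FAIL
2024-03-01T09:00:03 203.0.113.7 erin@example.com SUCCESS
2024-03-01T09:00:04 203.0.113.7 frank@example.com FAIL
2024-03-01T09:05:10 198.51.100.2 alice@example.com FAIL
2024-03-01T09:05:40 198.51.100.2 alice@example.com SUCCESS
"""


def parse_log(text):
    """Split each line into a small event record."""
    events = []
    for line in text.splitlines():
        ts, ip, account, result = line.split()
        events.append({"ts": ts, "ip": ip, "account": account,
                       "ok": result == "SUCCESS"})
    return events


def find_stuffing_sources(events, min_accounts=5):
    """Return {ip: summary} for sources that tried >= min_accounts distinct accounts.

    Stuffing replays leaked username/password pairs, so the tell-tale sign is one
    source touching many different accounts, unlike a brute force on one account
    or a user mistyping their own password. A SUCCESS inside such a burst marks an
    account whose reused password is now known to the attacker and must be reset.
    """
    per_ip = defaultdict(lambda: {"accounts": set(), "failures": 0, "hits": set()})
    for e in events:
        info = per_ip[e["ip"]]
        info["accounts"].add(e["account"])
        if e["ok"]:
            info["hits"].add(e["account"])
        else:
            info["failures"] += 1
    return {ip: {"distinct_accounts": len(i["accounts"]),
                 "failures": i["failures"],
                 "compromised": sorted(i["hits"])}
            for ip, i in per_ip.items() if len(i["accounts"]) >= min_accounts}
```

The second source in the sample (one account, one retry) is the normal user case and is not reported.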
Exploiting Vulnerable Systems
Businesses that are running systems, applications or services that do not have the most recent security updates are at risk of a ransomware attack through the exploitation of a known vulnerability. For some businesses, this may be an old computer or server that is not often used but still connected to the network. If a hacker exploits the vulnerability and gains access to the computer, they can move laterally across the network and infect other machines with ransomware.
Ransomware Protection Methods
When businesses are considering what they can do to combat ransomware, it is essential that they take a multi-layered approach. There is no single technology that can protect against ransomware, but rather several technologies working together to protect each attack surface.
As phishing is the number one threat vector, businesses must secure their email systems. Similar to protecting against ransomware in general, businesses should take a multi-layered approach to email security.
To begin, all businesses should have DMARC, SPF and DKIM implemented within their domain. The next layer should be an email security solution. Many email security solutions use AI to block potential phishing emails before they even land in a user’s inbox. Finally, in the case that a phishing email gets through the security system, all employees within a business should have adequate security awareness training, to be able to accurately detect and report any potential phishing emails.
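Having DMARC and SPF records published is not the same as having them enforce anything: a DMARC policy of p=none or an SPF record ending in ?all still lets spoofed mail through. Below is an added example (not from the original article) that grades DMARC and SPF records for such weak settings; the records shown are constructed, and in practice they would be read from the domain's DNS TXT entries.

```python
"""Grade DMARC and SPF records for settings that leave spoofing unchecked."""


def parse_tags(record):
    """Turn 'v=DMARC1; p=none; rua=mailto:x' into {'v': 'DMARC1', 'p': 'none', ...}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record):
    """Return findings; an empty list means the policy is actually enforced."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "none")
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine sends spoofed mail to spam instead of rejecting it")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']} applies the policy to only part of the mail")
    if "rua" not in tags:
        findings.append("no rua address: aggregate reports are not collected")
    return findings


def check_spf(record):
    """Flag the final 'all' qualifier, which decides what happens to unlisted senders."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    last = terms[-1].lower()
    if last in ("+all", "all"):
        return ["+all authorises every host to send as this domain"]
    if last == "?all":
        return ["?all is neutral, so receivers ignore the SPF result"]
    if last == "~all":
        return ["~all is a soft fail; use -all once every legitimate sender is listed"]
    if last != "-all":
        return ["record does not end in an 'all' term"]
    return []


# Constructed records: a weak pair and a hardened pair for the same domain.
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
WEAK_SPF = "v=spf1 include:_spf.example.net ?all"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"
STRONG_SPF = "v=spf1 include:_spf.example.net -all"
```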
Password Security and MFA
To protect against credential stuffing, users should follow password best practices. All passwords should be long and complex, including numbers, symbols and uppercase letters, without using dictionary words or names. Users should also use a unique password for each system, service and application. There are solutions available to help individuals with password security, such as password managers, and passwordless authentication. Businesses should also implement multi-factor authentication on all accounts to prevent account compromise attacks.
Update and Patch Management
Although up-to-date machines and applications can still have unknown vulnerabilities or be hit by zero-day exploits, this is not a common occurrence. For this reason, businesses should run all updates and patches as soon as possible. Unfortunately, many employees will delay updates due to the inconvenience of restarting their device. However, important updates can be forced using a Mobile Device Management solution, such as Microsoft Intune.
Endpoint Detection and Response (EDR)
With double extortion becoming more commonplace, businesses need to invest more in protecting ransomware entry points. If a phishing email gets through email security and a malicious file is downloaded, an EDR solution will detect and stop the execution of most ransomware variants. Such a solution is also beneficial as it addresses the common issue of the constantly expanding attack surface. Businesses should consider an EDR solution the second-to-last line of defence, as it is only effective once ransomware has reached a machine.
Backup and Disaster Recovery
Whilst a comprehensive backup and disaster recovery solution will not prevent a double extortion attack, it will enable businesses to recover if they are the victim of ransomware. When businesses are implementing a backup and disaster recovery solution, they need to consider the Recovery Point Objective (RPO) and Recovery Time Objective (RTO).
The RPO defines how often data is backed up; for most businesses this is once every 24 hours. The RTO defines how long it takes for data to be restored after a disaster, such as a ransomware attack. Some disaster recovery solutions have automatic rollback after a ransomware attack, to maintain business continuity. Businesses should consider this the last line of defence.