Ransomware remains one of the biggest threats facing organizations worldwide; a glance at the constant news headlines is enough to confirm this. Despite its decades as a fixture on the threat landscape, tenacious cyber-criminals continue to find new ways to put it to devastating use.
Here in the UK, the threat of ransomware is so pressing that the National Cyber Security Centre (NCSC) has warned that it presents a bigger risk to national security than online espionage by hostile states. Across EMEA, we have recently seen a number of high-profile, household name ransomware targets, bringing the issue to the attention of a broad audience.
Changing tactics are a crucial factor behind ransomware's resurgence: today's attacks are far more sophisticated than earlier iterations. Rather than the blanket approach often used in the past, modern cyber-criminals spend more time researching targets and tailoring their approach to improve their chances of success.
Just as threat actors hone their skills to get results, so must cyber-defense teams. Unfortunately, this does not appear to be happening yet: according to recent Ponemon Institute research, just 13% of IT experts feel equipped to prevent ransomware. It is unsurprising, then, that over two-thirds consider themselves vulnerable or very vulnerable to an attack.
The situation needs rectifying, and quickly. Ransomware costs large organizations $5.66m every year. With such rewards on offer, we can be sure it will remain a popular method of attack.
Organizations must stop thinking in terms of 'respond' only; by the time a response begins, the cyber-criminals already have a foothold in the network. More must be done, worldwide, to prevent such attacks in the first place.
The Anatomy of a Ransomware Attack
To determine the best way to defend against ransomware, cybersecurity teams must fully understand the nature of an attack – how access is gained and what activity to look out for once defenses are breached.
Attackers don’t hack in now; they log in. In most cases, cyber-criminals get through the perimeter via phishing emails containing malicious URLs: credentials are stolen and then used to access legitimate systems. Password reuse also poses a significant threat, as credentials exposed through an unrelated data breach can be used to access company networks.
Another method of entry that is fast gaining popularity delivers ransomware as a multi-layered payload. Here, initial access is gained via a malware downloader, with the ransomware itself delivered later. In some cases, the initial attacker sells that access to a third-party threat actor, who then initiates the ransomware attack.
Once inside your defenses, cyber-criminals move laterally to infect as many devices and critical systems as possible. The more data at risk, the higher the ransom they can potentially demand.
The final step in the attack chain is the ransomware itself. Once the cyber-criminals deem that enough prized systems are infected, the payload is dropped: it destroys backups, encrypts as much data as possible and delivers a ransom demand tailored to the size and vertical of the victim.
Response: Too Little, Too Late
Despite an awareness of the threat posed by ransomware, organizations worldwide continue to have difficulty keeping it at bay.
For most organizations, the ransomware mitigation strategy relies heavily on detection and response capabilities, but these only kick in once the malware is already on the box, which is too late.
Organizations must use detection technology to identify the presence of a threat that could lead to a ransomware attack, and be in a position to trigger an incident response as soon as one is spotted. The security team can then activate containment, isolating the affected endpoints, users and systems, after which incident responders assess the impact and begin recovery.
If or when a ransomware threat does land, organizations should also consider isolation so that it cannot spread laterally across the workforce. If users open websites and attachments in an isolated environment, they remain protected and the malware never lands on the box.
Every time a potential threat is detected, this response is triggered. That carries a cost and a variable impact, depending on how far the threat has spread and which systems are affected. Not every organization has the staff to respond to every 'potential' ransomware alert; teams quickly get overwhelmed, and threats may well slip through.
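The two late-stage behaviours described in the attack chain above, backups being destroyed and data being encrypted en masse, are also the most concrete signals a detection pipeline can look for before deciding to isolate a host. The following is an added example, not code from the original article: a small detector run over constructed endpoint telemetry (process starts and file renames). The event format, the thresholds and the specific backup-destruction command patterns are this example's own assumptions; the patterns are illustrative, not exhaustive.

```python
"""
Added example: detect late-stage ransomware behaviour (backup destruction,
mass file encryption) in endpoint telemetry and decide which hosts to isolate.
Event format, thresholds and sample data are constructed for this example.
"""
import os
import re
from collections import deque
from dataclasses import dataclass

# Command lines commonly used to remove Windows recovery points before
# encryption. Illustrative list; a real deployment would maintain its own.
BACKUP_DESTRUCTION_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I),
    re.compile(r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I),
]


@dataclass(frozen=True)
class Event:
    ts: float      # seconds since some epoch
    host: str
    kind: str      # "proc" (process start) or "rename" (file renamed)
    detail: str    # command line for "proc"; "old_path -> new_path" for "rename"


def is_backup_destruction(cmdline: str) -> bool:
    """True if the command line matches a known backup-destruction pattern."""
    return any(p.search(cmdline) for p in BACKUP_DESTRUCTION_PATTERNS)


def extension_changed(detail: str) -> bool:
    """True if a rename changed the file extension (e.g. .docx -> .locked)."""
    old, _, new = detail.partition(" -> ")
    return os.path.splitext(old)[1].lower() != os.path.splitext(new)[1].lower()


def detect(events, window_s: float = 60.0, rename_threshold: int = 20):
    """
    Return {host: [(finding_kind, ts, evidence), ...]}.
    Backup destruction fires on every matching process start. Mass encryption
    fires when the number of extension-changing renames on one host within a
    sliding window climbs to rename_threshold.
    """
    findings = {}
    recent = {}  # host -> deque of timestamps of extension-changing renames
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "proc" and is_backup_destruction(ev.detail):
            findings.setdefault(ev.host, []).append(
                ("backup_destruction", ev.ts, ev.detail))
        elif ev.kind == "rename" and extension_changed(ev.detail):
            q = recent.setdefault(ev.host, deque())
            q.append(ev.ts)
            while q and ev.ts - q[0] > window_s:   # drop events outside the window
                q.popleft()
            if len(q) == rename_threshold:
                findings.setdefault(ev.host, []).append(
                    ("mass_encryption", ev.ts, f"{len(q)} renames in {window_s:.0f}s"))
    return findings


def hosts_to_isolate(findings) -> list:
    """Containment decision: every host with at least one finding gets isolated."""
    return sorted(findings)


# Constructed sample telemetry (not from any real incident).
# ws-017: shadow copies deleted, then 25 documents renamed to *.locked.
# ws-042: ordinary activity with a couple of benign extension changes.
SAMPLE_EVENTS = [
    Event(100.0, "ws-017", "proc", "vssadmin.exe delete shadows /all /quiet"),
    *[Event(110.0 + i, "ws-017", "rename",
            f"C:\\Users\\alice\\Documents\\doc{i}.docx -> "
            f"C:\\Users\\alice\\Documents\\doc{i}.docx.locked")
      for i in range(25)],
    Event(100.0, "ws-042", "proc", "notepad.exe C:\\Users\\bob\\notes.txt"),
    Event(101.0, "ws-042", "rename", "C:\\Users\\bob\\report.tmp -> C:\\Users\\bob\\report.xlsx"),
    Event(102.0, "ws-042", "rename", "C:\\Users\\bob\\old.docx -> C:\\Users\\bob\\new.docx"),
]

if __name__ == "__main__":
    result = detect(SAMPLE_EVENTS)
    for host, items in result.items():
        for kind, ts, evidence in items:
            print(f"{host} t={ts:.0f} {kind}: {evidence}")
    print("isolate:", hosts_to_isolate(result))
```

On the sample data only ws-017 is flagged: once for the shadow-copy deletion and once when the twentieth extension-changing rename arrives inside the 60-second window. The threshold-based rule is deliberately coarse; in practice it is tuned per environment so that legitimate bulk operations (archiving, migrations) do not trigger the costly containment step the paragraph above warns about.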
Organizations must also keep in mind that most ransomware starts with phishing, which is why any effective ransomware defense must start with email. Adopt a better email gateway and you will stop more phishing attacks before they reach your employees' inboxes; less phishing in the inbox means the detection and response processes trigger fewer times.
Ransomware Protection Beyond the Tools
When it comes down to it, ransomware is simply another form of malware, and it often rides on the back of other malware attacks. Organizations must therefore do everything they would normally do to protect their networks from such attacks, plus additional controls specific to ransomware.
As with all such attacks, technology and tools are not enough. When ransomware arrives via email, your people are under attack, and they must also form a vital part of your defense.
Every member of your organization must know how to spot an attack and understand their role in defending against one. This is only possible through targeted, ongoing security awareness training, an approach that has been shown to reduce successful phishing attacks by up to 90%.
Training must go beyond the basics of security hygiene and multiple-choice tests. Behavior only changes when every user understands the consequences of poor cybersecurity practice, and with your people posing the greatest cyber-risk to your organization, that behavior change can make a world of difference.