Cybercrime has become a lucrative industry, and the pandemic has ushered in a new era of cybersecurity threats. Not only are attackers becoming far more organized, but the threat landscape is constantly evolving. Ransomware is now considered one of the biggest threats to organizations and presents a continuous challenge to their IT teams – attacks are growing more sophisticated by the day. Just last year, IDC Survey reported that over a third of companies worldwide have experienced a ransomware attack or breach that blocked access to systems or data, affecting their operations.
How Ransomware Attacks Start – A Threat Analysis
Phishing is still one of the key ways in which ransomware attacks begin. Many phishing techniques are designed to be effective, as many individuals’ environments have changed, they are more susceptible to attacks. These attacks use tailored techniques, dynamic websites and regularly updated methods to remain undetected to those mostly untrained and working from home. The result is a series of attacks with an alarmingly high success rate yet a relatively low detection rate.
Once a network has been compromised, it is penetrated further, with the internal network using exploits and automatic USB infection to encrypt files in addition to sending them outwards. A key threat of this malware is its ability to evade detection. It is worth highlighting that these impressive ‘stealth mode’ techniques are adopted by malware to avoid detection. These include frequently checking AV results and changing versions on all infected servers when any detection traces appear. This is in addition to monitoring memory consumption to prevent common server administration utilities from detecting the ransomware processes.
Why Is It So Dangerous?
Ransomware can compromise an entire network. It can spread from device to device across an internal network with powerful exploits, even encrypting data on USB devices. Ransomware typically encrypts important documents on any system or attached network storage device. There are some known keys to older ransomware, but the criminals have increasingly used better encryption which can be almost impossible to break.
Some well-known ransomware includes BadRabbit, Cerber, Cryptolocker, Not Petya, REvil, Ryuk and WannaCry. Ransomware can target any sector, such as finance, health and legal. It can also use sophisticated techniques adopted by malware to evade detection and create even more damage.
Cybercrime has gradually become an industry where some groups have cybercrime units typical of any large legitimate business, such as partner networks, associates, resellers and vendors. In fact, they even have dedicated call centers which are typically used to help with requests from ransomware victims. Of course, they use sophisticated methods to remain hidden, such as encryption, dark web forums, virtual private networks (VPNs) and other obfuscation techniques. They also offer franchises that allow other hackers to replicate their botnets and vectors of compromise and even provide training, which is why ransomware is gaining so much momentum.
Methods of Best Practice – Establishing a Line of Defense
IT management must have a more holistic approach to cybersecurity as an organisational-wide risk issue moving forward. This includes identifying which risks to avoid, accept, mitigate and specific plans in each case and communicating this to senior management. The number one preparation for future potential ransomware infection is a proper backup policy. The backups should be serialized, with previous versions of files stored. Of course, these backups should not be stored on network-attached drives as ransomware can infect shared and removable media. Other precautions include deploying firewalls, active attachment scanning and web filtering in addition to IDS and anti-malware.
It is worth pointing out that a technical solution through homomorphic encryption fully encrypts our data while at rest. This can prevent the hackers from publicly exposing data to blackmail victims as all data is encrypted and thus cannot be viewed.
Cybersecurity training for staff is also vital as people are often the weakest link in security. Therefore, it is essential to ensure all employees are well trained on aspects such as cybersecurity best practices such as phishing and data sharing practices, keeping software updated, unique, strong passwords and enabling two-factor authentication.