Ransomware has evolved into a significant threat for all types of organizations. How and why is it such a pervasive issue, and how can organizations better defend themselves against it?
Organizations face a variety of cyberthreats, from phishing campaigns to malware to Distributed Denial of Service (DDoS) attacks to brute force attacks and more. But ransomware seems to strike a special type of fear among victims. Perhaps that’s because an organization hit by ransomware suffers on many different levels—loss of critical data, financial repercussions, loss of trust among customers, damage to reputation, and an overall sense of embarrassment at being victimized this way.
SEE: Ransomware: What IT pros need to know (free PDF) (TechRepublic)
Ransomware can affect any organization, large or small, including businesses, schools and educational facilities, hospitals and healthcare providers, government agencies, and non-profit entities. Further, cybercriminals who deploy a successful ransomware attack do so in phases, many of which require planning, stealth, and cunning.
There’s the initial step by which an attacker gains access to a network through phishing emails or some other form of compromise. There’s the analysis of an organization’s network and assets to see where it’s vulnerable. There’s the actual attack in which files are infected and encrypted to render them inaccessible.
Next, there’s the ransom notification that threatens the organization unless payment is made. There’s the wait to see if the criminals actually decrypt the data even if the ransom has been paid. And, increasingly, there’s a final step where the attackers publicly reveal the compromised data to further punish and humiliate the victim.
How widespread a problem is ransomware?
This question is difficult to answer accurately, according to SecurityHQ analyst Mohsin Khan Mahadik. That’s because many victimized organizations don’t report a ransomware attack for fear of losing money, business, or private data. Victims often just quietly pay off their attackers without notifying anyone. For 2019, Statista recorded a total of 187.9 million ransomware cases worldwide. But the actual number is likely far higher.
In a document on “How to Protect Your Networks from Ransomware,” the US Department of Justice reported that more than 4,000 ransomware attacks have occurred each day since Jan. 1, 2016. That’s a 300% jump over the 1,000 attacks seen daily in 2015.
SEE: Ransomware attack: Why a small business paid the $150,000 ransom (TechRepublic)
But more important than the actual numbers are the ways in which ransomware is increasingly affecting its victims. Because of the damage that ransomware can inflict, it’s considered one of the most widespread and destructive forms of cyberattack.
The average ransom payment is slightly higher than $110,000, according to Digital Shadows threat researcher Kacey Clark. But demands can range from a few thousand dollars to several million. And the financial costs go beyond just the ransom payment itself.
In 2017, FedEx suffered a loss of $300 million as a result of the NotPetya ransomware attack. In 2018, the city of Atlanta spent more than $2.6 million to recover from an attack by the SamSam ransomware. And in 2019, the city of Baltimore was forced to spend more than $18 million to rebuild its IT network following an attack in which it refused to pay the ransom.
SEE: Social engineering: A cheat sheet for business professionals (free PDF) (TechRepublic)
Why has ransomware become such a major threat?
Ransomware began to emerge in the early 2010s in large part due to the rapid improvements in the processing power of computers, according to Mahadik. Computers are now so powerful that they can encrypt their own files in just a few hours, which means that criminals can carry out an attack relatively quickly without getting caught.
SEE: How to defend your organization against the surge in ransomware attacks (TechRepublic)
Further, ransomware goes far beyond just a few sophisticated criminal groups who level attacks at large organizations, according to Daniel Norman, senior solutions analyst at the Information Security Forum. Anyone in the world can now buy and deploy different strains of ransomware designed for various operating systems, technologies, and products.
“The market for ‘ransomware-as-a-service’ has boomed over the last few years,” Norman told TechRepublic. “Anyone with access to the Dark Web can buy readily available ransomware kits for less than $100. With ready-made packages available to any cybercriminal, it’s no surprise why this attack technique has proliferated.”
Other niche players have paved their own roads to ransomware, according to Norman. Initial access brokers acquire and advertise access to compromised networks. Ransomware affiliates help ransomware operators expand their capabilities. Ransomware groups have also posted messages on Dark Web forums looking to recruit people with network access or penetration testing skills.
SEE: End user data backup policy (TechRepublic Premium)
How are organizations vulnerable to ransomware?
Among the 187.9 million ransomware attacks reported by Statista for 2019, 67% of them were initiated by spam and phishing emails, according to Mahadik. Some 36% occurred due to poor cybersecurity training, 30% because of weak passwords and ineffective asset management, 25% due to poor user practices, 16% because of malicious websites, and 16% due to clickbait.
To pay or not to pay?
Organizations hit by a successful ransomware attack have a key decision to make—whether to pay the ransom. Paying the ransom may sometimes seem like the quickest and easiest way to mitigate the problem, especially if there are no reliable data backups or other means of recovery. But as Mahadik points out, victims would do well to remember that there is no honor among thieves.
SEE: Ransomware attacks continue to dominate the threat landscape (TechRepublic Premium)
“Once they have your data, there is no guarantee that if you pay them off, that your data will be given back or decrypted,” Mahadik said. “There is also no guarantee that you will not be a target a second time around. Often, once an attack is made, the bad actor will sell the details to their associates to come after the victim again after deployment, because the payload can still be there, activated and deactivated.”
How can organizations better protect themselves against ransomware?
User training. User training is a key area. Users should receive security awareness and education about the threat of ransomware and the ways it can be delivered, Norman said.
Patches. Making sure all your systems are patched and updated can help counter a ransomware attack.
Security solutions. A robust antivirus and anti-spam solution should regularly scan devices for malware to assist in preventing a ransomware attack.
The right team and plan. An organization should also have an incident response or crisis management plan for ransomware events that describes which employees to contact and what to do, Norman said. This plan should be rehearsed regularly so the right people know how to respond.
“Organizations should create a robust security awareness program that trains employees to identify malicious emails and report them to an incident response authority,” Clark told TechRepublic. “Restricting (remote desktop protocol) RDP behind an RDP gateway and enabling Network Level Authentication can provide security benefits if RDP is required to be internet-facing. Additionally, organizations should prioritize patching based on the impact a vulnerability has on their data.”
Mahadik also offered the following tips to help prevent a ransomware attack.
- Back up your computers and servers regularly.
- Secure mapped network drives with a password and access control restrictions.
- Avoid handling files or URL links in emails, chats, or shared folders from untrusted sources.
- Run software with the least privileges.
- Monitor your endpoints 24×7 by deploying EDR technology to detect advanced cyberattacks.
- Associate insurance policies that cover the cost in case of an attack.
SEE: 5 more things to know about ransomware (TechRepublic)
“Additional steps to be considered when planning for a possible ransomware attack include 1) identifying what kind of information is stored on backups, how they’re stored, and if reverting to backups is feasible during an incident; 2) conducting cybersecurity risk analysis; 3) training staff on cybersecurity best practices; and 4) performing penetration testing to evaluate system security and fortify defenses,” Clark said.