Ransomware Attacks — Trends and Protection Strategies

How ransomware attacks impact organisations, the myths organisations hold about them, and the strategies to protect against and respond to them effectively

Ransomware Attacks — Introduction
Ransomware is a type of malicious software that takes control of a computer system and prevents the victim from accessing the data on it. The files, or the entire system, are held hostage through encryption until the victim pays a ransom in exchange for a decryption key that restores access to the system and data.
Even though ransomware attacks have only made headlines in the last few years, the first documented ransomware attack was perpetrated much earlier, in December 1989, when a distinguished biologist distributed infected floppy disks to attendees of an international AIDS conference. The ransomware is known as “PC Cyborg”, also dubbed the AIDS Trojan, and a ransom of $189 was demanded through a P.O. box in Panama.
Ransomware attacks started small, targeting both individuals and organisations; however, these attacks have grown in sophistication and complexity over time because of their monetisation potential and the difficulty of tracing the perpetrators.
There are two major types of ransomware attack commonly in use nowadays —
• Crypto ransomware — In this type of attack, an attacker encrypts the files on a computer system.
• Locker ransomware — In this type of attack, an attacker locks the computer system itself rather than encrypting individual files, denying the victim access to the whole system.
In recent years, organised criminals have started monetising ransomware by offering Ransomware-as-a-Service (RaaS) to cyber criminals with low technical skills. They have developed a sophisticated business model built on sharing the ransom payout. RaaS kits can be found on the dark web and may include bundled offers, user reviews, and 24/7 support for ransomware operators.
Current Trends and Impact on Organisations
A major worldwide ransomware attack took place in 2017 with the WannaCry outbreak, which started a ransomware craze amongst criminals as perpetrators realised that it was possible to launch large-scale ransomware attacks for monetary gain.
The attacks have been growing at a rapid pace ever since. The total number of attacks in the first half of 2022 surpassed the total for the whole of 2021, but how many of these are being reported?

The European Union Agency for Cybersecurity (ENISA) reported that most attacks go unreported, and in as many as 94.2% of cases it was not possible to confirm whether a ransom was paid. Most likely, organisations are paying millions in ransom to get their data back without ever talking about it, to avoid public scrutiny and reputational damage through bad press.
Some companies go as far as hiring ransomware negotiators to negotiate a deal with the perpetrators and to facilitate cryptocurrency payments.
In the worst cases, companies have been forced into bankruptcy because they were unable to fully recover from an attack, even after paying a ransom.
Organisations are strongly discouraged by government bodies and cybersecurity professionals from paying a ransom, since there is no guarantee that they will be able to recover and become fully operational again. Paying a ransom only encourages perpetrators to target more organisations and provides funds for further illegal activities.
In March 2022, US President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which requires the Cybersecurity and Infrastructure Security Agency (CISA) to develop and implement regulations requiring cyber incidents and ransomware payments to be reported to CISA. These reports will allow CISA to rapidly deploy resources and render assistance to victims suffering attacks, analyse incoming reports across sectors to spot trends, and quickly share information to warn other potential victims.
Myths about Ransomware Attacks
Most organisations, especially small to medium enterprises (SMEs), believe that they are unlikely to be the target of a ransomware attack because they are either too small or do not process any sensitive information, and as a result they may not be sufficiently prepared to deal with such an attack.
Anyone, including SMEs and individuals, can be a target, since these attacks may be aimed at a specific organisation or person or be entirely indiscriminate.
Some of the myths that organisations, especially SMEs, may hold about ransomware attacks:

  1. We are too small to attract attention from ransomware attackers
  2. We are not part of critical infrastructure and do not handle sensitive data, so it is not worth their while to attack us
  3. Phishing is the major cause of ransomware attacks. But what about weak passwords, stolen credentials, missing patches, zero-days, or any other vulnerabilities in your systems?
  4. If we pay out the ransom, the attackers will go away and never come back
  5. We have network and host-based intrusion detection systems in place, so we will catch them as soon as they get into our environment
  6. We have an online backup, so recovery will be fast if we’re hit by an attack
It is worth noting that some threat actors may specifically target SMEs due to their potentially weak defences, the higher likelihood of a payout, and to avoid scrutiny from law enforcement agencies.
One piece of advice from ENISA is that organisations need to prepare for ransomware attacks in advance and consider the possible consequences before an attack happens.
Once the reality hits, it may be too late to react, or to respond in an effective and measured way.
Steps Organisations can Take to Protect Themselves
Recovery from ransomware attacks can be difficult and expensive.
The Health Service Executive (HSE), Ireland’s publicly funded healthcare system, suffered a ransomware attack in 2021. The HSE estimated an overall cost of over €100 million to restore network operations, upgrade IT systems, and cover the disruption caused to patients by this incident. The HSE published an independent post-incident review conducted by PwC.
It is only a matter of ‘when’, not ‘if’, you will be attacked. Therefore, organisations need to take steps in advance to prevent ransomware attacks altogether.
Steps that organisations can take to improve their cybersecurity posture —
• Implement Credentials Hardening — Enable multi-factor authentication (MFA) for all users where possible, especially for remote access to systems; enforce strong and unique passwords; deploy password management solutions; enable account lockout features; and prevent credentials from being exposed within systems, configuration files and logs.
• Implement Secure by Design Principles — Follow secure by design principles such as defence in depth, the principle of least privilege, network segmentation, and the zero trust model to keep the damage to a minimum by reducing the blast radius and preventing proliferation to other systems.
• Develop a Vulnerability Management Program — Develop vulnerability management policies and standards, perform regular vulnerability scanning at the infrastructure and application levels, implement a centralised patch management system, and prioritise patching for critical systems and vulnerabilities.
• Implement Network and Endpoint Protections — Install antivirus software and keep signatures up to date, and install host-based and network-level firewalls and IDS/IPS systems. Ensure that management interfaces are not exposed on the Internet.
• Enable Centralised Logging and Monitoring — Create a centralised log management and alerting system, such as a SIEM. At an advanced level, you may also consider implementing a SOAR (Security Orchestration, Automation and Response) system to automate security operations activities.
• Develop Backup and Recovery Procedures — Take regular and frequent backups. Along with online backups, keep offline backups at a separate offsite location; this will help with recovery if the online backups are also encrypted by a ransomware attack.
• User Awareness Training — Invest in user education to prevent phishing attacks, which remain one of the main methods of distributing malicious software. Ensure that employees know how to report phishing and suspicious activity.
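One way the centralised logging and monitoring step above can be put to work against the crypto ransomware described earlier is a rule that alerts when one host renames many files to the same new extension within a short window. The Python below is an added example, not the article's code; the audit-log format and the sample lines (hosts, paths, the `.locked` extension) are constructed for the example.

```python
"""Added example (not from the article): a toy SIEM-style rule for the
'Centralised Logging and Monitoring' step. It flags a host where many files
are renamed to the same new extension inside a short window, the pattern
crypto ransomware leaves in file-server audit logs. Log format and sample
lines are constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit lines; assumed format: "<ISO time> <host> RENAME <old> -> <new>"
SAMPLE_LOG = """\
2022-06-01T09:00:01 ws-17 RENAME /share/finance/q1.xlsx -> /share/finance/q1.xlsx.locked
2022-06-01T09:00:02 ws-17 RENAME /share/finance/q2.xlsx -> /share/finance/q2.xlsx.locked
2022-06-01T09:00:02 ws-17 RENAME /share/hr/payroll.docx -> /share/hr/payroll.docx.locked
2022-06-01T09:00:03 ws-17 RENAME /share/hr/contract.pdf -> /share/hr/contract.pdf.locked
2022-06-01T09:00:04 ws-17 RENAME /share/it/inventory.csv -> /share/it/inventory.csv.locked
2022-06-01T09:15:00 ws-03 RENAME /home/bob/draft.txt -> /home/bob/report.txt
2022-06-01T10:42:10 ws-03 RENAME /home/bob/old.docx -> /home/bob/old.docx.bak
"""


def new_extension(path):
    """Extension of the destination filename ('' if it has none)."""
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[1] if "." in name else ""


def detect_mass_rename(log_text, window=timedelta(seconds=60), threshold=5):
    """Return {host: (extension, count)} for hosts that renamed at least
    `threshold` distinct files to one extension within `window`."""
    seen = defaultdict(dict)  # (host, ext) -> {original path: timestamp}
    for line in log_text.splitlines():
        fields = line.split(" ", 5)
        if len(fields) != 6 or fields[2] != "RENAME":
            continue  # skip blank, malformed or non-rename records
        ts, host, _, old, _, new = fields
        seen[(host, new_extension(new))][old] = datetime.fromisoformat(ts)
    alerts = {}
    for (host, ext), files in seen.items():
        times = sorted(files.values())
        start = 0
        for end, t in enumerate(times):  # sliding window over sorted times
            while t - times[start] > window:
                start += 1
            hits = end - start + 1
            if hits >= threshold and hits > alerts.get(host, ("", 0))[1]:
                alerts[host] = (ext, hits)
    return alerts
```

Tune `window` and `threshold` to the normal rename rate of the file server; the two `ws-03` renames are there to show that ordinary activity does not trip the rule.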
Conclusion
Whether you are a large organisation or an SME, no one is immune to ransomware attacks. Your best defence is to implement the protection mechanisms described above, along with a well thought out and tested incident response and crisis management plan.
The plans must be regularly challenged and tested to ensure they remain effective in a catastrophic ransomware situation. Ensure that they can support critical business operations for extended periods of time by following out-of-band operating procedures while recovery is still in progress.
Further Resources
[1]. NIST Ransomware Advice, https://www.nist.gov/itl/smallbusinesscyber/guidance-topic/ransomware
[2]. CISA Stop Ransomware Tips & Guidance, https://www.cisa.gov/stopransomware
