Keeping up with the evolving ransomware security landscape
Cybercrime is ever-evolving and is consistently becoming more effective and damaging. While the range of attack vectors available to malicious actors is vast, ransomware remains one of the most prolific forms of cybercrime and has held on to its top spot as the leading cyber threat this year.
Hardly a day goes by without reports of another high-profile incident, with large companies and government organisations (particularly in education and healthcare) often on the receiving end due to weak legacy infrastructure and poor operational security. Of course, ransomware was also responsible for some of the most damaging attacks ever seen, with the infamous WannaCry and NotPetya strains that hit the headlines in 2017.
As ransomware attacks continue to become more sophisticated, it has never been more important for businesses of all sizes to take a proactive approach to cybersecurity. While this can feel like an impossible task given the variety of forms ransomware can take and the methods of entry it can use, businesses can ensure they are adequately protected by reviewing their existing security strategy and adopting a layered approach.
Moving with the times
Cybersecurity must always be a fluid practice, designed to meet novel threats and constantly evaluated and upgraded. However, as security measures are improved and altered, so too is the ransomware that cybercriminals design to penetrate them.
Ransomware is experiencing a tactical resurgence this year; Ryuk, Phobos, GandCrab and Rapid are the ransomware families most frequently attacking businesses. Ransomware can now be custom-built for a specific organisation or chosen target in order to cause maximum damage and therefore demand higher ransoms in return for the safe release of data.
Malicious actors continue to force access to a company's network via a vulnerable computer in order to obtain valuable information about the business. They can then tailor the ransom demanded accordingly, knowing what the company can, or will, pay. Even inexperienced hackers have the option to create highly damaging attacks, as customisable ransomware is relatively easy and cheap to purchase on the dark web.
However, cybercriminals with fewer resources or less experience are still choosing to cast a broad net to see what they catch, so while this technique is becoming less common, it should not be disregarded completely. This method is often used to secure 'quantity over quality': targeting many individuals but demanding ransoms low enough that people will often choose to pay in order to secure the safe return of their files.
Worryingly, the next stage in the evolution of ransomware attacks could see them beginning to destroy files instead of just encrypting them. This means that even if companies choose to pay the ransom demanded, they may not regain access to their valuable data. This threat only highlights the need for seamless and effective cybersecurity defences.
Protect and prevent
Ransomware prevention needs to be a layered operation. Employing just one security tool, no matter how thorough, will never be enough to fully protect the valuable data of a business. IT and security teams need to ensure that they are securing the business from both inside and out.
Patching is the obvious place to start when it comes to security, as it addresses the software vulnerabilities that most commonly allow hackers to enter the network and plant ransomware. Despite the effectiveness of good patch management, it is a process that is often poorly or inadequately implemented because it is time- and resource-intensive. Security teams are turning to automation to help manage the process, ensuring that all workstations and servers are scanned for missing patches and that known critical vulnerabilities are successfully patched. This is especially crucial at the moment due to the emergence of BlueKeep, a vulnerability in older versions of the Windows operating system with the potential to be exploited in an attack far worse than WannaCry.
There are times when patching won't be enough: for example, it cannot protect against zero-day exploits, which is why a layered security strategy is necessary. In these instances, it is important to block what cannot be patched through application whitelisting.
In addition to putting up external defences by patching known vulnerabilities, it is also crucial to ensure that ransomware isn't granted access by an internal source. Another common entry point for cybercriminals is phishing campaigns. These emails use social engineering tactics and human instinct to trick a business's employees into clicking on a malicious link that will embed ransomware in the network. Employees in every department must be educated about cybersecurity and taught the importance of caution when it comes to suspicious emails, no matter how legitimate they look.
When used in combination with anti-virus protection and email filters, education and awareness form another legitimate and valuable layer of defence against ransomware.
Recovering from ransomware
In addition to preventative measures, businesses must ensure that they have a contingency plan in place should the worst happen. As well as a data recovery plan, such as storing regular back-ups off-premises, companies need to decide whether or not to respond to the ransom demand. Obviously, there is a large financial cost associated with paying the ransom, but there are also costs associated with an IT outage, a hit to reputation or the loss of valuable data, which could result in a fine for breaching the GDPR.
This situation becomes even more questionable when taking into account whose money is paying the ransom. Councils, governments and local authorities are becoming the targets of increasing numbers of cyberattacks, with councils in the UK experiencing a massive 263 million attempted attacks in the first half of 2019 alone. If a government body decides to pay a ransom, it must remember that it is the public's taxes that are going towards paying off the cybercriminals at play.
In some instances, it can make business sense to pay the ransom demand, for example if the cost of the backlash from a loss of data or an IT outage outweighs the cost of the payment. However, this is not the recommended approach. The FBI states that nobody should pay ransomware demands, as doing so only encourages continued criminal activity and there is no guarantee that the data will even be released. It stands firm in saying that if a business has properly backed up its files, there is no need to pay.
The bottom line is that if companies are properly prepared and protected, they shouldn't need to worry about whether to pay a ransomware demand or not, because the attack won't be able to penetrate their barriers. However, ransomware attacks are constantly evolving and becoming more tailored and effective. Businesses must keep on top of their cyber hygiene in order to stay one step ahead of the malicious actors trying to fight their way in.