The threat of ransomware continues to strike fear into CISOs and cyber security professionals, and with good reason. Aside from the disruption caused by ransomware attacks to critical IT operations and applications, the average cost of ransomware recovery is $2 million.
To get a feel for just how urgently businesses need to take action against ransomware threats, consider some outcomes from recent high-profile incidents. After a ransomware attack disrupted operations, meat supplier JBS had to shut down plants in several countries. Insurance company CNA Financial forked out $40 million to a ransomware gang to regain control of its compromised network infrastructure. A shutdown of the Colonial Pipeline following a ransomware attack resulted in temporary fuel shortages at gas stations and airports in several US states.
As more ransomware gangs emerge, lured by the profit potential in these attacks, it’s imperative to start taking action now to avoid the significant financial, operational, and legal damages from ransomware. Read on to delve into eight actionable steps to protect your business against ransomware threats.
What is Ransomware?
Ransomware is malicious software that locks files or systems down with encryption and doesn’t return access unless victims pay a ransom. Typically, threat actors infiltrate an organization’s network (for example with phishing emails that trick people into revealing passwords) and install ransomware on multiple IT assets (sometimes, the entire network or data center gets taken down in these attacks).
The history of ransomware stretches as far back as 1989 to a trojan that was spread by a biologist using floppy disks under the illusion of providing introductory information about the AIDS virus. The trojan warned users that they could only get access to affected systems by paying $189.
A notable surge in ransomware across the late 2010s and the early part of the current decade can be traced to many factors. Arguably, the biggest driver of the ransomware surge in recent years is increased reliance on digital infrastructure across all sectors of society. From online education to online portals for government services, from telehealth to eCommerce and remote work, people and businesses today depend heavily on the proper functioning of digital infrastructure. Threat actors see blocking access with ransomware as an easy ticket to a hefty payday or simply as a way to cause mayhem.
Types of Ransomware
There are two main types of ransomware strain:
- Crypto ransomware strains lock down access to individual files and important data on systems.
- Locker ransomware strains affect entire systems and prevent users from carrying out basic computer functions.
Today’s ransomware attacks often combine one of these types of ransomware with a concerted attempt to exfiltrate data from an IT environment before locking down files or systems. These attacks are known as double extortion because they provide two ways to extort ransoms from victims: one is demanding a ransom to unblock encrypted files/systems, and the second is demanding a ransom if victims want to avoid having their sensitive data published online.
As ransomware has become more widespread, dedicated gangs have emerged specializing in ransomware-as-a-service operations (RaaS). These RaaS gangs use a business model that provides ransomware tools to anyone who pays either a subscription or a percentage of any ransom payments they receive. This lowers the barrier to entry for conducting ransomware attacks because any criminal can pay a fee and get access to the necessary files without needing to develop their own malware.
Who is a target for Ransomware?
Any business is a target for ransomware attacks, but some factors increase the likelihood of being targeted, such as:
- Storing highly sensitive data in your environment that threat actors can lock down or exfiltrate in the hopes of receiving large sums of money from businesses desperate to get their valuable information assets back.
- Companies operating in industries/sectors where cybersecurity maturity is low. Examples include transportation, higher education, and oil and gas.
- Being a small or medium-sized business, because threat actors perceive their cybersecurity programs and controls as comparatively weak versus those of large enterprises.
- Offering the potential to inflict damage, given that some cybercrime gangs are state-sponsored rather than being motivated by profit.
Why you should never pay the ransom
Organizations from cybersecurity industry bodies to federal government institutions specifically advise against paying ransoms to threat actors. The reasons not to pay include:
- Paying a ransom doesn’t guarantee that you regain access to encrypted files or systems, or that threat actors return stolen data.
- Giving in to ransomware demands encourages further criminal activity by malicious actors who see it as likely that victims will continue paying up.
- It’s potentially illegal to pay ransoms in certain countries or jurisdictions because this action falls under the definition of funding illegal activities.
8 Steps to protect your business against ransomware
The following steps provide a good platform for protecting your company against the continued threat of ransomware.
1. Regular monitoring and patching
It’s critical to monitor the external digital attack surface, which encompasses all possible points of entry into your network. This includes IP addresses, ports, configurations, and applications. Your monitoring capabilities should also extend deeper to cover what’s happening inside the network, because it’s still possible to detect and respond to ransomware attacks even if your first layer of defense is bypassed.
Effective and timely patching ensures any detected vulnerabilities get remediated on time before threat actors manage to exploit those vulnerabilities. Patching should include all applications you use (in-house and third party), firmware on devices connected to your network, and operating systems on endpoint workstations.
2. Educate your employees
Serious gaps in cybersecurity education remain commonplace in most organizations. Ransomware groups know that humans are the weak link. To start closing these education gaps, businesses need better, more strategic cybersecurity education that’s optimized for how people learn. A fully-managed training platform like CybeReady makes it easier to educate employees with a focus on engagement, relevance, and repetition (without boredom).
3. Employ a data backup and recovery plan
Since double extortion ransomware attacks became common, a point of contention emerged about whether data backup and recovery remains a protective tool. After all, if threat actors exfiltrate your data before encrypting the files, then what’s the point in having a backup?
This debate, however, ignores the fact that many ransomware attacks still occur without exfiltrating data. Having the ability to get that data back quickly from a backup eliminates any need to engage in negotiations about ransom payments and minimizes disruption.
4. User account management
Compromised credentials are a significant source of initial intrusion into networks, often resulting from the aforementioned cybersecurity education gaps. But when hackers find their way inside, poor user account management can make things even worse. Ineffective user account management often results in accounts that have privileges far in excess of what those users need to do their jobs. The result is a situation in which hackers find it all too easy to abuse privileges and move laterally to install ransomware across multiple systems.
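The privilege drift described above is something a defender can measure rather than guess at. The following script is an added example, not CybeReady's code or anything from the original article: it audits a constructed directory export against a hypothetical per-role group baseline (`ROLE_BASELINE`, `PRIVILEGED_GROUPS`, the account names and dates are all assumptions), reporting accounts that hold groups beyond what their role needs and enabled accounts that have gone idle. Excess membership in a privileged group is rated high, because that is exactly the kind of account an intruder would use to move laterally and install ransomware across many systems.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical role baseline: the groups each job role legitimately needs.
# Any role absent from this map is treated as needing no groups (deny by default).
ROLE_BASELINE = {
    "accountant": {"finance-readers", "vpn-users"},
    "developer": {"dev-servers", "source-control", "vpn-users"},
    "helpdesk": {"workstation-admins", "vpn-users"},
}

# Groups whose abuse lets an intruder reach many systems at once (constructed names).
PRIVILEGED_GROUPS = {"domain-admins", "workstation-admins", "backup-operators"}


@dataclass(frozen=True)
class Account:
    name: str
    role: str
    groups: frozenset
    last_logon: datetime
    enabled: bool = True


@dataclass(frozen=True)
class Finding:
    account: str
    issue: str       # "excess-groups" or "stale-enabled"
    severity: str    # "high", "medium" or "low"
    detail: object   # sorted list of excess groups, or idle days


NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)

# Constructed sample directory export; these are not real accounts.
SAMPLE_ACCOUNTS = [
    Account("alice", "accountant",
            frozenset({"finance-readers", "vpn-users", "domain-admins"}), NOW - timedelta(days=2)),
    Account("bob", "developer",
            frozenset({"dev-servers", "source-control", "vpn-users"}), NOW - timedelta(days=10)),
    Account("carol", "helpdesk",
            frozenset({"workstation-admins", "vpn-users"}), NOW - timedelta(days=120)),
    Account("svc-backup", "service",
            frozenset({"backup-operators"}), NOW - timedelta(days=1)),
]


def audit(accounts, now=NOW, stale_days=90):
    """Return findings for accounts holding groups beyond their role's baseline,
    and for enabled accounts that have not logged on within stale_days."""
    findings = []
    for acct in accounts:
        allowed = ROLE_BASELINE.get(acct.role, set())
        excess = set(acct.groups) - allowed
        if excess:
            # Excess membership in a privileged group is the lateral-movement case.
            severity = "high" if excess & PRIVILEGED_GROUPS else "medium"
            findings.append(Finding(acct.name, "excess-groups", severity, sorted(excess)))
        idle_days = (now - acct.last_logon).days
        if acct.enabled and idle_days >= stale_days:
            # An idle but enabled privileged account is a ready-made foothold.
            severity = "high" if acct.groups & PRIVILEGED_GROUPS else "low"
            findings.append(Finding(acct.name, "stale-enabled", severity, idle_days))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_ACCOUNTS):
        print(f"{f.severity:6} {f.account:12} {f.issue:14} {f.detail}")
```

Running it on the sample flags alice's domain-admins membership, carol's 120-day-idle admin account, and the service account whose role has no baseline at all; bob, whose groups match his role, produces nothing. The deny-by-default lookup for unknown roles is deliberate: an account nobody has classified is a review item, not an exception.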
5. Utilize a Security Information & Event Manager (SIEM)
A SIEM is a centralized tool that provides holistic cybersecurity insights by collecting, correlating, and analyzing log and event data from various security solutions and other applications in your IT environment. SIEM tools can give security professionals detection and response capabilities for ransomware attacks using insights that would be otherwise unavailable.
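To make the correlation idea concrete, here is an added example (not code from CybeReady or the article) of the kind of rule a SIEM runs over file-activity events. The log format (`ts host=… user=… action=rename src=… dst=…`), the host and user names and the paths are all constructed; the threshold values are assumptions to tune per environment. A sliding window per host flags a burst of renames that change the file extension, which is how many crypto ransomware strains announce themselves, and a second pass escalates the alert when the same account triggers it on more than one host, since that pattern suggests lateral movement rather than a single infected workstation.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample events in a hypothetical syslog-like format; not from any real product.
SAMPLE_LOG = r"""
2024-03-01T10:00:01Z host=ws-12 user=alice action=rename src=C:\Data\q1.xlsx dst=C:\Data\q1.xlsx.locked
2024-03-01T10:00:02Z host=ws-12 user=alice action=rename src=C:\Data\q2.xlsx dst=C:\Data\q2.xlsx.locked
2024-03-01T10:00:02Z host=ws-12 user=alice action=rename src=C:\Data\plan.docx dst=C:\Data\plan.docx.locked
2024-03-01T10:00:03Z host=ws-12 user=alice action=rename src=C:\Data\notes.txt dst=C:\Data\notes.txt.locked
2024-03-01T10:00:04Z host=ws-12 user=alice action=rename src=C:\Data\img.png dst=C:\Data\img.png.locked
2024-03-01T10:00:05Z host=ws-12 user=alice action=rename src=C:\Data\db.bak dst=C:\Data\db.bak.locked
2024-03-01T10:00:09Z host=ws-03 user=bob action=rename src=C:\Work\draft.docx dst=C:\Work\final.docx
2024-03-01T10:00:40Z host=ws-03 user=bob action=rename src=C:\Work\a.txt dst=C:\Work\b.txt
2024-03-01T10:01:10Z host=ws-07 user=alice action=rename src=D:\Share\inv1.pdf dst=D:\Share\inv1.pdf.locked
2024-03-01T10:01:11Z host=ws-07 user=alice action=rename src=D:\Share\inv2.pdf dst=D:\Share\inv2.pdf.locked
2024-03-01T10:01:12Z host=ws-07 user=alice action=rename src=D:\Share\inv3.pdf dst=D:\Share\inv3.pdf.locked
2024-03-01T10:01:13Z host=ws-07 user=alice action=rename src=D:\Share\inv4.pdf dst=D:\Share\inv4.pdf.locked
2024-03-01T10:01:14Z host=ws-07 user=alice action=rename src=D:\Share\inv5.pdf dst=D:\Share\inv5.pdf.locked
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+)$"
)


def parse_events(text):
    """Turn raw log lines into dicts with a timezone-aware timestamp; malformed lines are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return events


def extension_changed(src, dst):
    """True when the rename altered the file extension (case-insensitive)."""
    return src.rsplit(".", 1)[-1].lower() != dst.rsplit(".", 1)[-1].lower()


def detect_rename_bursts(events, window_seconds=60, threshold=5):
    """Per host, flag the first moment at least `threshold` extension-changing renames
    fall inside a sliding window of `window_seconds`."""
    alerts = {}
    recent = defaultdict(deque)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] != "rename" or not extension_changed(ev["src"], ev["dst"]):
            continue
        q = recent[ev["host"]]
        q.append(ev)
        while (ev["ts"] - q[0]["ts"]).total_seconds() > window_seconds:
            q.popleft()  # drop events that have aged out of the window
        if len(q) >= threshold and ev["host"] not in alerts:
            alerts[ev["host"]] = {
                "host": ev["host"],
                "user": ev["user"],
                "count": len(q),
                "first_seen": q[0]["ts"].isoformat(),
                "new_extension": ev["dst"].rsplit(".", 1)[-1],
                "severity": "high",
            }
    return list(alerts.values())


def correlate_by_user(alerts):
    """Escalate to critical when one account trips the burst rule on more than one host."""
    hosts_by_user = defaultdict(set)
    for a in alerts:
        hosts_by_user[a["user"]].add(a["host"])
    for a in alerts:
        if len(hosts_by_user[a["user"]]) > 1:
            a["severity"] = "critical"
    return alerts


if __name__ == "__main__":
    for alert in correlate_by_user(detect_rename_bursts(parse_events(SAMPLE_LOG))):
        print(alert)
```

On the sample, bob's two ordinary renames (extension unchanged) never count, ws-12 and ws-07 each raise a high alert on their fifth `.locked` rename, and because both bursts run under alice's account the correlation step raises both to critical. The per-host window and the cross-host correlation are the two things a SIEM adds over a single endpoint agent: each host's events alone look like five renames, which is not much, while the combined view shows one account encrypting two machines a minute apart.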
6. Network segmentation
The idea behind network segmentation is to divide your IT network into smaller sub-networks and limit the traffic between different zones. Network segmentation reduces the attack surface threat actors can work with while also preventing lateral movement between zones. Even if a malicious actor bypasses your perimeter, effective segmentation prevents them from moving into other network zones and ultimately protects your endpoints from being encrypted.
7. Secure DNS
Dedicated DNS security helps to protect against ransomware by both blocking risky domains potentially spreading malware and identifying in-progress attacks. At the more advanced stages of a ransomware attack, hackers often use DNS tunneling to communicate between your environment and their control servers; effective security monitors DNS activity and stops this tunneling.
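DNS tunnelling leaves statistical fingerprints that a resolver log can reveal, and the following is an added example of that monitoring, not code from CybeReady or from the article. It builds a constructed resolver log in a hypothetical `ts client qtype qname` format, aggregates queries per base domain and flags the combination that characterises tunnelling: many distinct subdomains that are long, high in entropy, and mostly TXT or NULL queries. The tunnel labels are rotations of a 32-symbol alphabet so that every character in a label is distinct; the domain names, client addresses and thresholds are all assumptions, and the "base domain equals the last two labels" rule is a simplification noted in the code.

```python
import math
from collections import Counter, defaultdict

# 32-symbol alphabet resembling base32 output; rotations of it give 32-character
# labels in which every character is distinct, i.e. maximal entropy (constructed data).
ALPHABET = "0123456789abcdefghijklmnopqrstuv"
TUNNEL_LABELS = [ALPHABET[i:] + ALPHABET[:i] for i in range(0, 32, 5)]


def build_sample_log():
    """Constructed resolver log in a hypothetical 'ts client qtype qname' format; not real traffic."""
    lines = [
        "2024-03-01T09:00:00Z 10.0.0.5 A www.example.com",
        "2024-03-01T09:00:01Z 10.0.0.5 A mail.example.com",
        "2024-03-01T09:00:02Z 10.0.0.7 A static.example.com",
        "2024-03-01T09:00:03Z 10.0.0.7 AAAA img.example.com",
        "2024-03-01T09:00:04Z 10.0.0.7 A www.example.com",
    ]
    for i, label in enumerate(TUNNEL_LABELS):
        lines.append(f"2024-03-01T09:01:{i:02d}Z 10.0.0.9 TXT {label}.relay.example.net")
    return "\n".join(lines)


def parse_log(text):
    """Split log lines into records; blank or malformed lines are tolerated."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qtype, qname = parts
        records.append({"ts": ts, "client": client, "qtype": qtype.upper(), "qname": qname})
    return records


def shannon_entropy(s):
    """Bits per character: 0.0 for empty or single-symbol strings, up to log2(alphabet size)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def analyze(records, min_unique=5, long_label=30, high_entropy=3.5, txt_ratio=0.5):
    """Aggregate per base domain and flag the hallmarks of tunnelling: many distinct,
    long, high-entropy subdomains and a high share of TXT/NULL queries."""
    # Assumption: the base domain is the last two labels. Production code should use the
    # Public Suffix List so that names under suffixes such as co.uk are grouped correctly.
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(),
                                 "len_sum": 0, "ent_sum": 0.0, "txt": 0})
    for rec in records:
        labels = rec["qname"].lower().rstrip(".").split(".")
        if len(labels) < 3:
            continue  # an apex query carries no subdomain in which to smuggle data
        base = ".".join(labels[-2:])
        sub = ".".join(labels[:-2])
        st = stats[base]
        st["queries"] += 1
        st["subdomains"].add(sub)
        st["len_sum"] += len(sub)
        st["ent_sum"] += shannon_entropy(sub.replace(".", ""))
        if rec["qtype"] in ("TXT", "NULL"):
            st["txt"] += 1
    findings = []
    for base, st in stats.items():
        n = st["queries"]
        mean_len = st["len_sum"] / n
        mean_ent = st["ent_sum"] / n
        ratio = st["txt"] / n
        reasons = []
        # A handful of odd names is normal; a stream of distinct ones is the signal.
        if len(st["subdomains"]) >= min_unique:
            if mean_len >= long_label:
                reasons.append("long subdomain labels")
            if mean_ent >= high_entropy:
                reasons.append("high-entropy labels")
            if ratio >= txt_ratio:
                reasons.append("mostly TXT/NULL queries")
        findings.append({"domain": base, "queries": n, "unique_subdomains": len(st["subdomains"]),
                         "mean_label_len": round(mean_len, 1), "mean_entropy": round(mean_ent, 2),
                         "txt_ratio": round(ratio, 2), "suspicious": bool(reasons), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in analyze(parse_log(build_sample_log())):
        print(finding)
```

On the sample, example.com stays clean (four short, low-entropy hostnames) while example.net is flagged on all three counts. In practice the thresholds need tuning against a baseline of your own resolver traffic, since CDNs and some security products also generate long machine-made labels; the point of requiring a minimum number of distinct subdomains before any reason counts is to keep those one-off lookups from paging anyone.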
8. Implement email scanning & filtering
Of all the possible entry points into a network, email is consistently targeted by threat actors. Employees might open an email with a seemingly legitimate Excel attachment that drops a remote access trojan onto their computer and kicks off a ransomware attack. Email scanning and filtering can help to identify and filter out these emails before they ever get seen by employees. Ideally, opt for a self-learning solution that improves its detection accuracy over time using the power of machine learning.
Protecting your business against ransomware with cyber awareness training
Ransomware is a huge risk to businesses of all sizes, and it’s not going away any time soon. The bedrock behind ransomware prevention is cyber-aware employees who are primed to recognize phishing and other tactics used by threat actors.
However, the logistics and resources needed to implement a thorough training program often result in ineffective education, leaving employees uninformed about what they need to know.
CybeReady’s platform helps you run a powerful training program in minutes. You get training modules delivered autonomously to employees, advanced KPIs, and one-click compliance reports. CybeReady removes the IT burden and administrative barriers hampering most efforts to educate employees in cybersecurity.