Why are we still talking about Ransomware?
Because ransomware attacks are again on the rise, after a slight dip in part of 2022.
For many business owners, getting attacked in this manner is their worst cybersecurity nightmare. And these attacks can be incredibly damaging. The ransom demand alone - assuming the victim pays - can be in the hundreds of thousands of dollars. That doesn’t even address the other costs that follow in the aftermath.
In this post, we’ll take a look at what ransomware is, how it can impact your business, and most importantly, what you can do about it.
What is ransomware?
Ransomware refers to malicious code that encrypts or otherwise prevents legitimate users from accessing their data. This is almost always accompanied by a monetary demand of the victim in order to decrypt the data.
Although early examples date back to 1989 (the AIDS Trojan, distributed on floppy disks), modern ransomware emerged around 2005 and rapidly transformed into a global enterprise risk in the late 2010s and early 2020s. Attackers range from individual criminals to organized gangs to ransomware-as-a-service (RaaS) operations that supply tooling, infrastructure, and purchased initial access to affiliates who carry out the intrusions.
Despite the diverse threat landscape, all ransomware attacks share common characteristics. And defenders can use this information to prioritize their security efforts.
Common attack vectors
To use ransomware against an organization, attackers need some sort of initial foothold in the network before they can begin moving laterally and deploy their payload. Research from Palo Alto Networks suggests the top methods through which criminals are able to achieve initial access are:
Unpatched vulnerabilities
- Risk: Only a minority of known software flaws are exploitable under realistic conditions, but it takes just one reachable, unpatched flaw on an internet-facing system for an attacker to get inside your network.
- Control: An effective vulnerability management program that remediates exploitable, externally reachable vulnerabilities first is key to closing off this attack vector.
Brute-force attacks
- Risk: By rapidly guessing usernames and passwords against exposed login interfaces such as RDP, VPN portals, and webmail, cyber criminals can eventually stumble onto a working credential.
- Control: Multi-factor authentication (MFA) is a must: a guessed password alone should never be enough to log in. Pair it with account lockout or rate limiting on exposed services, and alert on bursts of failed logins from a single source.
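The alerting half of that control is easy to prototype. The following is an added example, not code from the original post or from any product it mentions: it runs a sliding-window counter over constructed authentication log lines (the format `<time> <FAIL|SUCCESS> user=<u> src=<ip>` and the IP addresses are assumptions for illustration) and raises two kinds of alert: a source that accumulates many failures inside the window, and, the one that matters most, a success from a source that had just been failing. The distinct-user count distinguishes a password spray across accounts from hammering on one.

```python
"""Flag brute-force login activity in authentication logs (constructed example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, NamedTuple, Tuple

# Constructed sample log, not real data. 203.0.113.7 sprays three accounts and then
# gets in; 203.0.113.9 fails slowly (below threshold); 198.51.100.20 is a user typo.
SAMPLE_LOG = """\
2024-03-01T02:00:01 FAIL user=alice src=203.0.113.7
2024-03-01T02:00:02 FAIL user=bob src=203.0.113.7
2024-03-01T02:00:03 FAIL user=carol src=203.0.113.7
2024-03-01T02:00:04 FAIL user=alice src=203.0.113.7
2024-03-01T02:00:05 FAIL user=bob src=203.0.113.7
2024-03-01T02:00:06 FAIL user=carol src=203.0.113.7
2024-03-01T02:00:07 FAIL user=alice src=203.0.113.7
2024-03-01T02:00:08 FAIL user=bob src=203.0.113.7
2024-03-01T02:00:09 FAIL user=carol src=203.0.113.7
2024-03-01T02:00:10 FAIL user=alice src=203.0.113.7
2024-03-01T02:00:11 FAIL user=bob src=203.0.113.7
2024-03-01T02:00:12 FAIL user=carol src=203.0.113.7
2024-03-01T02:00:15 SUCCESS user=carol src=203.0.113.7
2024-03-01T03:00:00 FAIL user=dave src=203.0.113.9
2024-03-01T03:30:00 FAIL user=dave src=203.0.113.9
2024-03-01T04:00:00 FAIL user=dave src=203.0.113.9
2024-03-01T08:15:02 FAIL user=alice src=198.51.100.20
2024-03-01T08:15:09 SUCCESS user=alice src=198.51.100.20
"""


class Alert(NamedTuple):
    kind: str            # "bruteforce" or "success_after_bruteforce"
    src: str             # offending source address
    user: str            # account involved in the triggering event
    failures: int        # failures from src inside the window at alert time
    distinct_users: int  # accounts targeted inside the window (spray indicator)
    ts: datetime


def parse_line(line: str) -> Dict[str, object]:
    """Parse one assumed-format log line into a record."""
    ts, result, user_kv, src_kv = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "result": result,
        "user": user_kv.split("=", 1)[1],
        "src": src_kv.split("=", 1)[1],
    }


def detect_bruteforce(lines: List[str], threshold: int = 10,
                      window: timedelta = timedelta(minutes=5)) -> List[Alert]:
    """Return alerts for sources with >= threshold failures inside `window`,
    and for any success that follows such a burst from the same source."""
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    already_alerted = set()
    alerts: List[Alert] = []
    for rec in (parse_line(l) for l in lines if l.strip()):
        src, ts, user = rec["src"], rec["ts"], rec["user"]
        q = recent[src]
        # Drop failures that have aged out of the window.
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = len({u for _, u in q})
        if rec["result"] == "FAIL":
            q.append((ts, user))
            distinct = len({u for _, u in q})
            if len(q) >= threshold and src not in already_alerted:
                already_alerted.add(src)
                alerts.append(Alert("bruteforce", src, user, len(q), distinct, ts))
        elif rec["result"] == "SUCCESS" and len(q) >= threshold:
            # The payoff event: a login that worked right after a burst of failures.
            alerts.append(Alert("success_after_bruteforce", src, user, len(q), distinct, ts))
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"{a.ts.isoformat()} {a.kind:24} src={a.src} user={a.user} "
              f"failures={a.failures} distinct_users={a.distinct_users}")
```

In production the same logic sits in a SIEM query keyed on both source address and target account, with the threshold tuned per service; the "success after failures" rule is the one worth paging on, because it means the guessing worked and MFA (if present) is the only thing left between the attacker and the network.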
Social engineering
- Risk: Tricking existing users into providing sensitive information or executing malicious code, often via a phishing email, is an important attack vector for ransomware actors.
- Control: Employee training should be the first line of defense. Layer an email security tool on top of this to help identify and quarantine suspicious messages.
Compromised credentials
- Risk: Since data breaches exposing passwords are so common and employees sometimes reuse passwords between multiple accounts, ransomware actors can try using these old credentials to gain access.
- Control: Require a password manager that generates a unique, strong password for every account, and check new passwords against lists of known-breached passwords (as NIST SP 800-63B recommends) so a recycled one is rejected at set time. Monitoring services that watch criminal forums and leak sites for your domain's credentials can give early warning that a password needs to be rotated.
Insider threats
- Risk: Whether merely disgruntled or actively on the payroll of a criminal organization, current employees with otherwise legitimate access (or former ones who still have it but shouldn’t) are also a potential entry point for attackers seeking to encrypt and compromise your data.
- Control: Follow the principle of least privilege to ensure no user has more than the bare minimum access. Ensure offboarding procedures include termination of all network access.
Coping with disruption
Assuming attackers are able to penetrate your network and evade your defenses, they will move laterally to put the ransomware in place. And once they feel they are able to cause enough damage - and often during a holiday or long weekend - they will trigger the malware to encrypt as much as possible.
They will then send a ransom demand, asking for payment. While whether you pay or not is ultimately a business (and legal) decision that we cannot make for you, there are steps you can take to mitigate the damage and improve your negotiating leverage.
Offline backups
- Risk: During the lateral movement phase, ransomware criminals will often look for backups to encrypt, as well as your primary data sources.
- Control: Implement offline or immutable backups (media that is disconnected, or storage that rejects modification and deletion for a retention period) so you can revert your data to its state before the attack. Verify regularly that the backups actually restore; an untested backup is an assumption, not a control.
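Immutability is a property of the storage, but you still want to prove on restore day that nothing in the backup set was touched. The following is an added example, not code from the original post: it records a SHA-256 manifest of a backup tree at snapshot time and later reports every file as ok, modified, missing, or unexpected. The directory layout, file contents, and the simulated ransomware behaviour (overwriting a file with random bytes in place of ciphertext, renaming another to a `.locked` extension, dropping a ransom note) are all constructed here for illustration.

```python
"""Hash manifest to detect backup files altered after snapshot (constructed example)."""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backup objects do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map each file's POSIX-style relative path under `root` to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_manifest(root: Path, manifest: Dict[str, str]) -> Dict[str, str]:
    """Compare the tree under `root` against a manifest taken earlier.

    Status per path: "ok" (digest matches), "modified" (digest differs),
    "missing" (in manifest, not on disk), "unexpected" (on disk, not in manifest).
    """
    current = build_manifest(root)
    report: Dict[str, str] = {}
    for rel, digest in manifest.items():
        if rel not in current:
            report[rel] = "missing"
        elif current[rel] != digest:
            report[rel] = "modified"
        else:
            report[rel] = "ok"
    for rel in current:
        if rel not in manifest:
            report[rel] = "unexpected"
    return report


def demo() -> Dict[str, str]:
    """Build a constructed backup tree, snapshot it, simulate ransomware, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "db").mkdir()
        (root / "db" / "customers.sql").write_text(
            "INSERT INTO customers VALUES (1, 'constructed sample row');\n")
        (root / "invoices.csv").write_text("id,amount\n1,100\n2,250\n")
        (root / "notes.txt").write_text("quarterly planning notes (constructed)\n")

        manifest = build_manifest(root)  # in practice: store this off the backup host

        # Simulated ransomware activity on the backup tree (constructed):
        (root / "invoices.csv").write_bytes(os.urandom(64))          # "encrypted" in place
        (root / "notes.txt").rename(root / "notes.txt.locked")       # renamed with new extension
        (root / "README_RESTORE.txt").write_text("constructed ransom note\n")

        return verify_manifest(root, manifest)


if __name__ == "__main__":
    for rel, status in sorted(demo().items()):
        print(f"{status:10} {rel}")
```

Two design points: the manifest must be written somewhere the attacker cannot reach from the backup host (the same immutable or offline store you are protecting, or a separate signed copy), otherwise an intruder who can rewrite the backups can rewrite the manifest to match; and a clean report proves the files are unchanged, not that they restore, which is why the restore test above is still required.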
Incident response plan
- Risk: One of the major ways in which a ransomware attack causes damage is the chaos it causes. If you don’t have a plan to respond, you will be scrambling to figure out what to do without being able to communicate effectively or access your data.
- Control: Have an incident response plan in place, and drill it. Determine in advance who will make what decisions, what the criteria will be, and how you will communicate if your email, instant message, or other systems go down. Consider having an incident response firm on retainer. Check with your cyber insurer as they may specify a “panel” of providers from whom you must choose.
Business continuity
- Risk: On top of responding to the attack, you will also need to continue conducting business. If your operations grind to a halt entirely, you will lose revenue directly from being unable to close sales while also increasing the reputation damage inflicted on your business.
- Control: Develop a plan for how you will service customers with limited or no access to your information systems. If feasible, have a contingency plan for conducting business without access to your data, e.g. process orders manually.
Data exfiltration: dealing with “double extortion”
If throwing your operations into chaos weren’t enough, ransomware gangs will also sometimes exfiltrate your sensitive data and threaten to release it unless you pay the (even bigger) ransom. Whether in the form of customer personally identifiable information (PII) or trade secrets, having your data posted on the internet if you refuse to pay the ransom could cause even bigger problems than the initial disruption.
There are, however, some things you can do to mitigate this risk.
Minimization
- Risk: Over time, your business will likely collect huge reams of information, much of it sensitive. Whether from customer orders, contracts with vendors, or internal deliberations, there is likely a lot of confidential data just sitting around unused.
- Control: Develop and enforce a retention policy. If there is no chance you will use a customer’s home address after a period of time, then delete it at that point. Better yet, don’t even collect this information in the first place if you don’t absolutely need it.
Encryption
- Risk: You might very well need to maintain sensitive data to conduct business, which provides a juicy target to attackers.
- Control: Ensure it is encrypted at rest, with the keys managed separately from the data (a dedicated key management service or HSM, not a key file sitting next to the database). Attackers can always encrypt over your layer of protection, leaving neither party able to read the data, but they cannot credibly threaten to publish what they were never able to decrypt. The caveat: encryption at rest only defeats exfiltration if the attacker never obtains the keys or a session that can decrypt. A stolen disk image or database file is protected; a database dumped through a compromised administrator account is not, which is why least privilege and MFA on privileged accounts matter here too.
Conclusion
While you cannot eliminate the risk of a ransomware attack against your business, there are steps you can take to mitigate it substantially. Reducing common attack surfaces like known vulnerabilities and phishing, developing a plan to respond to an incident and its disruption, and deleting or protecting sensitive data can all help.
To manage all of these efforts, you’ll need a comprehensive cybersecurity strategy execution platform, like the one Eneedo’s team of experts has built. If you are interested in learning more about how it can accelerate your cybersecurity program development, don't hesitate to schedule a demo!