Briefing

Ransomware is malicious software (malware) that stops organisations and computer users from accessing their files, systems and networks, usually by encrypting them. It is accompanied by a demand for a ransom payment to restore access, decrypt data or return stolen data. Ransomware attacks can cause significant disruption to IT operations, and critical business information and personal data can be lost. Ransomware is commonly introduced when a user unknowingly opens a malicious email attachment, clicks an advertisement or hyperlink, or visits a website that has been deliberately infected with malware; it also arrives through exposed remote access services and unpatched internet-facing systems. Globally, across all sectors, these attacks have increased in scope, frequency and sophistication, and in the size of the payments demanded. Ransomware is now a major component of global cybercrime. Combatting these attacks can be complex, especially for the largest businesses and organisations.

A Sophos poll of 5,400 IT decision makers in mid-sized organisations in 30 countries across Europe, the Americas, Asia-Pacific, Central Asia, the Middle East and Africa (Sophos, The State of Ransomware 2021) found startling results. The total cost of recovering from a ransomware attack more than doubled in a year, from $761,106 USD in 2020 to $1.85 million USD in 2021. The average ransom paid was $170,404 USD. Only 8% of organisations that paid a ransom got all of their data back, and 29% got back no more than half of it.

Here are five steps that all businesses and organisations can take to improve their resilience, their ability to respond and their defensive success:

1. Strategic, Systematic and Regular Backups

Ransomware should be treated as a strategic and existential threat, and an attack should be regarded as inevitable. Organisations should create backups to build resilience; these are crucial for recovering data after an attack. The industry standard approach is the 3-2-1 rule: three copies of the data, on two different types of media, with at least one copy kept offline. Backups should be scheduled to run regularly. A backup is only useful if the attacker cannot reach it: modern ransomware operators look for and encrypt or delete backups before deploying, so the offline copy must not be reachable with the everyday network and administrator credentials the attacker is likely to have stolen. Restores from backup should be tested regularly, so that recovery time and completeness are known before they are needed.

2. Prevent Malware from being Delivered and Running on Systems

Businesses and organisations can reduce the amount of malware and ransomware reaching their devices by filtering to allow only the file types they expect to receive, and by blocking known malicious websites. Content can be actively inspected, and signatures can be used to block known malicious code. Network services fulfil these tasks; the tools include intercepting proxies, internet security gateways, safe browsing lists, and mail and spam filtering. Disabling Remote Desktop Protocol (RDP) where it is not needed, enabling Multi-Factor Authentication (MFA) at every remote access point into the network, and using a secure Virtual Private Network (VPN) directly address the remote-access routes that most modern ransomware deployments rely on.

A defence in depth approach should be in place. This assumes that malware will reach your devices, so businesses should also take steps to prevent it from running, using device-level security features. Organisations should centrally manage devices so that only applications trusted by the enterprise can run on them, and use up-to-date enterprise antivirus or anti-malware products. Scripting environments and macros should be disabled or restricted, for example by enforcing PowerShell Constrained Language mode through a User Mode Code Integrity (UMCI) policy (Constrained Language mode set any other way is trivially bypassed). Systems should be protected from malicious Microsoft Office macros, particularly in files downloaded from the internet, and autorun for removable media should be disabled.

To stop attackers forcing their malicious code to execute by exploiting vulnerabilities in devices, those devices must be well configured and kept up to date. Security updates should be installed as soon as they become available to fix exploitable bugs, and automatic updates should be enabled for operating systems, applications and, where possible, firmware. Using the latest versions of operating systems and applications, to benefit from the latest security features, is advisable. Host-based and network firewalls should be configured to block inbound connections by default.
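As an added example (not part of the PrivacySolved briefing), the following PowerShell script audits a single Windows host for several of the device-level controls described in step 2: RDP denied when it is not needed, autorun disabled, Office macros blocked in files downloaded from the internet, the host firewall enabled with inbound blocked by default, and whether PowerShell is running in Constrained Language mode. With -Enforce it also applies the registry and firewall settings. It assumes Windows 10/11 or Server 2016 or later with Windows PowerShell 5.1 or newer, run from an elevated prompt. The registry paths and values are the documented Windows and Office policy settings; the function names, the $controls table and the -Enforce switch are this example's own.

```powershell
# Added example: single-host audit (and optional enforcement) of ransomware hardening controls.
# Assumed: Windows 10/11 or Server 2016+, PowerShell 5.1+, elevated prompt. On a domain-joined
# estate these settings belong in Group Policy or Intune; this script is for a standalone host,
# a lab, or a quick compliance check.
[CmdletBinding()]
param(
    # Report only by default. -Enforce writes the hardened values. Note that denying RDP while
    # connected over RDP will cut off that session, so run from the console or another channel.
    [switch]$Enforce
)

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value does not exist, i.e. the policy is simply not set.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Set-RegDword {
    param([string]$Path, [string]$Name, [int]$Value)
    # Policy keys usually do not exist until a policy has been applied, so create the path first.
    if (-not (Test-Path -Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# Registry-backed controls: the value that means "hardened" and what each one stops.
$controls = @(
    @{ Control = 'RDP inbound connections denied (unneeded remote access is a common entry point)'
       Path    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
       Name    = 'fDenyTSConnections'; Want = 1 },
    @{ Control = 'Autorun disabled for all drive types (0xFF: nothing runs automatically from media)'
       Path    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name    = 'NoDriveTypeAutoRun'; Want = 255 }
)
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    # Office 2016+/Microsoft 365 policy: block VBA in files carrying the Mark-of-the-Web.
    # HKCU applies to the current user only; deploy via policy to cover everyone.
    $controls += @{ Control = "$app blocks macros in files downloaded from the internet"
                    Path    = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
                    Name    = 'blockcontentexecutionfrominternet'; Want = 1 }
}

$findings = @()
foreach ($c in $controls) {
    $current = Get-RegValue -Path $c.Path -Name $c.Name
    $ok = ($current -eq $c.Want)
    if (-not $ok -and $Enforce) {
        Set-RegDword -Path $c.Path -Name $c.Name -Value $c.Want
        $current = $c.Want; $ok = $true
    }
    $findings += [pscustomobject]@{ Control = $c.Control; Current = $current; Expected = $c.Want; Compliant = $ok }
}

# Host firewall: every profile enabled, and inbound blocked unless a rule explicitly allows it.
foreach ($fwProfile in Get-NetFirewallProfile) {
    $ok = ($fwProfile.Enabled -eq 'True') -and ($fwProfile.DefaultInboundAction -eq 'Block')
    if (-not $ok -and $Enforce) {
        Set-NetFirewallProfile -Name $fwProfile.Name -Enabled True -DefaultInboundAction Block
        $ok = $true
    }
    $findings += [pscustomobject]@{
        Control   = "Firewall profile '$($fwProfile.Name)' enabled with inbound default Block"
        Current   = "$($fwProfile.Enabled)/$($fwProfile.DefaultInboundAction)"
        Expected  = 'True/Block'
        Compliant = $ok
    }
}

# Language mode is reported only: Constrained Language mode is only a real control when a
# UMCI (WDAC) policy enforces it, and that policy is authored and deployed outside this script.
$mode = $ExecutionContext.SessionState.LanguageMode
$findings += [pscustomobject]@{
    Control   = 'PowerShell in ConstrainedLanguage mode (must be enforced by a UMCI policy)'
    Current   = "$mode"
    Expected  = 'ConstrainedLanguage'
    Compliant = ($mode -eq 'ConstrainedLanguage')
}

$findings | Format-Table -AutoSize -Wrap
```

Run it without arguments to get a compliance table, and with -Enforce to apply the settings. When disabling RDP for good, also disable the built-in "Remote Desktop" firewall rule group (Disable-NetFirewallRule -DisplayGroup 'Remote Desktop') so that the port is not left open for a future misconfiguration. MFA on remote access and mail or web filtering are network or identity controls and cannot be verified from the endpoint, so they are deliberately outside this check.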

3. If Attacked: To Pay, or Not to Pay the Ransom?

Law enforcement agencies around the world discourage the payment of ransom demands. However, an organisation may sometimes judge a payment necessary as a pragmatic response to aid business continuity. At all times, organisations must avoid committing a criminal offence by sending payments to sanctioned individuals, entities or organisations, or to those involved in money laundering. Companies should liaise with their insurers, lawyers and risk professionals before deciding. Paying settles nothing on its own: even after payment, confidential personal data may still be published online, breaching data protection and privacy laws, and there is no guarantee that the organisation will regain access to its data, computer systems or networks. The attacker's access, and the tools they installed, may remain in the IT system long after the attack unless the original entry point is found and closed. Repairing, recovering and remediating the systems can be expensive and take many weeks or months.

4. Train Staff and Prepare for Incidents

Businesses and organisations should develop a corporate training strategy, delivered on a rolling basis and updated to cover the latest developments in malware, ransomware and information security threats. Different types of staff will need different depths of training and awareness: everyone should be able to recognise and report a suspicious email or link, while IT, security and leadership staff need to know their roles in an incident.

Organisations should identify their critical assets and determine the impact if these were affected by a malware attack. This is a very important preparatory step. Preparation also includes developing an internal and external communication strategy, including for the case where the organisation is collateral damage from malware aimed at a third party. Incident management plans should be rehearsed and reviewed. This clarifies the roles and responsibilities of staff and third parties and helps to prioritise system recovery. Exercises should include rebuilding virtual environments, physical servers and files from offline backups, under time pressure. Developing a plan to continue to operate critical business services, or at least a minimum viable service or product, while systems are being restored is also essential.

5. Report and Share Intelligence

There are legal obligations to report certain cyberattacks and data breaches to personal data regulators, governments, information services regulators, financial services regulators and market regulators. These reports should be made quickly, both to receive help and to reduce liability. There is a growing drive to report ransomware voluntarily to government agencies and law enforcement. This should be considered because they may hold information that could be useful for the organisation's response. Reports also help them to understand the level of the threat and to deploy offensive and defensive capabilities to protect a sector or group of companies. The most difficult and controversial decision will be whether to report ransomware attacks to sector groups, fellow businesses and potential competitors. This is increasingly being encouraged, but it relies heavily on mutual trust, non-disclosure agreements and clear memoranda of understanding to protect each party. The more information and intelligence about ransomware that can be collected and skilfully used, the lower the impact and cost of ransomware will be.

For assistance with Personal Data Breach Response, Ransomware, Cybersecurity Strategy or Information Security Training, contact PrivacySolved:

London +44 207 175 9771

Dublin +353 1 960 9370

Email: contact@privacysolved.com

PS112021