Ransomware remains a serious and evolving threat, with cybercriminals continually adapting and finding new ways to extort money from unsuspecting victims. Though there is no way to prevent or avoid ransomware attacks completely, there are a few steps you can take to safeguard your organization’s digital assets.
What is Ransomware?
Ransomware is a type of malware (malicious software) that infects computers or networks, encrypting the files it encounters and demanding a ransom in exchange for releasing them.
Ransomware costs companies millions of dollars each year, and though companies of all sizes can be targeted, criminals are increasingly focusing on small businesses. Depending on the size of your organization, the data criminals were able to access, and how much money the criminals demand, a ransomware attack can cripple an organization. Responding to and recovering from an attack can be challenging.
How Does Ransomware Work?
Ransomware, like other forms of malware, is typically delivered via phishing. Phishing involves sending an email, text message, or other electronic message to an unsuspecting user in an effort to get them to either click on a malicious link (which will begin the encryption process) or reveal their credentials so that the bad guys can use them to get into the system and encrypt the files.
Once they have access to your system, the bad guys encrypt your files and lock you out of the system. They then demand a ransom (typically in an untraceable digital currency such as bitcoin). Once the ransom is paid, the bad guys promise to provide the key to decrypt the files.
How Has Ransomware Evolved?
Ransomware is becoming increasingly sophisticated. Since the end of 2019, I’ve seen more criminals adopting a new strategy: the bad guys break into the network and steal the data before they encrypt it. If the victim refuses to pay the ransom, they use this data to apply additional pressure, threatening to release the documents to the general public unless the ransom is paid.
In the past, many organizations threatened with ransomware could refuse to pay and revert to their backups, leaving the files encrypted. This meant that while any data created since the last backup would be lost, it still gave organizations an out. However, the newer approach of stealing data before encrypting it means that victims who refuse to pay up will have their sensitive data released instead, and aren’t always able to rely on backups to save them. Even if your organization can revert to backups, the fact remains that your sensitive data is now in the bad guys’ hands.
Some cybercriminals even go as far as alerting journalists to the breach, so that any organizations that want to keep the incident under wraps or try to ensure competitors can’t access their intellectual property have no choice but to cave and open their wallets. Even though this style of ransomware has only been widespread for a few months, there are several leak sites on the web already.
A Short History of Evolved Ransomware
Maze ransomware was the first attack to successfully leverage this new attack form, targeting Allied Universal in 2019. When the company refused to pay the ransom, the bad guys released 700 MB of sensitive internal data online, including digital certificates, contracts, and termination agreements. The blackmailers claimed that this represented just 10% of the data they had stolen and threatened to release the rest if Allied Universal continued to refuse to cooperate.
In December of the same year, Maze actors created a website that they used to post not only the names of companies they had victimized but also infection dates, the amount of data stolen, the names and IP addresses of infected servers, and some stolen documents.
Maze was just one of several bad actors, including Sodinokibi, Nemty, and BitPyLock, who encrypted, stole, and threatened to publish sensitive data if ransoms weren’t paid.
A Ransomware Attack Can Cost More Than Just the Ransom
Even if your organization is able to regain access to your files without paying the ransom, the amount of time and effort required to respond to an attack can pull critical employees away from other important tasks.
Other costs a ransomware attack can bring with it include:
- Income loss caused by business disruptions both during the attack and during the recovery phase.
- IT costs, including overtime pay for employees, increased security costs, and the cost of paying any external contractors needed to help address the situation.
- The cost of replacing any damaged hardware or data.
- The cost of a cybersecurity investigation and any forensic services should the ransomware attack be paired with a data breach.
- If a data breach occurs as well, you may need to hire an outside PR firm to help manage your reputation after the incident.
- Any costs associated with additional employee cybersecurity training required after the incident. This may include both the costs associated with bringing in outside experts to conduct training and any lost income as employees are pulled from their regular tasks to attend special training sessions.
What Do I Do If I Become a Victim of Ransomware?
Since the strategy of stealing data before encrypting it is becoming increasingly popular, any organization that is subject to a ransomware attack should treat the incident as both a ransomware attack and a data breach. You should assume your data has been exfiltrated and breached by a third party, not just encrypted, and act accordingly.
If you don’t have a cybersecurity expert on staff, you should also consider reaching out to a trusted third party expert for assistance.
What Steps Can I Take to Protect My Organization?
Though a ransomware attack can’t always be prevented, there are steps you can take to help keep the bad guys out and limit the damage they can do should they successfully breach your defenses.
Invest in Cybersecurity Training for All Employees
Cybersecurity is everyone’s job, from the executive team down to the most junior employee. Your employees are your first line of defense when it comes to ransomware, so you should ensure that all employees who answer the phone or respond to emails and text messages on behalf of your company know not to give out any personal information.
All employees should receive training on recognizing phishing scams, and you should ensure they all know to whom they should report suspicious activities.
Create Robust Reporting & Tracking Protocols
Robust tracking and reporting protocols don’t help prevent attacks directly, but they do make it easier to trace an attack back to its source. That information can prove invaluable when it comes to protecting your company from future attacks.
Restrict Access to Sensitive Data
One of the best things you can do to help safeguard sensitive data and systems is restrict access. Not every employee needs to access every part of the network to do their job effectively. Employees should be granted access on an as-needed basis. Not everyone needs to be able to access financial records, personnel files, or sensitive R&D data.
Limiting access may help you limit the amount of damage cybercriminals can inflict during an attack if the employee whose credentials were used, or who clicked on the suspicious link, didn’t have access to sensitive systems to begin with.
Secure Your Systems
Any devices (either owned by employees or provided by the company) should also have robust security features enabled, including passwords and PINs, and have their software updated regularly to take advantage of security patches.
Seek Expert Advice
Not everyone is an expert when it comes to thwarting or preventing ransomware attacks, and that is okay. If you are concerned that your organization doesn’t have the tools and knowledge you need to prevent, thwart, or recover from a ransomware attack, you should contact the experts for help and advice.