Holding a business’s systems and information for ‘ransom’ is an increasingly common form of cyberattack. Kaspersky research shows this type of malware attack has risen 25 percent in the past three years. Verizon’s investigations agree. Their 2019 Breach Investigations Report notes, “Ransomware has become so commonplace that it is less frequently mentioned in the specialized media unless there is a high-profile target.”
This ‘so common it’s boring’ phenomenon means ransomware can slip off the radar. Now’s the time to plan for what your business will do to prevent and handle these common attacks.
What is business ransomware?
It’s not those spam messages that claim to have your personal data. Ransomware is a sophisticated attack that involves a series of steps.
First, a cybercriminal finds a way into an endpoint, usually using social engineering or phishing to get account credentials, or by infecting a USB memory stick. Next, they insert malware, which encrypts files and directories. Finally, the malware warns the user their machine is infected and demands a ransom to decrypt data.
To heighten the sense of crisis, ransomware usually gives the user a limited time to pay.
The attacker has often studied the target’s infrastructure to understand which databases and directory services are most critical. They tie together malware products and hack in a determined order. Attackers not immediately paid now sometimes publicly post data they’ve taken.
Industries especially vulnerable to ransomware
No one has perfect security. Someone might have already penetrated your company’s IT infrastructure, but not yet attacked. Every business is a potential target.
Breach by ransomware is not usually an isolated incident. Often, there have been a series of IT security errors or less-than-ideal practices. If your business isn’t offering enough cybersecurity awareness training or you have delays in patching and system updates, your risk may be higher.
High-profile ransomware attacks
Cybercriminals have used ransomware to attack some prominent organizations in recent years.
Worming the data away
Estimated to be the most costly ransomware attack to date, NotPetya (also known as ExPetr) hit both Maersk and FedEx, taking down their systems for weeks. It worked by way of a worm that wiped data, causing hundreds of millions of US dollars of damage.
Now you see it; now you don’t
File-encrypting ransomware LockerGoga attacked Norwegian aluminum and renewable energy company Norsk Hydro. The malware had advanced features such as deleting itself when it detected virtual machines to prevent researchers analyzing it.
Norsk Hydro said their good backups meant the attack wasn’t as bad as it could’ve been, but it still cost them around 90 million US dollars.
A tale of 174 cities, and counting
Ransom attacks on city governments are on the increase. In 2019, cybercriminals attacked some 174 municipal organizations with ransomware – about 60 more cities than the year before. The City of Baltimore suffered two attacks in 2018 and 2019 that together cost an estimated 18 million US dollars.
One of the Baltimore attacks took down the city’s emergency response dispatch system.
Not all patients recover
Californian healthcare provider Wood Ranch Medical announced it was going out of business in late 2019, as a direct result of a ransomware attack. The ransomware had encrypted both patient records and backups.
How to avoid a ransomware attack
1. Have the right tools to understand your vulnerabilities
Your IT security practice needs tools to investigate what happened in an attack and what parts of your infrastructure need updating or replacing. Are you running a rogue app or access point? Do you have unmonitored and open network ports? Are privilege escalations being tracked? Are they expected and appropriate? Understanding root causes like these means you can know your defensive posture (the security status of your networks and information, and your capability to defend it and react to changes) and monitor your incident response.
2. Be vigilant about patching and installing updates
Attackers now scour the internet looking for outdated servers and applications. Many ransomware attacks happen within days of discovering a vulnerability.
To delay is to invite exploitation. Make sure your patching program covers all endpoints, both on-premises and in the cloud.
3. Regularly test your data recovery and emergency response procedures
Back up critical data and ensure backups are intact and recoverable. Practice recovery and develop the correct order for restoring data. Identify your most valuable assets and make sure they’re backed up. Regularly review the list to make sure you haven’t missed something.
Data backups and recovery drills should be the start of an overall emergency response plan. The plan should include regular, scheduled practice exercises, both ‘table top’ (organized meetings with role-playing) – to iron out organizational issues, and attack simulations – to find weak links and show-stoppers that could prevent infrastructure coming back online.
Your response plan should also include getting cyber insurance to protect you in case of a breach. Investigate carefully to make sure you have the right coverage.
4. Start or improve your cyber awareness program and improve your overall password portfolio
Weak passwords might have caused a third of 2019’s ransomware attempts. Conducting regular cybersecurity awareness training helps users improve their password hygiene. Install a business-wide password manager or single sign-on tool, and put in place multi-factor authentication (MFA) for users handling private data and money-related tasks.
What to do if ransomware hits your business
By strengthening your cybersecurity, you’ll make it harder to be held to ransom. But you can do your business a favor by planning for if it happens.
1. Plan alternative communications
Ransom victims are often immobilized because communications like corporate email, phone calls or texts may not be available. Include using alternative communication such as WhatsApp, Skype and group SMS as part of recovery drills, but bear in mind these systems may be less secure.
2. Decide if you will pay a ransom
The case for paying
In the US, the FBI has softened its earlier “don’t pay, ever” position in its most recent guidelines. Two cities in Florida voted to pay ransoms of 500,000 to 600,000 US dollars – likely less than the cost of restoring its systems.
The case against paying
Your attacker may not honor their promise. You may receive further demands. The virus may already be installed in your system.
While the term ‘ransom’ suggests physical threat, unless you’re operating critical care facilities, it’s unlikely ransomware will lead to loss of life. And it may be cost-efficient the first time, but it increases the likelihood you’ll be hit again.
The No More Ransom project, whose members include Europol and Kaspersky, advises those attacked with ransomware not to pay. It works to reduce ransomware’s impact by providing free decryption tools.
Despite the growing threat, with tight security and planning, you can avoid the worst impacts of ransomware, or even getting hit in the first place. Understanding ransomware’s dimensions and having regular planning exercises will mean you’ll know your protective measures are up to scratch.
This article was published in March, 2020.
