When discussing ransomware – which, for good reason, has emerged as Topic A for cybersecurity – we should take a closer look at what happens during a typical incident. A ransomware attack starts when an adversary enters an organization’s cyber ecosystem, encrypts systems and data, and demands payment for decryption.
If the organization still refuses payment, the adversary may launch a denial-of-service (DoS) attack to bring down critical systems. In some cases, attackers may threaten to modify key files such as payroll documents or files containing essential source code.
All of which means we should be calling ransomware what it is – extortion. While the term “ransomware” implies that it’s all about weaponized technology, what we’re really dealing with is the criminal, malicious intention behind the weaponized technology.
To get a better sense of the frequency and impact of ransomware, CBI and Ponemon Institute recently released a research report, “The Cost & Consequences of Ransomware for Small to Large-Sized Enterprises,” for which 659 IT security professionals were surveyed. Following are some of the more revealing findings:
Clearly, organizations must take a proactive stance in responding to these developments. Relying on cyber insurance is not enough – two out of five companies are seeing decreases in ransomware coverage while still paying more than $17,000 annually in average premiums. Companies should also build industry best practices into their ransomware detection, prevention and mitigation strategies:
As defenders, we know the general approaches – the tactics, techniques and procedures (TTPs) – of these criminals. They usually gain entry via phishing or insecure web applications. Once inside the network, attackers move laterally using relatively common techniques in search of valuable targets, all the while escalating privileges to increase their capacity to harm. With an understanding of the established, proven anatomies of the adversaries’ TTPs, companies can better align their detection, alerting and prevention tools and procedures.
In addition to anatomy-based tools and procedures, organizations need a ransomware playbook that addresses how the organization will respond to everything from data leakage and DoS attacks to compromised systems integrity. A playbook should include legal and compliance considerations, as well as policies and procedures for third-party security assessments and employee training.
While backing up data is a highly recommended practice, it’s no longer enough as a mitigation strategy – backups won’t stop hackers from leaking sensitive files or going after critical business dependencies such as microservices and software as a service (SaaS) integrations. Given this reality, security teams should strive to gain comprehensive visibility over all digital assets that are likely targets, putting them in a much better position to protect those assets.
Once compromised, companies often make the mistake of immediately deciding whether or not to pay the ransom, without considering the possible consequences of each path. Most are inexperienced in ransomware negotiations, where saying the wrong thing can result in attackers increasing the ransom demand. What’s more, a sense of panic can lead to bad decisions. Involving third-party experts who specialize in ransomware incident response will ensure incidents are dealt with in a measured, strategic way. Seven of ten companies, in fact, are hiring third-party experts to remediate ransomware incidents, up from 59 percent in 2017.
All in all, ransomware is a modern form of extortion, an offense perhaps as old as humanity. Today, cybercriminals use ransomware to forcefully extract huge payouts from organizations – but the good news is, companies don’t have to be defenseless. Armed with the right knowledge, preparation, tooling and third-party expertise, companies can get ahead of adversaries before they strike – to minimize if not eliminate their capacity for damage.