Ransomware in 2022 and beyond

Ransomware remains one of the biggest threats businesses face, and in a year of global inflation and huge energy price rises, it's not surprising that the cost of a data breach has reached an all-time high. This Cybersecurity Awareness Month, we look at how cybercriminals' tactics have evolved, and what you can do to protect your business.


Ransomware attacks are a successful and highly profitable criminal business model. During the first half of 2022, there were a total of 236.1 million ransomware attacks worldwide, worth an estimated $14 billion to cybercrime groups. Ransomware is a popular attack method because, unlike most forms of crime, it generates direct revenue for the criminal; there's no need for complex money laundering or cashing out.

Ransomware attacks surged with the emergence of cryptocurrencies, such as Bitcoin in 2010. These virtual currencies provided an easy and untraceable method for receiving payment from victims, turning ransomware into a lucrative criminal business model.

That in turn led to the development of another revenue stream for cybercriminals: they further monetize their ransomware products by leasing them out to other criminal gangs, a model known as Ransomware-as-a-Service (RaaS). The use of RaaS lowers the bar to entry for non-technical cybercriminals, and its increased use was noted in a 2021 joint cybersecurity advisory from cybersecurity authorities in the U.S., Australia, and the UK.

The advisory also reported that some ransomware threat actors [are] redirecting ransomware efforts away from big-game and toward mid-sized victims to reduce scrutiny. In August, the UK's National Cyber Security Centre wrote to small business owners to warn of an increased threat of ransomware, a threat that is being realized: Coalition's 2022 Cyber Claims Report noted a 40% increase in attacks on small businesses.

Unfortunately, although ransomware is a known threat to businesses of all types and sizes, many companies have already fallen victim (64% according to a recent survey) and the majority of those paid the ransom to avoid downtime and maintain business continuity. The Ransomware Task Force estimates victim payouts increased 70% in 2021.


Ransomware in 2022


A 2022 survey of over 5,000 IT professionals from mid-sized organizations reported a 78% increase in ransomware attacks in the last year, an increase thought to be attributable to the success of the Ransomware-as-a-Service model. LockBit, BlackCat and Conti, all for-hire ransomware families, were behind the highest numbers of attacks in Q1 2022. The FBI has reported that, as of January 2022, the Conti ransomware family is the costliest strain of ransomware ever documented, with over 1,000 victims and payouts exceeding $150M. Research in a European Union Agency for Cybersecurity (ENISA) threat landscape report covering the May 2021 to June 2022 period also reported that the top 3 attackers were RaaS platforms. The ENISA research found that victims were targeted indiscriminately, with ransomware attacks affecting businesses across all industry sectors and of every size.

Increasingly, attacks involve not only double but also triple extortion ransomware. Double extortion ransomware, such as LockBit, not only encrypts the victim's data but also exfiltrates it from the victim, with the threat of it being published on a data leak site giving the attacker additional leverage. With triple extortion ransomware, attackers seek a payout not only from the victim organization but also from the victim's associates who might be impacted by the disclosure of exfiltrated data.

Ransomware can result in major disruption for the victim, causing significant damage, financial loss and disruption of operations. For example, in the UK, Advanced, a managed service provider (MSP) to the National Health Service (NHS), suffered a ransomware attack in August. It caused a major outage to NHS emergency services, delaying or preventing people from getting treated.

Ransomware damages are expected to exceed $30 billion worldwide in 2023, and it's almost impossible to predict when or where attackers will strike. What we can say with confidence is that their tactics will continue to grow in scale and sophistication.



The future of ransomware


It's reasonable to expect that trends noted in the first half of will continue at an accelerated rate: ransomware capabilities will expand, attacks from RaaS will proliferate, and new ransomware groups will emerge. Exploitation of in 2021 and remains so in the first half of 2022. With CVE.org publishing ever increasing numbers of potentially exploitable vulnerabilities and threat actors able to rapidly weaponize new vulnerabilities, businesses will need to prioritize identifying and patching vulnerabilities that have been weaponized in their Internet-facing systems and applications.

Cybercriminals will continue to refine their data-leak extortion ransomware tactics, develop increasingly sophisticated exfiltration tooling that can be deployed widely, and automate data exfiltration by searching for, identifying and exfiltrating sensitive data by keyword. The increasing prevalence of extortion-only ransomware attacks has led some to propose making a clear distinction between classic ransomware attacks, involving data encryption, and data theft extortion-only attacks. Raising awareness of these differences can help organizations better prepare and plan their response. Extortion attacks, while also posing a large threat due to the potential exposure of sensitive data, are not likely to disrupt operational activities or require data backup.

With ransomware attacks on businesses, consumers or devices predicted to occur every 2 seconds by 2031 (up from 11 seconds in 2021), it's no longer a matter of if you'll be attacked, but when. Which raises the all-important question: how can you protect your business?

Defense tactics

Actions you can take to help prepare and protect your organisation from ransomware attacks:

  • Have an incident response plan
  • Take regular backups
  • Reduce and protect entry points into your business
  • Identify and address vulnerabilities
  • Protect against viruses and other malware
  • Capture user and system activity in logs and audit trails
  • Help your people practice good security



Have an incident response plan


Protecting your business from ransomware starts with being prepared. Make sure you have created, and that you exercise, your cyber incident response plan, including how to address ransomware attacks. It is much harder to deal with a security incident if you haven't made a plan ahead of time.



Take regular backups


Being prepared also includes making regular backups of the data and systems that are essential to your business operations, regularly testing them and knowing how to restore them so you can recover quickly in the event of an attack.

Best practice is to have three copies of your systems on two different media with one stored off-site. Many companies choose cloud storage for that off-site copy, but if you want to protect your backups from ransomware attacks, you'll also need to have one stored offline. Ransomware will only infect files it can see, so having a separate copy reduces the risk.

Obviously, the more recent the backup, the less time you'll spend rebuilding lost data during recovery. Ideally, you should do a full backup daily to capture frequent changes and updates. However, as reported above, ransomware attacks increasingly involve an extortion element, something that having a backup cannot stop. Prevention is the only way to keep your data out of the hands of cybercriminals.

While the best way to protect yourself against ransomware is to detect and prevent attacks, a lack of planning and preparation will not only slow down your response and potentially increase the impact of any attack; it may also delay recovery to normal operations.



Reduce and protect entry points into your business


Top initial ransomware attack vectors for cybercriminals to gain network access are via phishing, through use of or brute force, and by exploiting security vulnerabilities. Therefore, key preventative measures include reducing and protecting entry points into your business, and identifying and addressing vulnerabilities.



Identify and address vulnerabilities


With ransomware attacks increasingly exploiting security vulnerabilities, conduct regular vulnerability scanning, especially of internet-facing systems, to identify and address vulnerabilities. Monitor industry and vendor sources for security vulnerability information, and install security patches and updates for software and operating systems to ensure they run the latest available versions, addressing all known vulnerabilities.



Protect against viruses and other malware

Take steps to prevent malware from infecting devices and endpoints. Install anti-virus or anti-malware software, making sure it is running at all times and that your users cannot disable it or alter its configuration. This may require you to restrict user privileges on their devices. Enable automatic updates and ensure real-time / on-access protection is enabled, but also make sure regular full scans of each of your devices are performed, e.g. weekly, to detect malicious software that may have got past your protection measures.



Capture user and system activity in logs and audit trails


To maximize the value of these logs and enable 24x7x365 alerting, monitoring and response, consider engaging a managed services provider (MSP) or managed security services provider (MSSP) to outsource what is a time-consuming and specialist task.



Help your people practice good security


Your people are one of your business's most important defences against ransomware attacks, so make sure you educate your end users about the threat and how they can help to prevent it. Encourage your users to "take your time and think twice" to avoid falling victim, and update them as the ransomware threat adapts and changes. And make sure they know how to report security concerns (such as when they realize they have fallen victim to a phishing attack). The sooner a potential or actual incident is reported, the sooner you can take action to contain any breach and minimise the impact.

If you aren't monitoring your systems for security events or asking your employees to report their security concerns, you won't be able to respond to contain and recover from a security incident. Nor will you be able to take steps to improve and update your security measures if you don't know that the effectiveness of those measures has already been found wanting.

By implementing best practice measures, you can defend your business against ransomware attackers, prevent huge financial losses and avoid the average downtime of 22 days.

If you are unsure about where to start, call our cybersecurity experts today to arrange an audit of your threat environment and discuss the best solutions for your needs.

Andrea Sugden
Chief Sales and Customer Relationship Officer