Ransomware is not what it used to be. What began as a largely untargeted, opportunistic method of extorting money on a small scale has evolved into a complex and sophisticated attack mechanism, used by skilled human actors willing to do whatever it takes to achieve their goals.
This evolution means ransomware is an escalating and unavoidable business issue that leaders can no longer neglect.
Heightened awareness of the risks has resulted in cybersecurity budgets increasing, but the question remains as to whether companies are actually doing enough to protect themselves.
Recent research from Bridewell discovered only a minority of UK critical national infrastructure (CNI) organisations are implementing critical measures to protect, detect and respond to ransomware.
“This suggests many businesses are currently running blind, relying on reactive measures like cyber insurance to offset the damage caused by an attack,” adds Knapp.
“Of course, a good cyber insurance product can add value to an organisation, but, as ransomware attacks become more frequent, targeted and ruthless, insurance alone should never be treated as a silver bullet to the complexities of cyber crime.”
The changing face of ransomware
Ransomware has changed significantly over the past few years.
While hackers traditionally relied on human error to get through a business’ defences, the rise of human-operated ransomware (HoR) now sees sophisticated criminal groups quietly infiltrating organisations for extended periods – prior to harvesting data and launching debilitating attacks.
Knapp explains: “Multiple initial attack vectors are now used to gain entry to victim organisations, including exploiting vulnerabilities in external systems, supply chain compromise, use of initial access brokers, stolen credentials and phishing.
“Once initial access is obtained, attacks tend to follow a consistent lifecycle. Attackers will steal credentials to facilitate lateral movement, then move laterally and install persistence mechanisms to ensure they maintain a foothold in the target environment.
“After performing internal discovery, they will collect and stage data in preparation to be exfiltrated. Then, after degrading defences and impairing recovery controls, they will exfiltrate data and launch their ransomware.”
By this stage, it’s often too late for organisations to respond effectively, meaning they face the possibility of losing data or having to pay a ransom.
The risk here is two-fold, as those responsible for the attack will often threaten to publicly release data even after receiving an initial ransom, leading to further payments.
Another consideration these days is ransomcloud, a new strain of ransomware which exploits weaknesses or legitimate functionality in cloud resources to deploy malware, encrypt data and extort money from organisations.
“As more firms embrace cloud to improve their efficiency and operational agility in a hybrid working world, attack surfaces inevitably expand,” continues Knapp.
“Therefore, businesses that race head-first into the cloud – without taking the time to architect secure cloud services – are putting themselves at increasing risk.”
Plugging cybersecurity gaps
In order to keep up with evolving threats, security strategies must be built on stronger foundations than cyber insurance alone, says Knapp.
He continues: “There are no silver bullets when it comes to ransomware intrusions. Security controls need to be layered, and prevention, detection and response capabilities must be regularly tested using threat intelligence and security assessments to emulate real-world threat tactics, techniques and procedures (TTPs).
“Having a well-thought-out security strategy to directly address ransomware, consisting of layered security controls, can reduce the blast radius of an attack and – in some cases – prevent the attacker from gaining access to critical systems or data.”
However, while most organisations recognise the value of planning and prioritising to mitigate the ransomware threat, it appears many still have a long way to go towards strong cyber maturity.
Bridewell’s research found just 36% of CNI organisations have a security information and event management (SIEM) platform in place – a crucial tool to detect and alert against intruders.
Furthermore, less than half (43%) have implemented technical controls to prevent unauthorised access and stop key directories and files being deleted, overwritten or encrypted.
Three in five (62%) don’t even have a plan on whether to pay the ransom in the case of an attack.
With that in mind, Knapp offers his advice on how organisations can strengthen their cybersecurity posture and protect themselves from rising ransomware threats.
“The crucial first step is to educate end users on the most up-to-date ransomware risks, how they work, how they can be mitigated and how any incidents should be reported,” he says.
“Businesses should then implement the technology needed to identify the adversary activity across all areas of the cyber kill chain, proactively detecting and subsequently evicting the threat actors from the environment. This necessitates strong endpoint, email and cloud app detection and response capabilities, backed up by a central SIEM platform and a managed detection and response (MDR) service that monitors alerts 24/7 and implements automated response where appropriate.
“With threat intelligence services also in place to provide early warning of an attack and facilitate intelligence-driven detection and response, this proactive and multifaceted approach will secure better outcomes than relying on cyber insurance.”
Respond and recover
Clearly, a strong cybersecurity strategy shouldn’t rely on detection alone; how businesses respond to a potential threat is what really matters.
When defences fail and operations are threatened by a ransomware attack, companies with a clear and effective incident response plan stand the best chance of mitigating the damage.
“Any incident response plan needs to be tested and should ideally undergo regular tabletop exercises to ensure everyone is aware of the plan and their individual responsibilities,” Knapp adds.
“It’s also critical that a robust IT disaster recovery plan is in place and frequently tested. Backup controls should be protected using approaches such as segmentation of backups, strong authentication requiring multi-factor authentication, backup pins or dual authorisation mechanisms to prevent files from being disabled or overwritten.”
Knapp insists a robust data protection strategy is also key, ensuring crucial data stays in known, risk-assessed locations, with measures in place to protect and provide timely access.
In the best case, this prevents an attacker from gaining access to that data; in the worst case, it slows them down until the incident response capability identifies and contains the threat.
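To make the "dual authorisation" and backup-protection controls Knapp lists above concrete, here is an added illustration in Python. It is not Bridewell's or Knapp's code, and the names (BackupVault, ManualClock, APPROVAL_WINDOW) and the one-hour approval window are assumptions. A deletion of a backup set is executed only after a second, distinct operator approves it inside the window; sets under a retention lock are refused outright; and every decision is written to an append-only audit trail of the kind a SIEM would ingest, so a single compromised account cannot quietly disable or overwrite backups.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

# Assumption: a requested deletion must be approved within this window.
APPROVAL_WINDOW = timedelta(hours=1)


class ManualClock:
    """Injectable clock so the approval window can be exercised deterministically."""

    def __init__(self):
        self.now = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed start time

    def advance(self, hours: float = 0, days: float = 0) -> None:
        self.now += timedelta(hours=hours, days=days)

    def __call__(self) -> datetime:
        return self.now


@dataclass
class BackupSet:
    name: str
    immutable_until: Optional[datetime]  # retention lock; None means not locked
    deleted: bool = False


@dataclass
class DeleteRequest:
    backup: str
    requested_by: str
    requested_at: datetime
    approvers: Set[str] = field(default_factory=set)


class BackupVault:
    """Control plane for a backup repository: every destructive action is gated."""

    def __init__(self, clock=None):
        self.backups: Dict[str, BackupSet] = {}
        self.pending: Dict[str, DeleteRequest] = {}
        self.audit: List[str] = []  # append-only trail, the feed a SIEM would ingest
        self._clock = clock or (lambda: datetime.now(timezone.utc))

    def _log(self, event: str, backup: str, actor: str) -> None:
        self.audit.append(f"{self._clock().isoformat()} {event} backup={backup} actor={actor}")

    def _locked(self, bs: BackupSet) -> bool:
        return bs.immutable_until is not None and self._clock() < bs.immutable_until

    def add_backup(self, name: str, immutable_days: int = 0) -> None:
        until = self._clock() + timedelta(days=immutable_days) if immutable_days else None
        self.backups[name] = BackupSet(name, until)

    def request_delete(self, backup: str, operator: str) -> str:
        """First half of dual authorisation: the requester can never complete the action alone."""
        bs = self.backups[backup]
        if self._locked(bs):
            self._log("DELETE_REFUSED_IMMUTABLE", backup, operator)
            return "refused_immutable"
        self.pending[backup] = DeleteRequest(backup, operator, self._clock())
        self._log("DELETE_REQUESTED", backup, operator)
        return "pending"

    def approve_delete(self, backup: str, approver: str) -> str:
        """Second half: a distinct identity must approve within the window."""
        req = self.pending.get(backup)
        if req is None:
            self._log("APPROVE_NO_REQUEST", backup, approver)
            return "no_request"
        if self._clock() - req.requested_at > APPROVAL_WINDOW:
            del self.pending[backup]
            self._log("DELETE_EXPIRED", backup, approver)
            return "expired"
        if approver == req.requested_by:
            self._log("APPROVE_REFUSED_SELF", backup, approver)
            return "refused_self_approval"
        if self._locked(self.backups[backup]):  # re-check: a lock may have been applied meanwhile
            del self.pending[backup]
            self._log("DELETE_REFUSED_IMMUTABLE", backup, approver)
            return "refused_immutable"
        req.approvers.add(approver)
        self.backups[backup].deleted = True
        del self.pending[backup]
        self._log("DELETE_EXECUTED", backup, f"{req.requested_by}+{approver}")
        return "deleted"


if __name__ == "__main__":
    clock = ManualClock()
    vault = BackupVault(clock)
    vault.add_backup("daily-01")
    vault.add_backup("weekly-locked", immutable_days=30)
    print(vault.request_delete("weekly-locked", "alice"))  # refused_immutable
    print(vault.request_delete("daily-01", "alice"))       # pending
    print(vault.approve_delete("daily-01", "alice"))       # refused_self_approval
    print(vault.approve_delete("daily-01", "bob"))         # deleted
    print("\n".join(vault.audit))
```

The two properties worth noting are that the requester's own credential is never sufficient (self-approval is refused), and that the audit trail records refusals as well as executions: a burst of DELETE_REFUSED_IMMUTABLE or APPROVE_REFUSED_SELF events is exactly the "impairing recovery controls" stage of the lifecycle described earlier, surfacing in the SIEM before any data is lost.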
Finally, plans must be in place relating to the payment of ransoms.
“This is a decision that should be taken very carefully,” says Knapp. “The legal and ethical implications of paying out need to be addressed and evaluated long before the actual criminal act takes place. Data can help businesses make the right call on this contentious issue.
“Weighing up the operational cost lost per day, versus the cost of paying the attacker, can provide some much-needed clarity, while the level of confidence of being able to bring systems back will be a factor in many organisations’ decision making.”