Staying protected against ransomware

As we wrap up cybersecurity month, we’d be remiss if we didn’t revisit the ever-present threat of ransomware. Every time we look at the trends, the news is rarely positive. The frequency of these attacks has yet to slow down: estimates for 2021 range from one attempted ransomware attack every 11 seconds to a total of 700 million attempted attacks, up 134% from 2020. Phishing remains a common and successful method by which attackers gain initial access to an organization’s network.

No one is immune to these threats. Organizations of all sizes and across all industries are targeted, from small businesses to the enterprise, with healthcare, financial services, and manufacturing among the most targeted. For organizations in highly regulated and mission-critical industries, an attack can have ramifications that extend well beyond the organization itself.

While some of the tactics have evolved over the past few years, fundamentally ransomware is good business for the bad guys. It’s effective, lucrative, and easy to succeed at. For the victim organization, though, the consequences can be significant. Beyond the ransom payment itself, organizations face much higher total costs once downtime, inability to operate, loss of business and customer trust, and regulatory fines and penalties are factored in. In 2021, the average total cost of recovering from a ransomware attack was $1.85 million, more than double the 2020 figure.

The regulatory environment is starting to catch up and respond to these threats. Just a few months ago, Congress passed the Consolidated Appropriations Act, 2022, which contains the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). Once CISA’s implementing regulations are in force, organizations operating within critical infrastructure – which broadly includes health care, financial services, energy, transportation and commercial facilities, among others – must report a covered cyber incident to CISA no later than 72 hours after they reasonably believe the incident occurred, and must report a ransom payment within 24 hours of making it. With 30% of nation-states predicted to pass legislation regulating ransomware payments, fines and negotiations by 2025 (compared to 1% in 2021), we’re seeing in real time the effect cyber and ransomware attacks are having on legislation, and a global push for stronger regulatory involvement in how organizations respond to attacks.

So, what is it that makes organizations so vulnerable to attack? There are a variety of reasons, but there are a few key factors that play into this dynamic.

  1. Many organizations are digitizing, relying more on IoT and cloud-based services than ever before. It’s no longer an analog, place-based world for most organizations. While this digitization provides many benefits and greater efficiencies, it has also expanded their attack surface.
  2. The cost of downtime and the cascading effects of an attack can be devastating, especially for industries like healthcare and critical infrastructure. This means organizations are incentivized to pay the ransom to get access back as quickly as possible.
  3. Organizations’ operations are evolving faster than their cybersecurity. Many organizations rely on outdated methods and technology to protect against increasingly sophisticated attacks. As attacks grow in both complexity and variety, it can be difficult for IT and security teams to keep pace with new solutions, especially with limited time, resources, and budgets.

What can organizations do to defend themselves?

When thinking about how to defend against this ever-present threat, the adaptive security model provides a practical way to holistically tackle the problem. This model has four key components: predict, prevent, detect, and respond. Let’s look at a few practical steps within each area that organizations can take.

  1. Predict:
    1. To prevent attacks from occurring, you must first understand where they’re likely to come from. One of the most common vectors is your employees, via phishing. Exposed and poorly secured RDP and VPN endpoints are another common source, as are malicious websites.
  2. Prevent:
    1. Once you’ve identified the most common attack vectors, you need to ensure they’re as secure as possible. Preventing phishing starts with your employees: provide cybersecurity training on a regular basis and reinforce that material frequently, and back it with technical controls such as mail filtering and multi-factor authentication so that a single stolen password is not enough. Secure your applications and software by applying patches and upgrades as soon as possible, ideally as soon as they are available. Secure against credential-based attacks by storing privileged credentials in a PAM solution. Secure your remote access (particularly for your third parties) by verifying identities and controlling access based on the concept of Zero Trust. This reduces your attack surface by minimizing the number of access points in question. Fewer access points = fewer ways in = less risk.
  3. Detect:
    1. Even with all of the preparation and prevention techniques, there is still a chance that attackers find their way in. It’s smart to prepare accordingly, and that’s where detection comes into play: ensuring you can catch an attack as quickly as possible. Monitor and analyze your network, endpoint, and identity activity for signs of malware or infection, such as bursts of failed logons against remote access services or a single process rewriting large numbers of files. Use a SIEM solution to aggregate this data and surface threats or unusual activity so you can identify and address them quickly.
  4. Respond:
    1. Finally, you want to make sure you can respond quickly and effectively in the event of an attack. Time truly makes a difference to recovery and total costs, so having a plan in place beforehand is crucial. Write down and rehearse your incident response plan so everyone knows the role they must play. Ensure you have up-to-date backups of your critical systems and data, that those backups are kept offline or otherwise isolated from the production network (an online backup share can be encrypted along with everything else), and that you test restoring from them regularly.
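The detect step above is where a SIEM rule does the work. As an added example (not code from the original post), here are two small detection rules run over a constructed, SIEM-style event list: one flags a burst of failed RDP logons from a single source (Windows logon type 10, the interactive remote logon), raising severity when a success follows; the other flags a single process renaming many files to a new extension inside a short window, the encrypt-and-rename burst typical of ransomware. The event schema, the process name `crypt.exe`, and the IP addresses (from documentation ranges) are assumptions for illustration, not real telemetry.

```python
"""Two toy detection rules over SIEM-style events: RDP brute force and a
mass file-rename burst. Added example with constructed data, not the
post's own code; the event schema is assumed for illustration."""
import os
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def _ext(path):
    # Normalise Windows separators so splitext sees only the file name.
    return os.path.splitext(path.replace("\\", "/"))[1].lower()


def _window_hit(times, threshold, window_s):
    """True if at least `threshold` sorted timestamps fall inside any
    window_s-second span (two-pointer sliding window)."""
    lo = 0
    for hi in range(len(times)):
        while times[hi] - times[lo] > timedelta(seconds=window_s):
            lo += 1
        if hi - lo + 1 >= threshold:
            return True
    return False


def detect_rdp_bruteforce(events, threshold=5, window_s=60):
    """One alert per source IP with >= threshold failed RDP logons inside
    window_s seconds; a later success from the same source means the
    attacker probably got in, so severity becomes high."""
    by_src = defaultdict(list)
    for e in events:
        if e["kind"] == "logon" and e.get("logon_type") == 10:
            by_src[e["src_ip"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=_ts)
        fails = [_ts(e) for e in evs if e["outcome"] == "failure"]
        if not fails or not _window_hit(fails, threshold, window_s):
            continue
        success_after = any(e["outcome"] == "success" and _ts(e) > fails[-1] for e in evs)
        alerts.append({"rule": "rdp_bruteforce", "src_ip": src, "failures": len(fails),
                       "severity": "high" if success_after else "medium"})
    return alerts


def detect_mass_rename(events, threshold=20, window_s=60):
    """One alert per process that renames >= threshold files to a different
    extension inside window_s seconds (the encrypt-and-rename burst)."""
    by_proc = defaultdict(list)
    for e in events:
        if e["kind"] == "file" and e["op"] == "rename" and _ext(e["old_path"]) != _ext(e["new_path"]):
            by_proc[(e["pid"], e["process"])].append((_ts(e), _ext(e["new_path"])))
    alerts = []
    for (pid, name), entries in by_proc.items():
        entries.sort()
        if not _window_hit([t for t, _ in entries], threshold, window_s):
            continue
        new_ext = Counter(x for _, x in entries).most_common(1)[0][0]
        alerts.append({"rule": "mass_rename", "pid": pid, "process": name,
                       "renames": len(entries), "new_ext": new_ext, "severity": "critical"})
    return alerts


def build_sample_events():
    """Constructed sample events, not captured telemetry."""
    base = datetime(2022, 10, 31, 9, 0, 0)
    iso = lambda secs: (base + timedelta(seconds=secs)).isoformat()
    ev = []
    # Eight failed RDP logons from one source in eight seconds, then a success.
    for i in range(8):
        ev.append({"ts": iso(i), "kind": "logon", "logon_type": 10,
                   "src_ip": "203.0.113.7", "user": "admin", "outcome": "failure"})
    ev.append({"ts": iso(9), "kind": "logon", "logon_type": 10,
               "src_ip": "203.0.113.7", "user": "admin", "outcome": "success"})
    # Two mistyped passwords from a normal user: below threshold.
    for i in range(2):
        ev.append({"ts": iso(100 + i), "kind": "logon", "logon_type": 10,
                   "src_ip": "198.51.100.5", "user": "jdoe", "outcome": "failure"})
    # Hypothetical crypt.exe renames 30 documents in 30 seconds.
    for i in range(30):
        ev.append({"ts": iso(300 + i), "kind": "file", "op": "rename", "pid": 4242,
                   "process": "crypt.exe", "old_path": f"\\\\fs01\\share\\report{i}.docx",
                   "new_path": f"\\\\fs01\\share\\report{i}.docx.locked"})
    # Benign: a user renames a few files over ten minutes.
    for i in range(5):
        ev.append({"ts": iso(400 + i * 120), "kind": "file", "op": "rename", "pid": 100,
                   "process": "explorer.exe", "old_path": f"C:\\Users\\jdoe\\draft{i}.txt",
                   "new_path": f"C:\\Users\\jdoe\\draft{i}.md"})
    return ev


if __name__ == "__main__":
    events = build_sample_events()
    for alert in detect_rdp_bruteforce(events) + detect_mass_rename(events):
        print(alert)
```

Run as-is, the script prints one `rdp_bruteforce` alert for 203.0.113.7 (eight failures, then success, severity high) and one `mass_rename` alert for `crypt.exe` (30 renames to `.locked`); the two mistyped passwords and the slow benign renames stay below threshold. The thresholds and windows are the tuning knobs a SIEM rule exposes; in production you would baseline them per environment and feed the alerts into the response plan rather than rely on a fixed number.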

Unfortunately, this threat isn’t going away any time soon. Ransomware attacks will only grow in volume and effectiveness as long as they remain profitable for bad actors, and government regulation will keep increasing in step. Implementing these proactive and preventative measures to defend yourself, and preparing for the case where an incident does happen, is critical and necessary. The consequences of failing to do so, and the likelihood of an attack, are both too high to ignore.