In 2021, there are two words that can send a cold chill down the spine of any Cybersecurity professional and business leader: Phishing and Ransomware.
Research carried out by the data analytics and training company CybSafe identified that 22% of all cyber incidents reported in the first quarter of 2021 were ransomware attacks. According to figures obtained from the Information Commissioner's Office, they are up by 11% compared to 2020.
This increase is significant and must be studied more closely, but let us start at the beginning.
What is Ransomware?
Ransomware is a form of 'Malware', or malicious software, that infects your computer or device and blocks you from accessing your systems or files. Generally speaking, the entire system or a subset of files will be encrypted. Until you, the victim, pay the ransom, you cannot access the system or the files, which are now under the control of the Cybercriminals. The demand usually comes as a request for payment in bitcoin or some other anonymous form of payment or bank transfer.
Cybercriminals understand not only the technical aspects of the attack but also the psychological angles to play to. They will often state that all files and systems will be deleted or destroyed if the demands are not met within a specific timescale, thereby creating a sense of panic and urgency. They may also state that they will inform your clients of the breach (after all, they have your entire customer base in their hands), thereby adding blackmail to the ransomware demand. In recent years we have also heard of instances where they will threaten to inform the Information Commissioner's Office (ICO) of your breach, meaning you run the risk of regulatory and legislative investigations.
Why has it become such a problem?
Ransomware is nothing new. The first known ransomware attack occurred as far back as 1989 and focused on the health care sector. Fast forward to the present, and according to a report by the security company Purplesec, there were 68,000 ransomware trojans for mobile devices in 2019. There are several reasons why Ransomware is so prevalent, and one of them is linked to something that has also been on the increase for many years: Phishing.
Most, if not all, of us will have received some form of phishing email over the last 12 months: an email or SMS message to our device trying to convince us to 'click this link' or 'open the attachment'. Phishing is the vehicle, but quite often, Ransomware is the payload. Once you click that link, what happens next is down to the Cybercriminal. Unfortunately, there is an abundance of 'Ransomware kits' and 'Crime-As-A-Service' offerings, and therefore the barrier to entry into this form of criminality has been vastly reduced.
In addition to this, according to Palo Alto Networks' Unit 42 security consulting group, the average ransom paid by organisations has increased by 82% since 2020. The average demand is now a record $570,000 (£414,000), compared with just $170,000 (£123,000) in 2020.
Of course, it is not always as high as this, and ransom demands can be much lower, depending upon who they target. Crime-As-A-Service operators will help those wishing to carry out ransomware attacks by setting price limits that are likely to be paid. Ask too much or too little, and the ransom demand may be ignored.
Tip of the iceberg
Although reports and statistics all tell the shocking story that Ransomware is on the increase, I firmly believe we only see the tip of the iceberg. Why? Because many victims don't want to make it publicly (and often internally) known that they have been hit with a ransomware attack. This was highlighted back in 2019 when it was revealed that Uber paid $100,000 to Cybercriminals to delete over 57 million customer and driver records they had stolen.
What can we do?
It's important to say that we can't leave this to the authorities or legislators to address for us. We must take action ourselves, but it's not as difficult as it sounds. Prevention is always better than cure, and here's what you should be doing to protect yourself and your organisations.
People are your best and last form of defence
Educate your team on what phishing is and what the implications are. Ransomware is often the symptom, not the cause, of an attack. Cybercriminals need to persuade someone to 'click this link' or provide access to your systems. Training and awareness may sound dull, but think of it this way: you wouldn't put someone behind the wheel of a vehicle without training them first.
Training and awareness need to be ongoing, not a passive, once-a-year, must-be-endured event! Make it enjoyable, make it relevant and make it practical. Finally, remember that EVERYONE needs this training. Yes, EVERYONE. That includes the CEO, the MD, the Head of [function name], the IT function and even the Cybersecurity professional! Things change, and attack methods differ. We must adopt the beginner's mindset and commitment to continual (self) improvement.
If you're wondering how to get the IT team or CEO/MD to commit to training and awareness, then why not run a tabletop exercise to walk through the scenario of a Ransomware attack? A scenario that sees your entire customer database stolen, encrypted and held to ransom should make the C-Suite sit up and pay attention.
Use Technology effectively
Ensure you have strong spam filters in place to prevent phishing emails in the first place, and you're already increasing your security by reducing the psychological burden on your people. But suppose the user does click the link. In that case, you can implement tools that will detect any attempt to download files, make local changes to the machine, and alert you to these actions (these can be implemented as part of a broader Security Configuration Monitoring (SCM) suite).
You should also check your DMARC (Domain-based Message Authentication, Reporting and Conformance) settings to reduce the risk of email spoofing, which again ensures end-users aren't seeing an email that appears to come from "YourCEO.Company.co.uk" but is actually NOT from that person. Ensuring you are scanning all incoming and outgoing messages for malicious content will again reduce the burden on your end-users. If possible, you should block any emails that contain executable files (although this may impact your operation, so check whether it is likely to cause any disruption).
The above are perimeter defences aimed at keeping the bad guys out by reducing the burden on end-users and reducing the need for human intervention. But if they do manage to break through, then having good technical controls in place can prevent a lot of the damage caused by this threat. For example, Ransomware often has a signature or characteristics that can be quickly identified by file integrity monitoring (FIM) tools. In addition, having anti-virus and anti-malware protection in place will alert you to any potential threats.
The most effective approach to this threat's technical aspects is deploying a Security Configuration Monitoring (SCM) facility. An effective SCM collects and analyses information from across your network to detect suspicious behaviour and unauthorised system changes which may indicate the presence of Ransomware. Quite often, those behind the Ransomware will take a copy of the data prior to encryption to extort further money out of their victims. By deploying a security configuration monitoring tool, you will be alerted to this data exfiltration and can implement remediation and contingency plans quickly and effectively.
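To show the kind of "characteristic" a FIM or SCM tool can alert on, here is an added example (not Tripwire's product logic and not the author's code) that runs simple detection over a constructed file-change log: a burst of changes from one host within a short window, and renames to ransomware-style extensions. The log format, window, threshold and extension list are assumptions for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)          # sliding window per host (assumed value)
THRESHOLD = 10                          # changes inside the window that raise an alert
SUSPICIOUS_EXT = (".locked", ".encrypted", ".crypt")  # constructed sample list


def parse_event(line: str):
    """Parse one constructed log line: '<iso-time> <host> <action> <path>'."""
    ts, host, action, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), host, action, path


def detect_bursts(lines) -> list:
    """Return (host, time, reason) alerts, at most one per host and reason."""
    recent = defaultdict(deque)     # host -> timestamps still inside the window
    raised = set()                  # (host, kind) pairs already alerted on
    alerts = []
    for line in lines:
        ts, host, action, path = parse_event(line)
        window = recent[host]
        window.append(ts)
        while window and ts - window[0] > WINDOW:
            window.popleft()
        if action == "rename" and path.lower().endswith(SUSPICIOUS_EXT):
            if (host, "ext") not in raised:
                raised.add((host, "ext"))
                alerts.append((host, ts, f"rename to ransomware-style extension: {path}"))
        if len(window) >= THRESHOLD and (host, "burst") not in raised:
            raised.add((host, "burst"))
            alerts.append((host, ts, f"{len(window)} file changes within {WINDOW.seconds}s"))
    return alerts


# Constructed sample: routine edits on ws-03, then a rename storm on ws-17.
SAMPLE_LOG = [
    "2021-09-01T09:00:00 ws-03 modify /home/bob/report.docx",
    "2021-09-01T09:05:00 ws-03 modify /home/bob/report.docx",
] + [
    f"2021-09-01T09:10:{i:02d} ws-17 rename /srv/share/file{i}.xlsx.locked"
    for i in range(12)
]

if __name__ == "__main__":
    for host, ts, reason in detect_bursts(SAMPLE_LOG):
        print(f"ALERT {ts.isoformat()} {host}: {reason}")
```

Real ransomware tooling varies, so a production rule set would combine this with other indicators (new files resembling ransom notes, changes to shadow copies or backup agents) and tune the threshold to each host's normal change rate.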
A lot more could be done in relation to the technical controls you can deploy, but it would be remiss of me not to mention the most technical measure of all: Backup.
Make sure you have a robust backup process in place and that it is tested regularly. Depending upon the nature of your work, you might want to apply the 3-2-1 rule of backing up. This is:
- 3 copies of your data - Production data and 2 backup copies
- 2 different media (disk, tape and/or cloud)
- 1 copy off-site and off-line for disaster recovery.
Remember – sadly, there is no such thing as 100% secure. Having a preventative, detective and remediation mindset is mandatory. Taking some of the measures outlined above will help reduce the chances of an attack being successful, but if you are unlucky enough to be a victim of Ransomware: Do Not Panic. Consider the following steps as your incident response plan.
- Invoke your Incident Management team
- Isolate and protect your backups
- Isolate and close down the affected systems or devices
- Identify all admin accounts and change passwords (Cybercriminals may have created a 'backdoor' so be sure you have checked this before taking actions to lock out the bad guys, as this may cause them to take further actions)
- Inform law enforcement agencies
- Inform your insurer
- Inform your team
- Inform customers
- Bring in Cybersecurity specialists who can assist in the recovery process and in exorcising any 'ghosts in the machine'.
Please note that this is not a linear process, but each is a step you should consider carefully. Once things have returned to normal, conduct a Post Incident Response (PIR) review to look at the steps in the recovery process and see how you can respond better (should you be unlucky enough to be a victim again). Once this is complete, you should look at a Root Cause Analysis (RCA) so that you can identify how the Ransomware was able to infiltrate your business and what you can do to reduce the likelihood or impact of it happening again. This should include determining what investment in training or technology is required.
Ransomware is a threat that is not going away. It will be with us for some time to come until Cybercriminals stop making money from it. Crime evolves, and Ransomware, just like pickpocketing in the 1800s, is currently en vogue.
The best form of offence is defence, and knowledge over ignorance and complacency will put you in a stronger position to defend against this threat.
Take action today to prevent an attack tomorrow, or as I like to say: put Cybersecurity ON the agenda, before it BECOMES the agenda.
Climbing the Ransomware Maturity Curve
To learn more, you can join cybersecurity experts Tim Erlin and Dr. Ed Amoroso on September 30, at 7:00 a.m. PT (3:00 p.m. BST) for a discussion around the current ransomware threat landscape and techniques you can use to stay a step ahead of ransomware attacks. You’ll come away with new perspectives on identifying and correcting weakened security configurations, alerting on suspicious changes as they occur, and much more!
Register here: https://info.tripwire.com/register-climbing-the-ransomware-maturity-curve.html
You can follow Gary on Twitter here: @AgenciGary
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.