The three components to an effective ransomware strategy
Our Executive Guide to the NTT Security 2018 Global Threat Intelligence Report highlighted the significant impact ransomware is continuing to have on organisations around the world. It also showed that the way cybercriminals use ransomware has evolved in recent years. Here’s a brief introduction to ransomware and how you can address it within your organisation.
How cybercriminals use ransomware
Ransomware often targets people through social engineering techniques, such as phishing, to have them unknowingly deploy a ransomware payload on their machine, usually as an email attachment. The payload then encrypts files on the machine and demands a ransom, often asked for in a cryptocurrency such as bitcoin, to unlock the files. These demands are usually time-sensitive with a deadline, after which the data is permanently deleted. Paying the ransom is no guarantee, though, that the files will be unlocked again.
In 2016, ransomware took on a new dimension: it would not only infect the first machine but also look to propagate itself across the network. Adding to the devastation is the choice of target: adversaries using ransomware often go after companies with highly sensitive business process-relevant information, such as health records or manufacturing data. This raises the odds that the victims will pay.
The world saw an explosion in ransomware attacks in 2016, in part because attackers used exploits allegedly stolen from the NSA and released online. The vulnerabilities that these exploits target can be patched, yet from our analysis, ransomware attacks actually rose in 2017, from 1% of malware attacks to 7%, an increase of 350% from the previous year. There’s growing evidence that attackers are also using ransomware to expand their control, downloading additional payloads once an infection is active. But unlike long-term breaches, which might syphon valuable company data over time and be even more devastating, ransomware attacks work best on shock-and-awe tactics: pay the money or lose your data.
Fighting ransomware
Growing security maturity among certain sectors has tangibly reduced ransomware attacks. Business and professional services used to be the most popular target because they have access to and hold records on many customers (and thus many potential targets). Security investments have reduced the ransomware threat. We found a reduction from 28% in 2016 to 17% in 2017. Adversaries are now focusing on new targets to catch less security-mature companies and countries.
There are strategies organisations can follow to reduce their threat profile and risk. This requires investment and executive-level buy-in, but it can be accomplished. Strategies include three vital components:
- Backups: Backups are a natural remedy to ransomware, as the data that’s been compromised is available elsewhere. An attack can still cause a disruption to operations but it leaves a bad taste in the mouths of adversaries, who prefer maximum reward for the effort. So a good data backup/recovery strategy is critical.
- Patches: Many ransomware attacks exploit known flaws in operating systems. It’s not always practical to take down systems and patch, as this can interrupt business operations, but patching remains crucial, so a risk-based patch strategy must be in place. A healthy patching strategy is a critical element of a mature security culture.
- Vigilant people: People may be the weakest link in implementing strategies to combat ransomware. Attackers are skilled at duping people into malicious actions. A vigilant workforce is invaluable to security. The people element includes executives. It’s important for them to know that ransomware goes straight for the business’s throat. It will target and compromise the very process-related data and workloads that executives and departments need to execute their mandates. Security in general is a business problem but ransomware brings this home acutely.
There’s another choice: pay the ransom. But this should be avoided as there’s no guarantee that the files will be unlocked, plus it enables and encourages attackers to do the same again. In the case of ransomware, prevention is far better than cure, because there is no real cure.
In summary
Ransomware is one of the easiest ways for adversaries to bring a company to its knees. Without the right precautions, there’s little that can be done to recover compromised data. But it’s very possible to build defences against it. Here are some best practices for doing so:
- Assess the threat to the organisation: what would stop the business in its tracks?
- Ensure sufficient investment in security.
- Gain the understanding, buy-in, and support of executives.
- Ensure there is a backup/recovery strategy in place.
- Have a system patching strategy and ensure it is executed.
- Perform vulnerability management to identify and address deficiencies.
- Secure the endpoint.
- Invest in user education and training.
You can read more about ransomware and the other cybersecurity trends impacting organisations as uncovered by the Executive Guide to the NTT Security 2018 Global Threat Intelligence Report.
Great article Mark, touching on the top points. However, ransomware is only now ramping up in complexity and stealth, and I suspect we'll see more worm-like malware in the near future. Unfortunately, the user is the weak link as always, so education is key.