Ransomware is the “gift” that keeps on giving – and not in a good way.
Sophos’s report The state of ransomware 2022 makes for rather sobering reading: 66% of 5,600 survey respondents said their organisations had been hit with ransomware in 2021 – nearly double that of the previous year – with 46% of organisations that were hit by encrypting ransomware having to pay a ransom to get their data back.
For as long as ransoms are paid, the appeal of the crime remains. This is a difficult cycle to break. Despite the massive amount of attention and concern about ransomware, large swathes of organisations are simply not prepared for it when it strikes. Similarly, they can’t and won’t let their businesses flounder, either. They pay, or their business dies. You can see the quandary.
So how do we break this cycle? By businesses doing as much as they can to prevent it from snaring them in the first place. And should they be unfortunate enough to get snared, being able to spot it quickly, limit the blast radius and recover swiftly is key, without having to pay the ransom to get back to normal. In short, they need to become more resilient.
There are many things to consider when thinking about business resiliency in the context of ransomware, but here are some key areas to focus on.
Know thyself
Easier said than done in this era of hybrid everything. Your staff are not necessarily holed up in an office any more. Similarly, neither are your servers or your data – a combination of cloud and on-premise now makes for an amorphous and complicated attack surface.
And the hyper-connected world doesn’t stop there – how many of your suppliers are connected to your network too? All these interconnections aggregate to a hefty attack surface that needs to be enumerated, assessed, patrolled and maintained. Remember – the bad guys only need one way in.
What are your crown jewels, your mission-critical assets? If you don’t keep on top of your asset inventories, your service and data catalogues, how on earth can you be sure you have everything covered, especially if nobody tells you when they change? (Handy hint: offline backups are somewhat tricky for ransomware to penetrate, whereas no backup at all is the gamble of a simple fool. Back the important stuff up. Properly!)
Know thy enemy
What I’m not saying here is rush out and bag yourself a state-of-the-art threat intelligence capability because there is a little more to it than that – a conversation for another time. But it is certainly pragmatic to at least have one eye on the outside world.
What activity is occurring right now? Which sectors are attracting particular interest? What techniques are threat actors employing, and what vulnerabilities are they exploiting? These are all important questions if you want to take a proactive stance. Even knowledge-sharing between industry peers is a good place to start.
Build the right walls
Your architecture is an important consideration in the fight against ransomware. If your network design is representative of a single open-plan warehouse, all the threat actor needs to do is get in, then it’s access all areas. Inhibiting a threat actor’s lateral movement and limiting the scale of impact should they release a payload could be the difference between a minor inconvenience and an extinction-level event.
Building a segregated environment considerate of who you are as an organisation and what you are in terms of data assets is not an overnight piece of work – but it should be a fundamental principle of your security architecture.
Keep your cyber hygiene levels high
The obvious place to start here is to stress the importance of keeping everything well maintained. Strong and secure configurations based on least privilege, coupled with an effective regime of patching, go without saying – but are not without challenges either. If you need to take a prioritised approach to this, my advice is to start with your internet-facing assets and ask yourself some obvious questions about them: Is this asset properly owned, patched and maintained? Does it need to be pointed at the internet? Should remote access services such as RDP be enabled (probably not, in all likelihood)? Why are Telnet, SSH, W3C services switched on if nobody is actually using them?
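One way to run those questions over an asset inventory, as an added example that is not part of the original article. The CSV columns, host names, the 30-day patch window and the per-service session counts are all constructed assumptions; substitute your own inventory export and patch policy.

```python
import csv
import io
from datetime import date

# Constructed sample inventory (not real hosts). services = name:sessions_last_30d
INVENTORY = """host,internet_facing,owner,last_patched,justification,services
web01,yes,web-team,2022-05-20,public website,https:48211;ssh:0
vpn01,yes,,2021-11-02,remote access,ssh:312;telnet:0
fin-db,no,finance,2022-01-10,,rdp:40
legacy7,yes,,2020-08-15,,rdp:3;http:0
"""

MAX_PATCH_AGE_DAYS = 30  # assumed patch window; set to your own policy


def triage(inventory_csv, today):
    """Return (host, findings) for internet-facing assets, worst first."""
    results = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["internet_facing"].strip().lower() != "yes":
            continue  # prioritised approach: internet-facing assets first
        findings = []
        if not row["owner"].strip():
            findings.append("no owner")
        age = (today - date.fromisoformat(row["last_patched"])).days
        if age > MAX_PATCH_AGE_DAYS:
            findings.append(f"last patched {age} days ago")
        if not row["justification"].strip():
            findings.append("no recorded reason to face the internet")
        for entry in filter(None, row["services"].split(";")):
            name, sessions = entry.split(":")
            if name == "rdp":
                findings.append("RDP enabled")  # flagged even when in use
            elif int(sessions) == 0:
                findings.append(f"{name} enabled but unused")
        if findings:
            results.append((row["host"], findings))
    # Most findings first, so the worst-maintained assets get attention first.
    return sorted(results, key=lambda r: len(r[1]), reverse=True)


if __name__ == "__main__":
    for host, findings in triage(INVENTORY, date(2022, 6, 1)):
        print(f"{host}: " + "; ".join(findings))
```
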
Vulnerability scanning and penetration testing go hand in hand with all this, giving you an independent view of where your weaknesses lie. Just be sure to do something useful with the output. Pen testing is not just for box-ticking on your ISO certification, and ignoring the advice and then getting nailed is not a good look.
The ability to filter spoofed email, email with malicious content and email coming from known malicious origins is important because this is a key vector of initial attack by ransomware gangs. But this absolutely needs to be complemented by an effective security culture, which educates, supports and encourages staff to be aware of potential threats, and to call them out in good time.
Make sure you have appropriate and up-to-date endpoint protections in place. Your 10-year-old antivirus product simply isn’t going to cut it in the fight against modern ransomware. Start by looking at the endpoint detection and response (EDR) marketplace – there are some amazing products out there. And if you aren’t rocking a security operations centre (SOC), I recommend a managed solution (MDR) if your budget can stretch to it.
Build a response plan. Test the plan. Refine the plan
Despite all your best intentions, there is still a chance of compromise. This is a fact of life. It is dangerous to talk about attack in the context of if; you should now always talk in the context of when. This sentiment needs to flow through your business, and be supported by a concerted effort to build, test and actively maintain plans for how you would respond should the worst happen to you.
A swift, co-ordinated response is critical in understanding the attack, containing it, limiting the damage and recovering while keeping the lines of communication tight, succinct, timely and relevant – both inside and outside the organisation. A well-owned, well-maintained plan can get you there, and a well-rehearsed plan instils confidence that you can and will recover – but never, ever be complacent.
A final word on the role of cyber insurance. Insurance alone cannot protect you against ransomware, but a good insurance product will complement a degree of financial protection with services that can support you in your preparedness (and response). Services include incident response consultancy, specialised legal and communications advice, regulatory support and cyber health checks.
I’m sorry to say – and it bears repeating – that ransomware isn’t going away any time soon. For as long as there is money to be made and victims are “willing” to pay, it will persist. The best thing you can do for your organisation is recognise the clear and present danger, keep it in the forefront of people’s minds, and encourage everyone in the business to take it seriously and play their part in keeping the business resilient and safe.