What is Ransomware?
Let’s start with the basics. The simple definition of ransom is “a consideration paid or demanded for the release of someone or something from captivity.” Ransomware, then, is a way for bad actors to encrypt information and hold it for ransom in exchange for money—typically untraceable bitcoin.
There are four main ways that hackers target organizations and demand payment:
- Lockout: Victims pay to regain access to systems after key files are encrypted. This is the original ransomware attack.
- Data theft extortion: The ransomware classic. Hackers steal and threaten to release sensitive information if a ransom is not paid.
- Denial of Service (DoS): Ransomware gangs launch denial-of-service attacks that bring down a victim’s public websites.
- Harassment: Cybercriminals contact customers, business partners, employees, and media to tell them the organization was hacked.
Recent research from the Ponemon Institute found that 80 percent of companies have found themselves victimized by a ransomware attack. This high probability comes even though an average of $6 million is spent annually on ransomware mitigation.
Why is Ransomware So Popular?
The simple answer is that it works; hackers get their paycheck simply by infiltrating companies and taking data or systems hostage. And getting hold of ransomware is easier than ever, too. Besides being able to purchase malware for as little as $1000, hackers can purchase Ransomware as a Service (RaaS) packages, which offer perks like software support, pay-as-you-go plans, and further reach than self-developed ransomware.
Breaches are bad for business, particularly if they are made public. That means most companies don’t think twice about paying to get their information back and keep the situation out of the news, which is what the criminals are banking on.
Other reasons that ransomware has grown so popular are:
- Production and cost of sales can be low – hacking is easy, especially with devices like the WiFi Pineapple, stealing default passwords, or breaking into IoT devices. Cost of sales is low because the attacker already knows the particular buyer and knows that he is motivated to get his information back. Bitcoin is usually used as payment because it is an effective and efficient medium of exchange.
- Ransom prices can be set high or low to match what you think the owner will pay.
- Margins are high and profits are amazing
- Addressable market is enormous and includes anyone with privileged data
- Every aspect is maturing, from code quality to backup systems and evasion techniques
To Understand How to Stop It, You Have to Know How Ransomware Works
Many ransomware attacks start as phishing attacks that pivot into persistent infections. Widespread ransomware attacks do not happen instantly, but they can spread quickly, as the worm component of the WannaCry attack demonstrated.
How It Starts
Most ransomware attacks begin with an attack on one employee, website, or some other vector before gaining persistent access to the network. As the malware moves around the network, it installs the ransomware, which encrypts your critical data with a key that only the bad actors hold. Everything you have is still there, but you lack the ability to access it unless you pay the ransom and get the key.
How to Fight It
Fighting back against ransomware is a complicated process, especially once the operators are inside your network. Think about the attack paths in your network and how an intruder could pivot from one system to another to reach your sensitive data.
People are also vulnerable due to their accounts on different systems, profiles, roles, or the entitlements granted to certain security groups. That's billions of relationships in a mid-sized company and bad actors only need to exploit one.
The truth is that in this complicated and many-faceted world of cyber security, the bad actors do get in. The real question is, could you have deterred this attack? If not, how fast can you move to prevent loss once it happens? How can you do this? With evidence-based prioritization.
Prioritization in an Attack
In the lifecycle of an attack, you can use prioritization to deter, detect, remediate and validate threats.
Prep:
Because most ransomware attacks begin by targeting individual employees, two essential actions for any organization are user training and multi-factor authentication. Training helps employees identify and avoid things like phishing, and multi-factor authentication keeps their accounts safe in the event that they do fall prey to a phishing attempt. There are even tools that put up an extra barrier around email inboxes – the primary place that phishing and other security issues like data loss occur.
Deter:
Penetration testing can help you identify the most critical vulnerabilities in your network. For instance, the WannaCry attack exploited a Microsoft vulnerability that had an available patch. However, many had not yet updated their systems. Identity and Access Management (IAM) will help you to understand who has access to which critical systems and whether machines are synchronizing passwords with other accounts. Using IAM will help you to understand who can access your critical information and how.
Protect:
Speaking of your critical information, it’s time to segregate your backups. Ransomware methods are maturing, and targeting backups is one new tactic. Organizations think that they don’t need to pay the ransom because they can use their backup – only to find that the ransomware has found its way to the backup, too. Make sure that all backups are on different networks and cannot be affected in an attack.
Beyond backups, ensuring that data is protected at all stages of the data lifecycle – from intake to access rights to sharing and transfer – can reduce an organization’s data breach risk. It’s better to have multiple safeguards than let loose a flood of data immediately upon breach.
Detect:
Here is where your network threat-detection analysis comes into play to see where or what devices have been affected. Did this machine have an IoC? What access did that expose? By using this information, you can also see when the infection happened, how it happened and who is affected.
Remediate:
Your company needs to have an incident response plan in place for the remediation of accounts, vulnerabilities, and compromised devices to quickly address security risks as soon as they become visible. With prioritization, you can see which of these incidents have a larger impact on your organization and can stop data loss by tackling the top priorities first.
Validate:
Validation isn't a one-time process. You need to continuously validate your security posture to test and strengthen your processes. Access reviews, penetration testing, network security assessments and other security consulting services ensure that you are continuously validating and, in turn, continuously improving.
Are You Prepared for a Ransomware Attack on Your Organization?
Raising awareness about ransomware helps keep things like phishing attacks top of mind and keep your employees from falling for them. And having robust data security solutions in place can help your organization prepare