How to Deal with Ransomware in 2022

Ransomware continues to be a pressing challenge for many companies. It is a type of malware that hackers use to encrypt critical system files. A CrowdStrike Global Security Attitude Survey found that at least 56% of organizations worldwide were victims of a ransomware incident. Also, the survey revealed that 27% of the affected companies paid ransoms to the attackers, with each incident averaging $1.1 million. Therefore, ransomware is a high-priority cyber threat plaguing organizations in different industries. Attackers use various ransomware variants to encrypt mission-critical files and demand high payouts. For example, REvil ransomware targeted Acer, and the attackers demanded a $50 million ransom, the highest in history. With ransomware attacks increasing every year, organizations must understand ransomware and the required protective measures to protect themselves adequately.

Ransomware is the Top Threat Facing Enterprises.

Ransomware attacks are the most pervasive cyber threats facing small- and medium-sized businesses. In 2020, more than 60% of managed security providers reported that ransomware infections affected their clients. Essentially, ransomware attackers target SMBs the most because SMBs often lack the resources required to prevent the attacks. In addition, poor cybersecurity practices, insufficient security training and awareness, and phishing attacks are the leading causes of ransomware incidents. The following statistics illustrate why ransomware is a headache for many organizations and why they must protect themselves.

  • Cost of ransomware attacks exceeds ransom payouts: Although most security experts advise against making ransomware payments, most organizations pay them anyway. Companies pay to regain access to encrypted files or prevent the attackers from uploading compromised data to the dark web. However, the resulting attack costs often exceed the paid ransom amount. Specifically, costs related to data unavailability, system downtime, and diminished customer trust resulting in lost business opportunities are almost fifty times the demanded ransom.
  • Attackers are increasingly targeting MSPs: MSPs play a vital role in protecting organizations of all sizes from ransomware incidents and other related attacks. However, ransomware variants evolve rapidly as ransomware authors leverage innovative technologies to develop complex and hard-to-detect variants. Consequently, at least 95% of MSPs are at a higher risk of being attacked. More MSPs are, therefore, partnering with specialized security firms that focus more closely on ransomware detection and prevention.
  • COVID-19 impacts elevating ransomware risks: A recent survey found that 71% of cybersecurity professionals are more concerned with the effects of the COVID-19 pandemic on ransomware attacks. The pandemic has resulted in a drastic change of work methods as more employees are now working remotely. Therefore, organizations are more exposed to ransomware attacks since employees often use devices that lack robust ransomware prevention measures. Also, phishing attacks have grown alarmingly, and attackers use phishing emails as the preferred ransomware delivery method.
  • You can’t prevent ransomware attacks using a single solution: The importance of ransomware prevention cannot be overstated, especially with ransomware attacks registering an unprecedented rise of 1318% in 2021. Hence, Gartner concludes that organizations cannot rely on a single cybersecurity solution to protect against ransomware threats. In most cases, attackers deploy ransomware as one of the components of a broader cyber-attack to compromise crucial administrative and critical IT assets. For example, attackers develop sophisticated ransomware variants to target and compromise data backups, corporate networks, and systems or databases holding confidential information. Therefore, a defense-in-depth approach is necessary to safeguard against ransomware attacks.

Top Recent Ransomware Incidents

A survey involving at least 3500 technological industry leaders confirmed the fears of most security professionals in the cybersecurity sector – ransomware is spiraling out of control. The survey found that ransomware increased by 900% in the first half of 2021 compared to a similar period in 2020. Inevitably, a large number of SMEs and Fortune 500 companies have been attacked in 2021. The following are the top five ransomware attacks in 2021, indicating why ransomware detection and prevention are essential.

1. CNA Financial

A March 2021 ransomware incident saw CNA Financial Corp., one of the leading insurance companies in the United States, pay a staggering $40 million ransom to access a decryption key or decryption tools and regain control of infected systems. According to security professionals, a Russian-based cybercrime syndicate, known as Evil Corp, was responsible for the attack. The cybercrime group used Phoenix Locker malware to execute the attack. Although the affected insurer did not confirm the paid ransom, a $40 million payout is the largest ransomware payment in history. While the initial attack vector is not officially confirmed, David Carmiel, the CEO of KELA, a threat intelligence security firm, stated that the attackers delivered the ransomware via a harmful browser update published on a legitimate website. Additionally, the hackers used other vulnerability exploitations and social engineering attacks to gain elevated access privileges, enabling them to access and infect the company’s entire network.

2. Colonial Pipeline

Colonial Pipeline operates the largest fuel pipeline in the US. However, it was a victim of a ransomware incident that affected the US fuel market. Unfortunately, cybersecurity experts that responded to the incident blamed it on a single hacked password. According to Charles Carmakal, a senior vice president at Mandiant cybersecurity company, the hackers responsible for the attack compromised a VPN account that enables employees to remotely access the organization’s corporate network. Although it is unclear how the attackers accessed the account’s password, it was later found on the dark web, among other leaked passwords. Also, multi-factor authentication had not been enabled despite being a crucial cybersecurity practice. The Russian-linked cybercrime syndicate made away with $4.4 million in a ransom payout after it threatened to leak almost 100 gigabytes of crucial data.

3. Brenntag Attack

Brenntag, a leading chemical distribution organization with a global workforce of more than 17,000 employees, parted with $4.4 million to access a decryption tool and regain control of its data and systems after a DarkSide ransomware attack. Attackers compromised the German-headquartered company and stole at least 150GB of data while encrypting computer systems and devices connected to the network. DarkSide is ransomware as a service: the ransomware authors lease it to other hackers, and DarkSide takes a percentage of the paid ransom. During the incident, the DarkSide affiliates accessed the company’s network after buying compromised credentials from an initial access broker (IAB). The attackers later advised the company to use more advanced antivirus solutions and enable multi-factor authentication to prevent similar future attacks.

4. Kaseya

The notorious REvil ransomware group struck in July 2021 and hacked Kaseya, a leading US-based software solutions provider. The ransomware incident affected at least 2000 organizations globally since Kaseya provides IT solutions to enterprise clients and MSPs. Investigations showed that the responsible attackers exploited a vulnerability in the company’s VSA software, affecting multiple MSPs and businesses. VSA is a unified tool that enables remote management and monitoring of endpoints deployed in a network. According to FBI investigations, the ransomware incident resulted from a supply chain attack that involved at least 30 MSPs. Specifically, the ransomware attack occurred after attackers exploited an authentication bypass flaw in the VSA web interface. As a result, the hackers circumvented authentication measures and controls to gain an authenticated session. Then, using SQL injection commands, the attackers uploaded a malicious payload leading to the attack. However, Kaseya refused to pay the demanded ransom of $70 million.

Different Ways Ransomware Affects Your Organization.

  1. System downtime and data unavailability: Essentially, a ransomware incident encrypts the infected machines, networks, and systems, causing downtime. It also causes data unavailability since cybercriminals target and encrypt mission-critical information. Technology is crucial to modern business operations, and system downtime means that an organization cannot operate. Therefore, a ransomware attack can adversely impact your organization by preventing system or data access, hindering the achievement of daily business objectives.
  2. Huge financial losses: Without data or network access, your company can count numerous losses due to missed business opportunities. Besides, attackers demand huge ransom payouts, which can cripple startups and SMEs. Even if you don’t pay the demanded ransom, the costs incurred in system and data recovery efforts are significant since the process often requires specialized assistance and resources. Moreover, legal challenges may arise, especially if the attack could have been prevented, further adding financial losses.
  3. Marred reputation: Customers and third parties are less likely to trust a company that has suffered any cyber-attack. In most cases, some ransomware attackers can upload or sell stolen personal information via the dark web even after receiving the demanded ransom. Other malicious cyber actors can use the information to advance more hacks and cybercrimes, which is why customers and third parties avoid attacked organizations.
  4. Exposure to more attacks: A ransomware attack occurs once attackers have compromised your network or business. Undoubtedly, hackers are familiar with a network they have already compromised and are more likely to strike again even after an affected organization implements mitigation controls. They can use this knowledge to perpetrate more attacks. Recurring cyber-attacks can potentially lead to business closure, which is why at least 60% of breached organizations shut down operations within six months.

How You Can Protect Your Organization from Ransomware Incidents

The following are some of the best ways and best practices your organization can use to prevent ransomware attacks and other cyber incidents.

1. Timely Software Updates

Zero-day exploits enable attackers to exploit security vulnerabilities whose patches or updates are yet to be released. However, updating software, firmware, and operating systems immediately after new updates roll out is recommended to prevent cyber breaches. Timely updating should be the first step towards preventing hackers from exploiting existing security weaknesses, thus preventing them from uploading ransomware payloads. Furthermore, installing new patches and updates on time is critical for fixing software or firmware security flaws that provide entry points for ransomware infection. In this regard, you should set all devices to install new updates automatically. Additionally, you can use an automated software updating platform that permits you to download and install new updates from a centralized dashboard.

2. Employee Training and Awareness

As previously mentioned, phishing emails are the leading ransomware delivery method through harmful email attachments. Delivering ransomware through phishing is widely popular since most employees lack the knowledge to discern between safe and unsafe emails. In addition, phishing emails often contain malicious attachments or malicious links that could cause a ransomware infection. Through frequent employee training and awareness, employees can learn the best way to identify and report suspicious emails bundled with malicious software or attachments, significantly improving your organization’s cybersecurity posture. More importantly, training and awareness equip employees with relevant skills regarding visiting insecure websites or clicking unsafe links. At the very least, a comprehensive cybersecurity training and awareness program should focus on educating users on healthy cybersecurity practices that can reduce the risk of a ransomware attack, such as avoiding illegitimate software, since it could be malicious.

3. Never Connect Unauthorized USB Drives

Huge organizations have suffered devastating attacks after one of their employees connected unknown USB disks to company-owned devices. Attackers may leave infected storage devices where someone can find them easily, such as in car parks. The aim is to tempt employees into connecting them to a computer and introduce a ransomware infection automatically since an unknown USB could be an infected device. Therefore, connecting unknown or unauthorized USB devices may cause a ransomware attack resulting in adverse impacts. Towards this end, you should never connect an unknown USB device, especially if you don’t know where it came from. Fortunately, some security applications prevent users from connecting unauthorized USB devices to a computer.

4. Enable Multi-Factor Authentication

In some of the notable ransomware incidents mentioned earlier, attackers used stolen passwords or login credentials to access a network or system to upload a ransomware payload. Additionally, stolen passwords can be sold via the dark web to enable nefarious cyber actors to access and perpetrate attacks on user accounts. By enabling multi-factor authentication across all accounts and services, you can prevent unauthorized access that may lead to ransomware incidents. Multi-factor authentication prevents access if the user cannot provide the necessary authentication items despite providing a correct username and password. Hence, multi-factor authentication can protect against ransomware incidents that occur due to password theft or the use of weak credentials.
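The check described above, as an added example that is not part of the original article: a login routine in which a correct but stolen password alone is rejected, and a one-time code cannot be replayed. It assumes TOTP (RFC 6238) as the second factor, which the article does not specify; the account store, the `login` function and the sample credentials are hypothetical and constructed.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # seconds per TOTP time step (RFC 6238 default)

def totp(secret_b32, unix_time, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1 for the time step containing unix_time."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", unix_time // STEP), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample data: one remote-access account enrolled for TOTP.
SALT = b"constructed-salt"
PASSWORD = "constructed-password-1"
SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()

def new_accounts():
    return {"vpn-user": {"pw_hash": hash_password(PASSWORD, SALT),
                         "totp_secret": SECRET_B32,
                         "last_step": -1}}  # last accepted step, blocks replay

def login(accounts, user, password, otp, now):
    """Return 'granted' only if the password AND a fresh TOTP code are valid."""
    acct = accounts.get(user)
    supplied = hash_password(password, SALT)
    if acct is None or not hmac.compare_digest(supplied, acct["pw_hash"]):
        return "denied: bad credentials"
    if not otp:
        return "denied: second factor required"
    current = now // STEP
    for step in range(max(0, current - 1), current + 2):  # tolerate clock drift
        expected = totp(acct["totp_secret"], step * STEP).encode()
        if step > acct["last_step"] and hmac.compare_digest(expected, otp.encode()):
            acct["last_step"] = step  # a code is accepted at most once
            return "granted"
    return "denied: invalid second factor"

if __name__ == "__main__":
    accounts, now = new_accounts(), 59
    code = totp(SECRET_B32, now)
    print(login(accounts, "vpn-user", PASSWORD, None, now))  # stolen password only
    print(login(accounts, "vpn-user", PASSWORD, code, now))  # password + fresh code
    print(login(accounts, "vpn-user", PASSWORD, code, now))  # replayed code
```
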

5. Create Multiple Backups

Although some ransomware infections can spread to created backups, it is vital to regularly create and update multiple backups. Besides, data backup is a recommended best practice since backups provide a safe and convenient method for restoring affected data and system configurations after a ransomware incident. Furthermore, cloud services enable users to create safe and secure backups. Also, creating offline backups is an efficient way of restoring sensitive data.

6. Endpoint Security

Managing endpoints is an overlooked but vital component of robust cybersecurity strategies. Most organizations and employees use various endpoints, such as mobile devices, to enhance operational effectiveness and productivity. However, the more endpoints deployed, the larger the attack surface. Therefore, securing and managing endpoints is critical to securing potential entry points to a protected network. Endpoint security entails implementing adequate configurations across all endpoints’ security software, ensuring all devices are up to date, monitoring endpoints to detect unusual behavior, and managing who can access and use various devices. For example, using an endpoint detection and response system can assist in detecting and stopping ransomware threats.

7. Zero-Trust Security

Zero-trust security treats every user or device as a potential security threat. It is a cybersecurity approach that authenticates, authorizes, and validates all users and devices continuously before allowing them to access critical infrastructure. As a result, it greatly reduces the possibility of a ransomware incident by providing complete visibility and control of who or what can access your network. Also, zero-trust enables adaptive monitoring, micro-segmentation, and network traffic assessment, which reduces the risk of a ransomware attack.

8. Network Segmentation

You can protect critical files and systems from a ransomware attack through network segmentation. Segmenting a network according to sensitivity and criticality is a widely used approach for preventing network intrusions. For example, you can create a network for public use while restricting vital communications and the sharing of sensitive information to a more secure network. In addition, in the event of a ransomware attack, network segmentation can prevent the infection from spreading. Network segmentation also prevents prolonged network downtime since an organization can respond to an attack while performing essential operations via secure networks. You should ensure that all network segments are encrypted using the WPA2 encryption scheme, which most professionals deem the most secure.

George Mutune

I am a cyber security professional with a passion for delivering proactive strategies for day to day operational challenges. I am excited to be working with leading cyber security teams and professionals on projects that involve machine learning & AI solutions to solve the cyberspace menace and cut through inefficiency that plague today's business environments.