The State of ransomware 2022 report from Sophos found that two-thirds of 5,600 survey respondents say their organisations were affected by ransomware in 2021 – nearly double that of the previous year. Almost half (46%) of those surveyed admit that their organisations were attacked by encrypting ransomware and they had to pay a ransom to get their data back.
As Paul Watts, distinguished analyst at the Information Security Forum (ISF), points out, all the time ransoms are paid, the appeal of the crime remains. It is a difficult cycle to break.
“Despite the massive amount of attention and concern about ransomware, large swathes of organisations are simply not prepared for it when it strikes,” he says. “Similarly, they can’t and won’t let their businesses flounder either. They pay, or their business dies. You can see the quandary.”
User controls
There are plenty of techniques to reduce the risk and damage such attacks can cause. The experts Computer Weekly spoke to recommend that organisations start with up-to-date user education covering the latest trends and attacks.
Petra Wenham, a volunteer at BCS, The Chartered Institute for IT, says that typically, ransomware protections include filtering all incoming and outgoing emails for malicious files and malicious links. This is often achieved through an external commercial service.
“These scanning services can be extended to cover data exfiltration via email and scanning of a company’s web traffic,” she says.
Wenham suggests that IT leaders should deploy login policies for network access based on least-privilege access. She recommends that IT departments encrypt the network traffic for remote workers and implement time-of-day access. Such techniques can limit the damage caused if a remote worker is successfully targeted by ransomware.
While ransomware remains one of the top cyber security concerns for organisations today, according to Mandy Andress, chief information security officer (CISO) at Elastic, the state of ransomware defence is failing.
While organisations have traditionally relied on a combination of people, processes and technology to thwart cyber threats, Andress says these tactics alone are not enough to successfully mitigate increasingly sophisticated ransomware attacks.
“Ransomware defence is failing because it is viewed as a technical or organisational problem when, in fact, it’s an economic one,” she adds.
The world’s economies are largely dependent on the movement and distribution of data. For Andress, this implies that digital infrastructure should be scrutinised with the same urgency as critical physical infrastructure. She regards the issue of ransomware as interconnectivity.
“The same ransomware attacks that have caused gas shortages and transportation delays have also affected people’s ability to access healthcare or find what they are looking for at the grocery store,” she says.
By recognising ransomware as an economic problem, Andress says there is an opportunity for business leaders to mobilise a more effective response. As part of this, she suggests that CISOs and the business leaders in the organisations they work for should speak openly about the ransomware attacks they have experienced.
As Andress notes, there is a strong culture of shame within organisations around ransomware: “Companies are often too afraid or embarrassed to admit they’ve been the victim of an attack for fear that it will damage their reputation, result in hefty fines, or cause panic among customers and other stakeholders.
“In fact, some ransomware attackers will even use this to their advantage by employing ‘name and shame’ tactics with their victims in an effort to force them to pay a ransom.
“If major corporations with ample security resources can fall victim to ransomware, organisations should recognise that shame is unwarranted. All companies are at risk.”
It is also worth bearing in mind that some of the largest and most successful ransomware attacks have been orchestrated by powerful nation-states. This, says Andress, makes it nearly impossible for a single organisation to protect itself effectively.
“During the pandemic, for example, the healthcare industry was overwhelmed with ransomware attacks driven by nation-states trying to obtain data and research on Covid-19 vaccines, and many small, independent labs didn’t have the proper resources or skills to mitigate these attacks,” she says.
Challenges of securing against ransomware
Nevertheless, CISOs should look at how they can mitigate the damage a successful ransomware attack can cause.
Rob Dartnall, CEO and head of intelligence at SecAlliance, stresses the importance of hardening the supply chain. “Numerous firms deal with ransomware breaches and data breaches, not from within their own firm but from their supply chain,” he says.
“Whether or not the supplier has direct network access, provides software with potential malicious updates or holds sensitive data, monitoring the wider ecosystem – particularly the supply chain – is now as important as monitoring your organisation.
“Knowing who may target your suppliers and what the attack surface looks could have a significant impact on the likelihood of your organisation or its data being compromised by ransomware operators,” adds Dartnall.
ISF’s Watts recommends that business and IT security leaders decide on what are their crown jewels and mission-critical assets. “If you don’t keep on top of your asset inventories, your service and data catalogues, how on earth can you be sure you have everything covered, especially if nobody tells you when they change?” he says.
[embedded content]
An offline backup is somewhat tricky for ransomware to penetrate and the overall IT security architecture is an important consideration in the fight against ransomware.
“If your network design is representative of a single open-plan warehouse, all the threat actor needs to do is get in, then it’s access-all-areas,” Watts warns. “Inhibiting a threat actor’s lateral movement and limiting the scale of impact should they release a payload could be the difference between minor inconvenience and extinction-level event.”
He urges IT security architects to invest time and effort in designing a segregated environment that can offer a level of protection, to limit the damage a ransomware attack can cause.
Watts argues that IT teams need to implement strong and secure configurations based on least privilege coupled with an effective regime of patching. “If you need to take a prioritised approach to this, my advice is to start with your internet-facing assets,” he says.
The IT department needs to assess whether the asset is patched and maintained, and check whether it really does need access via the internet or require remote access services such as remote desktop protocol. Watts recommends IT teams ensure that services like Telnet, SSH and W3C are disabled unless they are actually needed.
“Vulnerability scanning and penetration testing goes hand-in-hand with all this, giving you an independent view of where your weaknesses lie,” he adds.
Beyond vulnerability scanning, Dartnall recommends CISOs put in place a cyber threat intelligence function to monitor the ransomware threat and attack surfaces. These offer actionable recommendations that can prevent a ransomware attack from occurring.
Looking externally, he says: “Monitoring the actions of the threat actors, their tactics and techniques, attack infrastructure and collecting indicators allows us to refine our security controls, detection logic and threat-hunting capabilities. Each of these activities further limits the possibility of a ransomware outbreak.”
As John Tolbert, a senior analyst at KuppingerCole, notes, having all the right elements of a security architecture in place improves a CISO’s chances of preventing ransomware attacks and/or minimising damage. Attackers are now targeting members of the software supply chain and are likely to continue to do so. He recommends CISOs put in place comprehensive defences to boost resilience. These measures need to be deployed across the IT industry.