Ransomware on the rampage

With 24% of businesses identified in recent research as having been victims to an attack, the omens for the year ahead look worrying. How can they start fighting back?

Nearly a quarter of businesses have suffered a ransomware attack, with a fifth occurring in the past 12 months, according to an annual report from cybersecurity specialist Hornetsecurity.

The company's 2022 Ransomware Report, which surveyed more than 2,000 IT leaders, discloses that 24% have been victims of a ransomware attack, with one in five (20%) attacks happening in the last year.

Cyberattacks are certainly happening on a very wide scale with ever-increasing frequency. Last year's ransomware survey by Hornetsecurity revealed one in five (21%) companies experienced an attack; this year, it rose by 3% to 24%.

"Attacks on businesses are increasing, and there is a shocking lack of awareness and preparation by IT pros," states Hornetsecurity CEO Daniel Hofmann. "Our survey shows that many in the IT community have a false sense of security. As bad actors develop new techniques, companies like ours have to do what it takes to come out ahead and protect businesses around the world."

The 2022 Ransomware Report highlights a lack of knowledge on the security available to businesses. For example, a quarter (25%) of IT professionals either don't know or don't think that Microsoft 365 data can be impacted by a ransomware attack. Just as worryingly, 40% of IT professionals that use Microsoft 365 in their organisation admitted they do not have a recovery plan, should their Microsoft 365 data be compromised by a ransomware attack.

"Microsoft 365 is vulnerable to phishing attacks and ransomware attacks, but, with the help of third-party tools, IT admins can back up their Microsoft 365 data securely and protect themselves from such attacks," adds Hofmann. Industry responses showed the widespread lack of preparedness from IT professionals and businesses. There has been an increase in businesses not having a disaster recovery plan in place, if they do succumb to the heightened threat of a cyberattack.

In 2021, 16% of respondents reported having no disaster recovery plan in place. In 2022, this grew to 19%, despite the rise in attacks. The survey also showed that more than one in five businesses (21%) that were attacked either paid up or lost data. Hackers have an incentive to run these ransomware attacks, because there's a decent chance that they'll get a payday - 7% of IT professionals whose organisations were attacked paid the ransom, while 14% admitted that they lost data to an attack.

Hofmann concludes: "Interestingly, 97% of pros are moderately to extremely confident in their primary protection method, even if they don't use many of the most effective security measures available, such as immutable storage and air-gapped off-site storage. This tells us that more education is needed in the field and we're committed to this cause."

You can read more at this link: https://www.hornetsecurity.com/en/knowledge-base/ransomware/ransomware-attacks-survey-2022

Data backup alone is not enough to protect you, cautions Florian Malecki, executive vice president marketing, Arcserve. "Companies should also plan to recover data quickly and cost effectively, following a ransomware attack. With a well-thought-out recovery plan in place, you may be able to restore the exact version of a file or folder following a data loss properly and quickly."

Immutable storage should be a vital component of your backup and recovery plan to allow you to safeguard your data, even if a ransomware attack victimises you, he states. "An immutable solution continually protects your data by taking snapshots every 90 seconds. These snapshots make it possible for you to go back to specific points in time before an attack and recover entire file systems in a matter of minutes. As a result, even if an attack is successful, your information will be quickly and easily recoverable to a very recent point in time."

Because your backup data is immutable - your data can't be altered in any way by ransomware - there will always be a series of recovery points, ensuring your data remains protected, argues Malecki. "This immutability can also bridge the security and the operational infrastructure teams, which have traditionally been siloed. That means these two groups can speak the same language and work together in the face of ransomware threats.

"If the worst happens and you fall victim to an attack, being in control of your recovery would be highly comforting to everyone involved in your organisation. Your data protection system should be able to deliver orchestrated recovery with a single click. In a ransomware attack, you should be able to recover confidently by safely spinning up copies of physical and virtual systems onsite and offsite in minutes-not hours or days.

"An ideal data protection system will also use analytics to identify frequently used data that a business should always back up and less vital data that doesn't have to be. This system gives organisations an intelligent, tiered data architecture that provides rapid access to mission-critical information."

Ransomware attacks are at an all-time high, with 2021 receiving the largest ransomware payout by an insurance company ($40 million, according to Matthew Woodward), and have witnessed a 94% increase from 2021 to 2022 on US healthcare organisations, states Kyle Mitchell, commercial sales director for Whitaker Brothers. "Damage from ransomware can be costly for businesses, as recovering data can be time-consuming, often costing businesses money to resolve."

To avoid any possible ransomware attack, he offers practical tips on preventing malware from reaching your organisation's devices.

Analyse suspicious emails for any unorthodox attachments - ransomware can find its way onto your device through suspicious emails and email attachments. "These can often be found through emails that contain strange requests for information, scaremongering tactics and uncharacteristic requests from known associates. Ensure that you read a suspicious email carefully, paying close attention to the sender. If you are unsure if the email is trustworthy, avoid opening any attachments," says Mitchell.

Create regular backups of your files - "Regular backups for your organisation are ideal to bounce back from a ransomware attack and should be created offline, so that digital attackers cannot target your data."

Keep systems up to date - "Making sure that systems are up to date is an effective way to close all essential security gaps that digital attackers often try to exploit."

Apply an Intrusion Detection Systems (IDS) - this compares network traffic logs to signatures that identify known malicious behaviour online.

Actively inspect content - you can reduce the likelihood of ransomware attacks actually reaching your devices by actively inspecting the content. "This means filtering your files to only allow file types you want to receive, blocking websites that are known to be malicious, and using signatures to block known malicious code," he adds.

Train your team - an effective security awareness training programme within your organisation can be crucial in stopping ransomware attacks.

Meanwhile, two-thirds (65%) of Critical National Infrastructure (CNI) has fallen victim to a cyberattack over the past 12 months - statistics unveiled in new research from global cybersecurity company Forcepoint. The report examines the pressure CNI cybersecurity professionals face, as they balance the rapid pursuit of digital transformation with the cyber threat landscape.

"Ransomware is perceived by cybersecurity professionals to present the greatest risk to CNI organisations," says Forcepoint. "This is unsurprising, given 57% report that their organisation fell victim to a ransomware attack in the last year, of whom 72% admitted to paying the ransom."

When asked what aspects of the current cybersecurity threat landscape cause CNI cybersecurity professionals to worry the most, the challenge of managing more complex security solutions was superseded only by concerns that the Russia-Ukraine war could be increasing the risk of cyberattacks.

And Forcepoint further states: "The rapid digital transformation of both IT and OT [operational technology] environments is compounding the challenge that CNI cybersecurity professionals are facing. When asked about its impact on their organisation, the most cited concern was the need to secure new technologies, because they were new to the organisation, as well as being difficult to secure properly."

CNI cybersecurity professionals also believe a cyberattack on CNI could lead to disruptive behaviour amongst the general public, which increases the difficulty of mitigating or controlling the impact of an attack. In the US, the greatest concern was of a power outage, whereas cybersecurity professionals in the UK predict that disruption to personal banking would have the greatest impact." The threat of disruption is also amplified by what cybersecurity professionals believe motivates cyberattacks on CNI. The greatest threats were perceived to be from cyber gangs demonstrating their capabilities, acts of political retaliation, acts of hacktivism and acts of cyber warfare.

"Unfortunately, the research has also found many CNI cybersecurity professionals are feeling the pressure of this high-pressure, high-complexity environment. Feelings of stress, anxiety and burnout are affecting over one-third of all CNI cybersecurity professionals [35%, 39% and 36% respectively]. "This is impacting their professional experience, with two-fifths of cybersecurity professionals reporting that the pressure to secure CNI has led them to have a low morale at work (40%), rising to 51% of UK employees. Worryingly, it is also affecting their personal well-being."

Adds Dan Turner, vice president at Forcepoint: ""Understanding the challenges our cybersecurity professionals in CNI are facing helps us find better solutions to alleviate the burden on them. They work in a climate of high risk, diverse threats when rapid adoption of new technologies changes security parameters all the time. Knowing what motivates and worries our industry is key - it helps us help them in their efforts to ensure no new threat or technology puts our essential services at risk of disruption, so which, in turn, allows us to secure a safer and more sustainable future for everyone."

"Securing an expanding digital footprint is one of the biggest challenges facing companies," points out Sam Curry, chief security officer, Cybereason. "With ransom-ware attacks surging, the clock starts to immediately tick after ransomware has executed. And when the ransom itself is received, that is a time of high adrenaline, confusion and panic for most. This is actually by design on the part of the attackers."

They attack, often, at night, on holidays and weekends to maximise pressure, and, therefore, the chance of poor decision-making and capitulation. According to a recent Cybereason study on ransomware attacks, more than 60% of organisations lack preparedness on holiday and weekends, and it limits their ability not only to assess the risk, but stop it as well. Hackers know this and they attack accordingly.

"Companies can't pay their way out of ransomware and many decide they won't pay," adds Curry. "Hopefully, they are backing up data, but how quickly can the data be operational? If a company isn't backing up their data and still won't pay, that decision comes with weathering the pain of rebuilding. And what other trade-offs come into play? Can services continue? Is public safety or human life at risk? What is the cost of rebuilding? How long will it take to rebuild etc? There is the arithmetic of recovery, the risk equation, the truly compelling questions like not putting human life at risk and then there is also the ethical question of funding criminal activity."

Given the massive strides that the security industry has been making in developing sophisticated network protection technology, this raises a vital question according to Mark Oakton, CEO/Consulting CISO, Infosec Partners: "Why is ransomware still able to keep CISOs awake at night and send shockwaves through the corporate world's boardrooms?" There are many reasons, he believes, including a reliance on outdated technology, combined with poor staff awareness and training - but ultimately the answer lies in human nature.

"Ransomware attacks are typically the result of a simple lapse in judgement or concentration by a user who fails to spot a fake email, but also whether to pay or not is a decision only management can make. In the latter case, most people's natural reaction is likely to be to try to tough it out and pray that the IT team can get things back up and running. Unfortunately, the hackers have thought of that and typically built in the ticking timebomb factor, increasing pressure to cave in and pay up while there is still time for damage limitation," he says.

In such situations, the management team finds itself between the proverbial rock and the hard place. "Stand firm and risk not just losing their entire OT systems, including business critical files and corporate data, but also the indirect costs, such as reputational damage and any incurred customer liability costs; or take the hit and move on as quickly as possible."

In the end, adds Oakton, it all comes down to a simple cost/benefit decision, which usually means taking the least-worst financial impact option and giving in to the hacker's demands.

"For its victims, ransomware holds some salutary lessons that need to be heeded, if they are going to avoid similar attacks in the future. Top of the list is: don't assume that you are now immune. Research has shown that hackers are very likely to be back to see if you have strengthened your defences. Next, ensure that you have a robust backup and recovery plan for all critical systems and, last but not least, put in place rigorous network management policies, backed by a programme of regular user education to engender a corporate culture of cyber awareness."

Steve Forbes, government cyber security expert, Nominet, picks up on the NCSC advice against paying a ransom, on the basis that there's no guarantee you'll actually have access restored, if you pay, and it could make your business a bigger target in the future. "But, if a worst-case scenario does happen," he says, "and you hold out on paying a ransom, there are steps you can take to mitigate any damage and try to recover.

"At a bare minimum, having robust backups on hand that have been tested and are resilient to malware is critical to get any impacted systems back online and operational in a quick manner. Ideally, this would be part of an incident response and crisis management plan that would be implemented at the first sign of trouble."

Local authorities and national cyber agencies like the NCSC can also become a major lifeline in a ransomware situation, he adds. "They're the experts, and have all the procedures and actions in place to deploy when needed. Whether it's sharing technical advice for what to do or providing access to information, liaising with organisations like this can be invaluable. The quicker a business reaches out for help when disaster strikes, the better chance they have to recover and get back on track. Additionally, transparency with the authorities and any person or organisation that may be impacted by the incident is crucial. This can help to minimise reputational damage and reduce any fines that are imposed by regulatory bodies."

Double extortion ransomware is another increasing trend for businesses to be wary of, where threat actors encrypt and hold hostage valuable data, putting additional pressure on them to pay up. "This is where, on top of having trusted backups, it is vital to have strong data encryption before it has a chance to be stolen, ensuring that, if an attacker is threatening to expose the data, it is at least protected," Forbes concludes. "Finally, organisations should ensure that only data that is required is retained, as this reduces the risk and impact, should any data be compromised."