It happens all too often: a hacker breaks into a company’s cyber systems, threatening chaos. Or they get access to confidential information prior to a merger. Then follows the message: pay up — or else.

Ransomware refers to the use of malware to encrypt files. To get the key to decrypt their data, the victim pays ransom. It’s extortion with a 21st-century twist, and it is far from uncommon. Supply-chain attacks rose by 42% in the first quarter of 2021 in the United States. Plus, ransomware is getting more expensive. The average ransom fee requested rose from $5,000 in 2018 to about $200,000 in 2020, and there are any number of companies that have paid millions. The total costs of dealing with ransomware could be more than $265 billion by 2031.

All the signs show that ransomware extortionists are getting more sophisticated. And with more businesses digitizing their data, the threat is growing and metastasizing. To build resilience and fend off the worst consequences, security leaders can implement these four tactics.


This starts by knowing what technology an organization has and who has access to it, and then keeping track by monitoring remote collaboration tools and checking networks for malware. It continues by ensuring that security is ingrained into day-to-day operations and regularly reinforced. Phishing emails and remote desktop protocol (RDP) compromises are the most common sources of ransomware breaches. In 60% of cases, the malware is installed directly or via desktop-sharing apps. Only constant vigilance can improve defense — even if it cannot guarantee it.

Given the substantial shift to remote working, it’s critical to improve home networks, beginning with such basics as insisting on strong passwords and prompt installation of software updates. Multi-factor authentication (MFA) is relatively straightforward to implement, but constitutes a strong barrier against malware attacks. The same is true for restricting user-level command-line capabilities and blocking Transmission Control Protocol (TCP) port 445. Doing so can reduce the efficacy of the software and scanning tools that ransomware extortionists use. Along the same lines, take steps to protect the Active Directory, which contains services that connect users to network resources.
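As an added example (not part of the original article), the script below audits a Linux perimeter firewall export for the two exposures named above: TCP 445 and RDP, whose default port is TCP 3389. It assumes rules in `iptables-save` format; the ruleset, the function names `verdict` and `exposed`, and the probe address are constructed for illustration, and the evaluator models only the simple match options shown.

```python
import ipaddress
import shlex

# Constructed ruleset in iptables-save format (sample data, not from the article).
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 445 -j DROP
-A INPUT -p tcp -m multiport --dports 443,3389 -j ACCEPT
COMMIT
"""

def port_match(spec, port):
    """True if port is in an iptables port spec such as '445' or '443,3000:3389'."""
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def verdict(rules, src, dport, chain="INPUT"):
    """First-match verdict for a NEW inbound TCP connection (simplified model)."""
    policy, src_ip = "ACCEPT", ipaddress.ip_address(src)
    for line in rules.splitlines():
        if line.startswith(f":{chain} "):
            policy = line.split()[1]          # chain default, used if nothing matches
            continue
        tok = shlex.split(line)
        if tok[:2] != ["-A", chain]:
            continue
        opts = dict(zip(tok[2::2], tok[3::2]))  # assumes "-flag value" pairs, no "!"
        ports = opts.get("--dport") or opts.get("--dports")
        states = opts.get("--ctstate") or opts.get("--state")
        if (opts.get("-p", "tcp") not in ("tcp", "all")
                or ("-s" in opts and src_ip not in ipaddress.ip_network(opts["-s"], strict=False))
                or (ports and not port_match(ports, dport))
                or (states and "NEW" not in states.split(","))):
            continue
        if opts.get("-j") in ("ACCEPT", "DROP", "REJECT"):
            return opts["-j"]
    return policy

def exposed(rules, ports=(445, 3389), probe_src="203.0.113.10"):
    """Ports from the watch list that an internet source (documentation IP) can reach."""
    return [p for p in ports if verdict(rules, probe_src, p) == "ACCEPT"]

if __name__ == "__main__":
    print("Reachable from the internet:", exposed(SAMPLE_RULES))
```

On the sample ruleset, port 445 is limited to the 10.0.0.0/8 range, while the multiport rule leaves RDP open to any source, which is the finding the audit reports.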


Anticipating is better than reacting. One idea is for a skilled team, including senior leaders, to create plausible scenarios, and then devise a business continuity plan in case of attack. This can uncover vulnerabilities and build confidence in the ability to manage disruption. The team can also determine who will lead the response if an incident occurs, and decide whether to pay.

It may not be possible to prevent any and all cyberattacks, and it certainly cannot be assumed. The overarching goal of preparation, then, is resiliency, to ensure that the company can keep running if a specific technology is compromised. That means identifying the most critical assets, protecting them as much as possible and developing a backup process. Regular recovery testing builds muscle memory and encourages problem solving.


Speed matters: every day a company’s data is muddled or lost exacts a very real price. At the same time, hasty decision-making can lead to bad outcomes. To thread this needle, convene everyone who matters immediately, including the board, senior executives, affected business groups, and compliance, risk, and technical experts to craft a single, unified message. It’s also a good idea to consult legal counsel and insurers sooner rather than later.

An effective ransomware response starts with calling law enforcement agencies, who may have capabilities the company does not and be aware of factors that can inform the response. For example, it can be illegal for companies to pay ransom to entities from countries subject to U.S. sanctions. Then plan to engage outside stakeholders, who may be put under pressure by the attackers, or their affiliates, to push for settlement. Regardless of the nature of an attack, responding to it requires information; in the case of malware, that means determining how the criminals gained access and how serious the attack is. In the best-case scenario, such intelligence can lead to finding the decryption key. At the least, it provides insights that can be useful during negotiations.


Ransomware perpetrators are criminals. Therefore, their integrity cannot be assumed. So the closer a company gets to paying the ransom, the more it needs to insist on proof that the hackers have what they say they have. Whether payment is made or not, networks may have to be rebuilt, reinforced and scrubbed. Recovery is a process; in a sense, it is the first step in prevention because the ransomware threat is constantly changing.

Ransomware can seem like the mythical hydra — with two heads growing when one is chopped off. In an increasingly digital world, no single business can take down the hydra. What each company can do, however, is protect itself as best it can.