What is the threat of ransomware to your company?
According to the Veeam 2022 Data Protection Trends Report, 76% of companies admitted to being attacked by ransomware in 2021. If we broaden the question and ask how many companies experienced a cyberattack of any kind, the number would be closer to 100%. Some of the main reasons ransomware has been so successful include the low cost of entry and the high return on investment for the attackers.
Let’s unpack that a bit. It’s been long known that attackers have no limit on the number of attacks they can send out, and attacks only need to be successful once to be profitable. In the pre-cloud days, the attackers had to maintain their own data centers with high-performance internet connections, email servers to send out the spam and large storage arrays for the stolen data. Attackers also had to parse the data to find something they could sell as well as market the data and process the transactions. All in, there were significant costs in terms of people and technology.
The cloud and growth of cryptocurrency changed this paradigm. Malware gangs could host their infrastructures in the cloud, making it portable as illegal providers were taken offline. The malware, delivery services and payment processing can now be sold as a subscription to anyone, anywhere, which increases the number of attacks victim companies will experience. The encryption of the victim’s data in place means there’s no need for attackers to have storage, and it eliminates the need to find a buyer since the data only needs to be valuable to the victim. Malware gangs have literally created a one-stop shop for theft.
As easy and profitable as ransomware has been, there has been an interesting evolution in the attacks. In the past couple of years, we’ve seen an increase in “double extortion,” where the data is both encrypted in place and copied to a storage repository controlled by the attackers. Some targeted attacks, where an attacker is actively in the victim’s network, have used ransomware after the primary goals have been achieved to increase their profits.
How does ransomware work?
Ransomware is a type of malware that encrypts your files and then demands money to decrypt them. It’s usually spread through email attachments, but it can also be downloaded from websites or shared on social media platforms like Facebook and Twitter. Once you open the attachment, the malicious software will infect your computer and lock up all your data. The bad guys then demand payment in order to get back into your computer and unlock your files.
Some of the most common ransomware attacks in 2022:
Steps in a typical ransomware attack
- Infection: The ransomware is installed on a target machine, often through a phishing attack or by exploiting a vulnerability.
- Encryption: The ransomware encrypts data on the target machine, making it inaccessible to the user.
- Ransom: The ransomware displays a message demanding payment in order to decrypt the data.
- Payment: Victims often pay the ransom, believing that this is the only way to recover their data.
- Decryption: After payment is made, the ransomware may decrypt the data or may simply delete it.
If your business has experienced a ransomware attack, you might notice some of the following symptoms:
- Your computer becomes unresponsive or freezes up.
- You receive an email that appears to be from someone at your company but contains malicious code.
- Your company’s network is slow or unavailable.
- Your emails stop arriving.
- Your documents cannot be opened.
- Your files cannot be accessed.
- Your access to financial records is blocked.
- Your company loses productivity due to downtime.
How can companies lower their risk from ransomware?
Detection technologies are not 100% effective, so it is best to create a strategy that includes the response to a successful attack. This is not admitting defeat but rather looking at the issue pragmatically. Guidance from organizations like the National Institute of Standards and Technology (NIST) and the Cybersecurity and Infrastructure Security Agency (CISA) can help build a resilient and even a proactive cybersecurity program. These agencies have created frameworks that allow you to plan for and respond to attacks in a structured way that reduces your overall risk and helps you recover faster. Some of these recommendations include improving your overall cyber hygiene, improving user education, following best practices for implementing technology, and creating detailed plans for responding to an incident. The end goal should be to mature your security program to the point where you understand the tactics, techniques and procedures (TTPs) being used against your company, and to build an enhanced threat intelligence program that stays current on the changing threat landscape and lets you anticipate attacks.
What should you do if you are attacked?
There are many checklists for incident response. The specific steps you follow will be influenced by any cyber insurance policies, or third-party incident response services you’ve contracted with. Having these services on retainer will quickly provide the expertise needed to investigate the event and negotiate with the attackers if needed. Generally speaking, you should be taking the following steps:
- Contact your incident response team and begin to triage impacted systems for restoration and recovery.
- Determine which systems were impacted and immediately isolate them.
- Do not make any changes to the system. This could impact the ability to collect evidence.
- Assess the integrity of your backup systems to determine if the data has been impacted by the malware.
- Contact your legal team and let them know what’s happening.
- Contact your family and let them know you will be working late. I know plenty of spouses and partners who want this on the list.
- Keep management and senior leaders informed via regular updates as the situation develops. Relevant stakeholders may include your IT department, managed security service providers, cyber insurance company, shareholders, investors, suppliers, and departmental or elected leaders.
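One way to carry out the backup-integrity step above, as an added example that is not Veeam's code or part of the original post: hash every file in a known-good backup into a manifest kept off the backup host, then re-verify the copy and flag files that are missing, changed, unexpected, or whose first bytes show the near-8-bits-per-byte entropy of freshly encrypted data. The file names, the ransomware-style `.locked` rename and the 7.5-bit threshold are assumptions for the illustration; `demo()` builds a throwaway directory to exercise the checks.

```python
import hashlib, math, os, tempfile
from collections import Counter

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:  # stream so large backup images need not fit in memory
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def shannon_entropy(data):  # bits per byte, 0..8; text sits well below 8, ciphertext close to it
    return -sum(c / len(data) * math.log2(c / len(data)) for c in Counter(data).values()) if data else 0.0

def build_manifest(root):  # hash every file while the backup is known good; keep manifest off-host
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            manifest[os.path.relpath(path, root)] = sha256_file(path)
    return manifest

def verify_backup(root, manifest, entropy_threshold=7.5):
    # Compare the tree with the manifest and flag files whose content now looks encrypted.
    findings = {"missing": [], "modified": [], "unexpected": [], "high_entropy": []}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if rel not in manifest:
                findings["unexpected"].append(rel)  # e.g. a renamed file or a dropped ransom note
            elif sha256_file(path) != manifest[rel]:
                findings["modified"].append(rel)
            with open(path, "rb") as f:
                head = f.read(4096)
            if len(head) >= 256 and shannon_entropy(head) > entropy_threshold:
                findings["high_entropy"].append(rel)
    findings["missing"] = [r for r in manifest if not os.path.isfile(os.path.join(root, r))]
    return findings

def demo():  # constructed scenario: a known-good backup, then the damage ransomware leaves behind
    def write(rel, data):
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    with tempfile.TemporaryDirectory() as root:
        write("report.txt", b"Quarterly report. " * 100)
        write("notes.txt", b"Meeting notes.\n")
        manifest = build_manifest(root)
        write("report.txt", os.urandom(4096))  # overwritten with ciphertext-like bytes
        os.rename(os.path.join(root, "notes.txt"), os.path.join(root, "notes.txt.locked"))
        return verify_backup(root, manifest)
```

Compressed or already-encrypted archives are high-entropy by design, so allow-list those paths before acting on the entropy flag alone; the hash mismatch is the authoritative signal.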
Should you pay the ransom?
The short answer is no, since there’s no guarantee that an attacker will provide a working decryption tool even if they are paid. It’s also possible that paying the ransom will create larger legal issues as more sanctions and laws are put in place. Combine that with the likelihood that you will be targeted again if the attackers believe you will continue to pay, and the risk is too high. But that’s just me. Here’s what the FBI says about paying the ransom.
“The FBI does not support paying a ransom in response to a ransomware attack. Paying a ransom doesn’t guarantee you or your organization will get any data back. It also encourages perpetrators to target more victims and offers an incentive for others to get involved in this type of illegal activity.”
The reality is that many organizations have not prepared for a ransom situation, which turns the “no” into a “maybe” when backups are compromised and critical data is at risk of being lost. It’s for this reason that security professionals stress the need for preparation to lower your risk of having to pay a ransom.
Who should you notify?
Report ransomware attacks to law enforcement. Here in the U.S., FBI field offices and the Internet Crime Complaint Center are the resources that can begin an investigation. Since you’re probably not the only victim, your report can help authorities build their case against the attackers. Contacting authorities can also help you collect evidence for your own investigation and build a cyber insurance policy claim.
You should also notify any affected parties via email or a public announcement on your website. This could include customers, suppliers or partners that may have been impacted by the ransomware attack. Your exact process for notification will be guided by your legal counsel and the regulations within your industry, but by being transparent about the incident, you can retain trust in your organization and limit any damage to your reputation. It’s also possible that the initial attack vector was a business partner, so directly informing them may help prevent future attacks by helping them secure their networks.
What other resources are there?
Every vendor should have best practices for hardening your systems. Veeam’s is in the help center and there’s a great whitepaper on the subject. CISA has included a list of general recommendations and checklists in their Ransomware Guide and joining information sharing groups can help you identify new ways to enhance your protection.
These groups include:
- Multi-State Information Sharing and Analysis Center (MS-ISAC): https://learn.cisecurity.org/ms-isac-registration
- Sector-based ISACs: Member ISACs list, National Council of ISACs (nationalisacs.org)
- Information Sharing and Analysis Organizations (ISAOs): Information Sharing Groups, ISAO Standards Organization
It’s possible you could have the best security plan, the most well-trained users, and bleeding-edge technology and still experience a breach. It will be frustrating and humbling, but once it’s over it’s important to conduct a formal post-mortem to document what worked and what needs improvement. For example, identify the processes that didn’t work as intended or were missing altogether. Were there assumptions made during the planning process that weren’t true? I’ve even heard of people keeping a running list of questions that didn’t have an answer, or where the answer was “I don’t know,” and using the list as part of the improvement plan.
Here at Veeam, we believe rapid, reliable recovery is an integral part of the overall cybersecurity incident response process and must be thoughtfully planned out just like the rest of your security architecture. At the end of the day, your data is your most valuable asset, so it must be protected with a secure backup solution that is not only flexible enough to build immutability that fits your needs, but also verifies the backup jobs to ensure the data is there and malware free when you need to restore. All these reasons and more are why when we think about ransomware, Veeam believes secure backup is your last line of defense.