Mounting a defence in the ransomware war

Ransomware attacks are escalating – it’s a criminal industry already worth billions and it’s only going to get worse. Baker Tilly’s cyber security experts discuss common weaknesses and how best to prepare against the inevitable because it’s a case of when, not if, a business is hit.

It’s the customer service story you never want to tell.

Locked out of their critical IT systems, facing the loss of important corporate and customer data, the Dutch business could only speak glowingly of the call centre offering support. Within a matter of minutes, a helpful operator was able to guide the business through the process of making payment so they could get their files restored.

But the catch is this wasn’t an IT help desk on the phone. It was one of the well-staffed, smoothly run ransomware call centres that allow people to negotiate and pay the criminal enterprises that have encrypted their data in the first place.

Ransomware is now one of the world’s most profitable (and seemingly low risk) criminal enterprises — with an underground network estimated to cost legitimate businesses around USD20 billion this year alone.

While that sum is 57 times the amount collected by ransomware gangs only a few years ago, the worst is yet to come, and some experts suggest that within a decade, USD265 billion will be stolen and extorted annually through ransomware crime. And with that growth in revenue has come remarkable sophistication as crime gangs efficiently target victims, with an estimated 150% surge in attacks in the past year.

A simple crime with a sting in the tail

What sets ransomware apart from many other kinds of cyberattacks is the simplicity of the crime, which combines both technological and psychological attacks on the victims.

Unlike malware that might corrupt files, ransomware uses encryption tools to lock them so they are just out of reach of a business that desperately needs its systems and data to be able to continue shipping goods, paying staff, responding to customers or delivering on contracts.

While it is relatively easy to enact this encryption — some ransomware tools trade on the dark web for as little as £50 — the lock is also very difficult to undo.

For many companies, the cost of paying the ransom is relatively small: a median £34,000 in the first quarter of this year, according to Coveware.

But the cost of ransomware goes far beyond the ransom payment. Besides an average downtime of three weeks, 80% of ransom attacks now include the threat to leak company data, which can trigger its own crisis in terms of loss of trust (reputational risk) and breach of privacy.

Then there are the recovery and business interruption costs, even if a ransom is paid. In fact, a survey by cybersecurity group Sophos of more than 5400 companies earlier this year found that of those who were attacked and paid up, only 8% recovered all their data, and on average only two-thirds of files were restored.

Risks of ransomware

Although the average payout for ransomware might be small, there is huge potential for high yield returns.

Not only has the volume of attacks scaled dramatically, to one every 11 seconds, but as their techniques and tools improve, gangs are changing tactics. Ransomware first responder Coveware suggests that the size of companies who fall victim to ransomware is growing, with half the victims in Q2 this year having 200 or more staff.

Although experts are divided over how closely ransomware attackers consider the industry of their victims, some groups are over-represented, in part because the software they use has been exploited or because they hold sensitive data and are more likely to pay.

Email phishing attacks and compromised remote access remain the key vectors for ransomware, with malware introduced into a network that can initiate an attack.

Preparing a gameplan

Pitcher Partners’ Head of Security Eric Eekhof says businesses should rightly feel alarmed about the surge in ransomware, but planning is key for the best chance of protecting the business.

“Organisations can consider several solutions that can all prevent an attack from being successful,” said Mr Eekhof.

“Something as simple as keeping all systems up-to-date with the latest versions and patches is a good first step. The vast majority of ransomware abuses known security issues in common operating systems and applications such as Microsoft Windows, Office and Acrobat Reader. These software providers have usually already provided patches and upgrades and it is on organisations to ensure these patches and upgrades are applied as quickly as possible in their IT environment.”

Mr Eekhof said one of the biggest myths in resolving ransomware attacks is to pay the ransom.

“It is estimated between a third to a half of infected companies pay something to criminals holding their data to ransom, but there is no guarantee you will get your data back,” he says.

Regardless of whether you pay, however, the real cost lies in addressing the vulnerabilities in your system in the first place, estimated to commonly cost 10 times an average ransom.

“Educated staff are less likely to open infected attachments which put the organisation at risk,” said Mr Eekhof.

“Training staff about ransomware and security risks greatly reduces the risk of infection. Users can be trained to identify phishing emails and malicious messages including ransomware.”

There are also several technical solutions that can be implemented in an organisation’s IT environment to prevent the execution or spreading of ransomware once detected.

There are many products in the marketplace which are constantly being updated by their suppliers, but there is no guarantee they detect the latest versions of ransomware.

However, Mr Eekhof says organisations must be proactive to minimise the harm of a potential ransomware attack.

“Organisations must ensure they always have recent and complete backups which will be a serious lifesaver if you are targeted and want to recover data without paying the ransom. You should not only back up all your data, but also regularly test them to ensure they are complete, accurate and useful. There are regular incidents where organisations discover that the backups they thought they had were incomplete or useless, leaving them in exactly the situation they tried to prevent.”

This article first appeared on Baker Tilly International’s Great Conversations hub.