By Ez Yiap
Cyber Security Consultant (GRC) and Assistant Trainer for the Institute of Data’s Cyber Security Program.
An IOD alumni who pivoted into cyber security, Ez now helps organisations assess and strengthen holistic cyber security. Ez is passionate about contribution and coaching within the cyber security community. Connect with Ez on LinkedIn here!
Ransomware is a form of malicious software (malware) that is distributed and/or deployed by a threat actor (malicious person, hacker, cybercrime group). Ransomware is intended to disrupt system operations, deny access to files, services or possibly the entire device, and place timebound pressure to take corrective action. While it can impact individuals, average home users or households, it is usually targeted at organisations, being a primarily financially motivated attack.
Who uses ransomware, and who do they target?
Usually, a cybercriminal organisation or entity leverages ransomware to encrypt files on an organisation’s device(s), denying access to staff or customers, and sometimes even both. In most scenarios, the threat actor holds the decryption algorithm program and demands a ransom be paid by the organisation in order to decrypt the files/system within a specified timeframe so the organisation can regain control and return to operations.
How does a ransomware attack start?
As with most cyber-attacks, ransomware can impact a device through different vectors. It could be an email attachment activated by an unaware user or in a download unbeknownst to the user. Additionally, ransomware may be deployed by a threat actor following the compromise of a network environment, gaining access to systems and applications via phishing for credentials, or the use of social engineering to gain initial access before deployment.
Sometimes it is as simple as tricking a user into being directed to a malicious website where the malware download occurs. Ransomware can even be placed on external media, such as a USB drive and when plugged into a computer, infects the device.
Ransomware as a Service (RaaS) is a criminal business model whereby one entity (affiliate) pays another (operator) to launch a ransomware attack against a specified target. This allows almost anyone the capability to instigate an attack without necessarily having developed ransomware software or having deep technical know-how to undertake the engagement. CrowdStrike, via its Cybersecurity 101 channel, advises RaaS can start from as low as USD$40 per month, and the average criminal ransom demand in 2021 was USD$6 million.
Have you heard about the rise in ransomware ‘double-dipping’?
Ransomware attacks are often associated with data breaches, whereby the threat actor exfiltrates sensitive data before encrypting the devices or systems. This rising cybercrime trend is known as ‘double-dipping’. In addition to the denial of access, the threat actor holds the organisation to an additional ransom at the threat of releasing the data extracted to the dark web, public, or selling it to other cybercriminals.
There is, of course, never any guarantee that if a ransom is paid, the threat actor will provide decryption, return any stolen data or not take other cybercriminal action. Many organisations that have paid a ransom often still have the exfiltrated data leaked regardless.
Why should we be concerned about ransomware?
Understandably, ransomware tops the list of many organisations’ worries when it comes to an ever-evolving threat landscape. Risks come in all forms; economic, weather, organisational, geopolitical, market, human, technology and more; however, they are not always considered, assessed and treated equally. As a result, cyber risk is challenging for many organisations.
It often requires the considerations, resources and attention traditionally excluded from business inception, being sought after or implemented in later maturity stages as the organisation grows. Additionally, given the proliferation of ransomware is relatively recent, many established organisations have not known about it or how to mitigate against it or respond when impacted.
Ransomware is feared because of the debilitating way it can cripple an organisation effectively and efficiently. IT can often occur so quickly, and the resulting impact is critical. There can be drastic ripple effects on supply chains, the community, and even the health and well-being of people.
CrowdStrike, in its 2022 Global Threat Report, observed that in 2021, ransomware-related data leaks increased by 82%, with the total number of attacks at 2,686 by the year’s end compared to 1,474 during 2020.
What is the solution to protecting against ransomware attacks?
There are plenty of dedicated technology solutions that claim anti-ransomware capabilities. Additionally, there are longstanding anti-virus and anti-malware packages that continue to extend protection tools into anti-ransomware offerings.
Finally, some companies or individuals put vulnerability management at the top of the mitigation stack. Others may say doing daily backups or even prioritising taking out cyber insurance can be a way to safeguard you.
Ultimately, preventing, detecting, responding to and recovering from ransomware, as across cyber security as a whole, requires a holistic approach of people, processes and technology controls. Let’s look at these in-depth a bit further.
What part do people play in protecting against ransomware?
People are arguably the leading cause of ransomware attacks being successful, but just the same people can be an organisation’s greatest proactive defence against it.
Ransomware has to be delivered and deployed to a device for it to take effect and encrypt data, locking out user(s). For a threat actor to deliver and deploy the ransomware, they need to breach the organisation’s device, network or environment by some means.
Ransomware attacks often start with obtaining a user’s credentials through a means of social engineering such as email phishing, vishing (like phishing but on a voice call) or by sending a user an email with a malicious attachment. Sophisticated ransomware attacks leveraging a user may involve social media connections, spam, impersonation, direct messages or even app store downloads to mobile devices.
The Australian Cyber Security Centre (ACSC) lists three cautions that users can take and be trained on:
- Visiting unsafe or suspicious websites
- Opening emails or files from unknown sources
- Clicking on malicious links in an email or via social media
Embedding a workplace culture of security awareness is essential to ensure that staff operate day-to-day tasks with a heightened sense of awareness.
Verifying before trusting is a key concept for users to learn about. By implementing a mindset of risk assessment with all communications and interactions, staff will be more likely to verify the validity of email sources, attachments, requests, messages, calls, etc.
What are some of the essential processes for ransomware incident readiness and response?
Organisations need policies addressing ransomware and other security-related incidents. Additionally, processes and procedures are required in order to build out tactical and operational direction. Staff need to know what steps to take in order to identify a ransomware incident, how to contain it, who to speak to about it, what other impacts may result from the ransomware and how to treat it.
To promote an organisation’s cyber maturity growth, processes need to address lessons learned, such as a formal and documented incident review, revision and coaching process. Organisations can utilise procedures to empower staff to feel ready to deal with a ransomware incident and then recover and better prepare for future incidents.
As ransomware is often a security incident that requires multiple stakeholders, both internally and externally, and may require contact with government and law enforcement bodies as well as regulators and insurers, there is a multitude of moving parts.
Communication and how to effectively and timely notify the proper entities is crucial. Processes should be developed, tested, reviewed, updated and treated as living documents made aware to all relevant parties.
What technology controls prevent, mitigate and treat ransomware risks?
Other than leveraging people as a vector to deploy a ransomware attack, threat actors will look to take advantage of technical vulnerabilities in software, applications, websites, network infrastructure and end-user devices.
Therefore, mitigating the threat of ransomware requires addressing multiple layers of technology. Some of the top mitigations are as follows:
- Maintain a formal, documented vulnerability and patch management programme. This should include the identification of severity ratings for vulnerabilities and the required timeframe that these must be addressed and patched by the organisation. For such a programme to be effective, a detailed, comprehensive and complete asset register is required to ensure that no asset – whether device, operating system or application – goes unchecked for the most up-to-date security patching.
- Patch management – updates – should be centrally managed for all user devices where possible, including Bring Your Own Devices (BYOD), mobiles, laptops, and all other network and infrastructure technology.
- Utilise multi-factor authentication (MFA). MFA addresses several security controls across a few domains. As an access control, MFA can be used to prevent a compromised user’s account from being leveraged as a vector to the device or environment and work as an effective flag raised as to the possibility of a security event attempted or underway.
- Backups are an age-old challenge that many organisations continue to fight. Increasingly, this challenge arises in organisations undertaking cloud migrations or having legacy systems in production that limit timely, effective, and affordable controls. Avoiding having to pay a ransom can often be addressed by restoring a device, system, network or environment through the restoration of backups. However, if the organisation’s policies and procedures do not address regular backups, including testing backups to ensure availability, integrity, and, importantly, segregation from all other parts of the network, they may not be effective.
- Ransomware protection technology is available through several software bundles, applications or solutions. Windows Defender in Windows 10, for example, has some capability to provide ransomware protection. Other end-point detection and response (EDR) or next-generation EDR solutions, sometimes known as XDR, are able to provide intrusion detection/prevention responses and take actions to mitigate threats when suspicious traffic, files or events are encountered.
For an individual or organisation to have an assurance of readiness to respond to ransomware attacks, people, processes and technology controls must be fully implemented, tested, reviewed and updated routinely to keep up with the changing threatscape.
So, what’s the best approach?
When it comes to paying a ransom, most organisations have to assess the impact and cost of paying the ransom versus the impact and cost of being taken offline or unable to do business for a period of time. In some instances, paying a ransom may be deemed as contributing to or being an instrument of crime.
For example, in some parts of the world, sanctions apply for the support of advanced threat persistent (ATP) groups or terrorists that may use ransomware for funding their activities and criminal organisations.
Organisations and individuals should always consider legal advice as part of undertaking their ransomware policies, processes, response readiness and incident management.
Cyber insurance companies are increasingly reluctant to honour claims related to ransomware. They may ask in some circumstances that a level of maturity in cyber security controls be implemented within the organisation to be eligible for a claim to be lodged and honoured.
Organisations such as the ACSC and numerous technology vendors provide free resources that can be used to start the journey for organisations to identify risks potentially leading to a ransomware attack. A great starting point for organisations is to undertake a risk assessment for a baseline on what the opportunities are for improvement.
From there, they can develop a strategy to implement controls and mitigations. There is no one solution, fix-it-all for ransomware, so organisations’ leadership must understand that it is a holistic approach to be most effective.
Fighting ransomware is each and everyone’s responsibility in the current threatscape. Keep in mind that people, processes and technology are all required as a holistic approach.
Exciting, challenging and rewarding career prospects exist and continue to boom in each of these aspects to address to protect and secure individuals, communities and organisations against ransomware.
If you are thinking of stepping into a role in the fight against ransomware and protecting organisations, individuals, communities, and even countries, you should look at the skills required to equip yourself as a cyber security expert.
By joining the Institute of Data’s Cyber Security Program, you will obtain job-ready skills and industry connections that could get you one step closer to becoming an integral part of the ransomware solution.