It’s a tough decision that, unfortunately, many Australian businesses are going to have to make during the coming year. If hit by a successful ransomware attack, should they pay the demanded ransom?
Some may decide that avoiding the disruption caused by having critical data encrypted is worth the cost of meeting the demand. Others may be covered by insurance or decide to ditch affected systems and start again.
It should be remembered, however, that even paying the cybercriminals does not guarantee access to the data will actually be restored. Also, recent industry research found that 80% of organisations that opt to pay end up being attacked again.
With the number of attacks rising quickly, the chance of an organisation falling victim is growing. For this reason, it’s vital to have in place a plan covering the steps that will be taken if an attack occurs.
This comprehensive plan should cover three important elements: protection of identity credentials, securing web applications and access, and backing up data.
ID credential protection
Cybercriminals mounting a ransomware attack typically rely on obtaining a user’s identity credentials, most often through email phishing. Because phishing is the primary attack vector, it’s important for security teams to maintain a culture of awareness around credential security.
Processes need to be developed that train users on email security and deploy anti-phishing technology that can identify and flag unusual activity. If the attacker cannot access credentials, it is much more difficult to escalate the attack from phishing to ransomware.
Worryingly, an attacker only needs one person within an organisation to click on a link or open an attachment. Recent Barracuda research showed that, on average, 3% of people who receive a phishing email will click on the link. Usually, the goal of the attack is to capture account credentials, allowing the hacker to then move laterally across the company and ransom the entire organisation.
Securing web applications and access
The rapid shift to remote and home working during the pandemic has pushed even more applications out of traditional datacentres and into the cloud. Sometimes the rush to keep business services functioning meant that security was overlooked, and cybercriminals are ready to exploit these vulnerabilities.
The State of Network Security in 2021 report found that Australian companies with staff working predominantly from home had a significantly higher network security breach rate (93%), compared to companies with staff working predominantly in the office (67%). A full 72% of those surveyed said their organisation has been the victim of at least one ransomware attack in the last year.
The Verizon 2021 Data Breach Investigations Report shows that for hacking, web applications are the biggest attack vector in use and account for more than 80% of all data breaches. Online applications like file-sharing services, web forms, and e-commerce sites are among the resources that can be compromised by attackers.
Web applications tend to be attacked through the user interface or an API interface. Often these attacks involve credential stuffing, brute force attacks, or Open Web Application Security Project (OWASP) vulnerabilities. Once the application has been compromised, the attacker can introduce ransomware and other malware into the system.
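Credential stuffing and brute force leave different traces in a web application’s authentication logs. The following added example (not from the article or from Barracuda) runs a simple detector over constructed log lines, classifying each source IP by whether its failures are spread across many accounts or concentrated on one, and listing accounts that logged in successfully after a burst of failures; the log format, threshold and IP addresses are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample authentication log lines (made up for this example).
SAMPLE_LOG = """\
2021-09-01T10:00:01Z 203.0.113.7 POST /login user=alice status=401
2021-09-01T10:00:02Z 203.0.113.7 POST /login user=bob status=401
2021-09-01T10:00:02Z 203.0.113.7 POST /login user=carol status=401
2021-09-01T10:00:03Z 203.0.113.7 POST /login user=dave status=401
2021-09-01T10:00:04Z 203.0.113.7 POST /login user=frank status=200
2021-09-01T10:01:00Z 198.51.100.9 POST /api/auth user=admin status=401
2021-09-01T10:01:01Z 198.51.100.9 POST /api/auth user=admin status=401
2021-09-01T10:01:02Z 198.51.100.9 POST /api/auth user=admin status=401
2021-09-01T10:01:03Z 198.51.100.9 POST /api/auth user=admin status=401
2021-09-01T10:05:00Z 192.0.2.44 POST /login user=grace status=401
2021-09-01T10:05:30Z 192.0.2.44 POST /login user=grace status=200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) POST (\S+) user=(\S+) status=(\d+)$")

def parse(log_text):
    """Yield (ip, user, status) for each well-formed line; others are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            _ts, ip, _path, user, status = m.groups()
            yield ip, user, int(status)

def classify_sources(log_text, fail_threshold=4):
    """Per source IP: 'credential_stuffing' (failures spread over many accounts),
    'brute_force' (failures on a single account) or 'normal' (below threshold)."""
    failed_users = defaultdict(list)   # ip -> usernames that failed so far
    compromised = defaultdict(list)    # ip -> usernames that succeeded after a burst
    for ip, user, status in parse(log_text):
        if status == 401:
            failed_users[ip].append(user)
        elif status == 200 and len(failed_users.get(ip, ())) >= fail_threshold:
            compromised[ip].append(user)   # success after a burst: review this account
    report = {}
    for ip, users in failed_users.items():
        if len(users) < fail_threshold:
            verdict = "normal"
        elif len(set(users)) > 1:
            verdict = "credential_stuffing"
        else:
            verdict = "brute_force"
        report[ip] = {"verdict": verdict, "failures": len(users),
                      "distinct_accounts": len(set(users)),
                      "succeeded_after_burst": compromised.get(ip, [])}
    return report
```

On the sample data the first IP is flagged as credential stuffing with one account (frank) succeeding after the burst, the second as brute force against a single account, and the third as normal.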
Web application vulnerabilities are the next attack vector that needs to be assessed to determine how secure an organisation’s applications really are. Areas that should be reviewed include the organisation’s website, any forms stored on it, and whether the website accepts file uploads.
At the same time, organisations experiencing a high level of network breaches and ongoing connectivity and security challenges as they adapt to hybrid work are realising that moving to SaaS applications and the public cloud can improve both the user experience and security. As a result, they are starting to adopt Secure Access Service Edge (SASE) technologies.
Backing up sensitive data
A comprehensive ransomware protection strategy should also contain steps that cover data backup and recovery. The trouble is that cybercriminals know this too, and increasing numbers are seeking out backup infrastructure before their presence within the targeted IT environment has even been detected.
The backup admin console is particularly important for the criminals as it gives them access to backup schedules, configuration, retention policies, and the ability to start deleting things. Often, the criminals will also target backup storage itself, hoping to delete primary backup servers and any secondary DR copies that might exist.
There also remains an all-too-common misconception that, because data is stored on a cloud platform, it can’t be affected by ransomware. This is simply not true.
For example, a child browsing the web on their school tablet or laptop at home can easily be tricked into clicking on a malicious link by accident. If that device is connected and synced to OneDrive as part of the school’s Office 365 account, a ransomware file can be automatically uploaded to OneDrive and encrypt the school’s files and data held in the Microsoft cloud.
It’s therefore important to properly defend and isolate backup data. Think about how often systems need to be mirrored and how fast you can rebuild systems from those images.
Hope for the best, but prepare for the worst
Every organisation hopes it never falls victim to a ransomware attack; however, the reality is that it is likely to happen at some point.
By taking time to think through what measures to put in place to minimise risks and develop a response plan for when an attack happens, organisations can be as prepared as it is possible to be.