Exclusive: How to mask up against the ransomware pandemic

In early 2020 the world was plunged into a global financial and healthcare crisis like no other in living memory. But at the same time another pandemic was taking hold—one that has had fatal consequences for some businesses. Ransomware is not a new threat. But the way it’s being used and the threat groups wielding it have evolved over the course of the past couple of years to the point where no organisation is safe today. During this time, cyber-criminals have also capitalised on the ignorance, arrogance and complacency of boardrooms, which has meant plenty of corporate victims.

Now the threat is being treated by governments with the gravity it deserves, it’s time for organisations to do the same. That means a greater focus on plugging security gaps, improving cyber hygiene and enhancing proactive detection and response.

How bad is it?

It’s difficult to get a true and accurate picture of the scale of the ransomware pandemic. Many attacks still aren’t reported, especially if they’re outside the jurisdiction of the GDPR and/or no customer or employee data was stolen. There were just 2,474 incident reports filed with the FBI last year, versus over 241,000 cases of phishing.

According to the 2021 Data Breach Investigations Report, ransomware appeared in 10% of global data breaches in 2020, double the previous year’s tally. That’s likely just the tip of the iceberg. Big name breaches have sparked fuel shortages and concerns over food supply chains in the US, school and university closures in the UK and hospital disruption in Europe and the US, as doctors battled surging COVID-19 cases.

How did it get this bad? The COVID-19 crisis is partly to blame. As organisations scrambled to support mass remote working they unwittingly expanded the corporate attack surface with cloud infrastructure and applications and potentially insecure employee-owned endpoints. In some cases, remote access infrastructure was not properly protected: unpatched vulnerabilities were exploited in VPNs while RDP servers protected only with weak or breached passwords were hijacked. At the same time, home workers juggling childcare and unable to sanity check suspicious emails with IT or their colleagues, were exposed to a surge in phishing. Many engaged in more risky behaviour than they would otherwise at the office, like sharing work laptops with house mates and family members, or uploading corporate data to consumer-grade apps.

Yet even that’s not the whole story. On the cybercrime underground, the emergence of “as-a-service” models for ransomware has opened the flood gates to all-comers. Everyone wants to make a quick buck from ransomware and many are, as organisations are increasingly willing to pay up—especially if they’re covered by cyber-insurance. Techniques once the preserve of sophisticated APT groups enable attackers to gain a foothold in victim networks, move laterally using legitimate tools like PSExec and Mimikatz and steal data to force payment.

Time for action

In the US, the ransomware pandemic has sparked genuine action at the very top of government. President Biden has had harsh words for his opposite number in the Kremlin, warning that the US reserves the right to go after criminal gangs operating from within Russia if the government there refuses. He also created a new Department of Justice Ransomware and Digital Extortion Task Force, which has already scored a major coup by helping to seize more than half of the funds paid to the Colonial Pipeline attackers. The new group will be prioritising the investigation of ransomware raids in the same way as it does terrorist attacks.

But for all the tough talk and calls for global police cooperation, ransomware will continue unless victim organisations stop paying their extorters. AXA took a stand in France by refusing to fund such payments any longer for policyholders. And a noted UK thinktank has called on the UK government to look into banning such payments outright. But it doesn’t help disincentivise this course of action when some regimes even make ransom payments eligible for corporate tax deductions. It’s estimated that half of all UK ransomware victims paid their attackers last year, even though a quarter didn’t manage to decrypt their files and reports suggest that many groups don’t delete their stolen data.

Action on all fronts

Bringing the COVID-19 virus to heel has involved a combination of measures—vaccinations, social distancing, mask wearing and regular hand washing. In a similar way, organisations need to look at a range of best practices to mitigate the threat posed by ransomware groups.

First, it’s back to maintaining good hygiene—in this context, by running regular vulnerability scans and risk-based patching programmes to reduce the corporate attack surface. Pen testing and risk assessments will also help to identify and correct both vulnerabilities and configuration errors, especially around passwords and access controls. Their findings can also feed into security training and awareness programmes for staff.

Organisations should understand what and where their most sensitive data and IT assets are and then apply the appropriate controls including strong encryption. They will also benefit from following internationally recognised standards to enhance their security policies. That means least privilege access rules and multi-factor authentication, network segmentation and strict vetting of third-party providers that are increasingly used as a threat vector in their own right.

Finally, it’s time to get back on the front foot. The best way to do that is with a well-trained security operations (SecOps) team and detection and response and logging/monitoring tools for enhanced visibility and control. This could be achieved in-house, or the increasingly popular option of outsourcing it to an expert provider which guarantees security 24/7.

It takes organisations on average 280 days to find and contain a breach today. That’s around 280 days too long. The focus should always be on spotting the warning signs of an attack early on, so that action can be taken to mitigate an attack before the threat actors are able to do any damage. Everyone’s a target today. But not everyone has to be a ransomware victim.

By Rick Jones, CEO, DigitalXRAID