Ransomware: fail to prepare, then prepare to fail

Ransomware: fail to prepare, then prepare to fail

As ransomware threats become more frequent, targeted and ruthless, Gavin Knapp, Cyber Defence Technical Lead at Bridewell, explains why business leaders cannot afford to rely on cyber insurance alone as a silver bullet.

Ransomware is now an unavoidable business issue. What started as a relatively opportunistic method of extorting money for individuals and organisations has evolved into a complex and sophisticated attack mechanism, originating from skilled human actors who will do whatever necessary to achieve their goals.

As a result, dynamics are shifting within businesses. While security teams used to vie for the attention of the board, it is now the board who are actively engaging security teams. The evolution of ransomware has brought the importance of cyber-resilience to the fore – and businesses are stepping up and increasing their security budgets in response.

However, as always, more can be done. New research from Bridewell reveals that only a minority of UK critical national infrastructure organisations are implementing critical measures to protect, detect and respond to ransomware. This suggests that some businesses may be relying on reactive measures to help offset the damage caused by an attack. But as ransomware becomes more frequent, targeted and ruthless, business leaders must look beyond the not-so-silver bullet of cyber insurance alone. It pays to have a plan – and there are clear steps organisations can take now to ensure they are better protected against this unrelenting threat.

How has ransomware evolved?

Ransomware is a threat decades in the making. Traditionally, attackers capitalised on human error to get through a business’ defences, but the rise of human-operated ransomware (HoR) now sees criminal groups quietly infiltrating organisations for extended periods prior to exfiltrating data and launching debilitating attacks on data and systems. Multiple initial attack vectors are now used to gain entry to victim organisations including exploiting vulnerabilities in external systems, supply chain compromise, use of initial access brokers, stolen credentials and phishing.

Once in, attackers typically escalate privileges, install persistence, steal credentials and repeat the process as they move laterally through the environment. Finally, they will execute their objectives, which is to steal and encrypt data, before extorting the victim. Unlucky victims can sometimes find themselves in a double extortion scenario where they end up paying twice; once to decrypt files and subsequent payment to prevent confidential data being publicly released.

Ransomcloud is also on the rise. These attacks exploit weaknesses or legitimate functionality in cloud resources to deploy malware, encrypt data and extort money from organisations. As more businesses embrace cloud to improve their efficiency and operational agility, the security risks inevitably increase. Organisations that race head-first into the cloud without architecting secure cloud services are particularly susceptible to attack.

Any ransomware attack can cause extensive loss of data and operational downtime for businesses. To outpace an escalating threat landscape, security strategies must be built on stronger foundations than cyber insurance alone.

Strengthening defences against ransomware

Many organisations are realising the need to prioritise and plan to mitigate the ransomware threat. Yet, opportunities for improvements remain. Bridewell research found that only 36% have a security information and event management (SIEM) platform in place – a crucial tool to detect and alert against intruders. Furthermore, just 43% have implemented technical controls to prevent unauthorised access and stop key directories and files being deleted, overwritten, or encrypted. And while nobody enjoys thinking about those fraught moments immediately after a cyberattack, over half (62%) don’t even have a plan for decision-making on whether to pay the ransom.

But the picture is not all doom and gloom. Organisations have an opportunity to strengthen their cybersecurity posture in the face of these rising threats. The first step is to educate end-users on evolving ransomware risks, how they work, how they can be mitigated and how any incidents should be reported. 

Once the education is in place, organisations should implement the technology required to identify the opportunities within the kill chain to detect the adversary activity and subsequently evict them from the environment. This includes strong endpoint, email and cloud app detection and response capabilities, backed up by a central SIEM platform and managed detection and response (MDR) service that monitors alerts 24/7 and implements automated response where appropriate. This proactive and multifaceted approach will go far beyond the reactive confines of cyber insurance and should be bolstered further by threat intelligence services to provide early warning of an attack.

The right response is essential

A strong cyber strategy shouldn’t rely on detection alone. How a business responds to a breach is also key in defining the success of its security posture. When defences fail and operations are threatened by a ransomware attack, organisations with a clear and effective incident response plan already in place stand the best chance of mitigating the damage. The incident response plan needs to be tested and ideally tabletops performed to ensure everyone is aware of the plan and their individual responsibilities. It is also critical that a robust IT Disaster Recovery plan is in place that is regularly tested. Backup controls should be protected using approaches such as segmentation of backups, strong authentication requiring Multi-Factor Authentication, backup pins or dual authorisation mechanisms to prevent backups from being disabled or overwritten.

Having a robust data protection strategy is just as critical. Strong data governance practices ensure that key data stays in known, risk-assessed locations, with measures in place to provide timely access to the data. In some cases, this can prevent the attacker from gaining access, but if the worst case does happen and they do get in, it can slow the attacker down until the incident response capability can identify and contain the threat.

To pay or not to pay?

Finally, the question of whether to pay the ransom must be considered. This decision should not be taken lightly. The legal and ethical implications of paying out need to be addressed and evaluated long before the actual criminal act takes place. Data can help organisations to make the right decision on this contentious issue: weighing up the operational cost lost per day versus the cost of paying the attacker can provide some much-needed clarity, while the level of confidence of being able to bring systems back will be a factor in many organisations’ decision-making.

As ransomware risks accumulate, preparation must take centre stage. Basic cybersecurity hygiene practices, such as asset inventory, configuration management, application control, endpoint protection, regular testing and patching of any systems connected to the Internet and segmentation of networks still have an important role to play. However, organisations need to plan for all eventualities. The security and success of each organisation will depend on its ability to predict, prevent, detect and respond against ever-changing ransomware threats. 

Browse our latest issue

Intelligent CIO Europe

View Magazine Archive