The threat that ransomware poses to organisations grows exponentially each year. Malwarebytes, the leading advanced malware prevention solution, recently conducted an international study that found that almost 40 per cent of businesses had been a target of ransomware over the last year. Among this 40 per cent, over a third had also lost revenue due to the ransomware attack and, even more alarmingly, 20 per cent were required to completely halt their operations.
It is often the case, particularly when the ransomware deployed is an outdated version, false threats are employed to scare the victim into paying the hackers’ ransom. In these instances, threats are being made although it is not clear whether or not they can be followed through with. The very threat of action is typically as serious as the potential action itself. Many businesses find it difficult to call a potential bluff when the culprit is threatening to encrypt all of the data on the victim’s system, leaving it completely inaccessible to the intended users, should the ransom not be payed within a month. With all of their private data at risk of being lost, few businesses are willing to take the risk of ignoring these threats.
Working out What’s Real
In a sense, therefore, there are two different types of ransomware threat in place therefore. That, which results in real malware being downloaded onto the network causing immediate real damage and the psychological battle where threats are made and businesses are unsure whether they are viable or not but are often unwilling to take the risk.
Both threats, real and presumed are, however, likely to have a similar impact on the business concerned. Fear is, after all, a powerful emotion and is likely to elicit a defensive response. Think what you would do, for example, if you could not access any of your business documents – all of your personal files – and you are being held from them by a countdown timer to their complete annihilation.
This method of money-making by the faceless and nameless ‘black-hatters’ of the Internet is now becoming a serious threat. Recent research by Bitdefender reports that companies and individuals caught out in this way in the UK ‘are willing to pay the most to recover personal documents, photos and job-related documents’ with up to £400 being paid to decrypt locked and encrypted files for a start. Typically also, once businesses have shown that they are willing to pay, they are more aggressively targeted as their name joins a list of so-called “suckers” who will reach into their pockets for the convenience of getting their files back quickly.
Moreover, it’s not just a case of computers being hacked. The related phenomenon of SMiShing is also on the increase. SMiShing is a similar kind of attack to ransomware and typically involves a user being sent an unsolicited SMS/text message which tricks them into downloading a rogue program or releasing sufficient personal details to compromise their security.
It is always best to minimise exposure to these scenarios where possible with common-sense, site or IP address blocking and end-point protection but that in itself may not be enough to counteract this ever more pervasive threat.
It’s critically important, of course, to ensure your electronic defence is as impenetrable as possible through the use of actively maintained antivirus software, firewall appliances, Intrusion Protection Systems, web and mail filtering, and define and robustly enforce policies that prevent penetration through ensuring correct system configuration and device ‘hardening’.
However, in today’s complex security environment becoming a victim of one of these increasingly prevalent security threats is almost an inevitably at some point. So, because it will happen, and when it does, what else do organisations need to consider? Robust backup systems are key, of course, but so too is putting in place robust policy and processes and a practical system of educating users.
Putting Solutions in Place
Best practice then is to implement a robust and incremental backup system of business/personal critical details, and keep those backups safely offline. Businesses should then also ensure they test these backups regularly and ensure everything that should be protected is protected.
On the user side, they should enforce a general information policy pertaining to what web-sites are SFW and NSFW (Suitable For Work and Not Suitable For Work) and educate themselves and their team on the risks and the methods by which ransomware is activated. This kind of focus on education is key. Organisations need to remember that their human firewall is their best, but is also often their last line of defence.
After all, in the battle against ransomware, businesses need to marshal their resources, ensure they have a strategic plan in place, train up their workforce and deploy their full gamut of policies and procedures to keep their corporate networks and systems safe.
by Mike Simmonds, Managing Director, Axial Systems