Treading A Safe Path - Navigating Hidden Ransomware Risks
Ransomware attacks have continued their inexorable rise over the past decade. While there’s debate about whether the number of attacks has gone up or down in recent months, statistical trends may seem less important than the day-to-day reality faced by many cyber security professionals - thousands of organisations are still falling prey to ransomware.
The figures remain shocking – 3 in every 5 organisations were hit by ransomware attacks in the past 12 months and 70% suffered data encryption. More worryingly, initial ransom demands have surged 20% over the past year.
Ransomware attacks continue to dominate headlines and C-suite anxieties due to the colossal scale of disruption they cause. Those tasked with protecting their organisations walk a tricky tightrope, risking losses extending far beyond the ransom itself.
Paying Isn’t A Straightforward Path
Paying the ransom might seem like the quickest way to regain access to encrypted data and business continuity. Where critical, time-sensitive data is at stake, capitulating to the financial demands can appear a necessary evil to uphold commitments to customers and stakeholders. The cost of the ransom may appear negligible compared to the potential losses incurred from operational downtime or the expense of alternative data recovery methods, IR counsel and legal costs, credit monitoring, PR and crisis management.
However, this apparently simple decision masks a range of more complex considerations that must be addressed before deciding to pay.
Paying the ransom doesn’t guarantee the safe return of data. The National Crime Agency’s operation against LockBit revealed that even when ransoms were paid, the group didn’t always do as promised. There are numerous cases where businesses didn’t regain access to their data or found it was corrupted or incomplete. Frequently decryptors are withheld despite ransom payment, or those provided prove to be faulty.
Paying a ransom can also mark an organisation as an easy target, leading to repeat attacks. Cybercriminals often share information about compliant victims, increasing the likelihood of future ransom demands from others utilising the same vulnerability or exploit. This creates a vicious cycle, making businesses more vulnerable each time they pay up.
Moreover, cybercriminals are now deploying high-pressure tactics in an effort to increase payments, with some groups targeting the clients of firms they successfully attack, or reporting victims to their insurers and even to the US Securities and Exchange Commission. This intensifies the risk of severe reputational damage and additional penalties.
Navigating Regulatory Risks
In the face of mounting financial pressures, wider implications can get overlooked by victims. Overwhelmed by monetary demands and business continuity issues, many are ill-prepared to navigate the complex maze of long-term regulatory and moral considerations.
From a legal and ethical standpoint, paying a ransom can place organisations in murky waters. Funding criminal activities perpetuates the cycle of crime, so payment poses significant moral dilemmas by supporting the nefarious world of cyber extortion. Capitulation to ransom demands is also in breach of company policies designed to prevent this by forbidding payment.
Payment may also conflict with laws banning the funding of criminal activities. In October, the White House announced an alliance of 40 countries vowing never to pay ransoms. Ransom payment may expose individuals and any organisations involved in facilitating these payments to potential civil and criminal penalties. Victims are obliged to report ransomware incidents promptly to government and law enforcement agencies and cooperate fully with their investigations.
Preparation Is Key
Among the myriad of measures cybersecurity professionals can implement, here are some of the most effective steps to boost resilience and reduce risk.
Plan Ahead
A robust incident response strategy should include clear protocols for ransomware attacks. Formal incident response plans are rare – only 1 in 5 UK businesses have one in place and a number of leaders aren’t aware of their company’s stance on ransom payments. Develop a clear ransomware attack response plan and be clear on company policies and local laws concerning cybercrime. Conducting regular drills and policy reviews will ensure that the organisation is prepared for an actual incident.
Restore & Recover
Maintaining proper backup and recovery practices is an effective way to increase resilience to ransomware attacks. Robust backups protect valuable data ensuring it is fully restorable, while best practice disaster recovery solutions with industry-leading Recovery Point Objective (RPO) and near real-time replication ensure rapid, full recovery of data and services. While backup and DR don’t prevent data exfiltration, being able to retrieve data and restore business operations can limit the impact of an attack.
Watch & Learn
While holistic visibility with continuous monitoring across the entire attack surface is essential, it’s also critical to make use of the information. Log monitoring is a crucial component, encompassing intrusion detection and NDR systems, EDR solutions, firewalls, IAM systems, email and cloud-hosted services. This increases the likelihood of detecting threats at an early stage and also allows organisations to exploit their cyber threat intelligence, informing strategies and future defences.
Closing Gaps
Organisations can greatly reduce their cyber risk by implementing an effective patching programme to address known weaknesses. 60% of cyber incidents in the past 12 months exploited vulnerabilities identified at least 2 years previously. Keeping up to date with vulnerabilities, establishing a remediation plan, setting priorities and effectively managing patching long-term can be challenging. Managed patching services can be a cost-effective way to keep all your machines up to date with the latest security and core OS patches.
Enforce Identity Controls
Cyber criminals are adept at finding and leveraging user credentials to log into IT environments. Multi-factor authentication is an effective way to harden defences; but as attacks become more sophisticated, it’s essential for organisations to not just implement modern MFA, but also to enforce it — particularly proven password-less approaches.
Cloud Control
With 45% of breaches starting in victims’ public cloud, it’s important to be clear where security responsibilities lie. In general, a breach originating from your organisation’s vulnerability that disrupts your cloud data is your responsibility. Many firms discover the hard way that data and other resources aren’t automatically backed up by their cloud providers. Many cloud security incidents can be traced back to misconfigurations and weak access policies, highlighting the importance of IAM and cloud utilities.
Collaboration Is Key
There’s growing recognition that knowledge sharing is an important weapon in the war against cybercrime. While reporting ransomware incidents is often a legal requirement, working closely with law enforcement agencies can also help track and apprehend cybercriminals. Collaborating with industry peers can help businesses stay informed about the latest threats and mitigation strategies, while cybersecurity specialists and MSPs can further enhance an organisation’s security posture and incident response capabilities.
Forewarned Is Forearmed
There’s been a shift in the war against ransomware. Businesses and governments have adapted to increased cyber-risk by stepping up measures to defeat ransomware attackers - bolstering defences, upweighting international law enforcement operations and cutting out ransom payments. Ransomware groups have, in turn, become more aggressive. Faced with a growing refusal to pay, attackers are demanding higher payments, expanding their list of targets and also applying greater pressure on victims.
This further underscores the importance of a proactive strategy on prevention, detection and recovery. Giving full consideration to the financial, legal and ethical considerations now can take uncertainty out of the equation, streamlining and de-risking fraught decision-making when a ransomware incident strikes.
Outsmarting ransomware groups is not just about refusing to pay; it’s about establishing a state of readiness that reduces risk and eliminates the need to make such decisions in the first place.
Rob Smith is CTO at Creative ITC