Ransomware Resiliency 101

What is ransomware?

Ransomware is a type of malware, or malicious software. When infected with ransomware, organizations lose access to their systems and data, and cybercriminals demand a ransom in exchange for releasing the data. In more technical terms, adversaries encrypt your data and require you to pay nominal amounts of money for the decryption key. Typically, a ransom note pops up on a computer explaining the terms of the ransom, including the cost, form of payment, and deadline. 

Not only is the threat of ransomware growing, but the impact of ransomware is also increasing. Attacks are becoming more sophisticated, and requested payments are getting larger. Here are five key ransomware trends to pay attention to right now:

Ransomware trends:

  • The ransomware-as-a-service (RaaS) model is on the rise. With RaaS, attackers do not write the malware, they purchase and spread it. Commissions are paid to the developers for the use of the malware.
  • Remote worker entry points are being targeted much more, including remote desktop, employee access gateways, and VPN access portals.
  • Operational technology is a prime target. According to IBM Security X-Force, 41% of all ransomware attacks targeted organizations with operational technology (OT) networks.
  • Email phishing, admin interfaces, and exploits are common entry points, and drive-by downloads (malvertising, force download, or exploit browser) are becoming more popular.
  • Many threat actors that deploy ransomware attempt to disable backup/recovery capabilities, so victims are forced to pay if they want access to their systems and data.

Is my organization a good target for ransomware? 

Every organization is susceptible to a ransomware attack, but there are a few considerations to be aware of that may increase your chance of falling victim. 

  • Are you in an industry that frequently is targeted by ransomware? It’s common for ransomware families to target multiple organizations in a particular industry given the attack surfaces are similar. 
  • Does your organization prioritize security? There are a few industries that have notoriously underfunded security programs, including higher education, startups, and small businesses.
  • Does your organization store and manage high-value data? The higher value the data is, the greater the appetite for ransomware attacks. It’s more likely an organization will pay the ransom to get its data recovered if the data is extremely sensitive. Read: Healthcare’s Guide to Ryuk Ransomware.

How does ransomware work?

Step 1: Getting in | Adversaries can get into a network in numerous ways. Here are four vectors used to gain initial access:

  1. Phishing links and attachments.
  2. Using weak or default credentials to log into single factor remote management interfaces and desktop platforms such as Citrix, Remote Desktop, and VPN access points.
  3. Exploitation of common security vulnerabilities, including SQL injection, broken authentication, broken access control, and insufficient logging and monitoring.
  4. Unintentional download and execution of malware through obfuscation and/or social engineering techniques (drive-by downloads, malvertising, forced download, or browser exploits).

Step 2: Privilege escalation | Once in, adversaries work to exploit bugs, design flaws, or configuration oversights in an operating system or application to gain access to protected databases, file shares, and business sensitive data.

Step 3: Find and exfiltrate sensitive data | Attackers leverage well known techniques to quickly identify servers that may contain sensitive data and upload the data to systems on the internet. 

Step 4: Ransomware deployment | Now it is time to deploy the malicious ransomware code. Ransomware can take many forms, including: locker (uses screen locking to block basic computer functions), wiper (deletes files on a timer), or crypto (encrypts important data and often includes a kill switch to delete data if the ransom is not paid by a specific time).

Step 5: Get paid for the decryption key | Often ransomware attackers request the ransom is paid in Bitcoin. Once paid, the likelihood of recovering the money is low.  Even when money is returned, you’re not likely to get all of it back. For example, in 2021 the FBI recovered $2.3 million of the $5 million from the Colonial Pipeline attackers. 

Step 6: Extort additional money by threatening to publish exfiltrated data | Adversaries exfiltrate sensitive data early in the ransomware deployment process so that, even if a ransom is paid, they can continue to threaten the organization and make more money.

Should I pay the ransom?

This is not a yes or no question – it depends on the industry regulations, the complexity of the situation, and the business risk. Payments entice bad actors and enable ransomware attacks to continue. Right now, no one is outright prohibiting direct ransomware payments or ransomware insurance claims. If we do not see new regulations restricting ransomware payment, hopefully, we will see governments offering some subsidies to small and medium businesses that can’t afford to partner with security firms but may be considered high-risk targets. 

Best practices for ransomware protection.

While we wait for the global cybersecurity community to work toward a solution, organizations must get proactive about their cybersecurity efforts. Here are seven best practices to follow to protect your organization from a ransomware attack: 

  1. Employee awareness, namely phishing prevention and education. 
  2. Limit your external attack surface. Evaluate what you expose to the internet.
  3. Access management: Multi-factor authentication, strong passwords, and least privilege.
  4. Review and test your data backup plan often.
  5. Perform regular penetration testing to identify and remediate your vulnerabilities.
  6. Put your incident response plan, crisis communications and management plan, and business continuity plans to the test.
  7. Practice ransomware resiliency. The more proactive your security efforts, the better you will be able to prevent, detect, and recover from a ransomware attack. Download NetSPI’s ransomware prevention and detection checklists.

While we wait for the global cybersecurity community to work toward solutions, ransomware resiliency planning is going to become a priority for everyone. For more detailed insight on ransomware attacks, how ransomware works, and how to prevent and detect ransomware, download our Ultimate Guide to Ransomware Attacks

Download the Ultimate Guide to Ransomware Attacks

Discover why security operations teams choose NetSPI.