At the end of 2015, many cybersecurity commentators predicted that ransomware attacks would continue to rise during 2016. But few could have expected how dramatoc that increase would turn out to be. A new study found that 39% of UK companies were victims of ransomware attack in the last 12months – and this was below the global average of 48%.
The study estimated that IT staff lost nearly a full working week (33 hours) to restoring the encrypted data from backups. What’s more, it isn’t just large organisations being targeted: a separate report from Kaspersky Lab found that small businesses faced eight times more ransomware attacks in the third quarter of 2016 than the same period last year.
One of the key reasons for the growth in the attack volumes is simply this: ransomware is prov en work. Also, for criminals behind the attacks, it’s a numbers game: the more businesses they infect, the more ransoms they can demand and potentially have paid.
The way ransoware is delivered has also evolved, to help infections evade conventional security controls such as signature-based antivirus software. For example, recent variants use a two-stage infections process with the first stage being a phishing email with an attachment harbouring a macro.
If the user opens the document, the macro activates and contacts the attacker’s and remote server to download the ransomware. In effect, the user is inviting the ransomware onto their machine, which makes this attack vector particularly difficult to block; in most examples the macro is often purposely designed to evade the majority of the anti-virus software and current detection techniques.
One of the challenges in mitigation ransomware is how quickly it can encrypt large numbers of files, rendering them in accessible and stopping the normal flow of work.
Understanding where the risk of ransomware lies
The biggest risk within a network is that the ransomware has the same access to files and data as the person who uses the infected machine. This can be especially dangerous if an executive is successfully targeted, as such highly privileged users often require access to vast quantities of company data.
Another major ransomware risk is a social one. If an employee is given the option to pay and conceal the fact that they accidentally triggered an infection, they may do so out of fear of losing their job.
Practice makes perfect
First and foremost, as with so many facets of life, organisations need to bear in mind that practice makes perfect, and that maxim also applies to ransomware attack preparations. As we saw earlier with 39% of UK organisations being hit in the last 12 months its clear to see it’s a case of when not if a business is attacked with ransomware.
To hone their readiness for an attack organisations should run simulated ransomware attacks, mimicking a real threat without any of the danger. As an example SureCloud’s Simulated Ransomware Service triggers two main actions if a machine is successfully infected.
First, the ransomware performs harmless actions designed to trigger and test for advanced behavioural analysis checks, then displays a typical ransomware message to demonstrate and evidence the infection, which also testing to see if an employee attempts to make payment on a compromised device.
Simulating attacks, such as these, provides businesses with visibility of how likely they are to be successfully compromised via a targeted and focused attack, whilst also identifying where current controls are ineffective at preventing and/or detecting an attack.
Furthermore, they will be able to see what could be encrypted from various access points should a real attack occur. This in-turn would allow the organisation to deploy more restrictive permissions along with improving user awareness and training to help early detection and stop the spread in the event of a real attack.
Prevention is more effective than remediation
In addition to practising how to respond in the event of a ransomware attack successfully infiltrating the network, there are also a number of measures businesses can take to reduce the likelihood of ransomware making its way onto the corporate network. Let’s take a look at these steps in turn.
1. Security controls
While some forms of ransomware can circumvent traditional security controls they nonetheless remain a critical part of an organisations defences. These should include email filtering, web filtering and a corporate anti-virus solution that includes ransomware detection capabilities.
2. Have robust back-up in place
By regularly backing-up files and data to an offline location (such as tape) that can’t be touched by the ransomware, should infection occur. By ensuring this, organisations will put themselves in an excellent position to mitigate the impact of a ransomware attack. Allowing infecting devices to be removed from the network, wiped and data restored in full.
3. Staff education and training
This is absolutely critical within organisations of all sizes to ensure that knowledge of attacks is shared. Employees can be educated to watch out for the tell-tale signs and flags of a potential ransomware infection, whatever the delivery mechanism. This can be aided massively by a simulated and targeted attack against your organisation.
Luke Potter, Security Practice Director at SureCloud