When discussing ransomware – which, for good reason, has emerged as Topic A in cybersecurity – we should take a closer look at what happens during a typical incident. A ransomware attack starts when an adversary gains access to an organization’s environment, encrypts systems and data, and demands payment for decryption.
If the organization balks at paying, the adversary threatens to leak sensitive data and materials. If the organization still refuses payment, the adversary may launch a denial-of-service (DoS) attack to bring down critical systems. In some cases, attackers may threaten to modify important files, such as payroll documents or files containing essential source code.
All of which means we should call ransomware what it is: extortion. While the term “ransomware” implies that it’s all about weaponized technology, what we’re really dealing with is the criminal, malicious intention behind the weaponized technology.
To get a better sense of the frequency and impact of ransomware, CBI and Ponemon Institute recently released a research report, for which 659 IT security professionals were surveyed. Following are some of the more revealing findings:
- Eighty percent of companies surveyed experienced a ransomware attack within the past year, up from 51 percent in 2017, despite spending an average of $6 million annually to prevent, detect, contain and resolve ransomware. For staffing alone, organizations budget an average of $170,000 for 14 employees to spend 190 hours containing and remediating the latest incident.
- Of the 80 percent of companies that were compromised, 53 percent paid the ransom, which now averages more than $1 million. However, only half of those that paid report receiving a decryption key from the attackers. Paying, in other words, is not a business transaction with a predictable outcome. It’s extortion, and expensive extortion at that.
- Legal and regulatory actions account for the highest total costs resulting from a ransomware attack, more than productivity disruptions, technical support, reputation/brand damage or lost revenue.
- Only 32 percent of organizations are confident in their security controls, yet just 51 percent regularly conduct assessments to test their ransomware prevention and recovery practices, and just over one-third evaluate their third parties’ security and privacy practices.
- Just 30 percent are confident in their employees’ ability to detect the social engineering lures that can trigger a ransomware incident, even though 61 percent provide continuous security awareness training for staff.
Clearly, organizations must take a proactive stance in responding to these developments. Relying on cyber insurance won’t solve the problem: two out of five companies are seeing decreases in ransomware coverage while still paying more than $17,000 annually in average premiums. Companies should also build the following industry best practices into their ransomware prevention strategies:
- Understand the anatomy of common attacks.
As defenders, we know the general approaches – the tactics, techniques and procedures (TTPs) – these criminals use. They usually gain entry via phishing or insecure web applications. Once inside the network, attackers move laterally using relatively common techniques in search of valuable targets, escalating privileges along the way to increase their capacity to harm. Because these stages recur from one incident to the next, companies can map their detection, alerting and prevention tools, and their procedures, to each stage, so that an early signal such as a phishing payload executing on a workstation is treated as the start of a chain rather than as an isolated event.
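The following is an added example, not code from this article or from CBI, of what aligning detection to that anatomy can look like in practice: a small correlator that tags constructed endpoint and Active Directory detections with the stage they evidence (initial access, lateral movement, privilege escalation, impact) and raises an alert only when one account progresses through several stages inside a time window. The sample events, event names, stage mapping, window length and severity thresholds are all assumptions made for illustration.

```python
"""Stage-aware correlation of endpoint and directory detections.

Added example for this page (not CBI's code). Each low-level detection is
tagged with the stage of the ransomware anatomy it evidences. An alert fires
only when a single account progresses through two or more stages inside a
time window, which is what separates an intrusion in flight from an isolated
phishing click or a routine administrative change.
Event names, the stage mapping, the window and the severity thresholds are
assumptions for illustration, not a vendor's or a SIEM's real schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data), roughly in SIEM emission order.
EVENTS = [
    {"ts": "2023-03-01T09:02:10", "host": "WS-114", "user": "jdoe", "event": "office_macro_spawned_powershell"},
    {"ts": "2023-03-01T09:05:41", "host": "WS-114", "user": "jdoe", "event": "outbound_to_new_domain"},
    {"ts": "2023-03-01T10:17:03", "host": "FS-02",  "user": "jdoe", "event": "remote_service_installed"},
    {"ts": "2023-03-01T10:17:05", "host": "FS-02",  "user": "jdoe", "event": "admin_share_logon"},
    {"ts": "2023-03-01T10:40:22", "host": "DC-01",  "user": "jdoe", "event": "added_to_privileged_group"},
    {"ts": "2023-03-01T11:03:50", "host": "FS-02",  "user": "jdoe", "event": "shadow_copies_deleted"},
    {"ts": "2023-03-01T11:04:12", "host": "FS-02",  "user": "jdoe", "event": "mass_file_rename"},
    # Benign noise: an administrator doing legitimate work, with no earlier stages.
    {"ts": "2023-03-01T11:10:00", "host": "DC-01",  "user": "admin.ops", "event": "added_to_privileged_group"},
]

# Each detection maps to the stage of the attack anatomy it evidences (assumed mapping).
STAGE_OF = {
    "office_macro_spawned_powershell": "initial_access",
    "webshell_written": "initial_access",
    "outbound_to_new_domain": "initial_access",
    "admin_share_logon": "lateral_movement",
    "remote_service_installed": "lateral_movement",
    "added_to_privileged_group": "privilege_escalation",
    "shadow_copies_deleted": "impact",
    "mass_file_rename": "impact",
}
STAGE_ORDER = ["initial_access", "lateral_movement", "privilege_escalation", "impact"]


def correlate(events, window=timedelta(hours=6)):
    """Pivot on the user account, keep detections whose stage never moves
    backwards relative to the furthest stage already seen, and score the
    progression. Returns {user: {"stages", "hosts", "severity"}} for every
    account with at least two distinct stages inside the window measured
    from that account's first tagged event (a single window, for brevity)."""
    by_user = defaultdict(list)
    for e in events:
        stage = STAGE_OF.get(e["event"])
        if stage is not None:  # untagged events carry no stage and are ignored
            by_user[e["user"]].append({**e, "stage": stage, "dt": datetime.fromisoformat(e["ts"])})

    alerts = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["dt"])
        start = evs[0]["dt"]
        reached, hosts = [], []
        for e in evs:
            if e["dt"] - start > window:
                break
            idx = STAGE_ORDER.index(e["stage"])
            furthest = STAGE_ORDER.index(reached[-1]) if reached else -1
            if idx > furthest:      # progression to a later stage of the anatomy
                reached.append(e["stage"])
            elif idx < furthest:    # earlier stage after a later one: not part of this chain
                continue
            if e["host"] not in hosts:
                hosts.append(e["host"])
        if len(reached) >= 2:
            if "impact" in reached:
                severity = "critical"
            elif len(reached) >= 3:
                severity = "high"
            else:
                severity = "medium"
            alerts[user] = {"stages": reached, "hosts": hosts, "severity": severity}
    return alerts


if __name__ == "__main__":
    for user, alert in correlate(EVENTS).items():
        print(f"{alert['severity'].upper()}: {user} progressed "
              f"{' -> '.join(alert['stages'])} across {', '.join(alert['hosts'])}")
```

Run as-is, the sample produces one critical alert for `jdoe` spanning the workstation, the file server and the domain controller, while the lone privileged-group change by `admin.ops` produces nothing, because it has no earlier stage to chain from. In a real deployment you would pivot on host and on the source of each network logon as well as on the account, and the stage mapping would be driven by your own rule set rather than a hard-coded table; the point the example makes is that ordering detections by stage is what turns a pile of individually noisy alerts into one that reflects the attacker's actual progression.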
- Develop a comprehensive ransomware playbook.
In addition to anatomy-based tools and procedures, organizations need a ransomware playbook that addresses how the organization will respond to everything from data leakage and DoS attacks to compromised systems integrity. A playbook should include legal and compliance considerations, as well as policies and procedures for third-party security assessments and employee training.
- Acquire total visibility of potentially targeted assets.
Backing up data makes sense and is a recommended practice, but it is no longer enough as a mitigation strategy: backups won’t stop attackers from leaking sensitive files or going after critical business dependencies, such as microservices and Software-as-a-Service (SaaS) integrations, and backups that remain reachable from the compromised network are themselves a target. Given this reality, security teams should strive to gain comprehensive visibility over all digital assets that are likely targets, putting them in a much better position to protect those assets.
- Reach out for support when needed.
Once compromised, companies often make the mistake of deciding immediately whether or not to pay the ransom, without considering the possible consequences of each path. Most are inexperienced in ransomware negotiations, where saying the wrong thing can result in attackers increasing the demand. What’s more, panic leads to bad decisions. Bringing in third-party experts who specialize in ransomware incident response helps ensure incidents are dealt with in a measured, strategic way. Seven of 10 companies are hiring third-party experts to remediate ransomware incidents, up from 59 percent in 2017.
Ransomware has become a modern form of extortion, an offense as old as humanity. Today, cybercriminals use ransomware to forcefully extract huge payouts from organizations. But companies don’t have to be defenseless. Armed with the right knowledge, preparation, tooling and third-party expertise, companies can get ahead of adversaries before they strike – to minimize if not eliminate their capacity for damage.
Shaun Bertrand, chief services officer, CBI