Ransomware continues to be a major cybersecurity threat, with the number of incidents rising each year. According to the ACSC Annual Cyber Threat Report 2020–21, the ACSC received nearly 500 ransomware cybercrime reports during the 2020–21 financial year, an increase of nearly 15% on the previous financial year. Cybersecurity consultants therefore recommend that businesses take a proactive stance against ransomware by investing in cybersecurity solutions and staff training. Cybersecurity solutions can help to identify and block ransomware attacks, while staff training can help employees to recognise and report suspicious emails. By taking these measures, businesses can help to protect themselves from the growing threat of ransomware.
Business email compromise (BEC) — a form of phishing where a threat actor poses as a legitimate business colleague — is one of the top cyber threats affecting companies, and BEC is often followed by a ransomware payload. According to the ACSC Annual Cyber Threat Report 2020–21, BEC was one of the top cybercrime categories, making up nearly 7 per cent of the cybercrime reports received in the 2020–21 financial year. While there was a slight decrease in BEC reports compared with the previous financial year, ransomware remains a major cybersecurity threat that businesses need to be aware of. Self-reported financial losses have increased: total losses were approximately $81.45 million (AUD) for the 2020–21 financial year, an increase of nearly 15 per cent from the previous financial year.
Ransomware receives significant press coverage because of the financial and operational damage it causes. The exposure spans compromised customer data, a tarnished reputation, and loss of productivity (research shows that the average downtime caused by a ransomware attack is 21 days!).
Let’s take a closer look at what ransomware is, the steps for responding to a ransomware attack, and how you can strengthen your defences against ransomware.
What is a ransomware attack and how does it work?
Ransomware is a form of malware in which threat actors encrypt the information on a computer system so that users are unable to access their own data. The hackers then demand payment in exchange for releasing the decryption key that allows the owner to access their information again. Hackers commonly use email phishing, remote desktop protocol vulnerabilities, and software vulnerabilities to gain access to networks and deploy ransomware.
Here’s an overview of what that typically looks like:
- First, hackers infiltrate an organisation’s network through stolen credentials and remote access malware.
- Next, they compromise critical administrative accounts that control backup, Active Directory (AD), Domain Name System (DNS) servers, storage admin consoles, and other key systems.
- With access to the backup administration console, backup jobs are turned off or modified and retention policies are changed. This also gives threat actors a roadmap to where sensitive application data is stored.
- Security software such as anti-virus components is often circumvented or turned off entirely.
- Hackers then encrypt the data and possibly steal (aka exfiltrate) data for use in future criminal activities.
As mentioned in that last step, ransomware doesn’t have to be encryption only. Data exfiltration and subsequent ransom demands are proliferating across the cybercrime landscape.
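The staging actions listed above (backup jobs disabled, retention shortened, anti-virus turned off) are visible in administrative logs before any encryption starts. The following is an added example, not code from the original post or from any vendor product; it runs a simple detection rule over a constructed, simplified log format (the field layout, event names and account names are assumptions) and flags an account that performs several distinct staging actions within a short window.

```python
"""Added example: flag ransomware staging actions (backup jobs disabled,
retention shortened, anti-virus turned off) in a constructed admin log."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: "<ISO time> <account> <action> <detail>".
# The format and event names are assumptions for illustration, not a real vendor log.
SAMPLE_LOGS = """\
2021-03-02T01:14:05 svc_backup  backup_job_disabled   job=FileServer-Nightly
2021-03-02T01:14:40 svc_backup  retention_changed     from_days=30 to_days=1
2021-03-02T01:16:12 svc_backup  av_realtime_disabled  host=FS01
2021-03-02T01:17:30 svc_backup  av_realtime_disabled  host=DC01
2021-03-02T09:30:00 jsmith      backup_job_disabled   job=Test-Restore
""".splitlines()

# The actions the article describes as typical staging before encryption.
STAGING_ACTIONS = {"backup_job_disabled", "retention_changed", "av_realtime_disabled"}

def parse(line):
    """Split one log line into (timestamp, account, action, detail)."""
    ts, account, action, detail = line.split(None, 3)
    return datetime.fromisoformat(ts), account, action, detail

def is_retention_cut(detail):
    """True only when retention was shortened; lengthening it is benign."""
    kv = dict(pair.split("=") for pair in detail.split())
    return int(kv.get("to_days", 0)) < int(kv.get("from_days", 0))

def staging_alerts(lines, window=timedelta(minutes=30), threshold=2):
    """Return {account: sorted distinct staging actions} for every account
    that performed at least `threshold` different staging actions within `window`."""
    events = defaultdict(list)
    for line in lines:
        ts, account, action, detail = parse(line)
        if action not in STAGING_ACTIONS:
            continue
        if action == "retention_changed" and not is_retention_cut(detail):
            continue
        events[account].append((ts, action))
    alerts = {}
    for account, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            kinds = {a for t, a in evs[i:] if t - start <= window}
            if len(kinds) >= threshold:
                alerts[account] = sorted(kinds)
                break
    return alerts

if __name__ == "__main__":
    for account, kinds in staging_alerts(SAMPLE_LOGS).items():
        print(f"ALERT {account}: {', '.join(kinds)}")
```

In the sample, svc_backup triggers the alert (three distinct staging actions in four minutes) while jsmith's single disabled test job does not; in practice the same rule would be fed from the backup console, EDR and Windows event logs rather than a text file.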
Ransomware response: Five steps to take
When you consider how ransomware could affect you, treat it as a matter of when, not if. It’s better to anticipate a worst-case scenario than to be underprepared in the event of an incident. Develop an incident response plan that sets out each team member’s role and responsibilities, along with goals that can be used to measure how effectively you respond to a ransomware attack.
At a high level, here are the steps you will need to quickly take for ransomware response:
- Step #1: Identify the systems that have been infected by the ransomware.
- Step #2: Isolate the infection by disconnecting all infected computers from one another and the network.
- Step #3: Use backup and disaster recovery (BDR) software to restore systems and data from backups by pulling information from before the network was infected by the ransomware.
- Step #4: Review all the facts surrounding the ransomware attack and how it occurred so you can begin to put additional preventive measures in place.
- Step #5: Report with details about the incident.
It’s worth noting that, because more companies are utilising BDR tools to restore infected systems, cybercriminals have upped the ante and are now threatening to publish data on the dark web if the ransom is not paid (as was the case in the Accenture attack). According to research, 77% of ransomware attacks now involve a threat to leak exfiltrated data.
For a comprehensive checklist of what to do in the aftermath of a ransomware attack, we highly recommend reviewing this ransomware guide from the Australian Cybersecurity Centre (ACSC).
Tips for ransomware prevention and mitigation
Although it’s impossible to guarantee 100% protection against ransomware, AWD can help reduce the likelihood of an attack as well as mitigate the damage in the event of an incident by implementing tools and techniques that can be used to improve the security posture of your business.
Vulnerability Assessment and Penetration Testing
Unidentified assets that exist on a network without being accounted for introduce operational and security risks. Unmanaged and unmonitored endpoints are prime targets for hackers because they’re more likely to be outdated and to have vulnerabilities.
That’s why Vulnerability Assessment and Penetration Testing (VAPT) is an important service. With it, we can scan your public-facing network interfaces and website, or your internal network interfaces and devices, to find vulnerabilities that cybercriminals could exploit to gain entry to your network or tamper with the workings of your website.
Automated VAPT can be run regularly or on a one-off basis to keep an eye on the state of your web presence and network.
The process is non-invasive and will not cause any downtime or harm to your network or website.
Once assets are identified, you must also monitor and manage them effectively. Keeping operating systems, software, and applications current and up to date can reduce the cybersecurity risk level of your business. A remote monitoring and management (RMM) tool helps with continuous patching: it enables you to automatically deploy updates to endpoints, ensuring that you never fall behind with your patching needs. You should also ensure that your anti-virus and anti-malware solutions are set to update automatically and run regular scans.
Regular data backups
To minimise downtime and disruption in the event of a cybersecurity incident, routinely backing up data is a must. However, you may need to manage different backup tools depending on your needs. That’s where an integrated BDR solution comes in, to help achieve more streamlined service management with far less chaos. It’s also crucial to secure your backups — make sure they are not connected to the computers and networks they are backing up, or else they could become infected in the event of a ransomware attack.
Deploy an endpoint protection tool
Endpoint security is another crucial element of your overall cybersecurity posture. Many organisations leverage endpoint detection and response (EDR) technology to help with the protection of endpoints such as servers, laptops, desktops, mobile devices, and more. An EDR tool is capable of quickly identifying many different virus and malware variants, as well as automatically taking remediation actions such as restoring unsafe files to an acceptable previous state.
Enhancing your cybersecurity
When it comes to cybersecurity, there is no such thing as too secure. Here are a few examples of tools and services you should consider adding to your cybersecurity tech stack:
- Risk Assessment
- ISO 27001 Information Security Management
- Email monitoring
- Implementing Essential Eight strategies
- Threat detection and response
Keeping your business protected
Ransomware attacks are more targeted and sophisticated than ever before. This is why it is critically important to have a partner who is an extension of your team to help you keep pace with the ever-changing threat landscape and bolster your cybersecurity defences, as well as prepare to respond in the event of a ransomware attack.