Welcome back to Cyber Security Awareness Month with Secure Sense!
Last week we discussed human error in cyber security and the importance of training your employees to avoid being a victim of a phishing scheme or social engineering attack. This week, we are reviewing ransomware – an attack that is often the result of credentials stolen via phishing campaigns, or of malicious email links themselves. Ransomware attacks have hit record highs in 2021, increasing 151% in the past 6 months compared to the first half of 2020. All industries are at risk, but it’s no surprise that healthcare, education, and manufacturing have been among the hardest hit industries since the beginning of the pandemic. Today we are discussing how ransomware works, who is at risk, how to deal with this kind of attack, and how your MSSP can help.
What is ransomware and how does it work?
As mentioned, ransomware attacks often occur after an employee or user opens or clicks an infected attachment or URL. When these infected links are opened, the malware is installed on the user’s computer and begins to either encrypt their files or simply lock their screen. Encryptor malware works by denying the user or organization access to their files and data – effectively holding that data hostage. The attacker can then demand a ransom payment in exchange for the decryption key needed to decrypt the files and release them back to the organization. Screen lockers simply notify the user that their screen is locked and that they must pay the ransom to have it unlocked. Once the ransom is paid, the attacker will give the decryption key to unlock the data. However, sometimes organizations will pay the ransom and then never receive the decryption key. It is generally accepted these days that paying the ransom is not advised because nothing is guaranteed – and in doing so, the organization or individual may become a target for future attacks. Not paying the ransom, however, can be extremely difficult for organizations, as many feel they have no choice. Without the decryption key, regaining access to the lost data is extremely difficult, and the organization risks lengthy business interruptions to restore from backups, or even losing important data forever. Even though a ransom can be upwards of hundreds of thousands of dollars, paying the ransom is often seen as the cheapest and most efficient way to regain access.
Just as most types of cyber attacks develop and become more sophisticated over time, ransomware attacks are no different. These kinds of attacks have been wreaking havoc on victims for years, and attackers have only grown more creative. These days, cybercriminals can remain anonymous by coming up with ways to make tracking payments impossible – such as being paid in gift cards or cryptocurrencies. It may sound daunting to defend against something like this; however, there are many steps you can take to protect your organization against these attackers. Learning as much as possible about these kinds of attacks, training your staff, and putting the correct technical controls in place are all measures that should be taken. Becoming familiar with the major ransomware attacks that have happened over the years is a good starting point: it will give you and your employees a good foundation in the tactics attackers use and the characteristics of these major attacks. Like we mentioned, attackers are always evolving and getting creative; however, most ransomware attacks follow a few different models that you should be up to speed on in order to build your defense successfully. The following is a summary from our partners at Proofpoint of some major attacks over the past few years:
Who is at risk and why is it spreading?
As with any cyber attack, any device that is connected to the internet is at risk. When ransomware is able to scan a vulnerable device, it is also able to scan anything connected via the local network – if that happens to be a business, the business then becomes a potential victim. The ransomware can then work by encrypting documents and files owned by the business. So how does a device become vulnerable? Aside from phishing emails and malicious attachments and links directly installing ransomware onto the device, a device (laptop, phone, etc.) can be especially vulnerable if it isn’t updated with the latest software security patches, runs an outdated or unsupported operating system, or does not have anti-malware installed to help detect and stop ransomware.
Ransomware has been spreading at unprecedented rates in the past 18 months notably due to the increase in employees working from home. Not only have attackers increased their use of phishing tactics and social engineering schemes, but they are taking advantage of the increased surface area of vulnerable personal devices employees may be using or personal networks that don’t have adequate security.
Steps for Responding to an Attack
If your business has unfortunately found itself in the middle of a ransomware attack, there are a few basic steps you can take. Firstly, you should not pay the ransom. The ransomware message will typically state the amount to pay and how much time there is (usually not very much), and may even threaten to publicly expose that the business has been compromised – thus putting pressure on the victim to act quickly. Although it is important to act fast, paying the ransom isn’t advised. There are a few risks to paying:
So what should you do? Like we said, it’s important to act quickly so the ransomware doesn’t spread to other areas on the network. Our partners at Proofpoint have a few basic steps to follow before getting the experts involved for analysis, clean-up and investigations:
Ransomware Prevention and how your MSSP can help
Last year, 37% of employees at businesses surveyed in North America didn’t know what ransomware was, while 32% had already been a victim of a ransomware attack. This indicates just how important it is to train your staff as one of your first lines of defense. Last week on the blog, we shared some tips on how to train your staff on cyber security awareness. This training should be done regularly to ensure employees know how to spot an attack, what to do if they become a victim, and how to report it.
In addition to training your staff properly on social engineering, phishing, and best practices, you can turn to your MSSP for help. Not only can your MSSP help you get back on your feet in the event of a successful ransomware attack, but they can help you prevent one in the first place. Being prepared for an attack (even if you think it will never happen to you) is the most important thing you can do to protect yourself. Anyone can be a victim of a ransomware attack, so it’s important to have the proper security in place to protect your organization. A few things you can talk to your MSSP about:
There should always be a dialogue about security awareness with your staff, your security team, and your MSSP. Creating a prevention and response strategy across the board will help ensure your organization doesn’t find itself in the unfortunate situation of a ransomware attack.
Interested in Chatting with a Security Professional?
There’s no better time than the present to enlist help for your security needs. Available across Canada, our team of specialists is eager and ready to learn how to become that trusted extension of your security team.
Don’t hesitate to reach out to us at 866-999-7506 or shoot us an email at contactus@securesense.ca.
Secure Sense is the security provider that cares. We are a team of experts with a passion for IT, and protecting your organization is what motivates us daily. If you have questions, want to learn more about our services or how we can improve your organization’s security, or just want to chat security, please give us a shout.