In the eye of a cyber-storm: Defending against a ransomware attack

For many global businesses, ransomware is front of mind, and for good reason. Following the most recent debilitating ransomware attack on Kaseya, the Miami-based unicorn, we are reminded of the risks, vulnerabilities and devastating effects that a targeted ransomware attack can have on not just the business directly attacked but their customers and supply chains as well.

It is no longer a question of if, but when another high profile ransomware attack will eventuate, and organisations in Asia should be on alert.

According to the CrowdStrike Global Security Attitude Survey, six in 10 organisations surveyed across the APAC region (63 per cent) suffered a ransomware attack in 2020.

Businesses must be prepared to face the coming storm, understand the prevailing trends of ransomware and bolster their defences comprehensively to safeguard their funds, data and customer trust.

The uphill battle: How to fight against ransomware

When protecting an organisation against ransomware, too often we focus on reacting to, or recovering our systems from, a catastrophic incident. Although that is extremely important, we forget the one simple goal we should all have: making sure that threat actors do not disrupt or impact our business, employees and customers in the first place.

When dealing with ransomware incidents, we find victims have access to security solutions, but these may well be reactive legacy solutions, only focusing on cleaning up the mess a cybercriminal has left behind – not preventing it!

Organisations today need to implement a prevention-first mindset to protect themselves. Due to the global pandemic and more people working from home, this prevention-first methodology needs to be thought about holistically.

Cybercriminals are harnessing flexible working as an opportunity to target organisations during their time of digital transformation because of the increased number of endpoints, as well as employees using their own devices at home.

For example, they are increasingly leveraging security gaps by replicating or stealing trusted network access to breach networks, undetected.

It’s paramount that organisations focus on a prevention-first mindset, not only for endpoints but also for cloud workloads, and, more importantly, adopt a Zero Trust approach, meaning that all users and devices must be authenticated, authorised and continuously re-validated to gain access to data. Having a security solution that is able to prevent first is the key first step in staying proactive in your defence.
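To make the Zero Trust principle above concrete, here is a small, added policy-decision example (it is not code from the article or from any vendor product mentioned in it). It evaluates every data-access request from scratch: the user must be authenticated, the session must have been re-validated recently, the device must pass a set of posture checks, and the user must hold the role the resource requires. The session-age limit, the posture checks, the resource-to-role mapping and the sample requests are all constructed values chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, Tuple

# Constructed policy parameters; a real deployment would tune these.
MAX_SESSION_AGE = timedelta(minutes=15)  # how long a verified session stays valid
REQUIRED_DEVICE_CHECKS = frozenset({"disk_encrypted", "edr_running", "os_patched"})

# Constructed mapping of protected resources to the role they require.
RESOURCE_ROLES = {"finance-db": "finance", "hr-files": "hr"}

# Constructed clock value so the example is deterministic.
NOW = datetime(2021, 7, 12, 9, 0, tzinfo=timezone.utc)


@dataclass(frozen=True)
class AccessRequest:
    user: str
    authenticated: bool            # identity provider verified this user (e.g. with MFA)
    roles: FrozenSet[str]          # roles granted to the user
    device_checks: FrozenSet[str]  # posture checks the device currently passes
    last_verified: datetime        # when the session was last re-validated
    resource: str                  # the data set being requested


def evaluate(req: AccessRequest, now: datetime) -> Tuple[bool, str]:
    """Return (allowed, reason). Nothing is trusted by default; every check runs per request."""
    if not req.authenticated:
        return False, "user not authenticated"
    # Continuous re-validation: an old verification no longer counts.
    if now - req.last_verified > MAX_SESSION_AGE:
        return False, "session stale; re-validation required"
    # Device posture: every required check must pass.
    missing = REQUIRED_DEVICE_CHECKS - req.device_checks
    if missing:
        return False, f"device posture failed: {sorted(missing)}"
    # Authorisation: the resource must be known and the user must hold its role.
    required_role = RESOURCE_ROLES.get(req.resource)
    if required_role is None:
        return False, "unknown resource"
    if required_role not in req.roles:
        return False, f"user lacks role {required_role}"
    return True, "allowed"


def sample_decisions() -> Dict[str, Tuple[bool, str]]:
    """Evaluate a few constructed requests and return the decision for each."""
    good_device = frozenset({"disk_encrypted", "edr_running", "os_patched"})
    requests = {
        "compliant": AccessRequest(
            "alice", True, frozenset({"finance"}), good_device,
            NOW - timedelta(minutes=5), "finance-db"),
        "stale_session": AccessRequest(
            "alice", True, frozenset({"finance"}), good_device,
            NOW - timedelta(hours=1), "finance-db"),
        "noncompliant_device": AccessRequest(
            "alice", True, frozenset({"finance"}),
            frozenset({"disk_encrypted", "os_patched"}),  # EDR not running
            NOW - timedelta(minutes=5), "finance-db"),
        "wrong_role": AccessRequest(
            "bob", True, frozenset({"hr"}), good_device,
            NOW - timedelta(minutes=5), "finance-db"),
    }
    return {name: evaluate(req, NOW) for name, req in requests.items()}


if __name__ == "__main__":
    for name, (allowed, reason) in sample_decisions().items():
        print(f"{name:20s} allowed={allowed} ({reason})")
```

The point of the structure is that a valid login alone never grants access: a session that was verified an hour ago, or a device that has stopped running its endpoint agent, is denied on the next request even though the user is the same.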

Fight on the front lines, and turn the hunter into the hunted

Threat hunting teams are particularly instrumental in promoting a more proactive security posture. Threat hunting allows organisations to go where technology cannot; to identify the unknowns or the proverbial “needle in the haystack, in a haystack factory.”

Ransomware threats often go undetected for days – sometimes even weeks or months – as they prepare an environment for an attack. The massive ransomware attacks we see in the news are commonly a product of cyber criminals spending inordinate amounts of time preparing the environment for maximum impact.

Adequate time gives cybercriminals the best opportunity to apply as much pressure as possible and extract as much money as possible out of the victim, ultimately forcing their hand to do nothing but pay the ransom and other extortion fees.

However, threat hunting teams are designed to pinpoint threats in real-time to detect and engage cyber criminals in “hand-to-hand combat”, providing a front-line defence for organisations before it’s too late.

Even with full security implementations, it is one thing to detect a cybercriminal’s activity on the network, but it is another to do something about it. Threat hunting teams are a critical consideration to augment, or even sometimes replace, existing teams by turning detection into action against ransomware threats.

Don’t pay the ransom. Easy to say, hard to do

Any Asian (or international) organisation considering making a payment (to essentially a criminal group) during a ransomware incident must seek legal advice to ensure what they are about to do does not result in a criminal offence. Paying the ransom fuels a criminal industry and it does not guarantee access to encrypted data.

Additionally, organisations assisting victims in making ransomware payments to sanctioned cybercriminals also face the risk of violating various regulations, depending on what country they are in.

It is important to acknowledge that it is easy to say “don’t pay the ransom”, but it ultimately remains a very difficult situation for an organisation that can’t recover its data or a critical infrastructure provider that faces severe service disruption. They may feel forced into paying the ransom to get back to being operational.

These situations put victimised organisations between a rock and a hard place: they either pay the ransom and risk breaking government regulations, or refuse to pay and risk going out of business. However, despite the immense pressure, paying a ransom can fuel the fire for cybercriminals to return with bigger threats.

The evolution and proliferation of ransomware: Double extortion

CrowdStrike has recently observed cybercriminals adopting a “double extortion” model, in which cybercriminals will encrypt the target’s data and not only demand a ransom for its return but also leverage additional payment incentives to add pressure on the victim to pay the ransom.

Some cybercriminals will even use a more targeted approach and threaten to publicly release and/or auction the data unless the victim pays up.

This in turn fuels the ransomware ecosystem in a vicious cycle that only hurts the victimised organisation even more down the road. The exploitation of data also puts victimised organisations at risk of violating local or regional data privacy regulations, which can end up costing millions of dollars in addition to the original ransom.

Cybercriminals will continue to refine these approaches and experiment with different business models, including affiliate schemes designed to recruit more people to deploy attacks for a share of the profit, known as Ransomware as a Service (RaaS). With this and the double extortion model, the potential ramifications are far and wide.

As we progress through this year, organisations need to remain on high alert to be better prepared to weather the storm that is coming or run the risk of facing the consequences of a potentially devastating ransomware attack.

With the right knowledge, tools and preparation, as well as testing and role-playing exercises, organisations can effectively combat would-be attackers and give themselves the best chance of remaining unscathed in 2021.
