What we still need to talk about fighting ransomware in the enterprise

Yes, we still need to talk about fighting ransomware in enterprises, because in 2020 ransomware creators and operators pioneered new ways to evade endpoint security products, and they continue to show creativity and versatility in devising new tactics.

In the last quarter of 2020 alone, the average ransom payment increased by 21%, according to international reports, reaching US$233,817.30. A year earlier, the average payment was $84,116. Clearly, ransomware actors understand how expensive downtime can be and are testing the limit of what they can extract from companies in a ransom demand.

Whenever a company suffers an attack, the conclusions of the analysis resemble those of a plane-crash investigation: it is never a single event, but a combination of factors. In a ransomware incident, the attacker uses various techniques to gain access to the environment. One thing almost all attacks have in common, however, is social engineering, where the attacker exploits human vulnerability. Combined with an environment that lacks information security controls, or whose protection tools are poorly configured and unmanaged, this opens the door for the attacker.

The attacker may simply leave the data encrypted without keeping any copy of it. Alternatively, they may first make a copy of the data (exfiltration) and only then start encrypting the files. In this second scenario, even if the company has a business continuity plan and manages to restore the environment, avoiding a major operational impact, the attacker will begin extorting the company under the threat of leaking or selling the data on the dark web. This may cause the company to end up paying the ransom anyway.

Even though ransomware poses so many risks, there are still aspects of this type of crime that businesses continue to neglect, and until these receive a consistent response, attacks will continue to succeed.

Engagement is as important as protection tools

Most companies do not have transactional visibility of their data. So if users are moving it to cloud services not sanctioned by the corporation, or sending it via email or on USB sticks, for example, those responsible for the company's cybersecurity will not be able to determine, in the event of an attack, whether data has been leaked or only encrypted.

This is why engagement is so important. As several factors are involved in a cyber incident, countermeasures must be worked out in the context of a cybersecurity programme, which begins with modelling what needs protecting. It is essential that employees are engaged in that programme: they should know how to identify phishing, and when they notice something suspicious in an e-mail or even in a phone call, they should be able to alert the responsible team in the corporation.

Focus on detection and response

In addition to focusing on protection, security teams should focus their efforts on detection, assuming that at some point an attack will succeed. The damage is minimised when the time to detect and respond to that incident is reduced.

Incident response is also a topic that the information security team should take seriously. Many companies have no documented procedure for the steps to follow while an attack is in progress, and powering off the equipment ends up being the first reaction. This destroys volatile memory evidence and hinders the forensic investigation and the identification of patient zero. That information is essential for closing the attack vector and understanding what happened: was it a targeted attack, or simply the identification and exploitation of a vulnerability?
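To make the detection-time and patient-zero points above concrete, here is an added example (not code from the original article) that scans constructed endpoint file-event log lines for a ransomware-like burst: one host renaming or writing many distinct files to the same new extension within a short window. The log format, hostnames, thresholds and the `.lock` extension are all assumptions made for the example.

```python
"""Flag ransomware-like file bursts in endpoint file-event logs (constructed example)."""
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log: "<ISO time> <host> <user> <event> <path>" (no spaces in paths)
SAMPLE_LOG = """\
2021-01-12T09:00:01 WS-017 alice WRITE C:/Users/alice/Documents/q1.xlsx
2021-01-12T09:00:05 FS-01 svc_backup WRITE D:/backups/daily.bak
2021-01-12T09:02:10 WS-017 alice RENAME C:/Users/alice/Documents/q1.xlsx.lock
2021-01-12T09:02:11 WS-017 alice RENAME C:/Users/alice/Documents/q2.xlsx.lock
2021-01-12T09:02:11 WS-017 alice RENAME C:/Users/alice/Pictures/a.jpg.lock
2021-01-12T09:02:12 WS-017 alice RENAME C:/Users/alice/Pictures/b.jpg.lock
2021-01-12T09:02:12 WS-017 alice RENAME C:/Users/alice/Desktop/notes.txt.lock
2021-01-12T09:02:13 WS-017 alice WRITE C:/Users/alice/Desktop/README_RESTORE.txt
2021-01-12T09:05:40 WS-022 bob WRITE C:/Users/bob/report.docx
2021-01-12T09:10:00 FS-01 alice RENAME D:/shares/finance/ledger.xlsx.lock
"""

WINDOW_SECONDS = 60     # assumed sliding-window length
MIN_DISTINCT_FILES = 5  # assumed: distinct files gaining the same extension in one window

def parse(line):
    ts, host, user, event, path = line.split(maxsplit=4)
    return datetime.fromisoformat(ts), host, user, event, path

def detect_bursts(log_text, window=WINDOW_SECONDS, threshold=MIN_DISTINCT_FILES):
    """Return {host: (first_event_ts, detection_ts, extension)} for each host
    whose activity crossed the threshold. Bulk benign jobs (builds, archivers)
    can trip this heuristic too, so tune the threshold per host role."""
    recent = defaultdict(deque)  # (host, ext) -> deque of (ts, path) inside the window
    alerts = {}
    for line in log_text.splitlines():
        ts, host, _user, event, path = parse(line)
        if event not in ("RENAME", "WRITE"):
            continue
        ext = path.rsplit(".", 1)[-1].lower()
        q = recent[(host, ext)]
        q.append((ts, path))
        while (ts - q[0][0]).total_seconds() > window:  # drop events outside the window
            q.popleft()
        if host not in alerts and len({p for _, p in q}) >= threshold:
            alerts[host] = (q[0][0], ts, ext)
    return alerts

def patient_zero(alerts):
    """Host whose burst started earliest: where the forensic timeline should begin."""
    return min(alerts, key=lambda h: alerts[h][0]) if alerts else None

def seconds_to_detect(alerts, host):
    """Gap between the first event of the burst and the moment the rule fired."""
    first, detected, _ext = alerts[host]
    return (detected - first).total_seconds()
```

In the sample, only WS-017 crosses the threshold, and the rule fires two seconds after the first `.lock` rename; the single rename on FS-01 stays below it and would need a lower threshold or a share-specific rule.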

Deficit of qualified professionals

Small technology teams and high demand are factors that make it harder to keep the corporate environment and its data protected. The information security function suffers from a shortage of qualified professionals at the same time as the need for security keeps growing.

Don't forget

There is no silver bullet. Companies need to adapt their cybersecurity programme to raise the maturity of their protection and align the security strategy with the business. In addition, they must invest in a well-developed business continuity plan with clear measures in case of disaster, and a good offline backup policy with copies kept outside the corporate network. These measures are essential so that organisations are not at the mercy of criminals if all other security measures fail and the inevitable happens in the environment.

By Thiago Gonçalves