The risk of ransomware attacks is ever present in today’s business environment. The 2022 Verizon Data Breach Investigations Report estimates a 13% increase in ransomware identified as the root cause of breaches over the previous year. That places ransomware as the attack vector in 25% of all breaches for the previous year. Combined with other phishing attacks that rely on clicking links or opening attachments, it makes the mouse the most dangerous piece of technology in our infrastructure. Verizon goes on to report that 82% of breaches involved some form of human element.
Over the 2nd quarter of 2022, Dragos tracked ransomware attacks by sector and found that 69% of the ransomware attacks targeted 42 unique manufacturing subsectors.
[Figure 2: Ransomware targets by sector and subsector]
What is Ransomware?
Ransomware is a type of cyber-attack that requires relatively low sophistication and low financial investment by attackers to deploy. Often, the ransomware attacks are carried out using open-source tools that are low- or no-cost and offer a substantial return on investment.
Typically, a ransomware attack is initiated by sending phishing messages to a target, either blindly to many recipients or to specific individuals, which is known as “spear-phishing.” These messages can be delivered via various platforms, including email, text message (SMS), or other communication channels such as popular collaboration and messaging applications.
Attackers have adopted phishing as their favorite delivery method since it is much easier to encourage humans to act on something rather than work to bypass sophisticated technical controls.
Once the end user clicks on the link or opens the malicious attachment in a message, malware (malicious software) is typically executed on the end user’s computer and encrypts the files. Encryption is a computer algorithm that scrambles data, rendering it unusable until the encryption key (password) is employed to decrypt the data, making it readable and usable again. The decryption key is obtained by paying the ransom demand in Bitcoin.
Threat actors continue to iterate their capabilities and attacks to increase leverage as defense capabilities and victim responses change. Historically, it was commonplace for organizations to immediately pay ransom demands to get their data decrypted. This is no longer the case as organizations have become more resilient and consider the risk to business before immediately paying a ransom.
In light of this, to pressure organizations into paying a ransom, ransomware attacks pivoted from simply encrypting data to threatening to leak the data or sell it on the Dark Web. Threat actor activity has increased exponentially with new developments like LockBit 3.0, Ransomware-as-a-Service (RaaS), which lowers the barrier to entry for threat actors, and triple extortion ransomware attacks that apply pressure to the original victim and then to its stakeholders if the original victim does not act.
Ransomware attacks will be a significant concern for the foreseeable future and are expected to continually iterate and proliferate. Security Intelligence estimates that ransomware will cost victims $265 billion by 2031.
Mitigation and Resilience
While all of this may sound daunting, there are precautions that can be implemented to increase organizational resilience. Best practices and basic security hygiene can significantly improve the organization's ransomware mitigation capability and posture.
Numerous resources are available at low- or no-cost to organizations to help improve security awareness, defense capabilities, assessments, frameworks, and more.
With the understanding that 82% of attacks include some form of human element, a helpful area to focus on is educating the organization’s employees on security topics. This is often one of the most immediately realized returns on security investment for organizations.
A variety of services and offerings exist for security awareness and education. Pricing varies and options are available for every budget. Education can be delivered live, as recorded video, or through webinars, and phishing simulation exercises can help employees understand when it is safe to click and when it is not.
Information Security Frameworks
Depending on the organization, operational environment, regulation requirements, business risks, and other factors, several frameworks exist to help organizations implement Information Security programs and establish controls.
Many frameworks exist, but some popular options are:
- NIST CSF (National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF))
- NIST 800-53
- CIS Top 18 (Center for Internet Security (CIS))
- ISO 27001 (International Organization for Standardization (ISO))
United States Government Support
CISA (Cybersecurity & Infrastructure Security Agency) is part of the Department of Homeland Security. It provides a variety of complimentary tools and services and has a substantial number of resources available to businesses, such as Stop Ransomware.
The FBI (Federal Bureau of Investigation) also provides education on security topics, as well as a portal IC3 (Internet Crime Complaint Center) to report cyber-attacks.
A few best practices are outlined below. This is not an exhaustive list. A full information security program should be implemented with appropriate controls for your business by following trusted frameworks.
- Microsoft estimates that 99% of account compromise attacks can be mitigated by implementing multi-factor authentication (MFA). MFA is almost a requirement in today’s computing environment.
- Ensure organization data is backed up following best-practice guidelines for backups, like the 3-2-1 rule. Test backups and restoration capability often.
- Ensure all data and devices are encrypted both in-transit and at-rest.
- Have an organizational incident response plan with easy-to-follow steps that employees can execute when an incident occurs.
- Train employees to spot phishing attacks, to ask qualified personnel if they are unsure, and to report incidents.
- Establish relationships with trusted partners including legal, cybersecurity insurance, forensics, and incident response vendors. Review cybersecurity insurance details for carveouts and approved vendors.
There are certainly additional controls and precautions that the organization will want to explore, but the above are some basic security hygiene elements that are helpful to increase resiliency.
Another valuable resource is No More Ransom, which provides decryption tools for various ransomware families, additional guidance on prevention, and more.
Ransomware is a significant, ever-evolving, and ever-present threat to organizations. However, excellent resources are available to establish cost-effective controls that increase organizational resiliency and mitigate attacks. Partners like CISA can help the organization build awareness and improve its defensive capabilities.