Ransomware attacks are still very much a threat, and the ease of perpetuating them is a big reason why. All it takes for a ransom attack to begin is for a single employee to click on a phishing email. Sadly, these attacks aren’t going away anytime soon.
The latest 2020 Verizon Data Breach Investigations Report cite phishing as the number one attack vector for the second year in a row, and the number of large corporations that have been subject to ransom attacks continues to grow and make the news each week. For example, a recent ransomware attack on a major entertainment law firm managed to steal more than 750 GB of private client data including phone numbers and personal email correspondence. Another attack on the University of Utah netted close to half a million dollars in a ransom payment to prevent the criminals from leaking the student data collected.
Ransomware criminals count on several weak links in an IT department’s governance that often leave entry points easily exposed. For example, there are often numerous open network ports that aren’t carefully monitored, and, frequently, infrastructure isn’t consistently managed or maintained with delays in patching and deploying system updates. Additionally, the role of backups has completely changed in the ransomware era. Attackers are getting more adept at penetrating networks which forces backup strategies to become more sophisticated and cover a wider variety of circumstances, threat models and conditions. As more of us use our smartphones for work purposes, this means that we store data on our phones, making the corporate backup solutions ineffective if our phones are lost or stolen. Backup tools also weren’t initially designed for heavily virtualized and cloud computing environments, which made them difficult to scale as these virtual and cloud servers were brought online.
Your organization doesn’t have to be such a tempting target for ransomware attacks. There are a few simple ways to minimize your exposure and make it more difficult for attackers to gain a foothold.
First, you need to set up the appropriate playbook and ensure that it is comprehensive and current. This Forrester report has a ransomware incident flowchart with lots of suggestions on how to create one. It starts with pre-incident planning and offers suggestions on various responses, including assembling your team and perhaps including ransom security specialists, pre-purchasing Bitcoins in advance (in case you choose to pay the ransom) and validating and recovering from backups. That is a good starting place.
If attacked, you’ll need to decide whether to pay the ransom or not. It is tempting to pay, especially if you think your backup copies are fine and the cost of the actual ransom payment could be less than the costs and consequences of trying to fix the damaged systems on your own. But you have to be confident that the attacks will actually decrypt your data and return your systems to a working state. That isn’t guaranteed: remember, you are dealing with criminals. Plus, you shouldn’t confuse repairing a machine with restoring its data. Just because you have a spare Windows Server that could be brought online doesn’t necessarily mean that it has the right configuration to operate on your network properly, or that its shadow copies haven’t been damaged in the ransom process.
Here are a few steps to take to reduce your potential ransomware exposure.
Remember the keys to better IT decision-making to protect your organization: