Al Dickson, director, Quod Orbis
Ransomware has evolved into a sophisticated, complex ecosystem, capable of extorting vast sums of money from a wide spectrum of businesses. One of the most sobering considerations is that the penetration now extends far beyond SME’s, proving that enterprise businesses are not as mature and robust as they need to be.
Many explorations of ransomware have shown that tactics constantly evolve, as criminals compete in their underground community to infiltrate high-profile businesses and industries, to increase their own reputation. This will only worsen in 2023.
Ransomware: the 2023 edition
It is predicted that by 2024, ransomware damages will grow (globally) to $42 billion. Even more worrying is the forecasted year-on-year increase of 30% to reach $265 billion by 2031.
There are three major trends driving this growth:
1.Multiple extortion attacksare the norm:
Here, the bad guys use data theft, DDoS, customer communications and take a layered approach to extort money and increase the payout.
2.Ransomware as a Service goes Premium:
RaaS is nothing new, but it is becoming incredibly sophisticated as affiliate networks distribute ransomware on a massive scale. This allows cyber criminals to share profits with the most advanced ransomware groups.
3.The Supply Chain becomes part of the attack:
By exploiting trusted supplier relationships, threat actors have realized they can hit hundreds and potentially thousands of victims simultaneously. Even enterprises with robust security are falling foul to this kind of attack.
Given these developments, it is little surprise that Aimpoint’s “CISO report 2022” identified ransomware as the threat that CISOs around the world are most concerned about.
The question is what to do about it. Or, more precisely, what are the ransomware controls that ANY business should implement?
The context of controls
The good news is that despite the above evolution, criminals remain lazy, which means they will target businesses that are easier to infiltrate. This means those with fewer security controls and internet visible applications.
However, it is vital to remember that in an age where 80% of the data to run a business is outside of the four walls of that organisation, and supplier and third-party attacks are increasing, the weakest link may be a supplier or vendor. Consequently, an awareness of controls must expand throughout the supply chain.
The second context is that of speed – businesses are now targeted quicker. The dark web is heavily laden with company credentials for sale, and the time hackers take before launching an attack has significantly decreased. Hackers see that businesses are implementing detection software, so they know time is of the essence.
The last context is an honest assessment by a business to understand the impact of a ransomware attack. It only takes one person to make the mistake that allows a ransomware attack to occur, so the controls need to be applied throughout the business.
The top 5 ransomware controls for the 2023 threat landscape
There are always industry-specific ransomware controls that should be considered by certain security teams. However, there are rule-of-thumb controls that are essential to most businesses, focusing on a dual-approach of minimizing the risk of a ransomware attack and having a robust recovery plan.
Control 1: Credential Management
This must include two elements. Implementing a password policy to grant access and multi-factor authentication (MFA) to provide an extra layer should an employee provide their password accidentally.
Control 2: Training
Basic training for all employees on what to look for in a ransomware attack should be conducted at regular intervals. It is too easy to complete this as a tick box exercise. The landscape is constantly evolving, so there are always new threats.
Social Engineering (SE) is a critical part of this training. Criminals are adept at infiltrating teams and convincing them to provide sensitive information. It only takes one person to let the hackers in, and with teams geographically disparate, it is vital to include SE training.
Control 3: Least Privilege
This should focus on only allowing certain privileges to certain employees with default position being the least privileges granted – be it by number of rights or the levels of access granted. Admin rights expose networks.
Control 4: Patching
Patches fix security vulnerabilities in software, but it remains staggering how poorly managed this control remains. This is usually because of the perception of disruption.
Security leaders need to be business aware enough to assess the risk to business operations before patching. This is not just a downtime issue – the organisation must have clarity on the processes that are reliant on a given version of software as well as any concerns regarding legacy systems.
Control 5: Backup
Backups are the most effective way of recovering from a Ransomware attack but most organisations don’t know how their backups are performing. They don’t know if the spare tyre is flat or has air.
When Travelex was hit, teams had to resort in using pen and paper to work because there was no clear recovery plan, or back-ups. Business operations were in tatters for a considerable time.
Backup itself can become an entire strategy, from assessing cloud options, spare, clean hardware, and testing exercises. But the truth is that the effort is more than worth it, and it is a vital control.
These controls and actions span much further than activities in 2023. As the risk of ransomware continues to increase, these controls are the first steps in developing security against, and response to, the biggest cyber risk to business operations.