In August, a white hat hacker stole around $600 million-worth of cryptocurrency from a bitcoin-based platform before returning almost all of it. Earlier in the year, a ransomware collective gave Ireland’s Health Service Executive (HSE) a free decrypt tool after it was hit by an attack. So, are cybercriminals developing a conscience at long last?
Not in the slightest. Ransomware remains one of the world’s biggest criminal industries – in fact, one of the biggest industries full stop. It’s difficult to put an exact figure on such shadowy activity, but it’s estimated to cost the global economy at least £30 billion and as much as £120 billion annually.
What makes ransomware such an enduringly popular crime? There are many reasons, but chief among them are its ease and return on investment. In fact, it takes very little technical skill to get started. Ransoms are demanded in bitcoin or some other untraceable cryptocurrency and the disruption to victims is so great that most organisations pay up quickly.
For example, just this summer in the US, Colonial Pipeline paid hackers almost $5 million after they managed to shut down the East Coast’s main fuel supply artery. While most of the payment was recovered, the decryption keys were never found. REvil, the hacker group that claimed responsibility for the attack has all but disappeared, but it’s not likely they’ve gone away for good.
Such payments might make sense for the organisations affected, but they only serve to encourage criminals. O’Reilly recently conducted research which found that 6% of respondents have worked for organisations that fell victim to a ransomware attack. How do you avoid joining them?
Back to basics
The fight against cybercrime is often portrayed as an arms race, with both sides constantly seeking to develop new attacks and countermeasures. While it’s true that security technology is always developing, organisations must not passively wait for the “next big thing” to arrive, especially if it means neglecting the basics of cybersecurity.
Strong passwords, two-factor authentication, defense in depth, staying on top of software updates, good backups, and the ability to restore from backups—these “bread and butter” defenses are just as important as the latest AI-powered technologies. Unfortunately, few organisations practice truly effective security hygiene, turning an effective ransomware attack from a matter of “if” to “when”.
Everyone’s at risk
Ransomware attacks only make the headlines when a large organisation has been attacked, giving the false impression that smaller businesses generally pass below hackers’ radar. That’s a dangerously false assumption. Yes, attackers are looking for the biggest payouts, but they’re also probing for weakness, so often the smaller the organisation, the greater the risk – you just might not read about it in the BBC.
Small and midsize businesses often have limited IT staff and no professional security specialists, making them especially tempting targets. And as attackers get more sophisticated, they are able to target a greater number of organisations. Some criminal groups offer “ransomware as a service,” running attacks for customers. Others develop the software or create the attacks that find especially vulnerable victims. Everyone is at risk, but small companies should be even more cognizant of their security practices.
The human factor
The best defense against ransomware is to be prepared, and that means taking the human factor into account. The weakest element in any security posture is people themselves, and it’s human nature to look for shortcuts and workarounds—for example, by choosing easy-to-guess passwords or sharing them with others.
A good way to overcome this tendency is by mandating two-factor authentication (2FA), which requires a second safeguard in addition to a password. This could be something you have, such as a token on your smartphone, a fingerprint or other biometric authentication. And don’t just make 2FA advisory; it must be mandatory.
Education is also critical. Every employee should be aware of common risks such as phishing attacks, and be extremely skeptical of unexpected email attachments and website links, even in messages that appear to be from friends or colleagues.
Backup best practice
Backups are absolutely essential in the fight against ransomware. Just as important is the ability to restore from a backup. The easiest solution to ransomware is to reformat the disks and restore from backup. Unfortunately, few companies have good backups or the ability to restore from a backup—one security expert guesses that it’s as low as 10%. Here are a few key points:
First, actually perform regularly scheduled backups. Don’t rely solely on cloud storage; backup on physical drives that are disconnected when a backup isn’t in progress. Keep in mind that backup devices should be physically disconnected when they’re not in use. Otherwise, a ransomware attack can encrypt your backup.
You also have to test the backups to ensure that you can restore the system. If you have a backup but can’t restore, that’s as bad as not having one at all. Alarmingly, less than half of our respondents said that their company regularly practiced restoring from backups, while a further third said they didn’t know.
When attackers strike
What do you do if you fall victim to an attack? The obvious temptation is to pay up, even if that contributes to the problem by ensuring ransomware remains profitable for criminals.
It’s true that hackers have to maintain credibility in order to extract future ransoms, which is why many organisations trust them to hand over the key to decrypt data. However, at least one security vendor says that 40% of ransomware victims who pay never get their files restored. This makes it even more important to keep good backups, however you decide to respond.
Another problem is extortion. If attackers steal sensitive data as well as encrypting it, they can demand money not to publish it online. This may leave you with substantial penalties under laws such as GDPR and CCPA. Extortion attacks are becoming increasingly common, making it more important than ever to follow best security practices.
Whether or not you choose to pay, it’s far less damaging (both financially and reputationally) never to fall victim to ransomware in the first place. While there’s no such thing as a hack-proof organisation, if you make things as difficult as possible for attackers, the more likely they are to pass on to more vulnerable targets.
Staying on top of the basic security best practices is a good place to begin. Keep your software updated, use 2FA and implement defense in depth wherever possible. Take backups seriously and get into the habit of restoring from backups regularly. And, above all, don’t rely on criminals having a conscience.