Organisations could find themselves doubling the cost of clearing up after a ransomware attack if they pay off cybercriminals. According to a new survey for Sophos’ State of Ransomware 2020 report, the average cost of tackling the effect of such an attack, including business downtime, lost orders, operational costs, and more, but not including the ransom, was more than US$730,000 (£593,000). This average cost rose to US$1.4 million (£1.1 million), almost twice as much, when organisations paid the ransom.
This ransomware attack, against a company that has already suffered a similar attack previously, is indicative of the enhanced threat that ransomware poses. Businesses cannot assume that just because they’ve already been targeted once before, they will not find themselves targeted again. Targeting is increasingly opportunistic and new groups are becoming involved with new ransomware under development. Indeed, our latest research into cyber threats in the age of Covid-19 shows that global ransomware is on the rise, with 60% of the most recent campaigns against one vertical in Australia incorporating some form of ransomware. Unless organisations wake up to this threat, and improve their user awareness, such threats will inevitably increase throughout the year and the tide of attacks, as currently seen, will worsen.
Ransomware is working extremely well for cybercriminals due to the monetary gains that are achievable, so all organisations need to ensure they have adequate resiliency measures in place prior to an attack to preserve business-as-usual should the worst happen, and to thereby mitigate any potential loss. To reiterate advice, non-networked backups and a fallback email and archiving process need to become standard security measures if organisations are to significantly mitigate the current ransomware threat. Individual users can assist greatly by being aware of the potential for unsafe attachments but should also be wary of clicking any email links received in any communication, as criminals are increasingly utilising URL links rather than file-based attachments to infect networks. This attack should again provide the stark reminder that cyber resilience can no longer be an afterthought, but needs to be an urgent focus for all organisations going forward in what are difficult and uncertain times. Enhancing cyber-resiliency now, through technology, and the cyber hygiene efforts and awareness of all employees, is certain to be key to business continuity in the difficult and likely lengthy period of disruption to usual business which lies ahead as the result of the ongoing pandemic.
I would like to say that companies should never pay, but we are seeing some situations where it is necessary to pay, and to do so quickly. Ransomware authors have been attacking hospitals and healthcare organisations during the pandemic, and when lives are on the line, a decision to pay might be best.
Frequently though, payment doesn’t necessarily mean that files will be decrypted or that the attacker won’t leverage their foothold on your network to extract more funds. The best way to respond is to isolate the source of the attack (likely a spearphishing email), work with your IT organisation to put better monitoring and security in place, and only then deal with your ransomware problem. If you are going to have to rebuild your network and machines anyways, this is a great chance for teams to implement good network segregation, DNS-based filtering, and proper antivirus, if they don’t have it already.
To mitigate the impact of an attack and to put organisations in the position of not paying, off site backups are key. Whether it is to an S3 bucket on AWS that does versioning, a file server in a colocation centre, or recorded to tapes and stored in a closet in another building, you have to have versioned, off-site backups. These should go in one direction only, or be designed with least privilege in mind.
Ransomware attacks are among the fastest-growing cyber threats (one report projected that in 2021, companies will fall victim to an attack every 11 seconds). The first and most important thing to do when you’ve been hit by an attack is to disconnect the infected device from your network immediately (that means turning off GPS, Bluetooth, WiFi, etc.) and removing external hardware like USB sticks and SD cards. Next, you should make everyone else in the company aware of the attack with advice on how to identify and avoid the attack themselves. The safest recovery method then is to wipe the device and restore its system and files using your backup data.
We really encourage making backups! But if no backups have been made, there are certain decryption tools you can use to try to recover files that have been encrypted by the ransomware. Rather than connecting to the internet to download them (keep that device off the network!), use another computer to do so and copy them onto an external device you can plug in to install them. If you are able to recover your data, save it to the same external storage device to be added back on the device once it’s been wiped.
The 3-2-2 backup rule works well for protection. An organisation should always have three copies of its files stored in two different mediums at two different locations. At least one of these locations should be offsite (such as in the cloud).
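The versioned, one-direction off-site backup described a few paragraphs above and the 3-2-2 rule just stated, as an added example that is not code from the page or from any of the organisations quoted on it. It is a small Python audit with two checks: whether the IAM identity policy held by a backup agent on a production host grants any S3 action that would let a compromised host delete or replace earlier object versions (the "one direction only, least privilege" property), and whether a backup plan meets 3-2-2. The S3 action names are real IAM actions; the bucket name, ARNs, site names and both policies are constructed placeholders.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

# S3 IAM actions that would let a compromised production host destroy backup
# data, overwrite it in place, or expire the versions that make it recoverable.
# With bucket versioning on, a plain s3:PutObject to an existing key only adds
# a new version, so an agent that uploads encrypted files leaves the originals.
DESTRUCTIVE_ACTIONS = (
    "s3:DeleteObject",
    "s3:DeleteObjectVersion",
    "s3:DeleteBucket",
    "s3:PutBucketVersioning",        # could suspend versioning
    "s3:PutLifecycleConfiguration",  # could expire old versions almost at once
)


def _actions(stmt):
    """IAM allows Action to be a single string or a list; normalise to a list."""
    actions = stmt.get("Action", [])
    return [actions] if isinstance(actions, str) else list(actions)


def destructive_grants(policy):
    """Return (pattern, action) pairs where an Allow statement covers a destructive action.

    Action patterns may carry wildcards ("s3:*", "s3:Delete*") and IAM matches
    them case-insensitively, so every allowed pattern is tested against every
    destructive action with both sides lower-cased.
    """
    found = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _actions(stmt):
            for action in DESTRUCTIVE_ACTIONS:
                if fnmatchcase(action.lower(), pattern.lower()):
                    found.append((pattern, action))
    return found


def policy_is_write_only(policy):
    """True when the backup principal can add data but never remove or replace it."""
    return not destructive_grants(policy)


# Constructed example: the credential a backup agent on a production host uses.
# No Get*/Delete* actions; restores are done with a separate credential.
WRITE_ONLY_BACKUP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:PutObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-backups", "arn:aws:s3:::example-backups/*"],
        }
    ],
}

# Constructed example of the common mistake: a blanket grant that also covers deletion.
OVERPRIVILEGED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}


@dataclass(frozen=True)
class BackupCopy:
    name: str
    medium: str      # e.g. "disk", "tape", "object-storage"
    location: str    # physical site or cloud region
    offsite: bool    # True when the copy is outside the primary site


def check_3_2_2(copies):
    """Return a list of rule violations; an empty list means the plan satisfies 3-2-2."""
    problems = []
    if len(copies) < 3:
        problems.append(f"{len(copies)} of 3 required copies")
    media = {c.medium for c in copies}
    if len(media) < 2:
        problems.append(f"{len(media)} of 2 required media")
    locations = {c.location for c in copies}
    if len(locations) < 2:
        problems.append(f"{len(locations)} of 2 required locations")
    if not any(c.offsite for c in copies):
        problems.append("no offsite copy")
    return problems


# Constructed example plan: on-site primary, tape in another building, versioned S3.
EXAMPLE_PLAN = (
    BackupCopy("primary file server", "disk", "hq-datacentre", offsite=False),
    BackupCopy("weekly tape set", "tape", "warehouse-annex", offsite=True),
    BackupCopy("versioned S3 bucket", "object-storage", "aws-eu-west-1", offsite=True),
)

if __name__ == "__main__":
    print("agent policy write-only:", policy_is_write_only(WRITE_ONLY_BACKUP_POLICY))
    print("overprivileged grants:", destructive_grants(OVERPRIVILEGED_POLICY))
    print("3-2-2 problems:", check_3_2_2(EXAMPLE_PLAN) or "none")
```

The policy check reads only the principal's identity policy; the bucket policy, lifecycle rules and whoever holds account-level rights still need the same review, and the credential that restores data should be a different one that never sits on the hosts being backed up, which is what makes the flow one-directional.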