Ransomware is perhaps the most disruptive and infuriating security threat facing businesses in 2022. A ransomware infection is a symptom of an information and infrastructure security failure that may hurt a business’s reputation and pose a compliance risk. Ransomware not only deprives a business of data essential to its operations; it also forces business leaders to decide whether to pay off criminals—an action that has ethical, financial, and legal implications.
Over the last few years, ransomware has become a persistent threat to businesses of all sizes. According to Sophos’s The State of Ransomware 2021, 37% of businesses were hit by ransomware over the last year. The average ransom paid was $170,000, but the total cost of ransomware attacks—taking into account the ransom, downtime, mitigation costs, and staff time—averaged $1.8 million. Most chillingly, the average victim who pays retrieves only 65% of encrypted data—most ransomware victims suffer permanent data loss even when they pay.
Ransomware is likely to become more prevalent in 2022. It remains a high-value revenue generator for cybercriminals. The Treasury Department estimates that criminals made $600 million from ransomware in the first six months of 2021 and expects the year’s total to exceed the combined ransom payments of the previous ten years. The true cost is likely much higher because businesses are motivated to hide successful attacks once they pay a ransom.
What is Ransomware?
Ransomware is malicious software that encrypts files using a key known only to the ransomware operator, who then demands a ransom in exchange for providing the key to decrypt the data. The ransom demand typically asks for payment in an untraceable cryptocurrency. If the victim pays, they usually—although not always—receive the key and can therefore retrieve the lost data.
The most commonly encountered variants in 2021 included REvil/Sodinokibi, Hades, and DoppelPaymer, although one of the most impactful attacks of the year was carried out by the Darkside cybercriminal group, whose attack against Colonial Pipeline disrupted the supply of fuel to the East Coast for a week in May and resulted in a ransom payment of 75 bitcoins, equivalent to $4.4 million at the time the ransom was paid.
What Causes Ransomware?
Ransomware depends on an existing vulnerability to infiltrate a target system. The most common methods of infiltration are phishing attacks, brute force attacks, attacks against insecure RDP services, and the exploitation of software vulnerabilities. For example, the REvil/Sodinokibi ransomware spread through brute force attacks and server exploits, among other vectors. It initially used a vulnerability in Oracle WebLogic to download the code which encrypts the victim’s files, but the method used changes over time because ransomware is constantly evolving as criminals seek to exploit new vulnerabilities.
Can Data Encrypted By Ransomware Be Recovered?
Businesses should assume that once their data is encrypted by ransomware, it cannot be retrieved. Ransomware uses sophisticated cryptographic technology that cannot be reversed without the key. In the past, security experts have managed to reverse the encryption of poorly coded ransomware, but that is unlikely to happen for modern ransomware.
In some cases, including REvil/Sodinokibi, law enforcement agencies were able to identify and infiltrate the ransomware operator’s infrastructure, allowing them to extract the master key and build decryption software. However, it’s rare that this happens on a time-frame acceptable to businesses, and the most likely outcome of a successful ransomware attack is that data is irretrievably lost until the victim pays a ransom and the attacker provides a decryption key—although there is no guarantee the data will be retrieved even if the ransom is paid.
Should Businesses Pay the Ransomware Ransom?
The temptation to pay a ransom is understandable, especially if your business is facing severe disruption because critical data is no longer available to employees or customers. Many businesses choose to pay. But, as we mentioned earlier, businesses that pay get an average of 65% of their data back. Only 8% get all of it back. Even if you do pay, it’s unlikely your business will be made whole.
Furthermore, the attackers may not delete their copy of the data. It is increasingly common for ransomware attackers to sell or otherwise disclose stolen data. In fact, some ransomware attackers don’t encrypt the data at all. They steal it and promise to delete what they stole if paid a ransom. Needless to say, criminals are not always honest.
It is not usually illegal for U.S. businesses to make ransomware payments. However, the U.S. Department of the Treasury’s Office of Foreign Assets Control issued an advisory in 2020 declaring that it is unlawful to facilitate ransom payments to attackers on the Department of the Treasury sanctions list. The FBI advises businesses not to pay ransoms for the reasons we’ve discussed. It also encourages businesses to report ransomware attacks to the Internet Crime Complaint Center (IC3).
How to Prevent Ransomware: 6 Ransomware Protection Best Practices
Once the sole copy of a business’s data is encrypted by ransomware, its options are limited. Therefore, it is preferable to prevent ransomware infection in the first place and to ensure that important data is copied to a location ransomware cannot reach.
Regularly Update Software to Apply Security Patches
Many ransomware infections start with software vulnerabilities. The attacker exploits the vulnerability to gain access to a network and then uses that access to deploy their malware. It is not possible to guarantee a system is free from exploitable vulnerabilities, but updating software regularly ensures that known vulnerabilities are repaired.
To underline the importance of regular software patching: the EternalBlue vulnerability, which was widely exploited by the catastrophic WannaCry ransomware campaign, was fixed by a software patch months before attacks began. Victims were vulnerable because they had not updated the relevant software.
Back-Up Data to a Secure Remote Location
Ransomware is effective because it deprives businesses of the data assets they need. But that can’t happen if the data also exists in a secure offsite location the malware cannot access. Sophisticated ransomware is capable of finding and encrypting local backups on connected systems, so an effective backup must copy data to a system that is not easily reachable over the local network.
If the business has an up-to-date backup, it can wipe the infected systems and restore them, or deploy cloud disaster recovery infrastructure with its applications and the backed-up data.
Implement Least-Privilege Access Policies
Data should be accessible only to users and services who need it. The more people who have access, the greater the likelihood credentials will be leaked or stolen. If an individual no longer needs access, revoke their permissions.
Limit permissions to those that are required. For example, if a user needs to see information but not to change it, ensure they only have read permissions and not write permissions on the database, disk, or cloud storage service that stores the data.
Follow Cloud and Physical Infrastructure Configuration Best Practices
Cloud configuration errors often lead to vulnerabilities a ransomware attacker can exploit. For example, incorrectly configured access permissions on AWS S3 buckets may allow ransomware attackers to download, edit, and delete data. Ensure your business follows industry best practices for data security. If your business lacks the expertise to secure its data, hire a professional who can assess your security implementation and provide guidance.
We wrote more about cloud security best practices in 10 Top Tips For Better AWS Security Today.
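As an added illustration of the least-privilege and S3 configuration points above (example code written for this page, not from the original post or any KirkpatrickPrice tooling): a small Python check that flags bucket policy statements granting access to any principal or granting write/delete actions, the permissions a ransomware operator needs to encrypt or destroy data, including the backup bucket discussed earlier. The two policy documents, the bucket name and the role ARN are constructed for the example.

```python
# Constructed sample bucket policies for illustration (not from the original post).
# The first lets any principal do anything, which is exactly what a ransomware
# operator needs to encrypt, replace or delete a backup bucket's contents.
OVERLY_PERMISSIVE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:*",
                   "Resource": ["arn:aws:s3:::example-backups", "arn:aws:s3:::example-backups/*"]}],
}

# Least-privilege version: one named role, read and list only (constructed ARNs).
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:role/report-reader"},
                   "Action": ["s3:GetObject", "s3:ListBucket"],
                   "Resource": ["arn:aws:s3:::example-backups", "arn:aws:s3:::example-backups/*"]}],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_public(principal):
    """True when the statement applies to anyone ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def _grants_write(actions):
    """True if any action can modify or delete data: s3:Put*, s3:Delete* or a wildcard."""
    for action in _as_list(actions):
        verb = action.lower().split(":", 1)[-1]
        if verb == "*" or verb.startswith(("put", "delete")):
            return True
    return False

def find_policy_findings(policy):
    """Return findings for Allow statements that are public or grant write/delete.
    Only plain Action/Principal grants are inspected; NotAction/NotPrincipal and
    Condition blocks are ignored, so treat the result as a first-pass check."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if _is_public(stmt.get("Principal", {})):
            findings.append(f"statement {i}: allows any principal")
        if _grants_write(stmt.get("Action", [])):
            findings.append(f"statement {i}: grants write or delete actions")
    return findings
```

Run it against a policy document retrieved from your own account to get a quick list of statements worth reviewing; an empty list means no public or write-capable Allow statement was found by this simple check.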
Carry Out Regular Security Risk Assessments
Ransomware attacks often occur because a business misunderstands risks associated with their behavior or their system’s implementation. The EternalBlue example discussed above is a useful illustration; most businesses know that updating software is a good idea, but they choose not to because they don’t appreciate the seriousness and potential cost of living with that risk.
Risk assessments help businesses to understand potential security threats, including threats that may lead to a successful ransomware attack.
Implement Security Awareness Training
Phishing attacks are one of the most widely exploited ransomware vectors. Attackers send an email to employees or managers containing a link. The link takes the target to a site that infects their system with malware or that dupes them into entering authentication credentials.
One way to combat phishing is to ensure that employees recognize the signs. To achieve that, you’ll need to train every employee who might pose a risk. Security awareness training is required by several regulatory frameworks and organizations, including FINRA, HIPAA, and AICPA.
Prevent Ransomware with KirkpatrickPrice
Ransomware is a pressing security threat facing businesses in 2022. If you’d like help to identify and mitigate ransomware risks with remote security services, security awareness training, or a compliance audit, contact a KirkpatrickPrice information security specialist today.