If the word “ransom” makes you think of old crime movies, where the darling child of the sheriff is held captured until a certain sum of money has been paid, then you have a good idea what ransomware attacks are about — except your entire computer system is what’s held hostage by cyber criminals demanding payment.
A ransomware infection can be very costly to your business, and not just because you may have to pay a high ransom. While your computer system is held captive, your business could well be unable to operate.
And ransomware cyber criminals are doing a booming business:
Palo Alto Networks’ global intelligence team recently found that the average ransom paid per organization increased from $115,123 in 2019 to $312,493 in 2020. The highest ransom demanded in 2020 was $30 million, twice as much as the highest ransom in 2019. Double extortion, where data is leaked on the dark web if the victim doesn’t pay the ransom, has also become more common.
There may be a COVID connection here: because the pandemic forced more businesses to work online and employees to work remotely, sometimes a company’s carefully selected security tools and backup systems fell behind.
Palo Alto Networks also found that healthcare organizations were especially hard hit by ransomware attacks, conducted by cybercriminals who understood how costly it was for the healthcare organizations to have their systems locked out during a pandemic.
Protecting against ransomware attacks should be a high priority for any business today, so let’s take a look at what ransomware is, how you get it, and what some of the best means of ransomware protection are.
What is ransomware and how do you get infected
The most common ways in which you can come under ransomware attack are:
- Phishing emails. They look like they’re from a legitimate sender, but the real senders are cybercriminals who use email attachments to spread ransomware. One click is all it takes to launch ransomware into your business.
- Drive-by downloading. This happens when a user visits a website infected with ransomware, and the malware is secretly downloaded while the user is innocently browsing.
- Unprotected websites. A newer way of spreading ransomware is for cybercriminals to gain access through a web server that is not adequately protected with firewalls and antivirus software, and from there get into your entire system.
And here are five of the most common types of ransomware:
- Ryuk is especially infamous for attacking healthcare organizations and is actively being pursued by the FBI, the Department of Health and Human Services and the Cybersecurity and Infrastructure Security Agency.
- CryptoLocker has been around for a long time. It will encrypt your files in such a sophisticated manner that often the only way out of the mess is to pay the ransom for decryption.
- WannaCry (aka WCry) is a ransomware infection that’s been found in more than 100 countries around the globe.
- Cerber targets Microsoft 365 and has caused damage to millions of unsuspecting users.
- CryptoWall works the same way as CryptoLocker, and was created by cybercriminals seeking a more malicious update to the original.
- Jigsaw encrypts your files, then begins to delete them while making ransom demands. Typically all files are deleted after 72 hours.
To add insult to injury, victims who pay the ransom consequently label themselves as easy targets. It’s a safe bet that ransomware cybercriminals will soon return to knock on their firewalls again.
How to protect against ransomware attack
The first steps in a ransomware protection strategy are the installation of anti-malware software, and awareness training for your employees. Awareness training may include fake phishing emails and other fake ransomware threats, meant to raise employees’ awareness of what suspicious emails and other ransomware attacks look like.
A few internal exercises — conducted by your risk management team in an open, fun, and trust inducing manner with good follow up — are usually enough to create keen awareness of suspicious emails and different types of malware.
Remember, this is not about tricking employees into downloading malicious software; this is about creating awareness of the different types of social engineering that may allow ransomware attacks to succeed. Make sure employees know how and to whom they should report suspected ransomware attacks.
Conduct a careful risk assessment of your third-party providers and contractors. Ask them about their data protection standards and whether they’ve ever encountered any type of malware or other cyber threats, and require them to inform you when a ransomware attack happens.
This may be tricky ground to maneuver with a new third-party contractor, but it’s better to do so up front than to wait until after the ransomware attack when everyone is in stressful recovery mode.
Is SOC 2 for you?
You may consider requiring a SOC 2 audit, which is a special type of audit that examines the security controls used by your data service provider.
SOC 2 audits are designed for each organization and its data service provider, so it’s important to set the scope of the audit wisely. Assure that the audit covers ransomware attacks and any other cybersecurity attacks that might harm your access to the data that the data service provider is managing for you.
SOC 2 was invented by the American Institute of CPAs (AICPA) and covers these five areas:
- Security: use firewalls, malware detection systems, and two-factor authentication.
- Privacy: use two-factor authentication and encrypted files to protect personal and sensitive data.
- Availability: the service provider must have documented recovery plans, backup solutions, and plans for patching any penetration points, to prevent data loss.
- Confidentiality: data should be handled in compliance with all state and federal requirements such as HIPAA, and sensitive personal data should be stored in encrypted files.
- Process integrity: perform ongoing monitoring of the safety of the system, and reports of any infected files or ransomware attacks should come to you quickly.
Keeping a ransomware attack secret is unwise
Technically speaking, a ransomware attack doesn’t steal or release any of the data you manage; it simply renders your IT systems useless and may ultimately delete all your files. Ransomware cyber criminals aren’t after the data in your files. They’re after your money.
So if no breach disclosure laws were violated, a data service provider might choose not to disclose a ransomware attack. That’s why your service agreements are so important and should address the five areas mentioned above.
The reality is that phishing attacks are common, so your company should take steps to protect its data and systems against ransomware attacks.
Moreover, as double extortion becomes more common, where the attackers do share your data and trigger a breach, disclosing a ransomware attack is the only right thing to do — even if admitting an attack invites regulatory scrutiny.
You may alienate a few customers in the process and make the headline news for a brief period of time, but it’s naive to believe that your employees and advisers can keep quiet, so it’s better to get ahead of the PR disaster. That will also create time for you to recover your data and systems, evaluate what happened, and decide how to best prevent the next ransomware threat coming your way.
Cybersecurity and compliance management tools
As you forge a path for your business through the pandemic and our highly interdependent world, many tools can help keep your business safe and your information secure.
ZenGRC’s compliance management, risk and workflow management software is an intuitive, easy-to-understand platform that not only keeps track of your workflow, but also lets you find areas of high risk before that risk has manifested as a real threat.
Worry-free compliance management is the Zen way. For more information on how ZenGRC can enable your CMS, contact us for a demo.