Treading A Safe Path - Navigating Hidden Ransomware Risks

Ransomware attacks have continued their inexorable rise over the past decade. While there’s debate about whether the number of attacks has gone up or down in recent months, statistical trends may seem less important than the day-to-day reality faced by many cyber security professionals - thousands of organisations are still falling prey to ransomware.

The figures remain shocking – 3 in every 5 organisations were hit by ransomware attacks in the past 12 months and 70% suffered data encryption. More worryingly, initial ransom demands have surged 20% over the past year.

Ransomware attacks continue to dominate headlines and C-suite anxieties because of the scale of disruption they cause. Those tasked with protecting their organisations walk a tricky tightrope, with potential losses extending far beyond the ransom itself.

Paying Isn’t A Straightforward Path

Paying the ransom might seem like the quickest way to regain access to encrypted data and business continuity. Where critical, time-sensitive data is at stake, capitulating to the financial demands can appear a necessary evil to uphold commitments to customers and stakeholders. The cost of the ransom may appear negligible compared to the potential losses incurred from operational downtime or the expense of alternative data recovery methods, IR counsel and legal costs, credit monitoring, PR and crisis management. 

However, this apparently simple decision masks a range of more complex considerations that must be addressed before deciding to pay.

Paying the ransom doesn’t guarantee the safe return of data. The National Crime Agency’s operation against LockBit revealed that even when ransoms were paid, the group didn’t always do as promised. There are numerous cases where businesses didn’t regain access to their data, or found it was corrupted or incomplete. Decryptors are frequently withheld despite payment, and those that are provided often prove slow, faulty or unable to handle every file type that was encrypted.

Paying a ransom can also mark an organisation as an easy target, leading to repeat attacks. Cybercriminals share information about compliant victims, increasing the likelihood of future demands from other groups exploiting the same weakness, or from the same group if the original point of entry was never closed. This creates a vicious cycle, making businesses more vulnerable each time they pay up.

Moreover, cybercriminals are now deploying high-pressure tactics in an effort to increase payments, with some groups targeting the clients of firms they successfully attack, or reporting victims to their insurers and even to the US Securities and Exchange Commission. This intensifies the risk of severe reputational damage and additional penalties.

Navigating Regulatory Risks

In the face of mounting financial pressures, wider implications can get overlooked by victims. Overwhelmed by monetary demands and business continuity issues, many are ill-prepared to navigate the complex maze of long-term regulatory and moral considerations.

From a legal and ethical standpoint, paying a ransom places organisations in murky waters. Funding criminal activity perpetuates the cycle of crime, so payment poses a genuine moral dilemma by supporting the world of cyber extortion. Paying may also breach the organisation’s own policies where those forbid payment.

Payment may also conflict with laws banning the funding of criminal activity, and with sanctions regimes where the group or its affiliates are designated entities. In October 2023, the White House announced that an alliance of 40 countries had pledged that their governments would never pay ransoms. Ransom payments may expose the organisation, and any individuals or intermediaries facilitating them, to civil and criminal penalties. Depending on jurisdiction and sector, victims may also be obliged to report ransomware incidents promptly to regulators and law enforcement agencies and to cooperate fully with their investigations.

Preparation Is Key

Among the myriad of measures cybersecurity professionals can implement, here are some of the most effective steps to boost resilience and reduce risk. 

Plan Ahead
A robust incident response strategy should include clear protocols for ransomware attacks. Formal incident response plans are rare – only 1 in 5 UK businesses have one in place, and a number of leaders aren’t aware of their company’s stance on ransom payments. Develop a clear ransomware response plan, and be clear on company policy and local law concerning payment and reporting. Regular drills and policy reviews, including a tabletop exercise of the pay-or-don’t-pay decision with legal and executive stakeholders, will ensure the organisation is prepared for an actual incident.

Restore & Recover
Maintaining proper backup and recovery practices is one of the most effective ways to increase resilience to ransomware. Robust backups protect valuable data and ensure it can be fully restored, while disaster recovery solutions with a low Recovery Point Objective (RPO) and near real-time replication allow rapid, full recovery of data and services. Two caveats matter in practice. Ransomware operators routinely locate and delete or encrypt backups before detonating, so at least one copy should be offline or immutable and unreachable with the credentials used for day-to-day administration. And replication alone is not a backup, since encrypted files replicate just as faithfully as clean ones; point-in-time copies and regular test restores are needed. Backup and DR don’t prevent data exfiltration, but being able to retrieve data and restore business operations limits the impact of an attack.

Watch & Learn
Holistic visibility with continuous monitoring across the entire attack surface is essential, but it’s equally critical to make use of the information collected. Log monitoring is a crucial component, encompassing intrusion detection and NDR systems, EDR solutions, firewalls, IAM systems, email and cloud-hosted services. Ransomware rarely appears from nowhere: initial access, credential theft, lateral movement and the disabling of backups and shadow copies usually precede encryption by hours or days, and each stage leaves traces that can be alerted on. Monitoring these increases the likelihood of detecting threats at an early stage and lets organisations exploit their cyber threat intelligence, informing strategies and future defences.
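To make the "precursor" point concrete, here is an added example, not from the original article, of detection logic run over endpoint telemetry. It flags the recovery-inhibiting commands that typically run minutes before encryption (shadow copy and backup catalogue deletion, disabling boot recovery) and the encryption phase itself, seen as one process renaming many files to a single new extension within a short window. The JSON-lines event feed and its field names are this example’s own convention and the log is constructed, not captured from a real incident.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command lines that disable recovery before encryption starts (MITRE ATT&CK T1490,
# "Inhibit System Recovery"). Patterns are deliberately loose on spacing and case.
PRECURSOR_PATTERNS = {
    "shadow_copy_deletion": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "backup_catalog_deletion": re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    "boot_recovery_disabled": re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I),
}

# One process renaming this many files to the same new extension inside the window
# is the encryption phase itself; the patterns above are the warning that precedes it.
RENAME_THRESHOLD = 20
WINDOW = timedelta(seconds=60)


def _ext(path: str) -> str:
    """Extension of the last path component, lower-cased ('' if none)."""
    name = re.split(r"[\\/]", path)[-1]
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def parse(lines):
    """Yield one event dict per non-empty JSON line."""
    for line in lines:
        if line.strip():
            yield json.loads(line)


def detect(events) -> list:
    """Run the precursor and mass-rename rules over time-ordered events."""
    alerts = []
    renames = defaultdict(list)  # (host, pid) -> [(timestamp, new_ext), ...]
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "process":
            for rule, pattern in PRECURSOR_PATTERNS.items():
                if pattern.search(ev["cmdline"]):
                    alerts.append({"rule": rule, "host": ev["host"], "pid": ev["pid"], "ts": ev["ts"]})
        elif ev["type"] == "file_rename":
            new_ext = _ext(ev["new"])
            if new_ext == _ext(ev["old"]):
                continue                       # same extension: not an encryptor's rename
            key = (ev["host"], ev["pid"])
            window = [(t, e) for t, e in renames[key] if ts - t <= WINDOW]   # drop stale entries
            window.append((ts, new_ext))
            renames[key] = window
            if sum(1 for _, e in window if e == new_ext) == RENAME_THRESHOLD:   # fire once, on crossing
                alerts.append({"rule": "mass_rename", "host": ev["host"], "pid": ev["pid"],
                               "ext": new_ext, "ts": ev["ts"]})
    return alerts


def constructed_log() -> list:
    """Constructed endpoint telemetry (not from a real incident)."""
    t0 = datetime(2024, 6, 3, 9, 14, 0)
    rows = [
        {"ts": "2024-06-03T09:13:55", "type": "process", "host": "FS01", "pid": 3120,
         "cmdline": "vssadmin list shadows"},                                   # benign admin query
        {"ts": "2024-06-03T09:14:00", "type": "process", "host": "FS01", "pid": 4412,
         "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
        {"ts": "2024-06-03T09:14:01", "type": "process", "host": "FS01", "pid": 4412,
         "cmdline": "bcdedit /set {default} recoveryenabled No"},
        {"ts": "2024-06-03T09:14:03", "type": "file_rename", "host": "FS01", "pid": 900,
         "old": "C:\\Users\\a\\~tmp1.tmp", "new": "C:\\Users\\a\\report.docx"},  # benign save
    ]
    for i in range(25):   # pid 4412 then renames 25 documents in 25 seconds
        rows.append({"ts": (t0 + timedelta(seconds=5 + i)).isoformat(timespec="seconds"),
                     "type": "file_rename", "host": "FS01", "pid": 4412,
                     "old": f"\\\\FS01\\share\\doc{i}.docx",
                     "new": f"\\\\FS01\\share\\doc{i}.docx.locked"})
    return [json.dumps(r) for r in rows]


if __name__ == "__main__":
    for alert in detect(parse(constructed_log())):
        print(alert)
```

The benign "vssadmin list shadows" and the single save-as rename produce nothing, while the deletion, the bcdedit change and the rename burst each raise one alert. In a real deployment the first two rules alone justify isolating the host: the encryptor normally starts seconds after them.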

Closing Gaps
Organisations can greatly reduce their cyber risk by implementing an effective patching programme to address known weaknesses. 60% of cyber incidents in the past 12 months exploited vulnerabilities identified at least 2 years previously. Keeping up to date with vulnerabilities, establishing a remediation plan, setting priorities (known-exploited and internet-facing first) and managing patching effectively over the long term can be challenging. Managed patching services can be a cost-effective way to keep all machines up to date with security and core OS patches.

Enforce Identity Controls 
Cyber criminals are adept at finding and leveraging user credentials to log into IT environments. Multi-factor authentication is an effective way to harden defences, but as attacks become more sophisticated (push-notification fatigue, adversary-in-the-middle phishing of one-time codes), it’s essential not just to implement MFA but to enforce it everywhere, with no exceptions for legacy protocols, service accounts or remote access gateways, and to prefer proven phishing-resistant, password-less approaches such as FIDO2 security keys or passkeys.

Cloud Control
With 45% of breaches starting in victims’ public cloud, it’s important to be clear where security responsibilities lie. Under the shared responsibility model the provider secures the underlying platform, but configuration, identities, access policies and the data itself remain the customer’s responsibility, so a breach that starts from your organisation’s misconfiguration or compromised credentials and disrupts your cloud data is yours to deal with. Many firms discover the hard way that data and other resources aren’t automatically backed up by their cloud providers. Many cloud security incidents can be traced back to misconfigurations and weak access policies, highlighting the importance of IAM and of the providers’ own guardrails, such as account-level public-access blocks.
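The most common of those misconfigurations is a resource policy that grants access to everyone. The following is an added example, not from the original article, of a static check that can be run over bucket policy documents in infrastructure-as-code before they are applied: it reports every Allow statement addressed to the anonymous principal, and distinguishes grants with no Condition at all from those that a condition narrows. The two policies, the bucket name and the account ID are constructed for illustration; the check follows the documented IAM policy grammar and needs no credentials or network access.

```python
import json


def _as_list(value) -> list:
    """IAM lets most fields be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_public_principal(principal) -> bool:
    """True for the anonymous-principal forms: "*" or {"AWS": "*"} (alone or in a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def find_public_statements(policy: dict) -> list:
    """Return every Allow statement addressed to anonymous principals.

    A statement with a Condition (for example aws:SourceVpce or aws:SourceIp) is
    still reported, flagged as conditional, because that condition is the only thing
    between the bucket and the internet and deserves a human look.
    """
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue                 # a Deny to "*" is a hardening measure, not an exposure
        if not is_public_principal(stmt.get("Principal")):
            continue
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "actions": _as_list(stmt.get("Action", [])),
            "unconditional": "Condition" not in stmt,
        })
    return findings


# Constructed policies for a made-up bucket and account; not taken from any real environment.
WEAK_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-backups", "arn:aws:s3:::example-backups/*"]},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-backups/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}
  ]
}
""")

FIXED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "RestoreRoleOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup-restore"},
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-backups", "arn:aws:s3:::example-backups/*"]},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-backups", "arn:aws:s3:::example-backups/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
  ]
}
""")


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("fixed", FIXED_POLICY)):
        print(name, json.dumps(find_public_statements(policy), indent=2))
```

The weak policy yields two findings (one unconditional, one conditional); the fixed policy, which names a single restore role and keeps only a Deny for unencrypted transport, yields none. A policy check like this complements, rather than replaces, the account-level public-access block, which should be on regardless.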

Collaboration Is Key
There’s growing recognition that knowledge sharing is an important weapon in the war against cybercrime. While reporting ransomware incidents is often a legal requirement, working closely with law enforcement agencies can also help track and apprehend cybercriminals. Collaborating with industry peers can help businesses stay informed about the latest threats and mitigation strategies, while cybersecurity specialists and MSPs can further enhance an organisation’s security posture and incident response capabilities.

Forewarned Is Forearmed

There’s been a shift in the war against ransomware. Businesses and governments have adapted to increased cyber risk by bolstering defences, expanding international law enforcement operations and refusing to pay ransoms. Ransomware groups have, in turn, become more aggressive. Faced with a growing refusal to pay, attackers are demanding higher payments, expanding their list of targets and applying greater pressure on victims.

This further underscores the importance of a proactive strategy covering prevention, detection and recovery. Weighing the financial, legal and ethical questions now takes uncertainty out of the equation, streamlining and de-risking fraught decision-making when a ransomware incident strikes.

Outsmarting ransomware groups is not just about refusing to pay; it’s about establishing a state of readiness that reduces risk and eliminates the need to make such decisions in the first place.

Rob Smith is CTO at Creative ITC

Image: fizkes
