Ransomware, the threat is real!


Unsurprisingly, Ransomware will continue to be an ongoing risk for businesses this year, having grown exponentially in recent years, with many organisations seeing a record number of attacks and paying out bigger ransoms than ever before.

A large part of the reason for the continued threat is the apparent immunity that these types of hackers currently receive from certain countries, on the basis that no activity is taken against organisations within their jurisdiction.

Whilst the ICO reports that 219 incidents were recorded during Oct – Dec 2021, it is important to keep in mind that this will not reflect the true number of Ransomware attempts – only those actually detected and reported.

In some cases, systems and networks can be compromised and go unnoticed for days, weeks, months and even years, until the hacker decides to sell access to Ransomware groups. This is commonly found by the ECSC Incident Response Team.

While it’s difficult to determine the motivation of Ransomware groups, financial gain is usually the most common, with threat actors asking for between 10% and 20% of an organisation’s current cash flow. In our experience, the attacked organisations that have had to make a payment do so because they see no choice, the alternative being to close their business.

The most common form of Ransomware that ECSC support our clients with is Ransomware as a Service (RaaS).

Ransomware IS a business

RaaS is a by-product of threat actors who utilise Ransomware frameworks in order to behave like a traditional organisation by extorting other companies.

Via this approach, RaaS lowers the barrier for entry for budding cyber criminals because they no longer need to be hackers themselves. This proliferation brings increased risk to all.

Using white-labelled Ransomware, threat actors will use their infrastructure to co-ordinate attacks. These attacks use human intelligence to bypass the security measures which are in place and exploit existing security weaknesses in order to achieve their goal: extortion. From ECSC's experience, key and targeted security controls which help to detect Ransomware attacks at an earlier stage will make a significant difference.

Can I prevent Ransomware?

Protection against Ransomware should not be a costly exercise. At ECSC we recommend that at least 10% of IT spend should be invested in cyber security.

One approach is to maintain a resilient and regularly reviewed cyber security policy, tailored to your industry and personal needs, which should include:

  • Multi-Factor Authentication (MFA) must be in use on all external authentications.
  • Regular backups off-site and offline. Backups are always the main target of Ransomware threat actors. In most cases, this is the primary distinction between whether or not a ransom has to be paid. It is crucial not only that you have sufficient backups but also that you have adequate expertise to put these backups in place after an attack.
  • Data Leak Protection (DLP) is easily bypassed by threat actors. Strong Firewall and Proxy policies on all network devices are key to reducing exfiltration and Command & Control back-doors (C2C).
  • Anti-virus software is not sufficient protection against Ransomware; however, it is key. Anti-virus should detect abnormal activity and notify your SIEM solution.
  • SIEM monitoring on all devices.
  • Don’t allow employees to use their own devices for work purposes. Bring Your Own Device (BYOD) has been the root cause of many Ransomware breaches.
  • Regular security training for employees must include phishing.
  • Policies in place for reporting any suspicious activity.
  • Rigorous patching of external devices including network appliances.
  • Frequent external vulnerability scanning.
  • Have an Incident Response Retainer & Plan in place. The earlier you contact your service provider for external support, the better. ECSC have 20 years' experience in kicking out threat actors.
