In the world of cyber-attacks, Ransomware still gets many of the headlines. And for good reason. It’s become an industry, with cyber-criminal organisations operating like legitimate businesses – they even have ‘customer service’ departments and Trustpilot-style ratings on the dark web.

While putting a number on it is a challenge, it’s now reckoned to be worth north of ten billion dollars globally.

Ransomware is a type of malware, a class of malicious code that, once on a victim’s computer, will encrypt valuable data, preventing user access. The victim receives a ransom demand – typically for bitcoin or another means which is difficult for authorities to trace once paid. Pay the ransom and you’ll get a key in return to unlock the data.

At first these types of attacks targeted individual computers. Attackers quickly realised its potential and began to go after organisations who were willing to pay bigger sums to retrieve employee and customer data.

A ransomware incident cripples a business or organisation, and there is no moral code among the cyber-criminal community, meaning anyone can be a target.

A ransom demand may be the first you know about it. Chances are that cyber criminals have been in your network for some time, planning and preparing for the moment it happens, to make sure the infection is complete, and you have no option but to pay them when they decide the time is right. They’re experts at evading detection, know how to defeat and bypass protection layers once they’ve breached your outer defences, and make sure to cripple your backups too, so you can’t perform a restore to try and bypass a ransom demand.

Data breaches

In an evolution, cyber criminals are now stealing data and blackmailing victims with the threat of its release. So even if you have a method of recovery, they can still demand payment.

As with expensive vehicles and gadgets, data may also be stolen to order, with cyber criminals selling it on a dark web marketplace. If your organisation is attacked in this way, you could be facing a massive fine for a breach of personally identifiable customer or employee information (PII).

Imagine, too, a critical product design or code has been stolen. With the blueprint for a new product or service now open to the highest bidder online, this would put your business plans and investments back significantly, at the very least.

The anatomy of an attack

So, how do the attackers gain entry?

The list is as wide as it is long – it could be a vulnerability in a system or website, or a poorly configured remote-access service that gets hijacked. The most common method is a phishing email, used to capture an employee’s log-in details, or to trick them into clicking a malicious link in an email which automatically infects the device.

How to mitigate and prevent an attack

While there are many ways for hackers to gain entry, there’s plenty you can do to protect yourself from attack, and to prevent them from taking your whole business out should they get in.

  • Minimise the attack surface – this is a security person’s way of saying, close-down as many potential vulnerabilities and misconfigurations in your environment as possible. To achieve this, you must have full visibility of what’s running, remove anything not essential or no longer needed, keep systems updated, and ensure configurations follow secure best-practice principles.
  • Use the latest anti-malware endpoint protection technology – user devices (endpoints) are the most likely first points of infection. Install next-generation endpoint protection software that goes beyond what traditional anti-virus (AV) can do, which is only to detect the presence of malicious code it has seen before. Attackers can now get round this easily enough, so in addition to AV, use modern tools that can detect suspicious behaviour on a device and remove unwanted code or programs from internet sites or downloaded software.
  • Improve resilience of all internet-facing systems – these are potentially your most vulnerable. The principles of minimising your attack surface very much apply here.
  • Implement advanced email security – ensure you have software capable of removing suspicious links and attachments from email, or at least quarantining the message until it can be viewed safely and verified.
  • Ransomware-proof your backups – ensure backups are encrypted, you have offline copies, access is tightly controlled, with only authorised personnel and multi-factor authentication methods in place, i.e. more than one way of proving it’s a legitimate person trying to access the backups, not a hacker.
  • Privileged or administration accounts – cracking into access-all-areas accounts in a system is an attacker’s dream. You must have further controls in place to ensure access is only granted for designated personnel, at specific times and for pre-approved reasons.
  • Ensure account separation on devices – ensure only admins can install or change software.
  • Deploy web browser security – ensure users are protected from visiting malicious sites or clicking on malicious pop-ups and links by using appropriate web browsing security software.
  • Implement security awareness training – make sure phishing training is delivered and regularly updated. See our article on combating phishing.
  • Segregate your network – make it harder for cyber criminals to move around your network with segmented network designs.
  • Detection and response – you may want to implement further defence-in-depth approaches by having more sophisticated methods of detection, such as managed detection and response (MDR) services, should your primary defences be breached.
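The "suspicious behaviour on a device" that modern endpoint tooling looks for, rather than a known malware signature, is often simply a process renaming many files to a new extension in a short burst, which is how most ransomware families leave their mark. The following Python example is added here to illustrate that behavioural check; it is not code from the article or from any product. The file-activity log format, the process names, the paths and the thresholds are all constructed for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from pathlib import PurePosixPath
from typing import Dict, List, NamedTuple, Optional

# Constructed sample of endpoint file-activity events (not real telemetry).
# Format, one event per line: "<ISO timestamp> <process> <action> <path>[ -> <new path>]"
SAMPLE_EVENTS = """\
2024-05-01T09:00:01 winword.exe WRITE /home/alice/report.docx
2024-05-01T09:00:05 photos.exe RENAME /home/alice/img1.tmp -> /home/alice/img1.jpg
2024-05-01T09:02:10 photos.exe RENAME /home/alice/img2.tmp -> /home/alice/img2.jpg
2024-05-01T09:03:00 updater.exe RENAME /home/alice/report.docx -> /home/alice/report.docx.locked
2024-05-01T09:03:02 updater.exe RENAME /home/alice/budget.xlsx -> /home/alice/budget.xlsx.locked
2024-05-01T09:03:03 updater.exe RENAME /home/alice/notes.txt -> /home/alice/notes.txt.locked
2024-05-01T09:03:05 updater.exe RENAME /home/alice/photo.jpg -> /home/alice/photo.jpg.locked
2024-05-01T09:03:08 updater.exe RENAME /home/alice/plan.pptx -> /home/alice/plan.pptx.locked
2024-05-01T09:03:09 updater.exe RENAME /home/alice/cv.pdf -> /home/alice/cv.pdf.locked
2024-05-01T09:03:11 updater.exe WRITE /home/alice/README_TO_RESTORE.txt
"""


class FileEvent(NamedTuple):
    ts: datetime
    process: str
    action: str          # WRITE, MODIFY, RENAME, ...
    src: str
    dst: Optional[str]   # only set for RENAME


def parse_events(text: str) -> List[FileEvent]:
    """Parse the constructed one-line-per-event format shown above."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, process, action, rest = line.split(maxsplit=3)
        if action == "RENAME":
            src, dst = (p.strip() for p in rest.split("->", 1))
        else:
            src, dst = rest.strip(), None
        events.append(FileEvent(datetime.fromisoformat(ts), process, action, src, dst))
    return events


def changes_extension(src: str, dst: str) -> bool:
    """True when a rename gives the file a different final extension."""
    return PurePosixPath(src).suffix != PurePosixPath(dst).suffix


def detect_mass_rename(events: List[FileEvent],
                       window: timedelta = timedelta(seconds=60),
                       threshold: int = 5) -> Dict[str, dict]:
    """Flag any process that renames at least `threshold` files to a new
    extension inside a sliding time window of length `window`.

    Returns {process: {"count", "extension", "first", "last"}} for flagged processes.
    """
    per_process = defaultdict(list)
    for ev in events:
        if ev.action == "RENAME" and changes_extension(ev.src, ev.dst):
            per_process[ev.process].append((ev.ts, PurePosixPath(ev.dst).suffix))

    alerts = {}
    for process, renames in per_process.items():
        renames.sort()
        best = (0, 0, 0)  # (count, start index, end index) of the densest window
        start = 0
        for end in range(len(renames)):
            # Advance the window start until it spans at most `window`.
            while renames[end][0] - renames[start][0] > window:
                start += 1
            count = end - start + 1
            if count > best[0]:
                best = (count, start, end)
        count, start, end = best
        if count >= threshold:
            burst = renames[start:end + 1]
            ext, _ = Counter(suffix for _, suffix in burst).most_common(1)[0]
            alerts[process] = {
                "count": count,
                "extension": ext,
                "first": burst[0][0],
                "last": burst[-1][0],
            }
    return alerts


if __name__ == "__main__":
    for proc, info in detect_mass_rename(parse_events(SAMPLE_EVENTS)).items():
        print(f"ALERT {proc}: {info['count']} files renamed to {info['extension']} "
              f"between {info['first'].time()} and {info['last'].time()}")
```

On the sample, `photos.exe` renames two files two minutes apart and is ignored, while `updater.exe` renames six files to `.locked` inside nine seconds and is flagged. In practice the window and threshold need tuning per environment, because archive tools, photo converters and build systems legitimately rename files in bursts; the alert is a prompt for the response process, not proof on its own.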

What to do if you have been breached

The first thing to do is consult your playbook, or incident response plan. If you haven’t got one, this is not a good time to be trying to work out what to do, so as a first piece of advice – create a response plan for incidents, including anything specific for ransomware attacks. This will help draw out all the things you will need to consider in the event of breach.

With ransomware attacks specifically, this will go beyond technology and may include your policy for paying the ransom, your communications plan with media, public, customers and suppliers and even ensuring you have a bitcoin trading account should that be your last resort.

There are some reactive technical measures one can follow, but it very much depends on your skill level and how widespread the attack is. In many cases, it would make sense to involve incident response specialists. Some cyber insurance policies include this. You can pay a retainer to an incident response organisation to guarantee they’ll come to the rescue within a specified time frame should you ever need to ‘break glass’ and summon them.

Finally, there’s the authorities. If you become a victim and you’re in a regulated industry, you may need to inform the relevant regulatory body, certainly the Information Commissioner’s Office (by law, within 72 hours), and the police, in case they can offer investigatory support.

If you are unsure who to contact, the UK Government’s Signposting Service may help. As always, there’s further advice and guidance on the NCSC’s website.

If you have not already, we strongly recommend you check out our article on how to get started with securing your business. See our article on securing your business.