How Can Organisations Protect Themselves From The Ransomware Pandemic?
Ransomware isn't new.
The security frameworks to defend against the chains of attack leading to compromise aren’t new either.
To understand how best to defend against ransomware, we must understand ransomware itself: the economics, the motivation, the tactics, techniques and procedures (TTPs) as well as the changing landscape of the past 18 months – in a social and technical sense.
What is ransomware and how does it work?
Let’s start with the basics: What is ransomware?
As the name suggests, ransomware is malware designed to block access to a system until a ransom is paid.
Traditionally, ransomware has had a very simple business model. Compromise a system, encrypt that system and then sell access back to the owner by way of a decryption key for untraceable crypto currency.
Ransomware crews operate much like a typical business. They have staff, a team structure, a product, and they invest time and effort into improving that product. They are also obsessed with their reputation amongst their customers (their victims). After all, there’s no sustainable business if someone pays a ransom for a decryption key that doesn’t work!
There has been much debate in recent years as to whether victims should pay a ransom. Many would argue that paying up does nothing but fund criminals, allowing them to further invest in their operation ensuring the continuation of the problem. This seemingly straightforward argument becomes much harder to rationalise with an encrypted system, idle staff and screaming customers demanding rapid restoration of services.
A ransomware event can quite literally destroy a business if not addressed quickly. If an impacted organisation is a critical service provider such as a power utility or a hospital, many factors need to be considered to make a decision that will impact people beyond the scope of the business itself.
How much do ransomware attacks cost?
Ransomware is experiencing 30% year-over-year growth, indicating a $20b problem in 2021 alone if projections continue. And those projections are hard, because not all ransomware is reported, and not all payments are known. Of course, in an environment where legislators want to outlaw payments and where stock markets might punish boards, incidents are not widely disclosed.
But, there is no shortage of events observed, even if details can be often hard to uncover.
This year has seen some major corporations hit the headlines linked to ransomware. From manufacturers and utilities such as KIA Motors and the Colonial Pipeline, to technology firms such as CD Projekt Red and Acer, to financial services such as CNA and AXA Insurance – even security providers such as Kaseya have been impacted. These attacks are not isolated to the victim. Many of them are suppliers and these breaches have severe knock-on effects on downstream customers too.
This ransomware pandemic isn’t limited to corporations and customers, but has likewise impacted healthcare and patients. Hospitals, clinics and federated networks, such as the NHS in the UK, have all been impacted. The Irish Health system, the HSE, is still recovering from attacks four months ago, demonstrating long term impacts in patient care.
It is difficult to estimate how much these attacks have cost the respective victims. Individual ransom requests range from small amounts to tens of millions, and details about what companies actually pay are often not disclosed. Suffice to say, the ransomware crews involved are making a lot of money.
Research from Sophos in their State of Ransomware 2021 report indicated the average ransom paid was $170k. However, the average cost of remediation following an attack grew from $761k to over $1.85m. This is important - the cost of recovering from a ransomware attack is now 10 times the cost of payment itself. The research also found that while organisations paying the ransom increased from 26% to 32%, only 8% managed to fully recover the data impacted.
What’s new in ransomware?
Traditionally, good data backups and a rehearsed restoration procedure were a good investment against paying a ransom. Of course examples of backups also becoming infected persist as grim war stories, but only as edge cases. Increasingly, ransomware crews have found innovative ways to circumvent security measures and ensure their efforts are rewarded:
- Data is now regularly stolen before encryption, allowing an attacker to threaten public release as additional motivation to pay
- Once compromised, access to a network may be on sold to other criminals via access brokers, leading to further attacks of varying motivations
- If a supply chain is impacted by a ransomware event, attacks can seek to influence customers of a supplier to apply increased pressure on the victim to restore service quickly
- Knowledge of an attack can be sold to financial brokers to short sell stock before the attack becomes widely known to the market
- And now, far from requiring deep technical experience, ransomware-as-a-service is further enabling complex malicious technologies to a wider criminal audience, for a relatively small fee
This is an adaptive and agile criminal enterprise with many evolving avenues to making money from technical misery.
Why are ransomware attacks increasing?
Rapid pandemic response resulted in a 'move first, plan later' strategy for many organisations. Many organisations accelerated digital and cloud transformation programs delivering years worth of change in weeks or months. At times, this required punching holes in the security fabric of a business in the name of continuity, building up technical and security debt to be addressed at a later date.
At the same time staff have become more vulnerable to emotive lures that are capitalising on the social and economic change surrounding them.
Other vulnerabilities emerge from changes in work location, increasing unemployment and social unrest, and COVID-based phishing. People are also sharing workspaces or home computers with children, family or flatmates, all of which contribute to greater risk.
To compound this:
- Organisations attack surfaces have increased following cloud and remote acceleration
- The past four years have been record-breaking years for new vulnerabilities (NIST NVD)
- The time to weaponise vulnerability proof-of-concepts has likewise decreased year on year, from weeks, to days (even to hours in some cases)
- Staff, including security staff, are stressed and facing burnout
It's an understatement to say the risk profile for organisations has increased.
How do organisations respond to ransomware attacks?
To have any chance of responding effectively to a ransomware attack, event preparation is key. Like any other incident response, start by creating a ransomware response playbook. This needs to be authored by all relevant stakeholders, and cover all projected scenarios – from the minor to the critical impact. And finally, it needs to be revisited and evolved as a 'living' document.
To ensure effectiveness of the ransomware response, run tabletops of the scenarios projected, and include the decision makers required in the event of an attack. Are teams communicating effectively? Is the decision path clear in each scenario? Are all the decision makers included?
Finally, involve your cyber insurer. The insurance industry has had a difficult time modelling ransomware and cyber attacks in general. Much debate has occurred between customers and insurers regarding coverage, and premiums have been increasing as insurers better understand their exposure. Ensure your organisation is covered to a level that meets your expectation, and if you're not covered find an insurer you can work with.
How can organisations prevent and mitigate ransomware attacks?
Well known security hygiene and prevention best practices remain an important and effective defence against cyber attacks, whether ransomware or other forms of malware. All security leaders should be razor sharp across the following:
- Understand your environment, people and supply chain (and how this has changed post-pandemic)
- Keep systems patched and up to date
- Ensure security defences are covering cloud and on premise infrastructure and assets
- Log and monitor appropriately (with an understanding of what normal looks like)
- Use risk assessments to communicate with leadership and prioritise investment
Why should organisations invest in identity-centric zero trust?
Security hygiene can only get you so far. In this heightened threat landscape it is also vital that you develop a clear understanding of zero trust frameworks, and work them into your security strategy.
An identity-first approach to zero trust ensures the right people have the right level of access, on the right device, to the right resource, in the right context. However, zero trust isn’t something you can just buy into your organisation but it can be applied in stages and though implementing the following modern IAM controls:
Adaptive Multifactor Authentication
Adaptive Multifactor Authentication is one of the most effective means of preventing account takeover. Adaptive MFA grants access based on contextual access policies to differentiate between normal and abnormal behaviours and between low-risk and high-risk user actions. These signals are often the first indicators of malicious activity.
While Adaptive MFA can help stop ransomware actors from gaining initial access, a holistic zero trust architecture is hostile to lateral movement.
Centralised Access Management
Attackers deliberately target organisations with visually complex, legacy architectures and poorly-designed integrations. Implementing an automated, scalable, and neutral approach to access management provides a big opportunity to reduce your attack surface.
The Okta Integration Network, for example, has thousands of pre-built integrations, using modern protocols such as OIDC, that mitigate the risks of password sprawl and allow you to set consistent, dynamic, context-based access policies for all resources – all while making the experience better for your users.
Striking the right balance between user experience and security is key to ensuring productivity, while protecting your organisation. Easy to use authentication options can be adopted quickly, providing frictionless controls that reduce the number of misconfigurations, removing the incentive for users to set up less-effective alternatives.
There is no silver bullet to solving the ransomware problem but good security hygiene and an identity-first zero-trust strategy is critical. Okta was built - from an architectural perspective and a customer perspective - to provide an identity-first approach to zero trust. As a leader in identity and access management, Okta can help protect your organisation against today’s threats, helping you build and implement a comprehensive identity-first security strategy that ties the complexities of protecting people and assets together in a seamless experience. For more information, click here.
For more information on how ransomware works and how to prevent it, read our quick guide. Start your journey to zero trust by downloading our whitepaper: Getting Started with Zero Trust: Never trust, always verify.