Blue Teaming
Kim Crawley, Oct 12, 2021
Ransomware has devastating effects on the corporate networks it strikes. Ransomware used to primarily target consumers. But in the past several years, cybercriminals have shifted to targeting businesses and institutions with much greater frequency. The reason why is easy to understand. A cyber attacker would be lucky to extort a few thousand dollars worth of cryptocurrency from a consumer and their home network. But a large company, school, or government agency could pay millions of dollars in ransoms. They have larger budgets than consumer households, and their data is worth a lot more money. Any computer, phone, or Internet of Things device has the potential to be infected with ransomware. But it’s especially important for businesses to prevent ransomware attacks.
Ransomware is one of the most destructive kinds of malware. If ransomware successfully infects a computer, it will maliciously encrypt data on connected HDDs and sometimes other data storage within its network. When ransomware infects a computer in a corporate network, it will usually try to use the network to infect other computers and network attached data storage. The cyber attacker has the decryption key, not the rightful owners of the corporate network.
Ransomware will produce a ransom note that the victim is supposed to read, whether as a text file, webpage, pop-up window, or in some other form. Ransomware infections will not go unnoticed by victims. The ransom note will demand that a certain amount of money be paid to the attacker in order for an organization to reacquire access to their data, presumably by decrypting it. Before cryptocurrency emerged in 2009, ransoms would often be demanded with a victim’s credit card number. But transactions through cryptocurrencies such as Bitcoin or Monero are much more difficult for law enforcement to track. So for over a decade, cyber attackers have been demanding cryptocurrency payments. In recent years, we have frequently seen ransomware attacks which demand millions of dollars worth of cryptocurrency.
Organizations have been doing a better job of backing up their critical and sensitive data, often as a response to the rise in ransomware attacks. The idea is that if ransomware infects a corporate network, instead of paying a hefty ransom to cybercriminals, a company can simply remove the ransomware and recover data from their backups. So in the past few years, some ransomware attacks have also threatened to leak a victim’s sensitive data to the public if a ransom isn’t paid within a certain time frame.
Sophos’ The State of Ransomware 2021 report has some of the best recent research on how ransomware has been impacting organizations around the world. According to the report:
The average total cost of recovering from a ransomware attack, factoring in downtime, additional labor hours, device cost, network cost, lost opportunity, and paid ransoms, was $1.85 million USD. Ouch!
Cyber attackers cannot be trusted. Only 65% of organizations that paid ransoms recovered their data that way. When a company pays a ransom to a cybercriminal, they’re almost as likely to not get their data back as they are to deal with an “honest” criminal who actually returns it.
The average ransom paid by medium-sized companies was $170,404 USD.
37% of surveyed organizations around the world reported a ransomware attack within the last year.
“Having trained IT staff who are able to stop attacks is the most common reason some organizations are confident they will not be hit by ransomware in the future.” That’s good intuition. Train your employees to prevent ransomware attacks!
Back up as much of your organization’s data as possible, and perform backup operations on a frequent basis. I would recommend it at least once per week. This can be automated to save your IT department time and effort.
Many organizations have found the 3-2-1 rule of backups to be useful. Keep three different copies of the data, in two different formats, with at least one offsite.
If possible, have backup data storage which is only connected to the corporate network during backup and recovery operations. That way, if ransomware spreads through your network and encrypts as much data as it can access, your isolated backups will be missed by the ransomware.
If your organization lacks the space and resources to maintain full backups on your premises, leverage cloud networks for your backup data storage. Ideally, keep backups both on your premises and in your cloud environment.
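The backup recommendations above (frequent backups, the 3-2-1 rule, and keeping at least one copy disconnected from the production network between backup runs) can be checked mechanically against a backup inventory. The following is an added example, not code from the original post or from Hack The Box; the inventory format, field names, and sample entries are constructed for the example and do not correspond to any vendor's product.

```python
"""Check a backup inventory against the 3-2-1 rule plus two extra
properties from the recommendations: copies are fresh, and at least one
copy is not reachable from the production network at all times.

Added example; the inventory format and field names are assumptions,
not any backup product's schema.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    dataset: str          # logical data set this copy protects
    location: str         # where the copy lives (constructed label)
    medium: str           # storage format, e.g. "disk", "tape", "object-storage"
    offsite: bool         # stored away from the primary site?
    always_online: bool   # reachable from the production network at all times?
    age_days: int         # days since this copy was last refreshed


def evaluate_dataset(copies, max_age_days=7):
    """Return a list of findings (strings) for one data set's copies.
    An empty list means: three or more copies, two or more formats, at
    least one offsite, at least one isolated copy, and nothing stale."""
    findings = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies (3-2-1 needs three)")
    media = Counter(c.medium for c in copies)
    if len(media) < 2:
        findings.append(f"only one storage format in use: {', '.join(media)}")
    if not any(c.offsite for c in copies):
        findings.append("no offsite copy")
    if all(c.always_online for c in copies):
        findings.append("every copy is reachable from the production network; "
                        "ransomware that spreads laterally could encrypt them all")
    for c in copies:
        if c.age_days > max_age_days:
            findings.append(f"copy at {c.location} is {c.age_days} days old "
                            f"(limit {max_age_days})")
    return findings


def evaluate_inventory(inventory, max_age_days=7):
    """Group copies by data set and evaluate each group."""
    by_dataset = {}
    for c in inventory:
        by_dataset.setdefault(c.dataset, []).append(c)
    return {name: evaluate_dataset(copies, max_age_days)
            for name, copies in by_dataset.items()}


# Constructed sample inventory (not real infrastructure). "finance-share"
# satisfies every rule; "hr-db" has two disk copies on the same network,
# one of which is stale.
SAMPLE_INVENTORY = [
    BackupCopy("finance-share", "nas-01", "disk", False, True, 1),
    BackupCopy("finance-share", "tape-vault", "tape", True, False, 3),
    BackupCopy("finance-share", "cloud-bucket-a", "object-storage", True, False, 1),
    BackupCopy("hr-db", "nas-01", "disk", False, True, 2),
    BackupCopy("hr-db", "nas-02", "disk", False, True, 12),
]

if __name__ == "__main__":
    for name, findings in evaluate_inventory(SAMPLE_INVENTORY).items():
        print(f"{name}: {'OK' if not findings else 'NEEDS ATTENTION'}")
        for f in findings:
            print(f"  - {f}")
```

Running the script prints one line per data set plus its findings; the `always_online` check is the one that matters most against ransomware, because a copy that is permanently mounted on the production network is just another share for the malware to encrypt.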
Make sure that each and every endpoint computer and server in your corporate network has frequently updated antivirus software which runs frequent automated antivirus scans. This can prevent many ransomware infections.
Good antivirus solutions use heuristics and scan memory in addition to scanning data storage with signatures. Sometimes ransomware can most effectively be detected in memory.
Maintain robust logging on as many network devices as possible. Use log analysis software, and a SIEM if your company can afford one. That helps defensive security specialists detect and mitigate ransomware attacks more effectively.
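One concrete thing log analysis can catch is the file-activity signature of ransomware at work: a single process appending the same new extension to many files across many directories in a short time. The following is an added example, not code from the original post or from any SIEM product; the log line format, host name, process names, paths, and timestamps are all constructed for the example, and the thresholds are assumptions that a real deployment would tune against its own baseline.

```python
"""Burst-of-renames heuristic over file-activity logs.

Added example for the logging / SIEM recommendation. The log format,
host names, process names and paths are constructed and do not come
from any product. Line format (pipe-separated):
    timestamp|host|process|operation|path[|new_path]
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import posixpath

WINDOW = timedelta(seconds=60)   # sliding window per (host, process); assumed
MIN_RENAMES = 5                  # renames appending the same suffix; assumed
MIN_DIRECTORIES = 3              # spread over this many directories; assumed

# Constructed sample: one process extends many files with ".locked"
# across several directories in under a minute. A backup agent appending
# ".bak" to two files and an ordinary rename are included as benign traffic.
SAMPLE_LOG = """\
2021-10-12T09:00:01|fs-01|smbd|write|/srv/share/finance/q3.docx
2021-10-12T09:00:30|fs-01|smbd|rename|/srv/share/finance/old.txt|/srv/share/finance/new.txt
2021-10-12T09:00:45|fs-01|backup-agent|rename|/srv/share/hr/payroll.csv|/srv/share/hr/payroll.csv.bak
2021-10-12T09:00:46|fs-01|backup-agent|rename|/srv/share/hr/roster.csv|/srv/share/hr/roster.csv.bak
2021-10-12T09:01:10|fs-01|unknown-proc|rename|/srv/share/finance/q3.docx|/srv/share/finance/q3.docx.locked
2021-10-12T09:01:12|fs-01|unknown-proc|rename|/srv/share/finance/budget.xlsx|/srv/share/finance/budget.xlsx.locked
2021-10-12T09:01:15|fs-01|unknown-proc|rename|/srv/share/marketing/team.jpg|/srv/share/marketing/team.jpg.locked
2021-10-12T09:01:20|fs-01|unknown-proc|rename|/srv/share/hr/notes.txt|/srv/share/hr/notes.txt.locked
2021-10-12T09:01:25|fs-01|unknown-proc|rename|/srv/share/hr/todo.txt|/srv/share/hr/todo.txt.locked
2021-10-12T09:01:33|fs-01|unknown-proc|rename|/srv/share/legal/contract.pdf|/srv/share/legal/contract.pdf.locked
2021-10-12T09:01:40|fs-01|unknown-proc|rename|/srv/share/finance/plan.pptx|/srv/share/finance/plan.pptx.locked
"""


def parse_line(line):
    """Split one log line into its fields; new_path is None unless present."""
    parts = line.rstrip("\n").split("|")
    ts = datetime.fromisoformat(parts[0])
    new_path = parts[5] if len(parts) > 5 else None
    return ts, parts[1], parts[2], parts[3], parts[4], new_path


def suffix_added(old_path, new_path):
    """Return the suffix a rename appended to the file name, e.g.
    'q3.docx' -> 'q3.docx.locked' gives '.locked'; None for other renames.
    Backslashes are normalised so Windows-style paths also work."""
    old_name = posixpath.basename(old_path.replace("\\", "/"))
    new_name = posixpath.basename(new_path.replace("\\", "/"))
    if new_name.startswith(old_name) and len(new_name) > len(old_name):
        return new_name[len(old_name):]
    return None


def detect_rename_bursts(log_text, window=WINDOW,
                         min_renames=MIN_RENAMES, min_dirs=MIN_DIRECTORIES):
    """Return {(host, process): (suffix, renames, directories)} for every
    process that, within `window`, appended one suffix to at least
    `min_renames` files spread over at least `min_dirs` directories.
    The tuple records the state when the threshold was first crossed.
    Lines are assumed to be in time order."""
    recent = defaultdict(deque)  # (host, process) -> deque of (ts, suffix, dir)
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, proc, op, path, new_path = parse_line(line)
        if op != "rename" or new_path is None:
            continue
        suffix = suffix_added(path, new_path)
        if suffix is None:
            continue
        key = (host, proc)
        q = recent[key]
        q.append((ts, suffix, posixpath.dirname(path.replace("\\", "/"))))
        while ts - q[0][0] > window:       # drop events older than the window
            q.popleft()
        if key in alerts:
            continue                       # already alerted on this process
        counts, dirs = defaultdict(int), defaultdict(set)
        for _, s, d in q:
            counts[s] += 1
            dirs[s].add(d)
        for s in counts:
            if counts[s] >= min_renames and len(dirs[s]) >= min_dirs:
                alerts[key] = (s, counts[s], len(dirs[s]))
                break
    return alerts


if __name__ == "__main__":
    for (host, proc), (suffix, n, ndirs) in detect_rename_bursts(SAMPLE_LOG).items():
        print(f"ALERT {host} {proc}: {n} files renamed to *{suffix} "
              f"across {ndirs} directories within {WINDOW.seconds}s")
```

The directory-spread requirement is what keeps a backup agent or an archiving job from tripping the rule when it rewrites a batch of files in one folder; the same logic translates directly into a SIEM correlation rule keyed on host and process.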
Train all employees to avoid phishing attacks and to only open emails, text messages, and URLs in Slack messages from entities they trust and are familiar with. All employees with access to the corporate network should be trained this way, not only your IT department. These are frequent vectors for ransomware attacks. Your IT department and other cybersecurity specialists should be trained about detecting and mitigating ransomware attacks.
Hack The Box for Business has employee training programs which can help your company improve your security. Check out the services we have to offer your business. We also welcome company inquiries through our contact web form. Let’s work together to protect your organization from ransomware!