Dealing with a ransomware attack: How can firms spot and recover from these threats?
Becoming the victim of a ransomware attack should be a leading concern for any business. The threats posed by cyberattacks are now widely recognized as one of the biggest risks for enterprises, with one survey by Allianz showing 44 percent of business leaders rate this as a major threat. This compares with 42 percent for business interruption and 25 percent for natural disasters, making it the number one risk for 2022.
Within this, ransomware is among the most common forms of cyberattack – and has the potential to be one of the most disruptive. According to research conducted by International Data Corporation, 37 percent of companies around the world reported falling victim to these incidents in 2021.
For many firms, it’s a case of when, not if, they come under ransomware attack. Therefore, how businesses prepare for these attacks and how they respond once they are breached is likely to have a significant impact on the amount of damage done, as well as the company’s chances of recovery.
Who is a Target for Ransomware?
The first step must be to understand what risks you face. Knowing which businesses are likely to be targeted by these malware attacks and recognizing what these incidents look like is vital in helping plan a ransomware recovery strategy. This should help you minimize the risk of falling victim in the first place, but also ensure you know what steps to take in the event your first lines of defense fail.
How do ransomware attacks work?
Ransomware attacks come in several forms, but the common element is to cause some form of business disruption, then demand payment in order to restore services. Traditionally, this has involved encrypting items such as mission-critical business documents or PC system files, rendering it impossible to work unless you pay in exchange for the decryption key.
But with firms taking more precautions against these attacks, such as having comprehensive backups, and with more decryption keys becoming publicly available as law enforcement shuts down ransomware networks, these attacks have become less effective.
Instead, the major threats in today’s landscape consist of double and triple-extortion ransomware. This adds a data exfiltration element to the attack, so hackers steal information as well as encrypting it. They may choose to sell this on to the highest bidder or threaten to release it publicly unless a timely ransom is paid. This can put more pressure on businesses to try and settle quickly before they face further reputational or legal issues.
Learn more about the types of ransomware attack and how these threats have evolved.
Which firms are most likely to be a ransomware target?
Today’s ransomware attackers rarely work alone. This form of cybersecurity attack is becoming increasingly organized, with global threat actors whose prime consideration for targets being how likely the victim is to pay, or the amount of further damage they can inflict. As such, there’s no typical profile of a business that is likely to be attacked by ransomware groups, at least in terms of size.
Small businesses are just as likely to be targeted as large ones, if for different reasons. For example, some criminals may aim at firms with fewer resources because they are both easier to hack into and may be more likely to pay a ransom to restore services.
On the other hand, bigger firms with significant customer bases or large amounts of sensitive data such as trade secrets, may feel they can afford to take the financial hit of a ransom in exchange for not having this data made public.
However, there are a few sectors that are of particular interest to these criminals. For example, research from Trellix suggests that over half of ransomware attacks are targeted at just three sectors – banking, utilities and retail. Meanwhile, other areas that are commonly targeted include local and central governments, healthcare and legal services.
Key reasons for this include the type of data these firms hold and the fact that any disruption can be highly damaging, especially if organizations deliver public services or critical infrastructure.
What is the business impact from ransomware?
Once firms do fall victim to a ransomware attack – especially one that involves a data breach – the consequences can be costly and wide-ranging.
When it comes to ransoms themselves, companies that do give in to demands in 2022 can expect to pay almost a million dollars to restore services and recover data, according to research from Unit 42. This was a 71 percent increase on the previous year, illustrating just how lucrative this has become for malware creators. In financial terms, it’s estimated that the average cost of a cyber attack now stands at $4.35 million.
Yet the dollar costs may only be the start of the issues associated with a ransomware infection. The reputational damage that can come with this can also be severe, especially if sensitive data has been compromised.
How to Defend Against Ransomware
It’s clear that defending against ransomware needs to be a priority for any business. To do this, firms should take a two-pronged approach. The first step should focus on tightening their endpoint protections to minimize the risk of the network being breached in the first place. However, this also needs to be backed up with tools that can prevent data from being exfiltrated should these initial efforts fail.
How to prevent ransomware attacks
Being able to prevent ransomware code from entering a network in the first place is the best form of defense against these attacks. However, even the most effective protections can be defeated by issues such as zero-day vulnerabilities or human error.
Therefore, businesses need a holistic approach to ransomware prevention that encompasses perimeter defenses, the latest email security trends, comprehensive user education and a fully tested cyber incident response strategy.
This isn’t easy to achieve, but the costs of not doing so are high. It therefore pays to invest in the latest tools and technologies such as artificial intelligence and automated monitoring systems that can adapt to an evolving environment and respond instantly to any threat.
How do ransomware attacks enter businesses?
The most common way for any malware – including ransomware – to enter a business is via email. According to Verizon, as much as 94 percent of malware enters businesses through these channels. Phishing attacks that induce people to download infected files or enter personal login info into fake websites are easy to create and execute, and it can only take one employee failing to spot the telltale signs of fake emails for a business to be compromised.
Once in a network undetected, this type of malware may be free to move around more widely, or even make its way further down the supply chain. In 2022, for example, managed service provider Kaseya inadvertently infected as many as 1,500 of its customers with ransomware after being targeted by the REvil group, while the 2017 WannaCry attack was able to spread silently throughout organizations such as the NHS before being activated.
What tools help protect businesses from ransomware attacks?
There are a range of tools businesses can deploy to fortify their networks against ransomware intrusions. Effective firewalls and email security tools are essential first lines of defense against ransomware attack vectors such as phishing emails. However, this must be backed up by comprehensive cyber security awareness training for employees. Essential data protection best practices such as the use of multi factor authentication are also vital, as this has been proven to deter ransomware attacks.
Tools to prevent data leaving the business if a threat actor does get past these defenses are also a must-have. However, a key challenge for many firms is that, with businesses becoming more decentralized thanks to the adoption of hybrid working strategies and greater use of mobile devices, traditional data protection solutions are proving less effective.
Therefore, businesses need to invest in on-device endpoint protection tools that can stop data being taken out of the business. Anti-data exfiltration (ADX) tools are especially important in guarding against double and triple threat ransomware. Technologies that can detect unusual traffic on any device and automatically block any attempts to steal information mean a ransomware actor will have far less leverage with which to extort a payment.
Responding to a Ransomware Attack
While the right defenses can go a long way towards reducing your risk of falling victim, having a contingency plan in the event you do see a ransomware data breach is essential. This ensures that you have the best chance of shutting down an intrusion before it can do damage, and that everyone in the business knows what to do once a ransom demand is received.
What are the signs of a ransomware attack?
If the first sign of an attack that a business sees is an email or popup demanding a ransom payment, it’s already too late. By this stage, your only option will be to see what backups you have available if files or systems are encrypted, or to make a decision on whether or not to pay.
A key sign of an attack in progress is unusual activity within your network. This may include users attempting to access files or databases they should not have access to, multiple login requests from odd locations, or abnormally high volumes of traffic leaving the network.
Having defenses such as ADX tools in place to identify and stop these activities before they have a chance to do damage should be a key pillar of any firm’s strategy. Without this, malware may move freely within business networks for months before being spotted, giving hackers time to run small-scale tests, hunt down the most vital information and identify any weak points they can exploit.
Learn more about the risk posed by data exfiltration and what you can do about it.
What are the key steps for responding to a ransomware attack?
Should you encounter a ransomware attack in progress via tools like ADX, the ability to automatically shut down activities is the best response. But if you don’t spot these early warning signs, a comprehensive ransomware incident response plan is vital.
This should spell out exactly what steps need to be taken once a ransomware demand is received, and who is responsible for each one. Essential steps for responding at this stage include:
- Identifying and isolating any infected systems
- Ensuring any offline and cloud backup contingencies are secured
- Disabling all automated tasks such as maintenance
- Identifying what ransomware variant you have
- Enacting system restore and ransomware data recovery efforts
- Notifying relevant authorities (eg regulators and law enforcement)
Should you pay to end a ransomware attack?
The most immediate question that firms are likely to ask once they have fallen victim is should they pay? This can be a difficult decision, with both paying and refusing a ransom having pros and cons. However, in general, the advice from organizations such as the FBI, CISA and the UK’s NCSC is not to pay.
A key reason for this is that making a payment signals to ransomware actors that a business is a profitable target. One survey by Cybereason, for example, suggests 80 percent of firms that pay will be targeted again.
Even if firms do pay, this does not greatly reduce overall costs or offer any guarantee that services will be restored quickly. IBM’s 2022 Cost of a Data Breach survey, for example, found that the average cost for firms that paid was only $630,000 less than those that chose not to pay – and this doesn’t include the cost of the ransom itself.
After a payment is made, there’s still the matter of restoring services. Firstly, businesses have no guarantee that ransomware hackers will keep their word and provide the necessary decryption tools, or delete any data they’ve stolen. And even if they do, it can take a huge amount of time to go through systems and apply fixes, so firms may not see a faster resolution than if they turned to their own backups.
How Can You Recover From a Ransomware Attack?
A good ransomware response plan should ensure firms are able to restore services and secure data as quickly as possible. But the long-term consequences can be far harder to deal with.
If businesses pay a ransom, they can expect to see repeated attempts to break into their systems in the future, while if data was exfiltrated from the company, this could pose problems for years, whether this is via litigation, or the risk of trade secrets or customer data being exposed.
How long does it take to recover from ransomware?
A successful ransomware attack can cause a range of issues. For example, it may prevent companies from taking payments or providing services to customers, shut down manufacturing or supply chain operations or leave employees locked out of critical systems. In severe cases, business interruption could lead to organizations being totally unable to function.
According to Statista, it takes firms an average of 20 days to get operations up and running at full capacity following a ransomware attack but this can vary widely depending on the type of business and what systems were compromised. In some cases, it may be months before they can get back to the job of serving customers.
Learn more about the role ransomware insurance can play in helping businesses recover from ransomware attacks.
What are the long term consequences of a ransomware attack?
The direct financial costs of ransomware attacks are far from the only consequence businesses will have to deal with. In the long run, it may well be the reputational harm and legal issues this can create that cause the most lasting damage.
Many customers won’t do business with a firm that is seen as being careless with their personal data, so a public ransomware attack can lead to significant lost revenue as customers turn elsewhere. On top of this, there is the potential for punishments from regulators and the prospect of class-action lawsuits and compensation to take into account.
In worst-case scenarios, the damage can even be terminal. Research by Atlas VPN, for example, found that 34 percent of UK firms and 31 percent of US-based companies end up closing down completely after falling victim to a ransomware attack. This isn’t just a risk for small businesses – in 2020, for example, foreign exchange firm Travelex went bankrupt with the loss of over 1,000 jobs following a ransomware attack.
What lessons can businesses learn from ransomware?
The final stage of any ransomware response would be ensuring firms are learning the right lessons and strengthening their ransomware protection systems to avoid future attacks. A threat report that includes a full digital forensics investigation should find out exactly where the breach occurred, why the firm’s cyber security systems failed and what needs to be done to bolster protections.
Previous large-scale attacks can also offer businesses some guidance of where to focus their efforts. For example, the 2017 WannaCry attack was found to have entered many businesses through unpatched systems, while the Kaseya attack and the SolarWinds malware incident emphasized the risk posed by insecure supply chains.
The growing number of high-profile ransomware incidents should make it clear that every business is at risk. It is only by having a complete solution in place – from endpoint protection and automated monitoring tools to staff education – that companies can minimize their risk and protect both their revenue and their reputation.
Could you already be under a ransomware attack? Try BlackFog’s free seven-day, 25-device ransomware assessment to find out what your situation is.