Rising to the challenge of ransomware
By Dónal Munnelly
Ransomware attacks sound like the type of cyber threat only large companies need to worry about. But a flavour of it will be well known to almost everyone. Who hasn’t had one of those ‘tech support’ calls from someone pretending to be Microsoft or an internet service provider?
Cybercriminals randomly call numbers farmed from a range of sources to try and persuade people to give them access to their computers to ‘fix an issue’. One of the things they may do when you hand over control is install ransomware on your drive, a type of malware that prevents you from accessing your own systems or data. To unlock them, you have to pay up.
When such attacks are automated and the malware is delivered at scale, they become a highly lucrative cyberthreat, turning a lot of the things we like about the digital world against us. After the data is encrypted, deleted or stolen, a ransom note from an anonymous email address will typically demand a payment to recover the data, usually via a cryptocurrency that makes it impossible to trace.
Pressure to pay up
Victims often have little choice but to pay. We saw a local example of this back in July 2020 when NUI Galway was caught up in a global attack on Blackbaud, a cloud provider of education administration software. Blackbaud paid out once they had evidence that the stolen data was destroyed. The university only became aware of the incident – and the payment – after the event and has subsequently launched its own investigation into what happened.
Compounding the ransomware problem is coronavirus, which has prompted a wave of attacks targeting medical organisations. A tragic case in Germany cost a human life when ransomware inflicted so much chaos on the IT systems of a Duesseldorf hospital that a patient in need of urgent care was rerouted to another hospital further away.
Initially, third-level universities involved in coronavirus vaccine research were targeted. The focus then moved to healthcare providers and has now shifted to pharmaceutical manufacturing. This highlights how criminals follow the money, targeting organisations that are more likely to pay because of the impact of losing data at a critical time.
Multi-tiered defences
The way that ransomware can be used for very different types of threat, from one-to-one social engineering scams to assaults on global cloud providers, is a reminder of why organisations need cyber protection to be layered. It’s about a combination of internal IT policies, security solutions, and third-party contracts with external providers that spell out where security responsibilities start and stop.
The policy part is about strengthening the human firewall by raising people’s awareness of phishing scams, which are often the first crack that criminals exploit. Criminals play a numbers game: they only need a small percentage of people to click on one of thousands of automated emails to succeed and open the doors to ransomware.
Ongoing awareness training and policy reinforcement are the best defence against human nature. We are all capable of being duped, and ever more sophisticated social engineering techniques and phishing emails that look increasingly authentic do not help. Many companies now run their own phishing exercises to test their employees, just as they run penetration tests to test their firewalls. Employees who click on a fake link find themselves on a list for further security training.
Keeping systems and anti-malware software up to date is essential, along with 24/7 monitoring to spot ransomware markers early. Vulnerability scanners are increasingly used to constantly probe and test infrastructure. Unlike penetration testing, which usually involves third-party experts putting network defences through their paces, they can be set up and run internally.
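As an added illustration of what “spotting ransomware markers early” can mean in practice (example code written for this article, not from the author or any vendor product), the script below scans file-activity log lines for two markers that monitoring tools commonly alert on: a burst of files gaining an unfamiliar extension, spread across several directories, within a short window, and the appearance of a ransom-note-style file name. The log format, process names, paths, extension list and thresholds are all constructed assumptions for the example.

```python
"""
Added example: detect ransomware-like file activity in a log.

Markers checked (assumptions for this example):
  1. One process changes many files to an unfamiliar extension (or creates
     a file whose name looks like a ransom note) within a short window.
  2. Those changes span several directories, as a bulk encryption walk does.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # assumption: sliding window length
MASS_THRESHOLD = 5               # assumption: suspicious changes per window
DIR_THRESHOLD = 3                # assumption: distinct directories per window
# Extensions treated as ordinary user documents (assumption for the example).
ORDINARY_EXTS = {".docx", ".xlsx", ".pdf", ".jpg", ".png", ".txt", ".pptx"}
# File names that resemble a ransom note (assumption for the example).
NOTE_RE = re.compile(r"(decrypt|restore|recover)", re.I)

# Constructed log format: "<ISO timestamp> <process> <action> <path>[ -> <newpath>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proc>\S+) (?P<action>WRITE|RENAME|CREATE) "
    r"(?P<path>\S+)(?: -> (?P<newpath>\S+))?$"
)

# Constructed sample log: ordinary editing, then a burst from "unknown.exe".
SAMPLE_LOG = """\
2020-07-01T09:00:01 winword.exe WRITE C:/Users/ann/Documents/report.docx
2020-07-01T09:00:02 winword.exe WRITE C:/Users/ann/Documents/~report.tmp
2020-07-01T09:00:05 explorer.exe WRITE C:/Users/ann/Pictures/cat.jpg
2020-07-01T09:10:00 unknown.exe RENAME C:/Users/ann/Documents/report.docx -> C:/Users/ann/Documents/report.docx.locked
2020-07-01T09:10:00 unknown.exe RENAME C:/Users/ann/Documents/budget.xlsx -> C:/Users/ann/Documents/budget.xlsx.locked
2020-07-01T09:10:01 unknown.exe RENAME C:/Users/ann/Pictures/cat.jpg -> C:/Users/ann/Pictures/cat.jpg.locked
2020-07-01T09:10:01 unknown.exe RENAME C:/Users/ann/Pictures/dog.png -> C:/Users/ann/Pictures/dog.png.locked
2020-07-01T09:10:02 unknown.exe RENAME C:/Users/ann/Desktop/notes.txt -> C:/Users/ann/Desktop/notes.txt.locked
2020-07-01T09:10:03 unknown.exe CREATE C:/Users/ann/Desktop/HOW_TO_DECRYPT.txt
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def ext_of(path):
    """Return the lower-cased final extension, or '' if the name has none."""
    dot = path.rfind(".")
    return path[dot:].lower() if dot > path.rfind("/") else ""


def dir_of(path):
    return path.rsplit("/", 1)[0]


def is_suspicious(ev):
    """True if the resulting file has an unfamiliar extension or a note-like name."""
    target = ev["newpath"] or ev["path"]
    name = target.rsplit("/", 1)[-1]
    return ext_of(target) not in ORDINARY_EXTS or bool(NOTE_RE.search(name))


def detect(log_text):
    """Return alerts as (process, first_timestamp, event_count, directory_count)."""
    per_proc = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and is_suspicious(ev):
            per_proc[ev["proc"]].append(ev)

    alerts = []
    for proc, events in per_proc.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it fits within WINDOW.
            while events[end]["ts"] - events[start]["ts"] > WINDOW:
                start += 1
            window = events[start:end + 1]
            dirs = {dir_of(e["path"]) for e in window}
            if len(window) >= MASS_THRESHOLD and len(dirs) >= DIR_THRESHOLD:
                alerts.append((proc, window[0]["ts"], len(window), len(dirs)))
                break  # one alert per process is enough for this example
    return alerts


if __name__ == "__main__":
    for proc, first_ts, count, dirs in detect(SAMPLE_LOG):
        print(f"ALERT {first_ts.isoformat()} {proc}: {count} suspicious changes "
              f"across {dirs} directories")
```

On the constructed sample, the ordinary Word and Explorer activity produces no alert (a single temporary file is below the threshold), while the burst from the unknown process trips both markers within seconds of its first rename. Real monitoring would feed this kind of logic from endpoint telemetry and tune the thresholds and extension list to the organisation’s own file types.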
Robust data backup and co-location are other must-haves. If ransomware locks you out of your data, you will at least have a version you can access. None of these measures is failproof, but they are the bare minimum. At the very least, they may signal to cyber criminals that there are easier targets out there than your business.