Ransomware Defense Calls for Solid Fundamentals, Rigorous Enforcement

Chris Cooper
Author: Chris Cooper, CEng FBCS CITP FCIIS CISM, Cybersecurity Strategy and CISO Advisor, Member of ISACA Emerging Trends Working Group
Date Published: 24 May 2021

Every 11 seconds, an employee will click on a link or open an attachment in a seemingly innocent email and his or her organization will be rapidly infected with ransomware.

Just think about that for a moment. That statistic from Cybersecurity Ventures means that nearly 8,000 companies around the globe are infected every single day. According to a new ISACA ransomware survey, nearly half of respondents (46%) consider ransomware to be the cyberthreat most likely to impact their organization in the next 12 months.

The growth of this attack type is relentless, and its targets are indiscriminate: large or small, public or private, any and all industry sectors. From the recent Colonial Pipeline attack to the Metropolitan DC Police Department and numerous small and medium enterprises (SME), there has been a barrage of high-profile ransomware incidents around the globe in the past month alone.

It is worth noting that ransomware is not exclusively delivered by email, but reports suggest that 90% of infections are delivered in this way.

What is driving the growth of ransomware?
There are many reasons why ransomware is growing so rapidly, but to my mind some of the key ones are:

  • Fire and forget – typical ransomware is a factory operation; thousands of emails can be fired off into the ether, with no need to take any further action until the command and control server reports that an infection has been successful.
  • Human factor – whether the user is the weakest link in the security chain is a hot topic of discussion. But what cannot be doubted is that people do open these emails. In fact, according to the 2018 Verizon Data Breach Investigations Report’s Phishing Statistics, around a third of people open these emails and 12% of those will also click on any link within it. My own experience with phishing simulations conducted in various organizations is that these numbers are quite conservative.
  • Pandemic – with everyone’s routines affected and other people/things to worry about, it is understandable that users may not be so attentive to these emails. Unusual situations also give cybercriminals the opportunity to theme ransomware around COVID-19 (for example, in a message around vaccine registration).
  • Ransom payments – it’s a sad fact that increasingly affected companies have been choosing to pay the ransom to cybercriminals. A report from Sophos shows that a third of all infected companies pay the ransom.

The ISACA ransomware survey shows that 85% of respondents (in this US-based survey) think their organization is somewhat or highly prepared to deal with a ransomware incident. But does that reflect reality? Below are my thoughts about the foundations your organization needs to have in place to protect itself.

Protecting your organization from ransomware: the fundamentals
Protecting your organization from ransomware: the fundamentals

The risk of receiving a ransomware email is high and the average cost of responding to a ransomware attack (excluding any ransom payment) was US$1.85M in 2020, according to a recent Sophos report. Here are some pragmatic, foundational steps can you take to protect your organization:

Vulnerability Management (Patching)

The unfortunate truth is that many companies are woefully slow at patching systems. But this relatively simple and low-cost process is extremely effective at reducing the ability of ransomware and other threats from spreading in your organization. Typically, the only real downside is the inconvenience of some down-time of systems. If you do nothing else, then do this!

Cyber Awareness Training

Cyber awareness training is essential to address the human factor. But remember, this is about “cultural change,” so a training course once a year will not cut it. There needs to be a year-round awareness program. For example, monthly nano-training could only take 1-5 minutes of the user’s time.

Backups

Ensure that you have an established and tested backup and recovery process. It should include some offline backups and go back far enough in case an infection is dormant in the network for several months before activation.

Security Monitoring

It is reasonable to assume that every organization will be affected by ransomware or face some other type of cyberattack at some point. If we make that assumption, then a key mitigation must be the speed of detection. Put simply, the quicker we see the problem, the quicker we can stop it spreading and undo the damage caused.

Network Architecture

This one needs some more fundamental changes and ongoing management, but microsegmentation of the network, in general, is a very good way of preventing ransomware and malware from spreading.

There are of course plenty of other elements that you can consider, but I would strongly recommend that you start with those above first. They cannot guarantee you are safe, but they will limit the impact in the worst case.

What about cyber insurance?
Many companies now invest in cyber insurance either as a dedicated policy or as part of their general business insurance. In some jurisdictions, there are now regulatory or statutory requirements to have cyber insurance. But don’t think that having insurance negates the need to take reasonable protection, and be aware that some insurance companies are now excluding coverage for the payment of ransoms to cybercriminals.

Should you pay the ransom?
So, let’s assume you have been the victim of a ransomware attack. Should you pay the ransom to get the data back?

Well, that is a decision that the board of directors must make, but let me give you some information to consider:

  • According to Sophos State of Ransomware data, only 8% of companies paying the ransom get all their data back, and on average less than 65% of data is recovered.
  • Ransom demands can vary from thousands to multi-million dollars, with the average across industrialized countries being $215,000, according to Sophos.
  • Increasingly, cybercriminals are threatening to disclose sensitive data, and the balance of odds is that they will release the data whether you pay or not.

Ultimately, there is well-established precedent in other crimes as to why paying ransoms is a bad idea. But most of all, the more companies that pay will only drive the growth of ransomware even further.

If you only take one thing away from reading this blog, let it be to make sure the fundamental controls are in place and rigorously enforced.