Why your organisation will need a comprehensive plan to deal with ransomware in 2022

Some may decide that avoiding the disruption caused by having critical data encrypted is worth the cost of meeting the demand. Others may be covered by insurance or decide to ditch affected systems and start again.

It should be remembered, however, that even paying the cyber criminals does not guarantee access to the data will actually be restored. Also, recent industry research found that 80 per cent of organisations that opt to pay end up being attacked again.

With the number of attacks rising quickly, the chance of an organisation falling victim is growing. For this reason, it’s vital to have in place a plan covering the steps to be taken if an attack occurs.

This comprehensive plan should cover three important elements: protection of identity credentials, securing web applications and access, and backing up data.

ID credential protection

Cyber criminals mounting a ransomware attack rely on securing the identity credentials of a user, most likely through email phishing. Because phishing is the primary attack vector, it’s important for security teams to maintain a culture of awareness around credential security.

Processes need to be developed that train users on email security and deploy anti-phishing technology that can identify and flag unusual activity. If the attacker cannot access credentials, it is much more difficult to escalate the attack from phishing to ransomware.

Worryingly, an attacker only needs one person within an organisation to click on a link or open an attachment. Recent Barracuda research showed that, on average, 3 per cent of people who receive a phishing email will click on the link. Usually, the goal of the attack is to capture account credentials, allowing the hacker to then move laterally across the company and ransom the entire organisation.

VIEW ALL

Securing web applications and access

The rapid shift to remote and home working during the pandemic has pushed even more applications out of traditional data centres and into the cloud. Sometimes, the rush to keep business services functioning meant that security was overlooked, and cyber criminals are ready to exploit these vulnerabilities.

The State of Network Security in 2021 report found that Australian companies with staff working predominantly from home had a significantly higher network security breach rate (93 per cent), compared to companies with staff working predominantly in the office (67 per cent). A full 72 per cent of those surveyed said their organisation has been the victim of at least one ransomware attack in the last year.

The Verizon 2021 Data Breach Investigations Report also shows that for hacking, web applications are the biggest attack vector in use and account for more than 80 per cent of all data breaches. Online applications like file-sharing services, web forms, and e-commerce sites are among the resources that can be compromised by attackers.

Web applications tend to be attacked through the user interface or an API interface. Often these attacks involve credential stuffing, brute force attacks, or Open Web Application Security Project (OWASP) vulnerabilities. Once the application has been compromised, the attacker can introduce ransomware and other malware into the system.

Web application vulnerabilities are the next attack vector that needs to be assessed to determine how secure an organisation’s applications really are. Areas that should be reviewed include the organisation’s website, any forms stored on it, and whether the website accepts file uploads.

At the same time, as organisations experience a high level of network breaches and face ongoing connectivity and security challenges as they adapt to hybrid work environments, they realise that moving to SaaS applications and the public cloud improves both the user experience and security. As a result, they’re starting to embrace new SASE technologies.

Backing up sensitive data

A comprehensive ransomware protection strategy should also contain steps that cover data backup and recovery. The trouble is that cyber criminals know this too, and increasing numbers are seeking it out before their presence within a targeted IT infrastructure has even been detected.

The backup admin console is particularly important for the criminals as it gives them access to backup schedules, configuration, retention policies, and the ability to start deleting things. Often, the criminals will also target backup storage itself, hoping to delete primary backup servers and any secondary DR copies that might exist.

There also remains an all-too-common misconception that, because data is stored on a cloud platform, it can’t be affected by ransomware, however, this is simply not true.

For example, a child browsing the web on their school tablet or laptop at home can easily be tricked into clicking on a malicious link by accident. If that device is connected and synced to OneDrive as part of the school’s Office 365 account, a ransomware file can be automatically uploaded to OneDrive and encrypt the school’s files and data held in the Microsoft cloud.

It’s therefore important to properly defend and isolate backup data. Think about how often systems need to be mirrored and how fast you can rebuild systems from those images.

Hope for the best, but prepare for the worst

Every organisation hopes it never falls victim to a ransomware attack, however the reality is that it’s likely to happen at some point.

By taking time to think through what measures to put in place to minimise risks and develop a response plan for when an attack happens, organisations can be as prepared as it is possible to be.

Mark Lukie is the APAC sales engineer manager at Barracuda.