The first case of ransomware dates back to the 1980s when a UK doctor exploited AIDS researchers with a bootloader virus on floppy disks that locked down computers and asked victims to mail back cash – by post. Since this modest yet vicious start, the costs and impact of sophisticated ransomware and ransomware-as-a-service attacks have exploded. According to recent reports, ransomware attacks increased by 93% in the first half of 2021 compared to the same period of 2020. Today’s attackers are breaking into networks, enumerating and performing reconnaissance on victims, then positioning ransomware on as many devices as possible so that it executes and encrypts everything at once.

Attackers have also moved beyond traditional single extortion attacks that just encrypt files and ask for compensation. Double extortion attacks don’t just encrypt data, they steal the data and hold it for ransom by threatening to leak it publicly. Triple extortion attacks also steal partner and customer data or execute a DDoS (Distributed Denial of Service) attack against services. This happened recently to a Finnish healthcare company when attackers threatened to release confidential psychotherapy records of 40,000 patients.

Many mid-market organisations struggle to understand the layers of security required to mount a formidable defence against ransomware. While email is still a common threat vector, the paths of a ransomware attack can vary widely. So how do these companies bridge the ransomware security gap?

The first step is patching. It’s vital to update corporate software, especially on any publicly available resource like web applications or web servers. Flaws in this software can allow attackers to get malware into your organisation without any user interaction. According to analyst firm Gartner, 99% of the vulnerabilities exploited at the end of 2020 would have been known to security professionals and IT administrators at the time of the incident. In fact, 80% of successful attacks exploit vulnerabilities for which a patch already exists.

Problem of passwords

Next is strong password practices. Most of the time an attacker uses stolen or leaked credentials from a simple phishing email or the dark web and simply logs in. Once they have basic access, they can usually escalate to domain administrator rights using other tools and tricks. A strong password should be long and random – at least 14 characters or a long passphrase. A better approach is using a password manager, which allows an individual to create one complex password or phrase to access all others. When you use a password manager, 32-character random passwords become possible without having to remember them.
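To make the length advice above concrete, here is an added example (not from the original article) that generates the kind of 32-character random password a manager produces, generates a random passphrase, and compares their guessing entropy with the article's 14-character minimum; the 94-symbol character set and the small word list are assumptions of this example.

```python
import math
import secrets
import string

# Assumed character set: what a typical password manager draws from
# (upper, lower, digits, punctuation = 94 symbols).
CHARSET = string.ascii_letters + string.digits + string.punctuation

# Constructed, tiny word list for the passphrase demo; a real
# generator would use a list of several thousand words.
WORDLIST = ["anchor", "basalt", "cobalt", "dune", "ember", "fjord", "glacier", "harbour"]


def generate_password(length: int = 32) -> str:
    """Build a password from the OS CSPRNG (secrets), never random.random."""
    return "".join(secrets.choice(CHARSET) for _ in range(length))


def generate_passphrase(words: int = 6, wordlist=WORDLIST) -> str:
    """Build a passphrase of randomly chosen words joined by hyphens."""
    return "-".join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(symbols: int, alphabet_size: int) -> float:
    """Guessing entropy of a uniformly random string: symbols * log2(alphabet)."""
    return symbols * math.log2(alphabet_size)


def meets_minimum(password: str, min_length: int = 14) -> bool:
    """Check the article's floor: at least 14 characters."""
    return len(password) >= min_length


def compare_strengths() -> dict:
    """Entropy of the three options discussed: 14 random chars, 32 random
    chars from a manager, and a 6-word passphrase from a 7776-word list."""
    return {
        "14_random_chars": entropy_bits(14, len(CHARSET)),
        "32_random_chars": entropy_bits(32, len(CHARSET)),
        "6_word_passphrase_7776": entropy_bits(6, 7776),
    }


if __name__ == "__main__":
    pw = generate_password()
    print(pw, meets_minimum(pw))
    print(generate_passphrase())
    for name, bits in compare_strengths().items():
        print(f"{name}: {bits:.1f} bits")
```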

One factor or two

The next level up is Multifactor Authentication (MFA) – the only way to strongly validate the trusted identity of users. MFA simply requires more than one method of authentication, such as a biometric fingerprint, facial recognition or a digital certificate. While traditional MFA solutions can be costly and complex, cloud-based MFA cuts down on costly deployment and management, while a choice of authentication methods such as push notifications, one-time passwords or QR codes sent to a mobile device provides good security and user experience.

Banging on about backup

Backup is vital for lots of reasons, but it is also critical for protecting against ransomware. If an organisation can recover encrypted files from a backup, it eliminates the threat of single-extortion ransomware attacks. But attackers often target backup services and disable them before an attack. Therefore, organisations should practise what’s called 3-2-2 backup, which means backing up multiple copies to multiple services, with multiple offline copies too.

Malware prevention

Advanced malware prevention is also a requirement to protect against ransomware. Traditionally, malware detection has been signature-based, meaning that it relies on a human or automated security tool to spot the malware first and look for some sort of unique pattern to identify that file so future attacks can be blocked. But the signature doesn’t exist until an attack has already happened, and today’s malware is very evasive and polymorphic, with thousands of different versions. According to recent research, close to 75% of malware evades signature-based detection, so more advanced protection is needed. Advanced malware detection uses machine learning algorithms and behaviour detection to stop zero-day malware.

Focus on the endpoint

Cybercriminals look for the weakest point of entry to attack a corporate network. This is often through endpoint devices including laptops, tablets and phones, or other IoT and wireless devices. With the massive shift to working from home due to COVID-19, traditional corporate network security can’t protect users outside its perimeter.

This means that your security strategy needs to strengthen defences on home workers’ endpoints. Using endpoint detection and response (EDR) security prevents a computer from being hijacked by monitoring and blocking any suspicious activity or unknown applications until validated.

Started with a phish 

According to the Verizon Data Breach Investigations Report, some 90% of breaches start with a phishing or social engineering attack. Organisations must make sure every user knows the basics of email security, especially the techniques used in spear-phishing that targets individuals.

Organisations should also consider adopting a Zero-Trust approach to cyber security. This means granting least privilege access, everywhere, all the time. With the rise of remote workers, trust needs to be re-evaluated. Even when someone is on the trusted network, their access should be restricted and monitored. An accountant should not have access to engineering source code, for example.

Cybersecurity is getting more complex every day. The old defence-in-depth mantra very much applies today when it comes to ransomware protection and layered security. No single solution can stop it. Fortunately, there is consolidation around technology solutions such as network security, MFA and endpoint protection, which gives IT pros centralised tools for fighting ransomware.