
January 19, 2021 | Matt Pacheco

Ransomware Attacks: How to Prevent, Detect, and Respond

Ransomware attacks have been on an upward trend throughout 2020 and will likely continue in 2021. Ransomware encrypts a company’s data or IT systems, and the victim must pay a ransom to get it unlocked. Ransomware composed nearly a third of all cyberattacks in 2020, according to Paul Mazzucco, TierPoint’s chief security officer. “We’ve seen a huge uptick. Protecting against ransomware has become an all-hands-on-deck activity.”

Ransomware trends in 2020 – looking back

While nearly every industry has been hit with ransomware, the most targeted organizations are professional services firms, medical providers, local governments, and logistics companies, said Mazzucco. According to a report on the top 11 ransomware attacks in 2020, five of the 11 organizations were municipal governments, while the remaining victims included legal, manufacturing, financial services, IT services, and facility management companies, as well as higher education. Healthcare organizations, schools, and municipal and government agencies are often targeted by ransomware because of the highly sensitive and valuable data they store, their often limited IT budgets, and their weaker cybersecurity.

In October and December of 2020, the FBI and other federal agencies issued alerts warning that healthcare and K-12 schools were in imminent danger of ransomware attacks. This happened at the same time that hospitals were dealing with the second wave of Covid-19 patients, and while schools were struggling to create quality distance learning environments for their hundreds or thousands of students.

New variants of ransomware can also target Internet of Things (IoT) and smart devices. That can cripple organizations that are heavy users of IoT infrastructure, such as manufacturing companies and smart cities. A big part of the problem is that IoT devices often have little to no security.

“These are small chipsets with a Unix overlay and often little else. Things like traffic management and security cameras are not very well protected, and the cities themselves are often not prepared to mitigate these attacks,” said Mazzucco.

A city that has invested in smart infrastructure—such as traffic congestion sensors, smart lighting, air quality sensors, trash bin monitoring for waste management, and smart parking—is extremely vulnerable to a ransomware infection, which could paralyze the infrastructure.

Unfortunately, ransomware attacks are cheaper and easier to deploy than ever. A novice hacker can attack a major company or municipal government without much money or even technical expertise. There’s a booming market for ready-to-use ransomware kits and Ransomware as a Service products on the Dark Web.

“For less than $1,000 anyone can get on the Dark Web and download a ransomware toolkit, often with support services included,” said Mazzucco.

Newer ransomware products have advanced features that make them harder to defend against, said Mazzucco. “They’re self-replicating and self-protecting and can spider your network and encrypt your files with a random AES encryption key so it’s almost impossible to decrypt with a standard key.”

What should an organization do when it is hit with ransomware?

One option is to pay the ransom. However, there’s no guarantee you’ll get your data back. Often, the attackers take the money but never send the decryption key, or they may demand more money after the first payment. Some attackers will threaten to release your data onto the Dark Web–which is why it’s critical to encrypt sensitive information.

If you have a reliable and current backup of data and systems, you can skip the ransom and go straight to recovery. Unfortunately, backups often fail, so it pays to test your backups regularly, instead of discovering you have no backup or one that is two months old after you’ve been hit with ransomware.

A Gartner survey cited by Mazzucco found that nearly 40% of IT departments back up their data only annually or semiannually–making those backups nearly worthless for most businesses. Another 20% either do not bother to back up or do not know. That means that 60% of IT departments could lose 100% of their data in a ransomware attack.

In addition to an enterprise-level backup-and-recovery solution, a ransomware defense strategy should include multiple layers of security, including:

  • next-generation firewalls
  • web content filtering
  • email spam filters
  • vulnerability scanning
  • zero-day anti-malware

Standard anti-malware applications may fail to detect ransomware, or any malware, if it is a new variant, which is why malware developers often modify their code. Zero-day anti-malware products get regular updates on the latest variants and may look at behavior and file integrity to determine whether activity is suspicious.
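To make the file-integrity idea concrete, here is an added example (not from TierPoint or any anti-malware product) that compares a baseline of file hashes with a later snapshot and raises an alert when many files vanish or turn into high-entropy, encrypted-looking content. The thresholds, function names, and sample files are assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter

ENTROPY_THRESHOLD = 7.5  # bits/byte; assumption: encrypted data sits near 8.0
MASS_CHANGE_RATIO = 0.5  # assumption: alert when half the baseline is affected

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, much lower for plain text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def snapshot(files: dict) -> dict:
    """Map file name -> (sha256, entropy) for a {name: bytes} file set."""
    return {name: (hashlib.sha256(body).hexdigest(), shannon_entropy(body))
            for name, body in files.items()}

def assess(baseline: dict, current: dict) -> dict:
    """Flag baseline files that vanished or changed into high-entropy content."""
    suspicious, missing = [], []
    for name, (old_hash, old_entropy) in baseline.items():
        if name not in current:
            missing.append(name)  # deleted, or renamed with a new extension
            continue
        new_hash, new_entropy = current[name]
        # Ordinary edits keep entropy low; already-compressed files are skipped.
        if new_hash != old_hash and new_entropy >= ENTROPY_THRESHOLD > old_entropy:
            suspicious.append(name)
    affected = len(suspicious) + len(missing)
    alert = bool(baseline) and affected / len(baseline) >= MASS_CHANGE_RATIO
    return {"suspicious": sorted(suspicious), "missing": sorted(missing), "alert": alert}

# Constructed sample data; the pseudo-random bytes stand in for encrypted content.
FILES_BEFORE = {
    "report.txt": b"Quarterly revenue summary\n" * 200,
    "notes.csv": b"id,name,amount\n1,alice,10\n" * 200,
    "readme.md": b"# Project\nSetup notes\n" * 200,
    "todo.txt": b"call vendor\n" * 200,
}
STAND_IN_CIPHERTEXT = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
FILES_EDITED = dict(FILES_BEFORE, **{"readme.md": b"# Project\nUpdated notes\n" * 200})
FILES_ENCRYPTED = dict(FILES_EDITED, **{"report.txt": STAND_IN_CIPHERTEXT,
                                        "notes.csv": STAND_IN_CIPHERTEXT[::-1]})
```

A normal edit to `readme.md` changes its hash without raising an alert, while the two files replaced by high-entropy bytes push the affected share to the alert threshold.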

Data encryption helps ensure that, if your data is stolen, it can’t be sold on the Dark Web. Mazzucco also recommends encrypting your backups.

“If your backup infrastructure is not encrypted and if the backup is attached to the network or system that is infected by ransomware, then your backup systems are likely infected as well,” he explained.

People are also a critical component of a cybersecurity strategy. A “human firewall” of end users who follow good cybersecurity practices and are up to date on the latest cybersecurity threats can prevent most ransomware attacks. Prevention and recovery will also depend on people outside of the IT department, such as human resources to develop end-user education programs, legal professionals to ensure the company follows all data security regulations, marketing to communicate with customers, cybersecurity forensics professionals to investigate how the attack occurred, and even law enforcement in some cases. Mazzucco notes, “Ransomware recovery is a group effort.”
