Mounting a defence in the ransomware war
Ransomware attacks are escalating – it’s a criminal industry already worth billions and it’s only going to get worse. Baker Tilly’s cyber security experts discuss common weaknesses and how best to prepare against the inevitable because it’s a case of when, not if, a business is hit.
It’s the customer service story you never want to tell.
Locked out of their critical IT systems, facing the loss of important corporate and customer data, the Dutch business could only speak glowingly of the call centre offering support.
Within a matter of minutes, a helpful operator was able to guide the business through the process of making a payment so they could get their files restored.
But the catch is this wasn’t an IT help desk on the phone.
It was one of the well-staffed, smoothly run ransomware call centres that allow people to negotiate and pay the criminal enterprises that have encrypted their data in the first place.
“Prevention is important, but so is your response. What are you going to do? What kind of plan do you have to get your company back in business again?”
– Martin van Ernst
Ransomware is now one of the world’s most profitable (and seemingly low risk) criminal enterprises — with an underground network estimated to cost legitimate business around USD20 billion this year alone.
While that sum is 57 times the amount collected by ransomware gangs only a few years ago, the worst is yet to come, and some experts suggest that within a decade, USD265 billion will be stolen and extorted annually through ransomware crime.
And with that growth in revenue has come remarkable sophistication as crime gangs efficiently target victims, with an estimated 150% surge in attacks in the past year.
“It’s a growth market,” says Baker Tilly Netherlands IT Advisory Partner Martin van Ernst.
“What we say is it’s not a question of if you’re going to be hit someday with ransomware, but when.
“If you choose that state of mind, then you have to do something about it.
“Prevention is important, but so is your response. What are you going to do? What kind of plan do you have to get your company back in business again?
“When you have those plans, you can sleep a little better.”
A simple crime with a sting in the tail
What sets ransomware apart from many other kinds of cyberattack is the simplicity of the crime, which combines both technological and psychological attacks on the victims.
Unlike malware that might corrupt files, ransomware uses encryption tools to lock them so they are just out of reach of a business that desperately needs its systems and data to be able to continue shipping goods, paying staff, responding to customers or delivering on contracts.
While it is relatively easy to enact this encryption — some ransomware tools trade on the dark web for as little as $70 — the lock is also very difficult to undo.
Some groups, such as the No More Ransom project, involving a range of cybersecurity and international policing partners, make decryption software available for free, but these address only a fraction of the tools commonly used.
This is where the second psychological nudge is used to get companies to pay.
“Frankly, it’s probably only going to get worse, not better, and we’re probably going to see more successful ransomware.”
– Jeff Krull
For many companies, the cost of paying the ransom is relatively small: a median $47,008 in the first quarter of this year, according to Coveware.
Although some targets are hit with ransoms significantly higher, that kind of price is in the reach of many businesses, according to Baker Tilly experts, making it more tempting to authorise the Bitcoin or other cryptocurrency commonly used to make the transaction untraceable.
And the more people pay, says Partner at Baker Tilly US Jeff Krull, the greater the incentive for criminal gangs to double down.
“Frankly, it’s probably only going to get worse, not better, and we’re probably going to see more successful ransomware,” Mr Krull says.
“The bad guys are making money doing it, with the proportion of organisations who are paying ransom.
“There’s been so much financial reward for the people doing the ransomware that the groups are now well-funded, with far more resources and the ability to come after organisations.”
But the cost of ransomware goes far beyond the ransom payment.
Besides an average downtime of three weeks, 80% of ransom attacks now include the threat to leak company data, which can trigger its own crisis in terms of loss of trust (reputational risk) and breach of privacy.
Then there are the recovery and business interruption costs, even if a ransom is paid.
In fact, a survey by cybersecurity group Sophos of more than 5400 companies earlier this year found that of those who were attacked and paid up, only 8% recovered all their data, and on average only two-thirds of files were restored.
“I believe any organization that’s only relying on insurance, or a low relative cost of ransom payouts, as their way to mitigate the risk, is really putting the organization in the firing line right now,” Mr Krull says.
“The bad guys may know how much somebody has in insurance and use that when they’re figuring out how much they’re going to charge, or they may know how much somebody has in the bank, and use that to set the pain point on paying the ransom.
“Ask almost anybody who got hit with ransomware if it was worth not having done some of the good hygiene things they could have done to protect their business and I suspect virtually all of them will say, ‘we really wish we had taken that step’.”
Risks of ransomware
Although the average payout for ransomware might be small, there is huge potential for high yield returns.
Not only has the volume of attacks scaled dramatically, to one every 11 seconds, but as their techniques and tools improve, gangs are changing tactics.
Ransomware first responder Coveware suggests that the size of companies who fall victim to ransomware is growing, with half the victims in Q2 this year having 200 or more staff.
Although experts are divided over how closely ransomware attackers consider the industry of their victims, some groups are over-represented, in part because the software they use has been exploited or because they hold sensitive data and are more likely to pay.
The public sector, for example, is the single biggest target, followed by professional services including law firms, accounting firms and financial groups, and health care.
And with an attack in May that brought down Colonial Pipeline, a major US oil and gas pipeline responsible for supplying nearly half of the East Coast’s petroleum, the energy sector has suddenly realised its exposure as well.
“There is a difference in response readiness depending on the type of industry they operate in, but for energy and the financial services sector the threat is very clear.”
– Anestis Dimopoulos
Baker Tilly Southeast Europe Head of Digital and Risk Advisory Anestis Dimopoulos, says he sees a heightened awareness among the firm’s energy clients in the wake of the Colonial Pipeline attack and events such as the 2017 malware attack that shut down power across Ukraine.
“There is a difference in response readiness depending on the type of industry they operate in, but for energy and the financial services sector the threat is very clear,” he says.
“Even outside the technical areas in the business, this is something leaders are thinking about all the time. We were recently working with an energy sector client on a completely different business issue and ransomware risk came up.
“What would they do if a ransomware attack happened and affected the transmission network of the company? How can they recover from that? How can they respond to that?”
Mr Dimopoulos says the first step in addressing these questions is to understand and assess the risk and its impact.
“It always starts with a risk assessment, understanding your risks, how important they are, the criticality and the impact,” he says.
“Then you need to prepare to manage the risks and respond effectively to them. That means different measures, securing the systems, educating the users, frequent awareness programs, and applying all the latest security updates to the systems.”
Email phishing attacks and compromised remote access remain the key vectors for ransomware, with malware introduced into a network that can initiate an attack.
“Usually, the end users are the ones that, lacking awareness, just click a link and download something,” Mr Dimopoulos says.
“So you start by protecting the endpoints and your systems, and you pay a lot of attention to backups and incident response plans and how you can use them to recover if you need to.”
Balancing convenience with risk
The kinds of preventative steps needed to keep a company safe are not necessarily difficult to implement from a technical standpoint, says Mr Krull, but they pose a challenge to workplaces reliant on having seamless access to data, files, servers and systems on demand.
“If you think about where ransomware is successful, everybody wants to pin it on the person who clicked the link, but when you start to unravel a successful ransomware attack, you have to go all the way back to the beginning,” he says.
“Do you have good authentication? Good passwords? Multi-factor authentication? Do you have good user security awareness training? Do you have a good patch management process to keep the systems up to date and patched? Do you have good provisioning/de-provisioning systems in place to pull terminated users out and add users in?
“Do people only have access to what they need to have access to, and have you clamped that down? Have you segregated administrative accounts from regular accounts?”
Anticipating the likelihood of an attack also means having a robust disaster recovery plan, Mr Krull says.
“Do we have a way we could actually recover in alignment with the timeframe we would need to?
“Some people say they have a disaster recovery plan, and you say ‘great, how long would it take you to recover?’ But they have never tested it and it could take weeks.
“The truth is in three weeks the damage is done, and you probably have somebody saying, ‘let’s just pay the ransom’.”
Krull warns many businesses hesitate to implement controls that prevent an authorised — or unauthorised — user rampaging across systems, because of the inconvenience.
But that also opens the door for employees to be tempted rather than fooled into clicking a link that could bring the business to its knees.
“People don’t want to do this stuff like checking with data owners for access each time because it’s boring. The process is simple but it takes time and effort,” he says.
“For all your controls, for all the great things you’re doing, do you think there’s no one in your organisation who wouldn’t act if somebody walked up to them on the street, handed them a paper bag full of $5,000, and said, ‘hey, at 3:22, you’re going get a link, all I need you to do is click it, put in your credentials, and you’re done’?
“I suspect there’s somebody in almost every organization who you could get to do that, and that’s a really insidious thing.”
All three experts have seen clients who, when confronted with the risks, believe they are somehow immune to the risk of ransomware because they store files or use software based in the cloud.
But although that might be more secure than using an old server, it is not a perfect solution.
“Ransomware can move from a data centre to another via your company and malware can encrypt files in the cloud,” says Mr van Ernst.
“We have clients who think that if they put their data into the cloud through Microsoft then everything will be secure, or that their cloud provider will be able to detect and protect against threats.
“Sometimes they can, sometimes they can’t but that’s a complex picture.”
Mr Krull says breaches in the cloud often boil down to a company not configuring their cloud access properly.
“The big cloud providers have a huge incentive not to get hit and if you see a problem it is often that the organisation interacting with the cloud provider set something up incorrectly,” he says.
“They might have turned off a default setting, exposed a bunch a stuff to the internet that shouldn’t have been, misconfigured something or they are sloppy in credentialling.
“It’s not to say it’s impossible, however.
“Sometimes you hear in disaster recovery planning a company saying, ‘no, everything’s at this giant cloud provider’. That’s great, but what’s your recovery plan if they disappeared? They say, ‘well that’ll never happen’.
“That’ll never happen is not a good answer.”
Preparing a gameplan
Pitcher Partners’ Head of Security Eric Eekhof says ransomware should rightly feel alarmed about the surge in ransomware, but planning is key for the best chance of protecting the business.
“Organisations can consider several solutions that can all prevent an attack from being successful,” said Mr Eekhof.
“Something as simple as keeping all systems up-to-date with the latest versions and patches is a good first step.
“The vast majority of ransomware abuses known security issues in common operating systems and applications such as Microsoft Windows, Office and Acrobat Reader.
“These software providers have usually already provided patches and upgrades and it is on organisations to ensure these patches and upgrades are applied as quickly in their IT environment.”
Mr Eekhof said one of the biggest myths in resolving ransomware attacks is to pay the ransom.
“It is estimated between a third to a half of infected companies pay something to criminals holding their data to ransom, but there is no guarantee you will get your data back,” he says.
Regardless of whether you pay, however, the real cost lies in addressing the vulnerabilities in your system in the first place, estimated to commonly cost 10 times an average ransom.
“Educated staff are less likely to open infected attachments which put the organisation at risk,” said Mr Eekhof.
“Training staff about ransomware and security risks greatly reduces the risk of infection.
“Users can be trained to identify phishing emails and malicious messages including ransomware.”
There are also several technical solutions that can be implemented in an organisation’s IT environment to prevent the execution or spreading of ransomware once detected.
There are many products in the marketplace which are constantly being updated by their supplies but there is no guarantee they detect the latest versions of ransomware.
However, Mr Eekhof says organisations must be proactive to minimise the harm of a potential ransomware attack.
“Organisations must ensure they always have recent and complete backups which will be a serious lifesaver if you are targeted and want to recover data without paying the ransom.
“You should not only backup all your data, but also regularly test them to ensure they are complete, accurate and useful.
“There are regular incidents where organisations discover that the backups they thought they had were incomplete or useless, leaving them in exactly the situation they tried to prevent.”