Ransomware is malicious software that encrypts all the files on a computer and demands payment to recover the files. Ransomware poses a threat to both individuals and businesses that rely on computers to operate.
Ransomware is constantly evolving, with some reports saying it has become the most lucrative revenue stream for cybercriminals. Increasingly, downtime and data loss from a ransomware attack are costing significantly more than the actual ransom. Additionally, delivery is becoming more sophisticated, with up to 97% of phishing emails delivering ransomware.
A report from Datto cites the example of the US city of Atlanta, which was infected with SamSam ransomware in March 2018. The infection lasted 5 days and affected multiple systems, including the ticketing system for the police and software used by the court system. The ransom demanded was US$51,000, but by August 2018 the cost of downtime and recovery had reached over US$17 million (ouch!).
On average, the ransom demanded from organisations is US$4,300 and recovery costs are $46,800. A ransom may not be just for the return of access to your data – in rare cases attackers can demand a ransom for not publishing your sensitive data.
Damage from ransomware was put at US$325 million in 2015, an estimated US$1 billion in 2016, US$5 billion in 2017, and is predicted to be US$11.58 billion in 2019. It is also estimated that fewer than 1 in 4 attacks are reported, making ransomware a much larger problem than reports indicate.
Sophos Labs report that more lucrative targeted attacks using SamSam ransomware are being manually guided. Well-known ransomware like WannaCry, Petya, and CryptoLocker is random and indiscriminate, but it is also automated and predictable. Manual attacks are unpredictable by their very nature, as attackers can react to defences. SamSam attacks are the least prevalent; however, this hybrid approach makes them more successful and thus worth the effort.
Ransomware attacks on Apple products increased 500% in 2018, and predictions of attacks on IoT, wearables, and social media are gaining momentum. Ransomware in the cloud is also on the increase, with 50% of cloud-based ransomware affecting Office 365.
So what can you do?
A single defensive measure against ransomware is ineffective. Instead, a layered approach provides better protection.
The top 5 ways to prevent ransomware interrupting operations within your organisation are:
- User training on phishing, spear phishing and dodgy websites – try this free tool from the SANS Institute.
- Business Continuity and Disaster Recovery measures put in place and regularly tested.
- Good endpoint hygiene.
- Conduct regular Vulnerability Assessments.
- Block and filter outbound connections (not just inbound).
A close 6th point is to block Microsoft protocols at the network perimeter. Several breeds of ransomware are known to attack via Remote Desktop Protocol.
Agilient have experienced consultants and auditors available to assist in all aspects of reviewing your organisation’s ransomware prevention and preparedness.
Author: David Steele, Agilient Cyber Security Consultant