Ransomware is a rapidly increasing risk to businesses and organisations around the world. Although there are arguably now fewer ransomware attacks against consumers, attacks against organisations are clearly increasing. A report by Malwarebytes indicates that there has been a +300% increase in ransomware attacks on businesses in the first half 2019. There has also been a significant increase in the number of ransomware attacks targeting public sector, government and local government agencies since the start of the year.
The total number of ransomware detections has dropped dramatically since the peak in 2016. However, between January and April of this year there were still over 40 million. If you compare this to 2018’s numbers, at 55 million, 2019’s tally, at time of writing, was already close to the total ransomware detections for the whole of 2018. It would appear that this year, ransomware activity is on the increase again.
Statistics show that there has been significant change of focus and that businesses are now the primary target for ransomware attackers. It is almost certainly an economic shift and due to their search for a higher return on investment. This year, ransomware such as Ryuk, which targeted logistics and technology companies and small local government organisations has been able to secure significantly higher ransom payouts.
As well as the focus on business targets, ransomware continues to become more crafty and deceptive. Examples of attacks by such entities as ENTSCRYPT, Wiper or GermanWiper, can operate without the need for a carrier file and make retrieval from an infected machine impossible.
Although phishing is still ransomware’s typical distribution channel, it seems that cyber criminals are looking to broaden ransomware’s deployment. They look to gain access to the local area networks of organisations and spread their payload laterally. This tactic was used successfully by the LockerGoga ransomware, which infected industrial and manufacturing firms. GandCrab ransomware operates by compromising an enterprise host system to gain access to the domain controller and has reputedly earned its masters $2 billion in the process.
How to defending against ransomware
To combat the threat of ransomware attacks, organisations should implement a combination of the following best practice controls:
Patching – update software to the newest version as soon as practical and ensure all security patches are applied as quickly as possible. This will help prevent abuse of unpatched vulnerabilities in older versions of software.
Backups – Make sure that all important data is backed up frequently and that multiple copies are available. Apply the 3-2-1 rule that involves creating at least three copies of the data in two different storage formats with at least one copy located offsite. This will ensure that data remains accessible even if ransomware succeeds in infecting the machine where it is stored.
Train Users – Users need to be wary of suspicious emails and other communications as they may be attempts to deliver ransomware or steal user credentials that will be used for future attacks. Links contained within an email should not be clicked and attachments should not be downloaded unless you know they are from legitimate source.
Access control – The use of system administration tools should be restricted to specific employees who genuinely need access.
For organisations that want to strengthen their overall security posture we would strongly recommend an external security review and penetration testing by a security specialist, as a minimum. Some organsisations may also want to consider a Managed Detection and Response (MDR) service, which can help businesses that do not have a dedicated security team keep on top of security threats. MDR solutions can detect anomalous behaviour and apply accumulated threat intelligence resources in order to spot threats before they can damage an organisation’s systems and endpoints.
If you believe that your organisation could benefit from security testing, please feel free to contact us via our contact page