There’s no two ways about it: Ransomware attacks continue to increase. This is especially true against the backdrop of hybrid working, which opens up new opportunities for vulnerability. As a result, many businesses are (understandably) beginning to assume they’ll be victims of an attack at some point. So how can they react when targeted? And what’s the best way to protect against ransomware?
Do attacked businesses normally pay the ransom?
Many organisations are forced to pay up when they’re targeted by a ransomware attack. This is often due to the organised, systematic planning that goes into an attack to make it successful for the threat actors. The image of a solitary hacker working alone from their basement is history — today’s ransomware attacks are often carried out by fully formed organisations with huge amounts of resources at their disposal.
A typical attack sees the threat actors gain access to the business network by way of phishing and vulnerabilities. They can then examine the network to find out what IT solutions the business runs on. The ransomware organisation often has experts for each of the areas they identify in the course of this examination. Each specialist systematically gains access to that area of a business’s IT infrastructure, with the aim of providing no alternative for the affected business other than to pay the ransom.
Why paying the ransom is never a suitable response plan
The payment of a ransom itself is also becoming more complicated. It’s well known that transferring funds to the bad actors often doesn’t result in the data being returned. Even for those willing to take this risk, there’s the question of legality around paying a ransom. With many countries passing laws forbidding ransom payments, the victims may inadvertently become perpetrators of a different crime. Furthermore, a major provider of cyber insurance will no longer cover attacks carried out by nation states. This policy change is quite a slippery slope for the average business, who has virtually no way of knowing whom their attackers are associated with.
What’s the alternative to paying the ransom?
This depends on what ransomware protection measures an organisation has already put in place. If these weren’t enough to bar access to the attackers, they will very likely attempt to delete or destroy any backups and compromise the network. In that case, there are few alternatives other than to pay the ransom.
Essentially, if the business doesn’t have a plan in place already, there is little they can do when attacked. It’s therefore essential to put a plan in place before the attack in order to hopefully be able to lessen the extent of the damage.
Will a disaster recovery (DR) plan also protect against ransomware?
In many cases, an organisation’s data at their DR site is also infected with the same ransomware attack as the primary site. And should the attackers somehow get kicked out of the primary network, they often place backdoors to allow them to gain entry again.
Because ransomware attacks often take place over a longer period, the attackers can become very familiar with an organisation’s network. This includes the location of the DR environment. DR networks are not designed to be airgapped or segregated from the production systems. This means they are thus usually accessible once the production has been compromised.
It’s important that the business realises that ransomware requires its own response plan. This should be separate from the DR plan and budgeted for accordingly. Only this will ensure the level of protection needed to fend off the threat actors.
A ransomware response plan is essential, then. Do most organisations have one?
Very many do. However, the plans are often too simplistic when compared with the attackers’ tactical sophistication, as described above.
Some businesses are under the impression that backups or storing their data in SaaS services (such as O365) is sufficient ransomware protection. But these measures aren’t enough.
Instead, current guidance recommends businesses implement a layered defence. While this approach can be daunting on account of its greater number of components – as well as the way these interact with one another – it provides the possibility to significantly improve an organisation’s level of ransomware protection. And despite the number of layers involved, it doesn’t have to be prohibitively expensive, either.
[We recommend these 10 essential layers of ransomware defence]
If we’re starting to talk budgets, does this mean ransomware protection is more than “just” an IT issue?
Definitely. The technical elements of it are related to IT, of course. But the business as a whole has to evaluate the level of investment required to adequately protect against ransomware. And for this investment, an ounce of prevention is worth a pound of cure. Because funds spent on staff education, cyber awareness training and structuring technical policies as well as business practices around cybersecurity are only a fraction of the cost of a cyberattack.
When making this investment assessment, organisations must ask how they will survive in the event that a ransomware attack struck and was successful. Here, it often becomes apparent that an organisation will require outside support in the event of an attack. Establishing a relationship with a partner before this occurs is crucial to ensuring that you have a course of action planned that can protect against ransomware, or at least mitigate its damage.
Proact is an ideal protection partner. We can provide security expertise to advise on protection and help you develop a ransomware response plan that meets your organisation’s unique requirements. This way, you’ll be thoroughly prepared if the worst happens.
Find out more about how we work to protect and secure your data by getting in touch with us using the button below.