
Ransomware Tactics Get Uglier; Here’s What Companies Can Do

Most organizations are more concerned about ransomware than other cyber-threats, says a new report by cybersecurity company Fortinet.


Ransomware is threatening organisations at an increasing rate. In a new global survey conducted by Fortinet, as many as 67% of companies report having been a ransomware target – with nearly half saying they had been targeted more than once and almost one in six saying they had been attacked three or more times. That’s according to Fortinet’s 2021 Global State of Ransomware Report.

Because of this, 94% of organisations indicate that they are concerned about the threat of a ransomware attack, with 76% being very or extremely concerned. In fact, 85% are more worried about a ransomware attack than any other cyber threat. Their top concern (62%) about it is the risk of losing data.

Top concern – Risk of losing data

Today’s businesses run on data. So, while loss of productivity and the interruption of operations are also top concerns, they are events that can be recovered from much more quickly than a significant loss of data, the report says.

Recent high-profile cases, including the Colonial Pipeline attack that disrupted oil and gasoline distribution across the United States’ East Coast region and the JBS Foods attack that led to concerns about a global meat shortage, have helped fuel those concerns.

“According to a recent FortiGuard Labs Global Threat Landscape report, ransomware grew 1070% year-over-year. Unsurprisingly, organizations cited the evolving threat landscape as one of the top challenges in preventing ransomware attacks. As evidenced by our ransomware survey, there is a huge opportunity for the adoption of technology solutions like segmentation, SD-WAN, ZTNA, as well as SEG and EDR, to help protect against the threat of ransomware and the methods of access most commonly reported by respondents,” says Rajesh Maurya, Regional Vice President, India & SAARC at Fortinet.

He adds, “The high amount of attacks demonstrates the urgency for organizations to ensure their security addresses the latest ransomware attack techniques across networks, endpoints, and clouds. The good news is that organizations are recognizing the value of a platform approach to ransomware defense.”

Based on the technologies viewed as essential, organisations were most concerned about remote workers and devices, with Secure Web Gateway, VPN and Network Access Control among the top choices. While ZTNA is an emerging technology, it should be considered a replacement for traditional VPN technology. However, most concerning was the low importance of segmentation (31%), a critical technology solution that prevents intruders from moving laterally across the network to access critical data and IP.

Likewise, UEBA and sandboxing play a critical role in identifying intrusions and new malware strains, yet both were lower on the list. Another surprise was secure email gateway at 33%, given phishing was reported as a common entry method of attackers.

Ransom – To pay or not to pay

The top concern of organisations regarding a ransomware attack was the risk of losing data, with the loss of productivity and the interruption of operations following closely behind. In addition, 84% of organisations reported having an incident response plan, and cybersecurity insurance was a part of 57% of those plans. With regard to paying ransom if attacked, the procedure for 49% was to pay the ransom outright, and for another 25%, it depended on how expensive the ransom was. Of the one-quarter who paid ransom, most, but not all, got their data back.

However, another recent report by cybersecurity firm Sophos raises a greater concern by bringing to light that companies in various sectors, especially in manufacturing and production, were the least likely (19%) to submit to a ransom demand to have encrypted files restored and the most likely (at 68%) to be able to restore data from backups.

The practice of backing up data could be a reason why this sector was also the most affected by extortion-based ransomware attacks, a pressure technique where attackers don’t encrypt files, but rather threaten to leak stolen information online if a ransom demand isn’t paid. The survey studied the extent and impact of ransomware attacks during 2020.

“This sector’s high ability to restore data from backups enables many companies to refuse attacker demands for payment in the case of traditional, encryption-based ransomware attacks,” said Chester Wisniewski, principal research scientist at Sophos.

“However, it also means that adversaries are forced to find other approaches to make money from victims, such as stealing data and threatening to leak company information if their financial demands aren’t met. Backups are vital, but they cannot protect against this risk, so manufacturing and production businesses should not rely on them as an anti-extortion defense. Organizations need to extend their anti-ransomware defenses by combining technology with human-led threat hunting to neutralize today’s advanced human-led cyberattacks.”

On the whole, companies are more worried about being attacked with ransomware in the future than about any other form of cyber threat, possibly because these attacks are so sophisticated that they have become harder to stop. Forty-six percent believe that since ransomware is so prevalent, it is inevitable they’ll get hit by this form of cybercrime, the Sophos study says.

What companies can do

In the light of the survey findings, Sophos experts recommend the following best practices for all organizations across all sectors:

  1. Assume the organization will be hit. Ransomware remains highly prevalent. No sector, country, or organization size is immune from the risk. It’s better to be prepared and not be hit than the other way round.
  2. Make frequent backups. Routine backups are the number one method organizations used to get their data back after an attack. Even if organizations pay the ransom, attackers rarely return all of the data, so backups are essential either way. Aim for an approach that involves at least three different copies, using at least two different backup systems, and with at least one copy stored offline and preferably offsite.
  3. Deploy layered protection. In the face of the considerable increase in extortion-based attacks, it is more important than ever to keep the adversaries out of the network in the first place. Use layered protection to block attackers at as many points as possible across an entire estate.
  4. Combine human experts and anti-ransomware technology. The key to stopping ransomware is defense in depth that combines dedicated anti-ransomware technology and human-led threat hunting. Technology provides scale and automation, while human experts are best able to detect the telltale tactics, techniques and procedures that indicate when a skilled attacker is attempting to break in. To bolster in-house skills, enlist the support of a specialist cybersecurity company. Security Operations Centers (SOCs) are now realistic options for organizations of all sizes.
  5. Don’t pay the ransom, if this is an option. Independent of any ethical considerations, paying the ransom is an ineffective way to get data back. Sophos research shows that after a ransom is paid adversaries will restore, on average, only two-thirds of the encrypted files.
  6. Have a malware recovery plan and continuously test and update it. The best way to stop a cyberattack from turning into a full breach is to prepare in advance. Organizations that fall victim to an attack often realize they could have avoided a lot of cost, pain and disruption, if they had an incident response plan in place.

The “State of Ransomware in Manufacturing and Productions 2021” report is available on Sophos.com.
