Avoid paying a King’s ransom for your data
By John Michael
The path of digital transformation, accelerated by the unique requirements of the pandemic, has led to untold efficiencies and revolutionary connectivity – but it has also ushered in a new era of threat. More pernicious ransomware puts data at greater risk than ever, and the rise of remote and hybrid working means criminals now have a vast number of new avenues through which it can be deployed. Analysts are calling this the ‘golden age of ransomware’ – and it’s time for the industry to fight back.
Recent ransomware attacks have demanded upwards of US$70 million [1], and cybercrime as a whole is estimated to cost organisations $6 trillion per year in global damages [2]. Ransomware spreads through phishing emails, unprotected personal computers, exposure to public Wi-Fi and zero-day vulnerabilities, and 46% of organisations hit by an attack pay the ransom, at an average of over US$800,000 [3]. The money behind ransomware makes it an increasingly professional criminal endeavour.
Ransomware-as-a-Service (RaaS) sees ransomware authors renting off-the-shelf malware variants and cybercrime expertise to clients who carry out the attacks. Criminals are also getting bolder, moving from merely locking data to stealing it and threatening to publish it (double extortion), or extending ransom demands to a victim's third-party clients and partners (triple extortion). An attack can cause serious reputational damage as well as significant business downtime [4] and the resulting financial loss.
The human element is a greater liability
Ransomware’s rise has much to do with the vast growth in network-connected hardware and software. IoT devices, particularly unpatched ones, can act as a gateway into an improperly secured network. The speed at which IT departments were forced to roll out remote access systems during the pandemic left many inadvertent loopholes, and these are easier to exploit now that home and hybrid working places employee hardware on insecure home networks and public Wi-Fi.
Zero-day attacks, which exploit vulnerabilities for which no patch yet exists, are a real and present threat, but they are not something that can be prepared for in a targeted way. Phishing, a common method of network infiltration, has meanwhile become ever more complex and devious. The richest prizes come from those with the highest level of access, so attackers perform detailed reconnaissance on key targets before crafting their lures.
Employing a Zero Trust strategy
Minimising the possibility of an attack on IT infrastructure means taking a Zero Trust approach: building a framework in which no entity that interacts with your organisation is granted implicit trust. Every device, user, platform, tool or vendor must be explicitly verified before it is given access, particularly as liability for a data breach is highly unlikely to be passed on to a third party. Employees must be trained to understand this, and a workplace culture must be built around cyber hygiene and resilience.
However, even savvy employees can slip up in a tired moment, and attackers with enough insider knowledge may gather sufficient information to infiltrate a network regardless of an organisation’s policies. The tactic now must be to secure the key asset of any business, its data, by encrypting it consistently and employing a sound backup policy. Backups must be as well protected as the primary data, ideally with strong encryption, and kept in triplicate: online, offline and off-site. The offline copy is the one an attacker who has encrypted everything reachable from the network cannot touch, so it should stay disconnected except while a backup is being written or restored.
Protecting the keys to the kingdom
Key access must be protected, and the Zero Trust philosophy is doubly important here: entrusting keys to the same cloud storage provider that holds the data, for example, means a breach of that provider’s data centre could expose data and keys together. Moving encryption to a hardware module that keeps the keys off the host ensures that data can be protected end-to-end and rendered functionally useless as leverage for extortion. Using hardware encryption on backup drives or USB sticks further strengthens protection should the media be lost or stolen. Note that a drive which is unlocked and mounted is as writable as any other volume, so such media should be locked and disconnected once the backup has been written.
There may be no purely technological way to stop ransomware attacks from happening, particularly with the human element so vulnerable. True resilience comes from physical and logical separation between keys and data, combined with backups that are verified and known to be restorable: if an attacker can neither read the stolen data nor deny the business its recovery, a ransomware attack ends up little more than a very temporary inconvenience.
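The two points above, that backups must be as protected as the primary data and that keys must be held apart from it, can be checked before a restore is attempted. The following is an added example and is not code from the article or its author. It seals a backup set with a SHA-256 manifest authenticated by an HMAC whose key is never written to the backup medium (in practice the key would live in the hardware module or an offline store), then verifies a copy after simulated ransomware has overwritten one file with ciphertext-like bytes, deleted another and legitimately edited a third. The file layout, the 7.5 bits-per-byte entropy threshold and the stand-in "ciphertext" are all constructed for the demonstration; only the Python standard library is used.

```python
import hashlib
import hmac
import json
import math
import shutil
import tempfile
from collections import Counter
from pathlib import Path

# Assumed threshold (bits per byte): compressed or encrypted data sits near 8.0,
# while text, spreadsheets and most documents sit well below it.
ENTROPY_THRESHOLD = 7.5


def _canonical(files: dict) -> bytes:
    """Stable serialisation so the HMAC covers exactly the same bytes each time."""
    return json.dumps(files, sort_keys=True, separators=(",", ":")).encode()


def hash_tree(root: Path) -> dict:
    """Map each file under root (relative POSIX path) to its SHA-256 hex digest."""
    digests = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        h = hashlib.sha256()
        with path.open("rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def seal_manifest(root: Path, key: bytes) -> dict:
    """Record every file's digest and authenticate the record with the separately held key."""
    files = hash_tree(root)
    tag = hmac.new(key, _canonical(files), hashlib.sha256).hexdigest()
    return {"files": files, "hmac": tag}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; ransomware output is indistinguishable from random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def verify_backup(root: Path, manifest: dict, key: bytes):
    """Return (manifest_authentic, findings).

    findings maps each file that no longer matches the sealed manifest to
    'missing', 'looks encrypted' (high entropy) or 'modified'. If the HMAC fails,
    the manifest itself was altered or the wrong key was supplied, and nothing
    it says can be trusted, so no findings are reported.
    """
    expected = hmac.new(key, _canonical(manifest["files"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac"]):
        return False, {}
    current = hash_tree(root)
    findings = {}
    for rel, digest in manifest["files"].items():
        if rel not in current:
            findings[rel] = "missing"
        elif current[rel] != digest:
            data = (root / rel).read_bytes()
            findings[rel] = "looks encrypted" if shannon_entropy(data) > ENTROPY_THRESHOLD else "modified"
    return True, findings


def demo() -> dict:
    """Constructed scenario: seal a backup copy, then let simulated ransomware loose on it."""
    work = Path(tempfile.mkdtemp())
    try:
        backup = work / "backup"
        (backup / "finance").mkdir(parents=True)
        (backup / "finance" / "ledger.csv").write_text("date,amount\n2024-01-01,100\n" * 200)
        (backup / "notes.txt").write_text("quarterly planning notes\n" * 50)
        (backup / "readme.txt").write_text("restore procedure v1\n")

        # The key is derived here and held only in memory, never written under
        # `backup`: in practice it lives in the hardware module or an offline store.
        key = hashlib.sha256(b"constructed demo key, replace with a real secret").digest()
        manifest = seal_manifest(backup, key)

        # Simulated ransomware: one file overwritten with ciphertext-like bytes
        # (a deterministic stand-in for real cipher output), one deleted, and one
        # legitimately edited so the verifier has to tell the cases apart.
        fake_ciphertext = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(256))
        (backup / "finance" / "ledger.csv").write_bytes(fake_ciphertext)
        (backup / "notes.txt").unlink()
        (backup / "readme.txt").write_text("restore procedure v2\n")

        authentic, findings = verify_backup(backup, manifest, key)

        # An attacker who re-hashes the encrypted file into the manifest cannot
        # recompute the HMAC without the key, so the forged manifest is rejected.
        forged = {"files": dict(manifest["files"]), "hmac": manifest["hmac"]}
        forged["files"]["finance/ledger.csv"] = hashlib.sha256(fake_ciphertext).hexdigest()
        forged_accepted, _ = verify_backup(backup, forged, key)

        return {"authentic": authentic, "findings": findings, "forged_accepted": forged_accepted}
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the file directly to see the findings for the constructed backup. The HMAC check is what separates a trustworthy manifest from one the attacker rewrote after encrypting the copy, and it only works because the key is not stored beside the data it protects; the entropy check is a heuristic that flags encrypted-looking content so a legitimately edited file is not mistaken for a damaged one.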
[1] https://www.theverge.com/2021/7/5/22564054/ransomware-revil-kaseya-coop
[2] https://www.sdxcentral.com/articles/news/cisco-ceo-cybercrime-damages-hit-6-trillion/2021/05/
[3] Sophos, The State of Ransomware 2022, https://assets.sophos.com/X24WTUEQ/at/c5234fvn45pvmk5w6nhh4vkh/sophos-state-of-ransomware-2022-infographic.pdf
[4] https://www.statista.com/statistics/1275029/length-of-downtime-after-ransomware-attack/