Do you Know how to Protect Against Ransomware in 2023?

Ransomware has quickly become one of the biggest cyberthreats facing any business. Over the last couple of years, this type of attack has hugely grown in profile.

Yet the ransomware attacks being launched in 2023 are very different from those that made headlines a few years ago, such as the WannaCry attack that did so much damage by shutting down access to IT networks. Today’s breeds of malware often do far more than lock down devices and disrupt access to data – they are also used as the launchpad for a range of extortion threats by exfiltrating sensitive data.

It’s clear how quickly ransomware has evolved over recent years to become a major source of headaches for cybersecurity professionals. Every business is now at risk, and the consequences of falling victim are higher than ever. Therefore, prevention is far more effective than cure when it comes to defending against these threats.

Ransomware has become one of the most popular options for cybercriminals because it offers a very high success rate for relatively little effort. Once businesses have fallen victim to such attacks, they may often feel they have little choice but to give into demands and pay up – and this can quickly add up to a lot of money.

Our State of Ransomware in 2022 report found that last year, the average ransom payout reached more than $258,000. However, this is only a small fraction of the total cost of a ransomware attack. Other expenses include expenses related to lost business, data forensic investigations, remediation to harden systems, reputational damage and legal costs, such as regulatory fines and customer lawsuits. In total, the average cost of a ransomware attack – excluding direct payments to hackers – is expected to surpass $5 million in 2023.

The odds of a business falling victim to a ransomware attack remain high – and firms should not make the mistake of thinking they are too small or do not hold enough sensitive data to be worthwhile targets for cybercriminals. In fact, smaller firms often make even more tempting targets than their larger counterparts, and there are a number of reasons for this.

Firstly, less-sizeable enterprises frequently cannot afford to spend significant resources on cybersecurity, which leaves them more vulnerable. What’s more, once hackers are able to access networks and exfiltrate data, they may be more likely to get paid.

While large companies can often afford to refuse to negotiate and ride out any disruption while they restore backups and build resiliency, for a small business, a ransomware incident can be an existential threat. Indeed, one study by Atlas VPN suggested more than a third of UK businesses that fall victim to ransomware are forced to shut down for good.

The challenges associated with ransomware are compounded by the fact that shifting tactics have made such incidents even harder to detect. In many cases, firms may not even be aware their systems have been compromised by hackers until they receive a demand for payment, by which time it will often be too late.

Traditional defenses usually work by looking for telltale ‘signatures’ of malware attacks they can compare to a database of known threats. But this does not protect against zero-day vulnerabilities that have not yet been identified by security researchers. Neither can they protect against ‘fileless’ malware attacks, which often take advantage of legitimate tools such as PowerShell to evade detection. According to our 2022 Ransomware Attack Report, 87 percent of incidents last year involved PowerShell.

Understanding how ransomware gangs typically operate is an essential first start in learning how to protect against ransomware. Once firms are familiar with the most common tactics used by these groups, they can direct their resources more effectively and ensure they’re focusing their attention in the right area to spot attacks before they have a chance to do damage.

While there are a huge range of ransomware variants out there, the majority of attacks still rely on one of a handful of tried and tested solutions. In 2022, for example, half of all ransomware incidents came from just four variants. These were:

• LockBit (16 percent)
• BlackCat (13 percent)
• Hive (12 percent)
• Conti (nine percent)

LockBit in particular proved highly popular among hackers, seeing a 600 percent increase compared with the previous year. One reason for this is its Ransomware-as-a-Service model, where anyone can buy access to the tool from its creators and use it to launch attacks. It is also a constantly evolving platform with the ability to move laterally within networks and harvest data undetected.

As for the Hive ransomware, the US Justice Department announced early this year that it had successfully taken the network offline, with a multinational law enforcement operation helping thwart over $130 million in ransom demands. However, ransomware gangs are rarely gone for good, and it is a constant arms race as hackers adapt their tactics and create newer variants, building on lessons learned previously.

Ransomware, like most other forms of cyberattack, can often be traced back to human error. This is rarely malicious – although insider threats are certainly a risk firms will need to be aware of. In most cases, ransomware is able to gain network access because of issues like poor email security, such as failing to spot the telltale signs of a phishing attack.

Visiting unsecured sites that can initiate drive-by downloads, weak passwords or access management, and open remote desktop protocol access are other common ways in which networks can become infected with ransomware.

We’ve noted above how small businesses are particularly at risk of ransomware attack – with as many as 82 percent of incidents targeting such firms by some accounts – but there are also a few key sectors that are especially likely to come under attack.

For instance, our research noted the most common sectors to fall victim include education (17 percent of incidents in 2022), government (16 percent) and healthcare (15 percent). Government and healthcare organizations are currently of particular interest to hackers, with both seeing almost 50 percent increases in the number of incidents last year.

There are several reasons why targeting these organizations is particularly lucrative for a ransomware gang. They often deal with highly sensitive data that is critical to their day-to-day operations, so cannot afford any more downtime than necessary. They also may be more willing to make a payment to avoid public disclosure of data, given the confidential nature of the information they hold.

Unlike some other types of malware where the main purpose is to be disruptive, many ransomware attacks come with unique characteristics that make them more dangerous. The risks of extortion and public exposure of information if ransomware groups are able to successfully exfiltrate assets like personal data are very high. Therefore, firms must follow a few key steps to avoid having to make a decision on whether or not to give in to ransomware demands.

User education is the first line of defense against any ransomware threat, and one of the key elements of this is ensuring that employees have a good understanding of email security and know how to spot phishing emails.

However, it’s not enough to provide a one-off session on what to look for. A good security awareness training program must be an ongoing process that’s regularly updated and backed up by tests to ensure users are following the guidance they receive.

Beyond this, emphasizing the importance of strong password practices, eliminating account sharing and having a clear process for what to do if devices are lost or stolen are all key parts of a comprehensive anti-ransomware training program. This is especially important if a business has remote workers who will be accessing sensitive data from outside the office.

If you do encounter a ransomware attack that has compromised your systems – whether this is through your own proactive defenses or if you receive a demand for payment – there are several key steps that must be taken immediately to minimize any damage. This includes the following:

• Isolate any infected systems
• Ensure your backup data is secure
• Turn off regular processes such as maintenance tasks
• Determine which variant is the cause of your ransomware infection
• Enact your data recovery plan
• Follow all relevant reporting requirements

To make this as easy as possible, it’s essential that businesses have a clear response plan they can refer to during this process. This should detail exactly who in the organization is responsible for which actions, what the policies are for dealing with ransomware groups, cyberinsurance providers and regulators, and what steps will need to be taken in order to learn lessons and improve protections going forward.

All law enforcement agencies, including the UK’s National Cyber Security Centre and the US’ Cybersecurity and Infrastructure Security Agency, advise against making a ransomware payment in order to retrieve data or ensure compromised information won’t be published. There are several reasons why handing over money is usually a bad idea.

Firstly, you’re unlikely to actually get your data back. Relying on cybercriminals to keep their word is clearly a plan fraught with risk. Indeed, according to one study, only eight percent of ransomware victims actually recovered all their data after paying, with almost a third getting back less than half.

For those who’ve fallen victim to double extortion ransomware, there is also no guarantee that ransomware operators will delete exfiltrated data as promised. In fact, there are compelling reasons for them not to do this, as once a company has paid up once, this sends a clear signal that they’ll do it again. It’s therefore no surprise that four out of five firms that pay a ransom are targeted again.

If you are to successfully prevent ransomware attacks, you need to combine effective user education with the latest cybersecurity software to ensure data security. This means looking beyond traditional antimalware software in favor of modern solutions that have been specifically designed to counter the threat posed by ransomware.

It’s important to remember that just because you’ve got an antivirus solution in place, this doesn’t mean you’ll be protected against ransomware. In fact, ransomware attackers have become very proficient at bypassing these systems with tactics that are particularly hard for this type of protection to detect, such as fileless malware.

Another issue is once a threat actor has successfully breached your perimeter defenses, traditional protections may be blind to them. This can enable sophisticated attackers to move laterally within the network to track down valuable information such as personal data and then exfiltrate it from the business without being spotted by tools whose primary purpose is to look for incoming threats.

The good news is that even if you have been compromised, there are still opportunities to shut down an ongoing ransomware attack before it can do damage – provided you have the right tools in place.

Some of the most dangerous types of attack today are those that exfiltrate data for use in later extortion attempts, so dedicated ransomware protection software that is able to detect these activities and shut them down before data leaves the business is vital.

These anti data exfiltration (ADX) tools work as endpoint security, sitting on every device on your network to constantly monitor outgoing traffic. By looking for patterns of usage and building an understanding of what normal behavior looks like, these tools can automatically step in to prevent any abnormal data exfiltration attempts.

This means there is no need to send data for analysis, ensuring efforts are blocked at the first sign of an issue, while reducing the risk of disruptive false positives that can be seen with older data loss prevention software.

Learn more about how BlackFog protects enterprises from the threats posed by ransomware.