Over the past several years, ransomware has grown from being a moderate risk for businesses to a widespread headline-grabbing danger. It can infect a user and bring down an organization in just minutes. As things currently stand, many businesses don't have the proper IT hygiene or security controls in place to prevent, monitor, detect, and respond. With payouts in the tens or hundreds of thousands of dollars, this form of attack is a chance for threat actors to cripple an organization's ability to operate and make a significant amount of money in very little time.
Ransomware is company-, industry-, and victim-agnostic. The hasty move to remote work has given cybercriminals more opportunities to leverage a ransomware attack, whether through a misconfigured system, the victim having less operational and security visibility amid remote work, or bad actors capitalizing on people's search for COVID-19 information. Successfully defending against these rampant cyberthreats requires preparation as well as a deep understanding of what to look for should an attack begin.
Why Ransomware Continues to Be So Successful
A ransomware attack can be executed in as little as 15 minutes. And the effects of ransomware can send shockwaves through an organization and bring operations and revenue generation to a halt, making it a desirable strategy for cybercriminals looking to make money fast. Its target radius spans across industries and can be used against any company or government.
Ransomware is also a unique attack vector in that almost anyone can use it, regardless of whether they are solo criminals, part of a crime group, or a nation-state threat actor. An entire ransomware-as-a-service (RaaS) industry exists in which developers can sell or rent out their variants to cybercriminals, including pre-constructed kits. This means carrying out an attack does not require training or customization to have an extremely effective weapon.
Education and State/Local Government Are Top Targets
Educational institutions are often hit by ransomware due to a usual lack of cybersecurity preparedness and the fact that education institutions house the information of thousands of people. The substantial shift to e-learning in the wake of COVID-19 has made the education sector even more of an appealing target. Assaults on schools have halted in-person and remote instruction for days, in some instances — like Baltimore County Public Schools in November 2020 — while also exposing student and faculty personal information. Parents are also targets, as attackers seek to intimidate them into paying ransom for school assignments and personal information about their children.
Similarly, for government institutions that previously had worked almost exclusively on-premises, the shift to remote work that happened virtually overnight made these organizations primary targets. Like education institutions, these entities traditionally do not have the safeguards, funding, or emphasis on cybersecurity that other industries in the private sector have. The changes amid the pandemic have only exacerbated these issues and broadened exposure.
How All Organizations Should Prepare
To stay ahead of attacks, organizations must take a proactive approach to their cybersecurity strategy and invest in solutions that can identify malicious behavior and facilitate a rapid response within network infrastructure to prevent ransomware whenever possible and limit the spread of an attack if it does happen. Organizations must patch aggressively, establish complete backups, prepare a comprehensive response plan, and focus on educational training for every employee to make sure they are prepared to manage attacks and continue with little disruption. Companies across industries should be practicing their response to a simulated ransomware attack the same way schools practice active shooter situations with lockdown drills.
Paying the ransom might be the right choice if people's lives could be put in danger or there is a possibility of losing tens of millions of dollars in a very short period. However, organizations need to understand that it is not necessarily a sound move in most cases. It can result in additional financial penalties from the US federal government. Paying a ransom also doesn't guarantee that systems will be restored without issue or that the organizations won't be hacked again by the same threat actor.
Organizations should also consider investing in a cyber-insurance policy that covers the costs associated with a ransomware attack, including the cost of the ransom itself, lost revenue, and any other monetary needs associated with recovery. In 2019, Baltimore was hit with a ransomware attack that demanded $76,000. The city did not make the payment and was instead left with the restoration costs and revenue losses that ended up being more than $18 million. Since the city had not invested in cyber insurance, its leaders did not have access to any recovery assistance, which illustrates the importance of such a policy.
Criminal groups have preyed on unsuspecting victims' insecurities during a precarious time to carry out countless ransomware attacks over the last year. Successfully defending against these rampant cyberthreats demands preparation and a deep understanding of the indicators of compromise to monitor for those that signify the start of an attack. This threat should be top of mind for all CISOs, and organizations should be deploying the right tools to monitor their systems and detect, shut down, and contain suspicious activity.
About the Author
James Carder is the CSO and VP of Labs at LogRhythm. James has more than 23 years of experience working in corporate IT security and consulting for the Fortune 500 and US government. At LogRhythm, he develops and maintains the company's security governance model and risk strategies, protects the confidentiality, integrity, and availability of information assets, and oversees both threat and vulnerability management as well as the security operations center (SOC). He also directs the mission and strategic vision for the LogRhythm Labs threat research, compliance research, and strategic integrations teams.