There is little doubt that cyber crime is a lucrative business: the growing impact of attacks, particularly ransomware, is being felt by businesses of all sizes across the globe.
According to Pieter Nel, Regional Head for SADC at Sophos, in the company’s recently released report: ‘The State of Ransomware 2022’, there are some worrisome figures relating to South Africa.
“The report’s statistics show that some 51% of the surveyed organisations were actually hit by a ransomware attack. Of the organisations that had data encrypted in a ransomware attack, some 49% paid the ransom. Moreover, 95% of businesses also claimed the attack had impacted their ability to operate, while 92% of the victims said they had lost business and/or revenue because of the attack,” he says.
“The reasons for ransomware’s success are varied, of course, but do speak to a broader set of causes. One of these may be an underlying weakness in the company. Attackers are known to go after weaknesses in technology, processes and people, in order to break into networks and then manoeuvre around to steal data, evade detection and drop ransomware.”
Another challenge he highlights is cyber criminals acting as a community, pointing out that we find ourselves in a world where many criminals have specialised and offer their unique criminal services to others. Some focus their efforts on initial access by breaching companies with weak security on externally facing services. Others are skilled at phishing, which nets them valuable network credentials. Both of these groups can resell their ill-gotten information to other criminals who are skilled at hands-on attacks and data exfiltration.
“This clearly shows that cyber security should have a fully fledged plan for dealing with ransomware attacks, to ensure protection both in the present as well as in the future. It is also no longer enough for organisations to assume they’re safe by simply monitoring security tools and ensuring they are detecting malicious code,” he adds.
“Certain combinations of detections or even warnings are the modern equivalent of a burglar breaking a flower vase while climbing in through the back window. Defenders must investigate alerts, even ones which in the past may have been insignificant, as these common intrusions have blossomed into the foothold necessary to take control of entire networks,” he explains.
“Moreover, in the aftermath of a ransomware attack, there is often intense pressure to get the business back up and running as soon as possible. Restoring encrypted data using backups can be a difficult and time-consuming process, so it can be tempting to think that paying a ransom for a decryption key is a faster option. However, it is also an option fraught with risk.”
Nel says that for one thing, companies don’t know what the attackers might have done, such as adding backdoors, copying passwords and more. If organisations don’t thoroughly clean up the recovered data, they will end up with all that possibly toxic material in their network and potentially be exposed to a repeat attack.
“In recent years, it has become increasingly easy for cyber criminals to deploy ransomware, with almost everything available as a service. Secondly, many cyber insurance providers have covered a wide range of ransomware recovery costs, including the ransom itself – this has likely contributed to ever increasing ransom demands.”
However, continues Nel, cyber insurance is getting tougher and, in the future, ransomware victims may be less willing or less able to pay sky-high ransoms. Sadly, this is unlikely to reduce the overall risk of a ransomware attack. This is because ransomware attacks are not as resource-intensive as some other, more hand-crafted, cyber attacks, so any return is a return worth grabbing – meaning cyber criminals will continue to go after the low-hanging fruit.
“Sophos offers some key recommendations around best practices to help defend against ransomware and related cyber attacks. To begin with, install and maintain high-quality defences across all points in the organisation’s environment. You must also review security controls regularly and make sure they continue to meet your needs. Secondly, proactively hunt for threats in order to identify and stop adversaries before they can execute their attack.
“You should also harden the IT environment by searching for and closing key security gaps like unpatched devices, unprotected machines, open RDP ports, etc. Extended detection and response solutions are ideal for this purpose. Ultimately, you should prepare for the worst: know what to do if a cyber incident occurs and keep the plan updated, while also being sure to not only make backups, but to practise restoring from them to ensure you can get back up and running as soon as possible, and with minimum disruption,” concludes Nel.