Don’t pay the ransom, warn experts as ransomware attacks spike

Johannesburg, 25 Jan 2023
Rubrik Press Office
Vileen Dhutia, head of security sales, EMEA at Rubrik.

Ransomware attacks are proliferating and becoming increasingly sophisticated, making it likely that every organisation will fall victim to an attack at some point. The best course of action is to not pay the ransoms if attacked, and to prepare for recovery instead.

This is according to cyber security experts who were addressing a webinar on ransomware in the cloud, hosted by Rubrik in partnership with ITWeb.

Jeff Lanza, former FBI agent, speaker and author, said that in the early days of ransomware attacks, some FBI agents would quietly advise victims of ransomware attacks to just pay. “They don’t do that anymore – it just encourages the behaviour and could also fund other criminal activity. If you identify your organisation as a ‘payer’ you may well end up on a ‘known payers list’ on the Dark Web and get attacked again. The best course of action is to have a plan for recovery without paying the ransom,” he said.

Lanza said ransomware was reported to be worth $21 billion last year, projected to grow to $265 billion by 2024, with few disincentives or consequences for criminals who carry out these attacks.

Vileen Dhutia, head of security sales, EMEA at Rubrik, said: “Ransomware is becoming more prevalent – predicted to happen every two seconds this year. Ransoms these days are in the tens of millions of rands, I haven’t seen customers able to get a PO of that size out in a week. There is no audit trail for that, and how does the CFO account for that?”

In addition, he noted that organisations could not be assured of getting all their data back even if they did pay the ransom.

“If you don’t get your data back, you also have the costs of downtime and recovery,” he said. “The volume and impact of attacks is increasing. Double extortion is bad enough, but you have POPIA to consider, and the possibility that the criminals could be short selling your stock before they attack too.”

Wouter Strydom, enterprise account manager at Rubrik, said that in South Africa a ransomware attack takes place every 27 seconds, with average ransom requests around R10 million.

Protecting data in the public cloud

Data in the public cloud is as vulnerable to ransomware as data anywhere else, they warned.

Strydom said: “There is a misconception that everything in the cloud is safe, but the cloud is basically just an extended data centre, so your own tools, policies and procedures must be extended to the data that sits in the cloud. Siloed approaches to managing data in hybrid environments create inconsistencies, with different tools and processes for managing data on-premise and in the cloud. Organisations need consistency in the toolsets they use to manage data on-prem and in the cloud.”

Dhutia said: “Cloud providers, and PaaS and SaaS companies provide you with a platform, but protecting the data and ensuring cyber resilience is your responsibility. Cloud providers generally recommend that you protect your data yourself.”

“The amount of data in the cloud has grown, mission critical applications are moving to the cloud and now we have the challenge of protecting hybrid workloads,” he said.

Compounding the challenges organisations face in securing and managing complex hybrid environments is the fact that hackers understand cloud toolsets well, Dhutia said.

“What we’ve learned is that the most interesting and under-invested area of IT is incident response and recovery. Rubrik has pioneered the category of data security, starting with the zero trust model over eight years ago. Traditional backup and recovery platforms are very much a full trust model, but if an attacker has your credentials, they can access traditional backup platforms. We need to make data tamper proof and ensure that you can recover a clean copy of your backup so that the impact of an attack is lower and time to recovery is lower.”

He also recommended having an incident response plan, ensuring that it is tested and rehearsed, and keeping a copy of it printed out.