Huge rise in ransomware attacks as UK businesses offer hackers easy money
How to protect mission-critical systems from ransomware attacks
Ransomware attacks have been a growing threat in the IT industry for a number of years — and recent research has shown they are increasing in prevalence during the COVID-19 pandemic. According to figures from the Department for Digital, Culture, Media and Sport, 8% of UK businesses experienced a ransomware attack in the past 12 months with the figure rising to 14% and 16% among medium and large organisations respectively. While 58% of UK based SMEs are reported to pay ransoms.
With remote communication now the norm rather than the exception, phishing emails have emerged as one of the most popular exploits for delivering ransomware payloads to users. However, phishing emails are far from the totality of threats facing users and the reasons why ransomware attacks are rising are multifaceted. In this blog post, we are going to look at the DNA of ransomware attacks, who orchestrates them, and how to mitigate them.
A wide perimeter is an attacker’s dream
Traditionally when targeting mid-sized businesses, ransomware attacks are motivated by profit. After encrypting the target’s files (or filesystem), attackers hold the documents for ransom until it is paid, typically by cryptocurrency which allows the attackers to remain anonymous and evade prosecution.
For attackers, targeting centralised resources - like major on-premise systems - made the most sense as targeting the most valuable information could warrant the highest ransom payment. The potential payback from one successful breach could be massive, although equally cybersecurity defence teams had relatively few entry points into the network to focus on securing. The stakes, for both parties, were higher.
Today, with more workers than ever before operating remotely the security perimeter has shifted from the office to every worker’s home network. While company-supplied devices such as laptops can be secured, unlike the office environment, cybersecurity teams typically have no control over firewalls or application security controls on the devices in the remote worker’s network, particularly if they are using personal devices for work. Thus, the attack surface and vulnerability has increased at both the application and network layers.
While ransomware attacks on mid-sized businesses rarely get reported in the media, the successful attacks on public organisations such as Bletchley Park  and Newcastle University, which are a similar size to many SMEs, are indicative of the sweeping trend which leaves almost no organisation safe.
Cloud and remote working creates vulnerabilities
The substantial widening of the attack surface has given hackers more opportunities to inject payloads onto lucrative major corporate filesystems through targeting the networks and devices of regular users.
As a result of the coronavirus pandemic, many businesses are opening the attack surface as workers connect to company resources through a VPN. When these workers access the internet from untrusted connection locations, such as public hotspots, this increases the probability that man in the middle (MITM) and other exploits will be used to indirectly initiate ransomware attacks. Poor password management in these situations presents an additional risk factor, especially when MFA (multifactor authentication) is not configured.
Additionally, business data held in the cloud is being secured by teams (external or internal) that are managing these services. The overall probability that users with higher system privileges, will fall victim to a phishing attack or similar exploit leading to a ransomware encryption has likely increased.
Examples of common attacks include encrypting:
- drives on private laptops
- cloud-hosted file systems, like Google Drive or Dropbox
The rise of the cloud that has been evident for some time has also meant that more mission critical business resources like CRM and ERPs are being clustered online. The security of these can also indirectly lead to ransomware attacks where the cloud-service provider is the subject of an attack.
Knowledge is key
Staying one step ahead in today’s multifaceted threat landscape requires an awareness of emerging attack strategies and attackers’ “best practices.” Threat intelligence, in particular, can provide cyber security and IT managers with the advance knowledge of which company systems might be targeted by attackers and which vulnerabilities need to be patched before it is too late. CyberGuard Technologies, in partnership with Kaspersky, provides clients access to Global Threat Intelligence Services.
Additionally, vulnerability scanning can help businesses audit the safety of their existing systems and detect potential malicious code or files that have already been injected onto systems. Once identified they can be safely quarantined.
Both these elements (threat intelligence and retrospective knowledge) can help IT administrators to set down more effective guidelines designed to help remote users keep critical business systems safe, and should be part of a baseline set of security practices rolled out throughout the business. For example, ensuring that the company has:
- a strong backup strategy in place
- a firewall to protect all central applications, for example making sure that every cloud resource is protected by an effective Web Application Firewall (WAF)
- multifactor authentication (MFA) in place wherever possible
- implemented proper measures to protect web and email security
- made sure patches are applied regularly and they are kept up to date.
Ransomware is big business
Market research  has indicated that ransomware attacks cost UK businesses £346 million per annum. The rise in attacks, which many businesses are experiencing because of the coronavirus pandemic, is likely to see that figure grow substantially over the rest of this year.
With more users than ever before connecting to more cloud resources from a wider variety of networks than ever, it’s imperative that IT managers do everything in their power to prevent their mission-critical information repositories from falling victim to ransomware attacks. Threat intelligence and a comprehensive security audit are just two good starting points for those who do not feel like shelling out to cybercriminals in ransoms.
To discuss your cyber security provision contact one of our Cyber Security Consultants by emailing [email protected].