The Ultimate Guide To Fighting Ransomware

By Sumit Bansal, Managing Director, ASEAN, Sophos

Ransomware poses a very real threat to all organizations regardless of their size, industry or location.  Just recently, a Malaysian company well-known for its domain and web hosting services fell victim to a ransomware attack. The company is reported to serve more than 160,000 clients throughout the world and had some of its services disrupted in the attack. Furthermore, according to the company’s Twitter feed, which has now been deleted, it claimed that the attackers demanded US$900,000 (RM3.77 million) in Bitcoin as ransom.

Ransomware-as-a-service gangs are making it easier than ever for cybercriminals of all skill levels to get their hands on off-the-shelf, ready-to-use ransomware kits. Attackers are raising the stakes, and the first step in fighting back is in understanding the threat—what ransomware is, the costs and how to best protect your business.

Understanding ransomware

Ransomware is a malicious software designed to block access to a computer system until a sum of money is paid. In layman’s terms: It’s a cyberattack on your personal (or your employer’s) computers that locks up the machines, making all data and other assets on them and your network inaccessible, unless an amount of money is paid to the attacker (typically in a cryptocurrency like Bitcoin) in exchange for your data and computers to be freed. Your software and hardware are held for ransom by either an individual or a group of cyber attackers, who will theoretically hand back over the keys to your property once that ransom has been paid.

That is the basic kernel of what a ransomware attack looks like, but in recent months we’ve begun to see new variations. For example, in typical attacks, the attacker will encrypt your data, making it inaccessible and only offering the decryption for it once the ransom is paid. But lately we’ve seen a string of more “extortion-style” attacks. In these scenarios, when an attacker infiltrates your system, they just outright copy your data, rather than encrypt it. The victim still has access to their own machines and data. Instead, the attacker threatens to take what they’ve stolen and dump it onto the web. In a best-case scenario, a public release of private data would just embarrass the victim; in a worst-case scenario, it’s publicizing very sensitive, confidential datasets, such as national security information stolen from a government agency or healthcare records stolen from a hospital).

While extortion-style ransomware still makes up a small share of ransomware attacks overall, it’s a trend that’s slowly growing. In an independent survey commissioned by Sophos to examine ransomware trends over the past year, extortion-style attacks grew to 7% of all ransomware attacks in 2021, up from 3% in 2020.

Another primary contributor to its growth is that attacks have become increasingly more sophisticated and harder to defend against. According to surveyed Malaysian organizations, they expect to be hit by ransomware in the future with 59% citing that ransomware attacks are getting increasingly hard to stop due to their sophistication. 58% also say that ransomware is so prevalent that it is inevitable that they will get hit. Further into this, majority of Malaysian organisations (65%) agree that cyberattacks are getting too advanced for their organisation’s IT team to deal with on their own.

We’ve seen private ransomware groups increasingly adopt the tactics of nation-states, using attack methods like zero-day vulnerabilities, in-memory attacks and strikes aimed at critical points in distribution systems and supply chains. These aren’t amateur hackers; they’re professional criminal organizations using the tactics of nation-states, or, in some cases, actual nation-states themselves.

The costs of ransomware

Ransomware costs are on the rise, according to the State of Ransomware 2021 report. The global average total cost of recovery from a ransomware attack has more than doubled in a year, increasing from $761,106 in 2020 to $1.85 million in 2021.

There’s more than just the ransom payment to consider. A myriad remediation costs that come into play after an attack, include downtime, people time, device costs, network costs, lost business opportunities and money spent upgrading or overhauling IT systems.

In Malaysia, the  average cost to an organization to remedy the impact of their most recent ransomware attack reported  was RM308,834.40 in 2021. In some good news, this is a decrease from the previous year, however, businesses should not see this as an indication to relax, on the contrary, the threat is just as prevalent as ever and businesses should take the necessary steps to protect themselves from a potential ransomware attack.

3 steps for preparing your business

Considering these high costs, your ransomware experience shouldn’t be solely reactive. There are several steps you can take now to both reduce your chances of being attacked and reduce the damage, including:

1. Back up your data and store those backups off-network and off-site.
2. Deploy layered protection across as many endpoints on your network as possible.
3. Pair your anti-ransomware technology with an active threat-hunting team. Automated tech can’t do the job alone and may miss certain indicators of an attack. A 24/7 human-led threat-hunting and incident-response team can jump into action and immediately respond to potential indicators of attack that software alone might not catch.

5 steps to take if you’re hit by ransomware

In the unfortunate scenario that your business is attacked by ransomware, here are five steps you should quickly take:

1. Activate your business continuity and incident response plans.
2. Disconnect machines from the affected network. Do not shut off the power to the network altogether; doing so could eliminate the forensic evidence of the attack that will be needed for an investigation later.
3. Make sure everyone is in the loop. Ransomware is not just an issue for your IT teams. Everyone from your PR and communications shop to your legal team and insurance provider all need to be aware of what’s happening so they can coordinate in tandem.
4. Move backups and communications offline. Your backups aren’t going to be of any use if they’re just as vulnerable as everything else on your network, so make sure they’re hosted off-network and, ideally, physically off-site. Your critical communications should also go offline—phone, text, face-to-face.
5. Last but not least, don’t pay the ransom. In a desperate situation like a ransomware attack, paying the ransom feels like the easiest, fastest way to resolve the situation. But paying the ransom only incentivizes more ransomware attacks. And it doesn’t even pay off for the victims.—If you’ve invested in data backups ahead of time, skip the ransom and rely on your backups to restore your data.

The best thing you can do is assume you will be attacked. Don’t think of ransomware as a vague, abstract issue that only impacts other organizations. Everyone company is vulnerable, none are hack-proof and, chances are, your organization will be attacked at some stage. When that happens, you don’t want to be blind-sided. Accepting that a ransomware attack is inevitable , means  implementing proactive, defensive measures today.