How Can I Prevent a Ransomware Attack on My Company?

January 2023

In 2021, there was a significant increase in the use of ransomware against organisations across the world.

Ransomware is malware that encrypts users’ data and grants network access to threat actors. Once they have access to an organisation’s data, they threaten to leak sensitive information and halt business operations until the victim pays a ransom, hence the name.

Unfortunately, paying the ransom does not guarantee that the threat actor will decrypt your files or keep your data secure. In fact, the U.S. government’s Cybersecurity and Infrastructure Security Agency (CISA) does not recommend paying ransoms at all, since the more profitable ransomware is, the more common and complex it could become.

Instead, CISA – alongside the United Kingdom’s National Cyber Security Centre (NCSC-UK) and the Australian Cyber Security Centre (ACSC) – has specific recommendations for how to prevent ransomware attacks and minimise their impact.

How Has Ransomware Become More Common and More Dangerous?

The increase in ransomware attacks can be attributed to the COVID-19 pandemic in more ways than one: First, the use of cloud networks by businesses, government bodies, and schools has made sensitive information and critical infrastructure accessible to bad actors on the web. Second, the pandemic has lowered the income of many households as lockdowns and supply-chain issues have persisted, making online illicit activities – like the use of ransomware – a more accessible way of earning money.

As ransomware has become more profitable and accessible, ransomware enterprises have become more complex. There are now entire organisations with customer support services that walk victims through the process of paying the ransoms and decrypting their files.

These enterprises have increased their profitability by selling stolen data to other scam artists. That means that once a victim’s data has been stolen, multiple criminal organisations could use it to threaten and extort them.

How Could Ransomware Get Into My Network?

The most common strategy threat actors employ is phishing. Phishing is a fear tactic in which cyber criminals pose as a legitimate entity – such as the IRS, law enforcement, or antimalware software – and contact individuals to inform them of a problem – say, an issue with their most recent tax filing, an arrest warrant, or most ironically, a security breach in their network.

To address the problem, they tell users to click on a link, which then downloads ransomware onto the user’s computer, giving the threat actor access to their data and network.

How Can I Prevent Ransomware from Impacting My Organisation?

Here are the measures that CISA, ACSC, and NCSC-UK recommend an organisation take to prevent ransomware attacks:

• Keep software up to date.
• Train employees on how to spot phishing and how to handle ransomware attacks.
• Use unique passwords and enable multi-factor authentication (MFA), especially on administrative accounts.
• Segment networks so that breaches only impact portions of it rather than the whole thing.
• Limit operations that take place on the cloud.
• Enable spam filters.
• Back up files regularly, separately from one another, and onto a separate network.

Most importantly, they recommend not paying the ransom, since that would encourage cybercriminals to continue using ransomware to extort money.

How Should I Respond to a Ransomware Attack?

Should ransomware breach your organisation’s network, it is important to act fast and follow these best practices:

• Record the name of the file that was downloaded and the contents of the ransom note. This can be done quickly by taking a picture of the screen with your phone. It’s also useful when working with IT professionals and the authorities.
• Turn off the infected device. This interrupts the encryption process, and it may even prevent ransomware from spreading through the network. Do not turn the device back on yourself – enlist the help of an IT professional.
• Manually disconnect all other devices in the network. By turning them off using the power button or by unplugging them, they are disconnected from the network, which may slow the spread.
• Change your passwords. Enable MFA if you haven’t already.
• Locate backups. Do not connect uninfected backups to the network, as that will expose them to the malware. If you have no uninfected backups, an IT professional may be able to help recover your encrypted data, but there is no guarantee that they’ll be able to.
• Remove ransomware. This is done by wiping infected drives and devices and reinstalling their operating systems, which permanently deletes the data that was stored on them.
• Restore information from the backup. Once your computer and network are ransomware-free, it is safe to upload uninfected backups.
• Notify authorities of the attack. This can help to protect you from being targeted again and prevent threat actors from targeting others.

While ransomware has become more commonplace in the era of working from home, your organisation can take steps to prevent and recover from attacks. By quickly responding to security breaches and reporting them, you minimise both their impact on your organisation and the likelihood that they will strike again.

*The information in this post is provided for general information only and does not take into account your personal situation. You should consider whether the information is appropriate to your needs, and where appropriate, seek professional advice from financial, legal and taxation advisors. Although every effort has been made to verify the accuracy of the information as at the date of publication, Geared Finance, its officers, employees and agents disclaim all liability (except for any liability which by law cannot be excluded), for any error, inaccuracy, or omission from the information for any reason, including due to the passage of time, or any loss or damage suffered by any person directly or indirectly through relying on this information.
