COVID-19 has made 2020 a terrible year for many businesses, bringing unprecedented challenges that many have struggled to overcome. The year was made worse by cybercriminals stepping up their attacks, with ransomware used to pile even more misery during extremely challenging times.
Ransomware is nothing new of course. It has been used since the early 2000s to extort money from individuals and businesses. Ransomware grew in popularity in the mid-2010s when encryption methods were adopted that were tough to crack, and the past couple of years have seen ransomware grow into the biggest cyber threat for businesses, and 2020 has been especially bad.
In Q3, 2020, ransomware attacks increased by 40% according to data from Kroll. Almost 200 million attacks occurred in the quarter, and attacks continued to increase as the year progressed. Not only are more businesses now being attacked, the amount demanded by the attackers has also dramatically increased. A report from Coveware, a firm that assists companies recovering from ransomware attacks, indicates ransom demands doubled in Q4, 2019 and there has been another doubling of demands in 2020. A recent H1 2020 Cyber Insurance Claims Report from Coalition indicates 87% of all cyber-related insurance claims are the result of ransomware attacks.
Ransomware gangs have also adopted a new tactic to increase the likelihood of their ransom demand being paid. In 2019, the Maze ransomware gang started stealing data prior to encrypting files and using double extortion tactics. In addition to paying to recover data, victims had to pay to prevent the public release of their stolen data. Since then, at least 17 ransomware gangs have adopted this tactic and threaten to publish or sell stolen data if the ransom is not paid.
The healthcare industry was hit particularly hard by ransomware in 2020, especially in the latter half of the year. Healthcare systems and hospitals have been battling with the pandemic and during these extremely challenging times they have been targeted by ransomware gangs. There was a major spike in attacks on hospitals in September and the attacks have continued at high levels since.
The pandemic has given ransomware gangs new opportunities to conduct attacks, as more remote workers introduced vulnerabilities that are easy for the gangs to exploit. Vulnerabilities in new VPN and remote access solutions are exploited, emails spreading ransomware have targeted remote workers, and ransomware has been delivered via drive-by downloads masquerading as free online collaboration tools. COVID-19 has also been exploited in lures that deliver ransomware, first offering advice on the new virus, then possible cures, and latterly vaccine related lures.
The large increase in attacks toward the end of 2020 does not bode well for 2021, and there are no signs that ransomware activity will fall in 2021. In fact, the situation may even get worse before it gets better. As long as ransomware attacks continue to be profitable, the attacks will continue. What businesses need to do is make sure they take steps to block attacks, identify them quickly when they do occur, and make sure they have a plan in place to help them recover quickly should disaster strike.
Some of the important steps to take to prevent, detect, and limit the severity of an attack are summarized below:
Prevention
With so many methods of deploying ransomware, there is no single solution that will prevent all attacks. You should therefore consider the following:
- Implement an advanced spam filter with best of breed protection against malware and ransomware, that uses signature-based detection to block known ransomware variants and sandboxing to identify new threats.
- Ensure patches are applied promptly and software is updated quickly to the latest version.
- Train your staff how to recognize email-based threats and provide general security training to eliminate risky behaviors.
- Stay up to date on the latest threat intelligence and take proactive steps to address threats.
- Use a web filtering solution to block access to risky and malicious websites to prevent downloads of ransomware from the Internet.
- Enforce the use of strong passwords to prevent brute force attacks.
- Implement multi-factor authentication wherever possible.
Detection
If you can detect unauthorized accessing of your systems in real time, you may be able to block an attack before ransomware is deployed. Many threat actors spend time moving laterally to identify as many devices as possible before conducting an attack and they will attempt to find and exfiltrate data, which provides a window to detect and block the attack. You should implement a monitoring system in place that generates alerts when suspicious activity is detected and, ideally, one that can automatically remediate attacks when they are detected. Many attacks occur at the weekend and public holidays when monitoring by IT teams is likely to be reduced so consider the mechanisms you have in place when staffing levels are lower.
Remediation
You may not be able to block an attack, but you can prepare and limit the damage caused. First and foremost, backup your data as you do not want to be at the mercy of the attackers. Ensure a backup is stored in a location that cannot be accessed from the network where the data resides, store a copy of a backup on a non-networked device, and ensure backups are performed regularly and are checked to make sure data can be recovered.
You should also create a disaster recovery plan that can kick into action as soon as an attack occurs to make sure your business can continue to function until the attack is fully mitigated.