Ransomware – how to stay one step ahead

In this article, Anthony Green, CTO of cyber security consultancy firm FoxTech, tells businesses how to stay one step ahead when it comes to ransomware.

There’s no doubt that ransomware is a threat to businesses all over the world. It’s one of the most devastating forms of cyber attack, and it costs the global economy an estimated USD$20 billion in 2021. For those hit by an attack, recovery cost an average of USD$1.8 million, and a third of companies were forced to pay the ransom to retrieve their data.

What is ransomware and how does it work?

Ransomware is a form of malware which can either lock you out of your network or encrypt all your data. Once your system has been infected, the malware will ask you to pay a ransom (typically in an untraceable cryptocurrency such as Bitcoin) in exchange for the return or decryption of your data.

How and why is the ransomware landscape changing?

It sounds like a cliché, but ransomware attacks rely on the element of surprise, which is why cybercriminals are notoriously agile. By constantly changing their tactics, threat actors bewilder their victims and incite a sense of panic that results in the ransom being paid.

2021 saw several major ransomware attacks. Probably the most high-profile were the Kaseya attack and the Colonial Pipeline attack. This led to the US government demanding consequences for major threat actors, contributing to ransomware operator REvil being infiltrated and shut down.

However, this hasn’t solved the problem. Other attackers are keen to avoid similar retribution so many operators are staging false shutdowns and reopening under new names. Ultimately, cybercriminals are extremely agile and elusive, so ransomware is not going away any time soon. Businesses need to get informed and take the right steps to increase the resiliency of their systems.

So, how are ransomware attackers operating, what tactics are hackers currently using, and crucially, how can businesses protect themselves?

FoxTech provides its guide below:

Ransomware as a Service (RaaS)

In 2021 we saw the effects of Ransomware as a Service (RaaS). The RaaS model has expanded massively in recent times, and it’s big business. It facilitated a huge rise in ransomware attacks in 2021, a trend which is predicted to continue throughout 2022.

How does it work? Malicious RaaS companies operate in a similar way to legitimate Software as a Service (SaaS) providers. They have websites, feature updates, community forums and subscriber benefits as well as portals to keep track of your attack attempts. Inexpert hackers who would not be able to develop ransomware code themselves can become RaaS affiliates or pay for a ransomware package. This gives them access to malware developed by a RaaS operator which they can use to launch sophisticated ransomware attacks.

The rise of RaaS means that ransomware attacks are now quicker and easier to carry out. On the other hand, cyber security experts may be able to identify which RaaS operator an attack is coming from by analysing their tactics. Knowledge of the operator’s model in previous attacks can help experts decide how to proceed with a current attack to mitigate the financial and data losses.

How to protect yourself:

  • If you become a victim, contact a cyber security expert immediately – they will have knowledge of each RaaS operator’s model in previous attacks and may be able to identify which operator an attack is coming from by analysing their tactics. This can help them decide how to proceed with a current attack to mitigate the financial and data losses
  • Prevention is always better than cure. Invest in expert cyber security monitoring from a Security Operations Centre that can identify breaches before an attack is launched, and regularly patch vulnerabilities to your network
  • Conduct cyber security training with your employees – most ransomware attacks originate with a phishing email. The National Cyber Security Centre offers an excellent free training programme

Targeting medium-sized businesses

Research on the first quarter of 2022 by threat intelligence firm Analyst1, has shown that cybercriminals are shifting ransomware tactics away from corporate ‘big game hunting’ and instead attacking medium-sized businesses.

After the string of high-profile ransomware attacks in 2021, and the subsequent international pressure to find and dismantle criminal groups, it is thought that the major threat actors are keen to remain under the radar with lower-profile attacks. In addition, smaller companies are likely to be less prepared to deal with an attack, and often have more IT vulnerabilities than large corporate companies.

How to protect yourself:

  • Know your risk, so you can begin to mitigate it. FoxTech offers a free Cyber Risk score which operates like a credit score for your cyber security
  • Smaller businesses that do not have the capacity to employ cyber security experts in-house should look to find a trusted cyber security partner specialising in small and medium businesses
  • Ensure all your security software is correctly configured, and check that none of your sensitive information is internet-facing
  • Test your vulnerability to attack using penetration testing (also known as ethical hacking)
  • Don’t rely on an MSP for cyber security. They’re great at what they do, but most are not security experts and are themselves vulnerable to attack

Distributed Denial of Service (DDoS)

In recent months, DDoS is becoming an increasingly common tactic leveraged before and during ransomware attacks. Attackers use bots to direct huge quantities of fraudulent traffic to a victim’s website and online services, seeking to overwhelm their system and prevent real traffic from getting through.

DDoS might be utilised as a distraction tactic, enabling hackers to enter new parts of the system and steal data undetected. Increasingly, they’re also used to build the pressure to pay a ransom – meaning that a DDoS attack will be threatened if a ransom payment is not delivered on time. Some hackers demand a ransom to prevent a future DDoS attack.

How to protect yourself from a DDoS attack:

  • You need a CDN or DDoS Protection service. This is a service that can filter out malicious traffic while allowing legitimate users to get through. If you already have one, make sure it is correctly configured
  • Get to know your typical internet traffic patterns, so you can identify when something’s not right
  • Implement the cyber hygiene controls recommended by the NCSC

Final advice

Businesses need to remain vigilant, but there is no need to panic. We see many organisations that do not even have many of the basic cyber hygiene controls in place. While this is concerning, we also view it as a positive, because it means there is lots of scope for businesses to make big improvements quite quickly.

Staying informed and working with cyber security experts to implement the right preventative measures will ensure that your cyber resiliency is strong and makes it far more difficult for a malicious party to penetrate your system.