Are you prepared for a Ransomware attack?
By Pawel Wilczynski, Cybersecurity Manager, Baker Newman Noyes.
Ransomware is a type of malware (malicious software) that encrypts a victim’s files and demands a ransom be paid in order to decrypt them. It’s a growing problem for both individuals and businesses, as the sophistication and reach of ransomware attacks continue to increase. If you’re not familiar with ransomware, this article will give you a quick rundown of what you need to know. I’ll also cover the basics of how to protect your company from ransomware, and what to do if you are hit by an attack.
According to the 2022 Verizon Data Breach Investigations Report, ransomware attacks rose 13% in 2022 (more than the last five years combined) and accounted for 25% of all cyber-attacks. It’s important to remember that ransomware by itself is really just a model for monetizing access to an organization. Ransomware was listed as the third most common attack vector, not far behind the use of stolen credentials and “other” types of attacks not caused by phishing or exploiting vulnerabilities.
Additionally, ransomware accounted for almost 70% of all malware breaches in 2022, resulting in an inability to access company data and jeopardizing an organization’s overall cybersecurity. It is not uncommon for the data of those affected by ransomware to be sold on the black market before any ransom is paid. There is also a growing trend for companies to choose not to pay attackers and instead recover their data from backups. To counter that tactic, attackers often deploy Distributed Denial of Service (DDoS) attacks alongside ransomware. This strategy overwhelms network resources, rendering them incapable of serving their intended users, so victim companies are unable to conduct business even if they have viable backup data.
In short, yes: your company is a target. You may be surprised to learn that all companies are targets, regardless of their size. Attackers often identify targets based on the company or organization that will secure the greatest “reward,” or financial impact. That might mean a single, massive attack on a natural gas pipeline, such as the Colonial Pipeline incident, or many attacks spread across dozens of smaller organizations. The rise of Ransomware as a Service (RaaS) on the dark web, where the ransomware operators will go as far as setting up a call center to assist with ransomware deployments, does not help the issue.
The reality is that any business with a working email address can be affected by ransomware. This is a question of when, not if. Companies need to have procedures in place that allow them to pivot quickly from “we’ve been threatened” to an effective response plan.
You may think that if large companies like Colonial Pipeline, Apple, or Kaseya, with their substantial security budgets, are affected by ransomware, then your small or medium-sized business doesn’t stand a chance. Not exactly!
You can take several steps to be more prepared to respond to, or even avoid, ransomware attacks. Below, I have outlined a few of the steps you should consider to respond to a ransomware attack.
Your company should have an enterprise ransomware policy in its incident management program that defines the actions to be taken in the event of a ransomware attack. This policy should be approved by the board of directors or equivalent management body at your company. A ransomware-specific incident response playbook should always include the following:
Alternatively, if your company has hired or partnered with a third-party vendor to manage your incident response plan, ensure they have created a well-defined playbook and have shared it with your team in advance.
While performing annual risk assessments, companies should include the probability and potential impact of a ransomware event, based on real-world scenarios from their respective industries and company size. Considering ransomware as a risk scenario will allow you to determine the potential impact of refusing payment, and your ability to restore or rebuild from data backups.
Protecting information relies heavily on asset inventory, data classification, and defined data flows. Without knowing what data resides or traverses which systems on your networks, the company will not be able to design adequate controls to protect classified data.
Companies should have approved and implemented Vulnerability and Patch Management Policies to identify, assess, track, and remediate vulnerabilities affecting all data within the enterprise. A good asset inventory will make this job much easier. Having a Software Bill of Materials (SBOM) for each critical application used to operate your business is an added advantage that will set you apart from the competition and enhance the vulnerability remediation process.
Multi-Factor Authentication (MFA) is a common control that, if implemented properly, can reduce the risk of a ransomware incident. However, recent breaches at several high-profile companies, including Cisco, happened because of MFA fatigue. In this and many other incidents, attackers exploited the human factor and sent repeated MFA push requests, hoping at least one would be approved by the user. When users approve prompts for sign-ins they did not originate, attackers gain access to the enterprise systems.
User education, combined with proper configuration of security controls and settings, can help prevent such incidents.
Most companies have already implemented data backups, but it is also imperative to test regularly that those backups are sufficient to restore your systems within the required time. It is equally important to make sure backups are segregated from the rest of the network, to protect them from attackers.
Security awareness training plays a big part in your company’s ability to prevent a ransomware attack. Providing regular training, where users learn how to spot, avoid, and report phishing attempts, can reduce the risk of an incident. It is also essential to conduct periodic phishing exercises to make sure employees recognize phishing attempts and report them to appropriate parties.
A ransomware readiness assessment can help identify gaps in the controls, processes, or procedures that make a company vulnerable to a ransomware attack or would hinder its response. Companies can conduct ransomware readiness assessments using internal staff or a trusted partner. They can also choose a hybrid model in which they hire a vendor and have their internal team work alongside the third party, leveraging the knowledge and experience on both sides.
You have the power to respond—not react—to the attack!