Ransomware attacks in the new digital norm: How can businesses mitigate risks?
By Peerapong Jongvibool
Cyber threat actors are constantly adapting to the changing security landscape as they upgrade their tools and amplify their strategies in exploiting network vulnerabilities.
With the implementation of remote work, businesses of all sizes have been the target of cybercriminals during the COVID-19 pandemic. Employees connecting to corporate resources from often poorly secured home networks and devices served as an entry point for ransomware attacks, and various social engineering techniques such as phishing and CEO fraud target this weakness.
According to a recent Global Threat Landscape Report from FortiGuard Labs, ransomware attacks increased sevenfold in the last half of 2020 and became even more disruptive. The report also shows a steady increase in ransomware attacks involving data exfiltration, which subsequently leads to extortion and threats to release the data if the ransom is not paid.
In Singapore, according to the recent 2020 Singapore Cyber Landscape report, the number of reported ransomware cases increased by 154 percent compared to 2019. While most of the incidents reported were from Small and Medium Enterprises (SMEs), ransomware operators were observed to be targeting larger companies in the manufacturing, retail and healthcare sectors.
Targeting a disrupted and unsuspecting remote workforce, cybercriminals trick users into divulging critical data such as access credentials or passwords and other personally identifiable information (PII).
The attack sequence starts by exploiting people’s concerns about the pandemic, as well as other social events such as elections.
Upon gaining access to the employee's computer system, hackers then deploy malware that spreads across the network. Once enough systems have been compromised, the hacker triggers the malware to encrypt all infected systems, rendering the files and data on those devices inaccessible to the organisation. The hacker then attempts to extract a monetary payment from the organisation in exchange for the key needed to decrypt the compromised files. Anxious to regain control of their data and avert a potential leak of confidential proprietary information should hackers sell it on the darknet, some organisations cooperate with the perpetrators. Because the attackers have the power to inflict reputational, financial and legal damage on the company, victim organisations are compelled to negotiate with them and pay the ransom.
High-profile cases such as the Colonial Pipeline attack in May 2021 highlight the potential of cyberthreats to hold critical systems to ransom and hamper those systems' ability to deliver essential goods and services.
According to a report from the Identity Theft Resource Center (ITRC), ransomware payouts have grown to more than USD 233,000 per event in 2020 from USD 10,000 per event in Q3 2018. However, cooperating with cybercriminals is equally risky, as there has been a growing number of incidents where the victims did not receive the decryption keys to their data even after the ransom had been paid.
Integrated Approach of People, Process & Technology against Ransomware Attacks
Protecting organisations from a ransomware attack should involve keeping updated backups of critical files offline and scanning devices that are trying to access the network to offload malware. However, beyond these steps, companies should also understand how a ransomware attack works.
With remote and hybrid work setups, phishing is the primary starting point for other forms of cybercrime such as ransomware. Thus, cybersecurity awareness and training should not be limited to IT teams and must be extended to all employees to keep cyberattacks at bay. By providing employees with training on cybersecurity hygiene best practices and keeping them informed of current security threats, businesses can improve their overall cybersecurity posture.
The primary goal of ransomware attacks is to encrypt their victim's files. Rather than fighting this process, IT security teams can beat cyber attackers at their own game by surreptitiously redirecting them to take over fake files intentionally created and placed on the network.
This allows organisations to create a fabricated network that automatically deploys attractive decoys that are indistinguishable from the traffic. This pseudo network is then seamlessly integrated with the existing IT and operational technology (OT) infrastructure to lure attackers to reveal themselves.
Once the ransomware compromises an endpoint and starts to encrypt local and network drives, the decoy can immediately detect the malicious activity and simultaneously isolate the infected endpoint to protect the rest of the network.
By using the ransomware's encryption activity against itself, security teams can locate the ransomware, limit its movement and mitigate its impact.
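The decoy-file idea described above can be illustrated with a small sketch. This is an added example, not code from the article or from any vendor product: the decoy file names, the entropy threshold of 7.0 and the isolate callback are assumptions chosen for illustration.

```python
import hashlib
import math
from collections import Counter
from pathlib import Path

# Constructed decoy names; a real deployment would mimic local naming habits.
DECOY_NAMES = ["payroll_2021.xlsx", "passwords.txt", "board_minutes.docx"]


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; encrypted data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def deploy_decoys(share: Path) -> dict:
    """Write decoy files and return a baseline of path -> SHA-256 digest."""
    baseline = {}
    for name in DECOY_NAMES:
        body = (f"CONFIDENTIAL - {name}\n" * 40).encode()
        path = share / name
        path.write_bytes(body)
        baseline[path] = hashlib.sha256(body).hexdigest()
    return baseline


def check_decoys(baseline: dict) -> list:
    """Return (path, reason) for every decoy that no longer matches its baseline."""
    alerts = []
    for path, digest in baseline.items():
        if not path.exists():
            alerts.append((path, "missing (deleted or renamed)"))
            continue
        data = path.read_bytes()
        if hashlib.sha256(data).hexdigest() != digest:
            # No legitimate user should edit a decoy, so any change is an alert;
            # high entropy (assumed threshold 7.0) points to encryption.
            kind = "encrypted-looking" if entropy(data) > 7.0 else "modified"
            alerts.append((path, kind))
    return alerts


def respond(alerts: list, isolate) -> bool:
    """Call the hypothetical isolation hook (e.g. an EDR or NAC quarantine) once."""
    if alerts:
        isolate(sorted(str(p) for p, _ in alerts))
    return bool(alerts)
```

Running check_decoys on a short polling interval and passing its result to respond gives the detect-then-isolate loop the text describes; because nobody has a business reason to open a decoy, every alert is worth investigating.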
Ransomware will continue to be a hot topic for the rest of 2021 and beyond as cybercriminals continue to target organisations' critical data and assets for financial gains. IT security teams should utilise all available technologies and methods to protect the company network against cyber intrusions.