Ransomware attacks are on the rise; it’s a multibillion-dollar crime syndicate that’s only going to get worse. Baker Tilly’s cyber security specialists discuss common weaknesses and how to effectively prepare for the inevitable, because it’s a matter of when, not if, a business gets hit. It’s the customer service story you never want to tell. What we say is it’s not a question of if you’re going to be hit someday with ransomware, but when.
A simple crime with a sting in the tail
What sets ransomware apart from many other kinds of cyberattack is the simplicity of the crime, which combines both technological and psychological attacks on the victims. Unlike malware that might corrupt files, ransomware uses encryption tools to lock them, so they are just out of reach of a business that desperately needs its systems and data to be able to continue shipping goods, paying staff, responding to customers or delivering on contracts.
While it is relatively easy to enact this encryption — some ransomware tools trade on the dark web for as little as $70 — the lock is also very difficult to undo.
For many companies, the cost of paying the ransom is relatively small. Although some targets are hit with ransoms significantly higher, that kind of price is in the reach of many businesses, according to Baker Tilly experts, making it more tempting to authorize payment in Bitcoin or another cryptocurrency commonly used to make the transaction untraceable. But the cost of ransomware goes far beyond the ransom payment. Besides an average downtime of three weeks, 80% of ransom attacks now include the threat to leak company data, which can trigger its own crisis in terms of loss of trust (reputational risk) and breach of privacy.
Then there are the recovery and business interruption costs, even if a ransom is paid. In fact, a survey by cybersecurity group Sophos of more than 5,400 companies earlier this year found that of those who were attacked and paid up, only 8% recovered all their data, and on average only two-thirds of files were restored.
Risks of ransomware
As gangs’ techniques and tools develop, they’re also shifting tactics, with one attack every 11 seconds.
Starting with a risk assessment is always the best course of action because it helps you understand your risks’ significance, criticality, and impact. Then you must prepare to handle the risks and respond to them efficiently. This necessitates a variety of actions, including securing the systems, educating the users, conducting periodic awareness programs, and installing all available security updates.
Email phishing attacks and compromised remote access remain the main vectors for ransomware. Usually, end customers click a link and download anything without thinking. So you begin by safeguarding your endpoints and systems, and you pay close attention to backups and incident response strategies, as well as how you might use them to recover if necessary.
Balancing convenience with risk
The kinds of preventative steps needed to keep a company safe are not necessarily difficult to implement from a technical standpoint, but they pose a challenge to workplaces reliant on having seamless access to data, files, servers and systems on demand.
If you think about where ransomware is successful, everybody wants to pin it on the person who clicked the link, but when you start to unravel a successful ransomware attack, you must go all the way back to the beginning.
Anticipating the likelihood of an attack also means having a robust disaster recovery plan.
Many businesses hesitate to implement controls that prevent an authorized — or unauthorized — user rampaging across systems because of the inconvenience, and this only opens the door for employees to be tempted rather than fooled into clicking a link that could bring the business to its knees.
Our experts have seen clients who, when confronted with the risks, believe they are somehow immune to ransomware because they store files or use software based in the cloud. Although that might be more secure than using an old server, it is not a perfect solution, since ransomware can move from one data centre to another via your company and malware can encrypt files in the cloud.
We have clients who think that if they put their data into the cloud through Microsoft then everything will be secure, or that their cloud provider will be able to detect and protect against threats. Sometimes they can, sometimes they can’t, but that’s a complex picture. Breaches in the cloud often boil down to a company not configuring its cloud access properly.
Preparing a gameplan
Planning is key for the best chance of protecting the business. Organizations can consider several solutions that can all prevent an attack from being successful. Something as simple as keeping all systems up to date with the latest versions and patches is a good first step. The vast majority of ransomware abuses known security issues in common operating systems and applications such as Microsoft Windows, Office and Acrobat Reader. These software providers have usually already provided patches and upgrades, and it is on organizations to ensure these patches and upgrades are applied as quickly as possible in their IT environment.
It is estimated that between a third and a half of infected companies pay something to criminals holding their data to ransom, but there is no guarantee you will get your data back, regardless of whether you pay.
Educated staff are less likely to open infected attachments which put the organization at risk. Training staff about ransomware and security risks greatly reduces the risk of infection. Users can be trained to identify phishing emails and malicious messages including ransomware.
There are many products in the marketplace but there is no guarantee they detect the latest versions of ransomware.
However, organisations must be proactive to minimise the harm of a potential ransomware attack.
Organisations must ensure they always have recent and complete backups, which will be a serious lifesaver if you are targeted and want to recover data without paying the ransom. You should not only back up all your data, but also regularly test the backups to ensure they are complete, accurate and useful. There are regular incidents where organisations discover that the backups they thought they had were incomplete or useless, leaving them in exactly the situation they tried to prevent.