It seems that everyone in the cyber security sphere is talking about ransomware these days. Last year, attacks such as WannaCry, NotPetya and BadRabbit took the business world by storm, costing billions in damages. Ransomware is by no means a new threat (it has been around since at least 2005), but it is one of the fastest growing and most costly. Cyber crime is constantly changing, and criminals keep creating new ways to steal money. Ransomware has gotten increasingly sophisticated since 2005, but the people using and deploying it haven’t necessarily – now some cyber criminals are making more money selling high-tech ransomware strains to non-technical criminals than if they were to conduct the attacks themselves. The result is that more and more ‘hackers’ have access to ransomware and need very little technical know-how to operate it, leading to more and more ransomware attacks each year. It may come as a surprise, then, to hear that the FBI received fewer reports of ransomware attacks in 2017 than in 2016 and 2015, despite the increase in attacks.
The FBI reported just 1,783 reports of ransomware attacks in 2017, compared to 2,673 in 2016 and 2,453 in 2015.
“Ransomware has doubled year over year again—it happened last year as well,” stated Gabe Bassett, senior information security data scientist at Verizon. “The reason we’re seeing this incredible prevalence is ransomware is a great value proposition for the attacker. They don’t have to do a lot of the complex work. They just drop a piece of malware and then let it run.”
“They don’t even have to understand it—there’s very low risk, very high reward,” Bassett said. “And it’s very easy to monetize through cryptocurrencies.”
However, despite the overall increase in ransomware attacks, both trust in governments and reporting to police were down in 2017. According to the FBI’s recent yearly internet crime report, it received just 1,783 reports of ransomware in 2017, far fewer than the 2,673 reports it received in 2016 and the 2,453 reports received in 2015. The drop in reporting came as a surprise, but seems to signify a shift in the way businesses see cyber crime. Trust that their governments will protect them is down, with many companies turning to private cyber security firms in order to ensure their business is not disrupted by data breaches or downtime caused by cyber attacks.
Why ransomware works – the human factor
An organisation’s network is only as secure as its weakest link. A typical business will have protections in place such as a firewall and antivirus as a bare minimum, and cyber criminals have long since learned that it is far simpler to trick a user into compromising their own network than to try to bypass complex technical security measures. It is reported that up to 96% of malware is sent through email – furthermore, one study showed that 93% of phishing emails contained ransomware in some form.
Many employees cannot spot sophisticated phishing emails, and a small percentage of ‘clickers’ is all that is required for a criminal to infect a network with ransomware. In fact, it doesn’t even need to be ‘clickers’ plural, as just one unsuspecting employee clicking on a phishing link or opening a malicious attachment can be enough for an entire business to get shut down by ransomware.
Furthermore, there is an increased risk for departments such as HR and Finance, who open email attachments on a regular basis as part of their job. This has led to cyber criminals targeting people with specific job titles at higher rates, or with more customised email scams.
This has led to the perception among some organisations that security awareness and anti-phishing training is only required for staff with access to sensitive data or who work in these fields. However, this is quite a damaging ideology to hold, as cyber criminals will ensure that they are targeting as many staff as possible. For them, it’s just a numbers game – keep sending phishing emails until they find the staff member who will happily click without realising.
Ransomware and the GDPR
Even with the GDPR only a few short weeks from coming into full force around the world, many companies may not realise that a ransomware attack can constitute a breach of the regulation. The GDPR is all about how organisations handle data, and how they fulfil their obligations to the people to whom the data belongs. Under the GDPR, EU citizens will be able to submit data access requests to companies, who will have to lawfully provide them with a copy of any data they may hold on them. The problem arises when the company in question is unable to provide that data because it has been encrypted by ransomware.
Article 32 of the GDPR contains several major technological requirements for organisations, and specifically states that businesses must have “The ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident”. It also states that businesses must have a process for regularly testing and assessing their data protection systems and data retrieval procedures.
Some businesses may think that in the event of a ransomware attack, they can just pay the criminals to get their data back, with no harm done. Unfortunately though, this has not proven to be the case, as a recent survey by CyberEdge revealed that less than half of companies who pay ransoms actually recover their data. In short, criminals are not reliable people to do business with.
The only way to ensure that your data (and your customers’, staff’s and clients’ data) is safe is to have a comprehensive backup and disaster recovery system in place – one that is robust and regularly tested to ensure it is working. Backups frequently fail, and depending on what backup system is being used, one failed backup may cause the entire chain to fail, rendering any subsequent backups useless.
How to protect against ransomware
There are three main avenues that can help your organisation stay safe from ransomware threats – security awareness training, backup and disaster recovery, and operational cyber security.
ALL staff should receive security awareness training, so that they can spot a phishing email (even a complex one) when they see one, and can keep themselves safe when browsing online. The GDPR requires this for any staff who have access to sensitive data, which in today’s business environment is everyone with a company email account at the very least. We also recommend taking this a step further and actually phishing your own users, with simulated non-malicious phishing emails, so that they keep security top-of-mind and you can show the data protection commissioner that you have a proactive approach to data security.
Most businesses have some form of backup system in place, but often it is not particularly comprehensive or frequently tested. What do you do if your backups fail in the event of a data breach, and you didn’t realise in time to correct the problem? What happens when you back up to a local hard drive, and then your premises suffers a disaster or your on-site backup hardware fails? What do you do in that situation? Backup and disaster recovery is a proactive solution, and is not something that an organisation can perform reactively – in other words, you need a proper backup system in place BEFORE disaster strikes.
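To make the “one failed backup breaks the chain” failure mode concrete, here is an added example that is not part of the original post or of any product it mentions: a small Python check that walks a full-plus-incremental backup chain, verifies each link against the checksum recorded when it was written, and reports which restore points are still usable and whether the newest one meets a recovery point objective. The backup names, dates, checksums and the damaged link are all constructed for the example.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Backup:
    name: str
    parent: "str | None"      # None marks the full backup; otherwise the previous link
    taken: datetime
    recorded_sha256: str      # checksum written when the backup job finished
    data: bytes               # what can actually be read back now (constructed)

def make_backup(name, parent, taken, data, corrupt=False):
    """Constructed helper; corrupt=True simulates on-disk damage to one link."""
    stored = data[:-1] + b"\x00" if corrupt else data
    return Backup(name, parent, taken, hashlib.sha256(data).hexdigest(), stored)

def verifies(b: Backup) -> bool:
    """A link is sound only if its current bytes still match the recorded checksum."""
    return hashlib.sha256(b.data).hexdigest() == b.recorded_sha256

def restorable_points(chain: dict) -> dict:
    """An incremental is restorable only if it AND every ancestor back to the full verify."""
    memo = {}
    def ok(name):
        if name not in memo:
            b = chain[name]
            memo[name] = (b.parent is None or ok(b.parent)) and verifies(b)
        return memo[name]
    return {name: ok(name) for name in chain}

def newest_restorable(chain: dict, now: datetime, rpo: timedelta):
    """Return (name, within_rpo) for the latest usable restore point, or (None, False)."""
    usable = [chain[n] for n, good in restorable_points(chain).items() if good]
    if not usable:
        return None, False
    latest = max(usable, key=lambda b: b.taken)
    return latest.name, now - latest.taken <= rpo

# Constructed chain: Wednesday's incremental is damaged, so Thursday's rests on a bad link.
T0 = datetime(2018, 5, 7, 1, 0)
CHAIN = {b.name: b for b in [
    make_backup("full-mon", None, T0, b"full image"),
    make_backup("inc-tue", "full-mon", T0 + timedelta(days=1), b"delta tue"),
    make_backup("inc-wed", "inc-tue", T0 + timedelta(days=2), b"delta wed", corrupt=True),
    make_backup("inc-thu", "inc-wed", T0 + timedelta(days=3), b"delta thu"),
]}
NOW = T0 + timedelta(days=4)   # constructed "now": the day after the last backup
RPO = timedelta(hours=24)      # constructed recovery point objective
```

Run on a real backup catalogue, a check like this is what “regularly tested” means in practice: the Thursday backup exists and reports success, yet the newest restore point you can actually use is Tuesday’s, three days outside the 24-hour objective.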
There are many simple steps that IT admins can take to stop ransomware from infecting and spreading through a network. These measures include renaming and changing default admin credentials, restricting admin access for users who don’t need it, using robust email, web and DNS filtering, and much more. Many of these measures are affordable to implement, as they only need to be configured and don’t necessarily require purchasing new hardware or software. However, cyber security is constantly changing and requires constantly evolving expertise – either from an in-house cyber security specialist or through outsourcing to a specialist cyber security firm.
Ransomware protection requires a layered approach
No one measure is going to keep an organisation safe from ransomware, and no one measure is going to satisfy the stringent requirements of the GDPR. In fact, the GDPR purposely uses vague terminology to ensure that companies must adhere to current industry best-practice instead of enshrining today’s best practice in the rules.
To reiterate a point we made earlier, a network is only as safe as its weakest point. That means that common cyber security weaknesses cannot be neglected by businesses if they want the best chance of complying with the GDPR and preventing a data breach.
Furthermore, the measures that are currently in use to keep a network safe may be circumvented by hackers at any time, and new measures will be developed to combat new threats. It is not enough to review cyber security every few years – your cyber security team or outsourced provider must constantly be learning and reacting to threats as soon as they crop up.
Tech Guard has developed a bundle for small-medium enterprises to get the IT essentials up to scratch for the GDPR and aid compliance with the complex regulation. Speak to us today to learn more.