Is Your Business Exposed to Ransomware Attacks?
From 2017 through 2018, the incidence of ransomware attacks declined significantly. Your initial reaction to this statement might be to conclude that ransomware is something you no longer need to worry about. Reaching this conclusion and taking a 'do-nothing' approach is not wise, and it increases your risk of attack. The rate of ransomware attacks is declining, and the average ransom demand is falling. However, the impact on those affected remains significant. Cybercriminals remain a threat to the security of your network and to the profitability of your business.
What is a Ransomware Attack and Who is at Risk?
A ransomware attack occurs when malicious code infiltrates a computing system and disables access to its data and functions. While the specific mechanisms of infiltration continue to change, the consequences of a ransomware attack remain consistent. When ransomware invades your system, the system becomes inoperable.
Ransomware can be grouped into two main types: Commodity Groups and Targeted Groups.
Commodity groups are designed to promote a high volume of attacks. The operating schemes may be less complex than targeted ransomware, but the cumulative effect of this type of invasion is very high.
Ransomware-as-a-Service (RaaS) is provided by a vendor for the purpose of hijacking IT systems. Some of these vendors offer technical support and customizable attack variables such as the ransom demand price. RaaS includes platforms such as GandCrab, Saturn, and Data Keeper, all new in 2018. An example of how RaaS can work is provided below (GandCrab). Details for each of these are provided in a report by Barkly.
GandCrab – Cybercriminals deliver this malware by tricking victims into downloading exploit kits and by sending fake PDF files for download in spam emails. Executing these files activates malware attached to the downloaded file. The malware initially terminates running Microsoft system files, which allows it to then encrypt the user's files with the .GDCB extension. At this stage, the computer receives a ransom demand. The Romanian government has delivered a decryption key to affected users. Soon after, the software developer released GandCrab V2, which is immune to the decryption key provided by the Romanian government. Some commercial cybersecurity firms claim to have solutions available to prevent infection by GandCrab V2.
GandCrab is only one example of many RaaS platforms, most of which include several variants, each with unique attack modes and decryption requirements. Maintaining up-to-date awareness of this large volume of emerging cybersecurity risks is a full-time job.
The Targeted Group type of ransomware does not operate on a high-volume basis to generate profit. Instead, the cybercriminals customize ransomware attacks. The attacker carefully selects specific targets perceived to have a motive for paying a high ransom. Most often, cybercriminals target businesses and health organizations because a shutdown of their IT systems can be catastrophic to their critical business workflow.
With a targeted attack, the attack does not typically occur immediately after the malicious code is planted. Before activating the attack, the cybercriminal typically monitors system activity for weeks or months. This helps them learn the system's vulnerabilities, identify valuable assets, and carefully plan the attack to maximize impact.
A good example of a targeted ransomware attack is SamSam. This virus spreads by means other than phishing or opening email attachments. The virus enters the system initially through exposed RDP connections or by a cybercriminal using stolen system access passwords. Upon entering the server, the malware finds administrative credentials and uses them to spread the virus to other computers in the network. Then the malware deploys the ransomware and issues a ransom demand.
Consequences of Ransomware Attacks
According to a Symantec report, the average ransom demand fell from over $1,000 in 2016 to $522 in 2017. The same report suggests, however, that although the ransom price fell, the number of variants increased by 46% in the same time period. This supports the conclusion that the threat of ransomware continues. Most importantly, you should know there are greater concerns than the ransom demand price. The real cost of a ransomware attack is much more than the ransom demand.
Sophos reported on a survey polling more than 2,700 IT decision-makers from mid-sized businesses across ten countries. This report suggested the average total cost of a ransomware attack in 2017 was $133,000. Further, 5% of respondents reported ransomware attacks that cost $1.3 to $6.6 million. The majority of costs above and beyond the ransom demand stem from the following aspects, which are commonly associated with a ransomware attack.
System downtime: Employee labor cost (including overhead) continues to accrue while your system is down. You cannot charge your customer for this lost time. This cost is borne by your company.
Failure to deliver on business commitments on time: Your production schedule slips while your system is down. As downtime accrues, your operating expense increases due to overtime put in to bring the schedule current. You may fail to deliver product to your customers on time. This can result in damage to customer relationships, and even loss of contracts.
Inability to take new business during downtime: If your business operation includes frequent processing of new orders, you may lose revenue when your customers place orders with your competition while your system is down.
Potential permanent loss of data: In many instances, the hackers do not provide a decryption key after the ransom is paid. When this happens, unless you have a good real-time backup on a network separate from the one attacked, you may permanently lose data. The cost of such an occurrence can be catastrophic to your business.
Reducing Risk of Ransomware Attacks
Considering the significant consequences of ransomware attacks, you would do well to reduce the risk of attack. You also need to ensure you have a good real-time backup of your data in a location outside your computing network. This will reduce the potential for permanent data loss in the event an attack occurs. Additionally, you should consider the following opportunities to reduce your risk of attack and to reduce the consequences should a ransomware attack occur.
Strategic assessment of IT system architecture – Performing a strategic assessment of your IT system architecture, with a strong focus on cybersecurity, can enhance your ability to meet your business objectives. This activity will help you understand in detail which elements of your system are necessary to deliver optimum business performance. This in turn can help you determine which elements of your IT system can be eliminated or reconfigured to produce the best results while simultaneously reducing your cybersecurity risk.
Optimize selection/operation of AV software – Many anti-virus software options are available on the market to help you reduce your risk of a cybersecurity breach of your network. There is no single best system for all businesses. It makes sense to match your specific business workflow and accompanying exposure to cybersecurity threats with the various options for cybersecurity protection.
Seek help from a competent IT MSP – The challenges of ensuring cybersecurity are great. A competent IT MSP can help you effectively assess your cybersecurity risks and develop and implement plans to reduce your risk.
Effective Cybersecurity Risk Management
Maintaining up-to-date awareness of emerging cybersecurity threats is a full-time job. Effectively managing this monumental task requires significant dedicated resources and access to real-time information. Such a daunting task is very expensive for a non-IT business to manage. A competent IT MSP can lower your cybersecurity management cost by sharing dedicated resources among its customer base. The IT MSP can also help you select and operate the best cybersecurity options to reduce your risk of attack. Finally, the MSP can help you expedite recovery in the event of an attack.