Ransomware: KYND is here to help
Ransomware attacks are costing businesses billions. How can you avoid falling victim?
How would your business manage if all its computers suddenly stopped working?
That’s the scenario that Maersk – one of the world’s largest logistics companies – faced on a Tuesday afternoon in late June 2017. With no warning, every computer, server and digital device shut down one after the other (including the key-card gates that workers used to access the building!). Employees frantically unplugged computers to disconnect them before they too succumbed to the same mysterious failure. By the end of the process, Maersk had 4,000 servers and 45,000 PCs in need of recovery. They had been offline for 10 days. And the whole episode cost in the region of $300 million.
The cause? Ransomware.
Maersk had fallen victim to NotPetya, an example of ransomware. Ransomware is a type of malicious software (malware) that gets its name from the way it operates: locking the victim’s devices and holding them to ransom until the owner makes a payment to have them unlocked. Ransomware variants differ in how they gain entry onto devices, how they spread between devices, and how they demand payment from their victim. But they are all consistent in the effect they have on our increasingly computer-dependent businesses: loss of data, business interruption, and a hefty financial impact. While this form of malware is not new (the first variants were developed in the late 1980s!), ransomware has recently emerged as an increasingly common attack method for cyber criminals.
According to research from specialist insurer Beazley, the number of ransomware incidents grew 131% last year. This high number of incidents was associated with a similarly high financial impact on businesses, with the total global cost in 2019 estimated at $170 billion. There have been numerous incidents at high-profile organisations, including 70 state and local governments across the US, global aluminium producer Norsk Hydro, and leading currency exchange company Travelex. These incidents show the prevalence and severity of ransomware across sectors. And being a small business doesn’t mean that cybercriminals won’t take an interest in you: in fact, more than 3 in 5 ransomware attacks targeted small and medium-sized businesses last year.
What can you do to stop ransomware?
Given the risk posed by ransomware, the obvious question is: “How do I prevent this from affecting my business?” Unfortunately, there is no single silver bullet. The National Cyber Security Centre’s guidance is to follow a “defence-in-depth” approach – that is, to use many layers of defence throughout your network to prevent attackers from being successful by exploiting one individual loophole.
In general, a good way to think about providing this “defence-in-depth” is to prevent ransomware from:
- Getting onto your devices and network
- Taking hold of devices and spreading throughout your network
- Causing irretrievable loss of your systems and data
Stop ransomware getting onto devices
The first line of defence for any threat is always prevention, and it’s no different with the defence against ransomware. Making your network less susceptible to downloading ransomware can be accomplished through a few key methods. Since around 85% of ransomware is deployed via email and exposed remote desktop access, prioritising the security of these two vectors can massively reduce your exposure to ransomware.
Remote desktop software is commonly used by businesses across the world. It allows workers to access key company assets from wherever they might be. But this accessibility for employees can also mean accessibility for attackers. Unless properly protected, remote desktop services can offer attackers an easy open door through which to deploy ransomware on the network. It is possible, however, to block unauthorised access to these sensitive systems. If you close the relevant remote desktop “ports” to the internet and restrict access to devices connected to the internal network, attackers will not be able to easily discover and probe your systems, which reduces their ability to deliver ransomware onto your core devices.
Once you’ve closed the doors to remote desktops, the next key opening is your organisation’s email system. At KYND, we’ve written quite a lot about email security: “How to prevent your emails being spoofed”, “Email fraud costs Toyota £30m” and “92% of FTSE 100 are vulnerable to email spoofing”. Implementing strong security settings on your email helps to prevent criminals from sending emails containing ransomware while pretending to come from within your business. This protects both your own organisation and your business partners. Similarly, inbound email protection filters and flags suspicious emails being sent to your organisation – again reducing the likelihood that an email containing dangerous malware ends up landing on your company’s devices.
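The “strong security settings” that stop criminals sending mail in your name are published in DNS as SPF and DMARC records. The script below is an added example (not KYND’s code or part of the KYND ON product) that rates those two records the way a receiving mail server would interpret them: SPF is rated by its final `all` qualifier, DMARC by its `p=` policy. The domains and TXT answers are constructed sample data so it runs offline; the `lookup_txt` stand-in would be replaced by a real resolver to audit a live domain.

```python
"""Rate a domain's SPF and DMARC records for anti-spoofing strength (added example)."""

# Constructed sample TXT records for fictional domains (not real DNS data).
SAMPLE_TXT = {
    "strong.example": ["v=spf1 mx include:_spf.mail.example -all"],
    "_dmarc.strong.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@strong.example"],
    "weak.example": ["v=spf1 mx +all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none"],
    "none.example": ["some-unrelated-verification=abc123"],
    "_dmarc.none.example": [],
}

# What a receiver does with mail from a sender the SPF record does not list.
SPF_RATING = {"-all": "strong", "~all": "moderate", "?all": "weak", "+all": "weak"}
# What a receiver does with mail that fails SPF/DKIM alignment.
DMARC_RATING = {"reject": "strong", "quarantine": "moderate", "none": "weak"}


def lookup_txt(name, txt_records=SAMPLE_TXT):
    """Stand-in resolver: returns the TXT strings published at `name`."""
    return txt_records.get(name.lower(), [])


def evaluate_spf(records):
    """Rate an SPF record by its final 'all' mechanism and qualifier."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return "missing", "no SPF record: receivers cannot reject forged senders"
    if len(spf) > 1:
        return "invalid", "more than one SPF record; receivers treat this as a permanent error"
    terms = spf[0].split()
    all_term = next((t.lower() for t in terms[1:] if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None:
        return "weak", "no 'all' mechanism; unlisted senders get a neutral result"
    if all_term[0] not in "+-~?":
        all_term = "+" + all_term  # a bare 'all' means '+all'
    return SPF_RATING[all_term], f"SPF ends in {all_term}"


def evaluate_dmarc(records):
    """Rate a DMARC record by its policy tag 'p='."""
    dmarc = [r for r in records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return "missing", "no DMARC record: SPF/DKIM failures are not enforced"
    tags = {}
    for part in dmarc[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    policy = tags.get("p")
    if policy not in DMARC_RATING:
        return "invalid", f"unrecognised DMARC policy {policy!r}"
    return DMARC_RATING[policy], f"DMARC policy is p={policy}"


def audit_domain(domain, resolver=lookup_txt):
    """Return the SPF and DMARC ratings (rating, explanation) for a domain."""
    return {
        "domain": domain,
        "spf": evaluate_spf(resolver(domain)),
        "dmarc": evaluate_dmarc(resolver("_dmarc." + domain)),
    }


if __name__ == "__main__":
    for d in ("strong.example", "weak.example", "none.example"):
        result = audit_domain(d)
        print(f"{d}: SPF {result['spf'][0]} ({result['spf'][1]}); "
              f"DMARC {result['dmarc'][0]} ({result['dmarc'][1]})")
```

A domain that rates “weak” or “missing” on either record is one whose name can be used on ransomware-carrying email without the receiving server having any instruction to reject it.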
There are further techniques to minimise the opportunity for ransomware delivery. “Protective DNS” and secure web proxies can act as secure gateways onto the web, preventing users from downloading dangerous files including ransomware. In addition, thoroughly training your employees in safe cyber behaviours will allow them to spot and avoid malware. Combined, all these actions can vastly reduce the likelihood that ransomware ever ends up being downloaded onto your organisation’s devices.
Stop ransomware infecting and spreading in your network
These defences do a great job at stopping the vast majority of ransomware threats. However, an attacker only needs to be lucky once to affect your business, so it’s important to continue that “defence-in-depth” approach by stopping ransomware from infecting your colleagues’ devices and spreading within your network.
Most ransomware will make use of known vulnerabilities in operating systems and software. Attackers will even scan for those that are vulnerable, choosing their victims for no other reason than their susceptibility. While this means that all businesses are theoretically at risk, regardless of size or fame, it also means that one of the most powerful ways to stymie ransomware is to ensure you’re regularly updating all software when updates and patches are released by software producers. It might be annoying to see those popup reminders every now and again. It’s an administrative effort to go through all servers applying patches and checking compatibility. It’s definitely frustrating to have updates delay your computer’s restart, especially when you need to finish your work on a deadline. But it’s a mere fraction of the inconvenience and cost of being hit by ransomware.
Ransomware will also make use of weak default settings in software and operating systems to infect devices and spread between them. Updating the default system settings across all your devices to secure standards (known as implementing a “hardened baseline configuration”) will lock down the functionality available to ransomware programs, stopping them from being able to take control of these secured devices. This will mean that standard users require permission to install invasive software or perform more in-depth changes to their computer, but adding this little bit of friction will also stop malicious programs from hijacking devices in the blink of an eye.
Finally, minimising the infection and spread of ransomware requires the enhanced protection of key administrator accounts. The rapid spread through entire organisations that has characterised famous ransomware attacks is possible when the malware is able to infect important administrator accounts, which have permissions to perform sensitive actions in an organisation’s network. That means that protecting these accounts with “multi-factor authentication” (MFA) is key.
MFA is a way of ensuring that attackers and ransomware can’t get access to an account even if they get hold of the password. When MFA is required, users need an additional “factor” (such as a code generated on a device, a code sent via text, or a fingerprint) in addition to their password. This means that we can be more confident that users have proved their identity, and that their account is not being accessed by an unauthorised person or program such as ransomware. This extra layer of defence is a key pillar of any organisation’s resilience against ransomware. At KYND, we recommend implementing MFA for accounts whenever possible, but especially for users who have access to important programs and services. By implementing MFA along with regular updates and hardened baseline configurations, organisations can improve their resilience when ransomware is downloaded onto a device in their network.
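To make the “additional factor” concrete, here is an added example (not KYND’s code) of the most common form, a time-based one-time code as generated by authenticator apps, implemented from the RFC 4226/6238 definitions with only the Python standard library. The demo user, password and shared secret are constructed (the secret is the RFC 6238 test value), and the login function shows the point of the paragraph: a correct password with a wrong, missing or stale code is refused.

```python
"""Password plus TOTP second factor (RFC 6238), as an added illustration."""
import hashlib
import hmac
import struct
import time
from typing import Optional

TIME_STEP = 30  # seconds each code is valid for
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HMAC-based one-time password: HMAC-SHA1, dynamic truncation, mod 10^digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = ((digest[offset] & 0x7F) << 24 | digest[offset + 1] << 16
            | digest[offset + 2] << 8 | digest[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: float, step: int = TIME_STEP) -> str:
    """RFC 6238 time-based code: HOTP over the number of elapsed time steps."""
    return hotp(secret, int(now) // step)


def verify_totp(secret: bytes, candidate: str, now: float, window: int = 1) -> bool:
    """Accept the code for the current step or +/- `window` steps, to tolerate clock drift.
    hmac.compare_digest keeps the comparison constant-time."""
    counter = int(now) // TIME_STEP
    return any(hmac.compare_digest(hotp(secret, counter + d), candidate)
               for d in range(-window, window + 1))


# Constructed demo user: a salted password hash plus the TOTP shared secret.
# In a real system the secret is enrolled into the user's authenticator app and stored encrypted.
_SALT = b"demo-salt"
_ITERATIONS = 100_000
USERS = {
    "admin": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse battery staple", _SALT, _ITERATIONS),
        "totp_secret": b"12345678901234567890",  # RFC 6238 test secret, demo only
    }
}


def login(username: str, password: str, otp: str, now: Optional[float] = None) -> bool:
    """Both factors must pass: a stolen password alone does not open the account."""
    user = USERS.get(username)
    if user is None:
        return False
    now = time.time() if now is None else now
    pw_ok = hmac.compare_digest(
        hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS), user["pw_hash"])
    otp_ok = verify_totp(user["totp_secret"], otp, now)
    return pw_ok and otp_ok


if __name__ == "__main__":
    secret = USERS["admin"]["totp_secret"]
    t = 59  # RFC 6238 test-vector time; the 6-digit code at this instant is 287082
    code = totp(secret, t)
    pw = "correct horse battery staple"
    print("code at t=59:", code)
    print("password only, junk code:", login("admin", pw, "000000", t))
    print("password + current code:", login("admin", pw, code, t))
    print("same code reused 90 s later:", login("admin", pw, code, t + 90))
```

The drift window is the one deliberate trade-off: a window of one step means a code is accepted for roughly 90 seconds in total, which is why a captured code is only useful to an attacker for a very short time, unlike a captured password.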
Stop ransomware causing irretrievable damage if it does hit
But let’s say that an ingenious piece of ransomware is able to make its way onto your network despite your external defences, and then it’s able to exploit a previously unknown vulnerability to infect all or most of your organisation’s devices. What then?
This is where ensuring you have a good safety net is essential. In the case of ransomware, that safety net is provided by backups. Backups are copies of your essential data and core configurations – basically, a duplicate of everything you would need if you had to rebuild your digital infrastructure from scratch. They mean that if the worst happens (ransomware infecting all of your organisation’s devices), you’re not at the mercy of the attacker. Without backups, the only option with a chance of recovering your systems is to pay the exorbitant fee demanded and hope that the attacker makes good on their promise by sending you the key to unlock your devices.
Corporate backups function much like a fire station. A fire station cannot prevent a fire from breaking out, but it can save buildings and lives if one does. For the fire station, it’s important to be always well-staffed and well-equipped, ready to handle an emergency whenever it occurs. It’s a similar situation for your backups – they should be ready to be used whenever disaster strikes.
Backup exercises should be conducted regularly (at least monthly) to ensure data and configurations are up-to-date and fit for purpose. This means that if they are used, less work is lost by “going back” to the date of the backup.
Likewise, the security of backups should be taken incredibly seriously. Backups should be hosted on separate infrastructure, completely disconnected from your network. The recovery credentials for backups should be unique and stored separately from other credentials. These protections ensure that backups are not affected or accessed by the same ransomware that disables the core network. Backups should also be encrypted to ensure no accidental breach of data. Given that each backup will include your organisation’s most important data, it should be protected with the same (if not greater!) rigour as the original.
Finally, just as a functioning fire station requires its firefighters to be trained and tested, ready to go at a moment’s notice, so should your backup system be regularly tested to ensure the recovery is effective. Without this, you run the risk of the recovery process failing just when you need it most – in the aftermath of a ransomware attack. But with a well-tested process in place, you can be confident that your organisation will quickly recover from a ransomware attack without needing to pay ransom. While you hope never to need your backups, making sure that they’re in place will add a final layer of defence to mitigate the impact of ransomware.
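The three backup points above (keep backups current, keep them tamper-proof with recovery credentials held apart, and test the restore) can be rehearsed in code. What follows is an added example, not KYND’s code: it backs up a constructed set of files into a temporary directory, records a SHA-256 manifest, signs the manifest with an HMAC key that stands in for the separately stored recovery credential, and then runs a restore drill. It also shows the two failures a test is meant to catch, a damaged backup file and a rewritten manifest.

```python
"""Backup integrity check and restore drill (added example, constructed data)."""
import hashlib
import hmac
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST = "MANIFEST.json"
MANIFEST_SIG = "MANIFEST.sig"


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(src: Path, dst: Path, key: bytes) -> dict:
    """Copy every file under src into dst, write a digest manifest, and HMAC-sign it
    so that a manifest rewritten by whoever damaged the files is detected too."""
    dst.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for path in sorted(p for p in src.rglob("*") if p.is_file()):
        rel = path.relative_to(src).as_posix()
        target = dst / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, target)
        manifest[rel] = sha256_file(target)
    body = json.dumps(manifest, sort_keys=True).encode()
    (dst / MANIFEST).write_bytes(body)
    (dst / MANIFEST_SIG).write_text(hmac.new(key, body, hashlib.sha256).hexdigest())
    return manifest


def verify_backup(dst: Path, key: bytes) -> list:
    """Return a list of problems; an empty list means every file matches the signed manifest."""
    body = (dst / MANIFEST).read_bytes()
    expected_sig = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_sig, (dst / MANIFEST_SIG).read_text()):
        return ["manifest signature mismatch: manifest altered or wrong recovery key"]
    problems = []
    for rel, digest in json.loads(body).items():
        path = dst / rel
        if not path.exists():
            problems.append(f"missing: {rel}")
        elif sha256_file(path) != digest:
            problems.append(f"corrupted: {rel}")
    return problems


def restore_drill(dst: Path, key: bytes, restore_to: Path) -> bool:
    """Rehearse recovery: verify the backup, restore it to scratch space, re-check every digest."""
    if verify_backup(dst, key):
        return False
    for rel, digest in json.loads((dst / MANIFEST).read_bytes()).items():
        target = restore_to / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(dst / rel, target)
        if sha256_file(target) != digest:
            return False
    return True


def demo() -> dict:
    """Build constructed data, back it up, then show what each check reports."""
    results = {}
    key = b"recovery-key-kept-offline"  # constructed; in practice held apart from the backup
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        live, backup, restored = root / "live", root / "backup", root / "restored"
        (live / "cfg").mkdir(parents=True)
        (live / "ledger.csv").write_text("id,amount\n1,100\n")
        (live / "cfg" / "app.ini").write_text("[server]\nport=8080\n")
        create_backup(live, backup, key)
        results["intact"] = verify_backup(backup, key)
        results["drill_ok"] = restore_drill(backup, key, restored)
        # A damaged backup file (bit rot, or a copy overwritten by mistake) is reported by name.
        (backup / "ledger.csv").write_text("garbage")
        results["after_damage"] = verify_backup(backup, key)
        # A manifest rewritten without the recovery key fails the signature check outright.
        (backup / MANIFEST).write_text("{}")
        results["after_manifest_tamper"] = verify_backup(backup, key)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Run on a schedule against the real backup location, `verify_backup` is the monthly currency check and `restore_drill` is the firefighters’ exercise; a non-empty problem list or a failed drill is the signal to fix the backup before it is needed, not after.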
How can KYND help you defend against ransomware?
All these steps to protect against ransomware may seem a little overwhelming. Thankfully KYND is here to help. We’ve recently released a new Ransomware feature in KYND ON for you to manage your organisation’s response to this growing threat.
First, KYND analyses the outside-in view of your business. With a non-invasive process, we produce automated insights about the visible vulnerabilities that could increase your risk of ransomware. We then give you targeted recommendations based on the specific vulnerabilities we’ve identified. This allows you to direct your energies on fixing the issues that most need attention, safe in the knowledge that we’re monitoring the rest.
Also included in the ransomware area is a focused self-assessment, which allows you to systematically review your internal set-up. Using an accessible format, this self-assessment allows you to audit, track and prioritise your organisation’s response to the threat of ransomware. As you complete the assessment, KYND will provide straightforward recommendations to help you strengthen your defences. This means you have a go-to action plan for taking concrete steps that you know will have an impact on improving your security.
Finally, as with everything KYND, we’re always here to help. With our ransomware insights, our team are happy to provide in-depth advice and support to our KYND ON customers.
Interested in protecting your organisation from ransomware? To speak to a KYND person, find out more or see a demo, get in touch. Until then, stay safe!