To avoid the dreaded “pay or not pay the ransom” dilemma, here are seven measures to enforce at all times.
Over the past 12 months, Check Point Research (CPR) telemetry has shown a 93% increase in average weekly ransomware attack events. The number of ransomware attacks is growing for a simple reason: many victims are paying off the ransoms!
The willingness to pay creates a dangerous vicious cycle, and it increases the motivation of attackers. Additionally, cyber risk insurance is becoming more common, so companies do not hesitate to meet the demands of cybercriminals, further exacerbating the problem.
In addition, cybercriminals are constantly refining their techniques to increase the pressure to pay: for example, through double or triple extortion threats. So, the question is: to pay or not to pay? The answer is not as simple as it first appears.
While ransom amounts are sometimes in the hundreds of thousands or millions of dollars, the cost of critical system outages often surpasses these amounts. However, enterprises must remember that even if the ransom is paid, it does not mean that the data, or even part of it, will actually be decrypted. There are even known cases where bugs in the attackers' code mean the organization cannot recover the data even if they wanted to.
The way forward is to minimise the risk of being the next victim of ransomware through the following checklist:
- Be extra vigilant on weekends and holidays: Most ransomware attacks over the past year have taken place on weekends or holidays, when organizations are more likely to be slower to respond to a threat.
- Install updates and patches regularly: WannaCry hit organizations around the world hard in May 2017, infecting over 200,000 computers in three days. Yet a patch for the exploited EternalBlue vulnerability had been available for a month before the attack. Updates and patches need to be installed immediately, with automatic installation enabled.
- Install anti-ransomware: Anti-ransomware protection watches for any unusual activity, such as opening and encrypting large numbers of files, and if any suspicious behavior is detected it can react immediately and prevent massive damage.
- Education is an essential part of protection: Many cyberattacks start with a targeted email that does not contain malware, but uses social engineering to try to lure the user into clicking on a dangerous link. User education is therefore one of the most important parts of protection.
- Ransomware attacks do not start with ransomware, so beware of other malicious code, such as Trickbot or Dridex, that infiltrates organizations and sets the stage for a subsequent ransomware attack.
- Backing up and archiving data is essential: If something goes wrong, your data should be easily and quickly recoverable. It is imperative to back up consistently, including automatically on employee devices, rather than relying on employees to remember to turn on the backup themselves.
- Limit access to only necessary information and segment access: If you want to minimize the impact of a potentially successful attack, then it is important to ensure that users only have access to the information and resources they absolutely need to do their jobs. Segmentation minimizes the risk of ransomware spreading uncontrollably across the network.
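
The behavior described in the anti-ransomware item above (one process opening and encrypting large numbers of files) can be sketched as a detection rule. This is an added example, not code from Check Point or any product; the event format, thresholds, process IDs and sample events are all assumptions constructed for illustration.

```python
import math
from collections import Counter, defaultdict, deque

WINDOW_SECONDS = 10          # assumed sliding-window length
MAX_FILES_PER_WINDOW = 5     # assumed limit of distinct files per process
ENTROPY_THRESHOLD = 7.5      # bits/byte; ciphertext approaches 8.0

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of data in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def detect_mass_encryption(events):
    """events: (timestamp, pid, path, written_bytes) tuples in time order.
    Returns [(pid, timestamp)] for the moment each process first rewrote
    more than MAX_FILES_PER_WINDOW distinct files with high-entropy data
    inside one window."""
    recent = defaultdict(deque)   # pid -> (timestamp, path) of suspicious writes
    alerts = {}
    for ts, pid, path, data in events:
        if pid in alerts or shannon_entropy(data) < ENTROPY_THRESHOLD:
            continue
        window = recent[pid]
        window.append((ts, path))
        while ts - window[0][0] > WINDOW_SECONDS:   # drop writes outside the window
            window.popleft()
        if len({p for _, p in window}) > MAX_FILES_PER_WINDOW:
            alerts[pid] = ts
    return sorted(alerts.items())

# Constructed sample data: a uniform byte pattern stands in for ciphertext.
CIPHERTEXT_LIKE = bytes(range(256)) * 16
PLAIN_TEXT = b"Quarterly report draft. " * 100
SAMPLE_EVENTS = sorted(
    [(float(i), 100, f"/home/a/doc{i}.txt", PLAIN_TEXT) for i in range(8)]          # editor saving text
    + [(float(i), 200, f"/tmp/out{i}.zip", CIPHERTEXT_LIKE) for i in range(2)]      # archiver, two files
    + [(0.5 * i, 300, f"/srv/share/f{i}.docx", CIPHERTEXT_LIKE) for i in range(8)]  # rapid bulk rewrite
    + [(60.0 * i, 400, f"/backup/b{i}.bin", CIPHERTEXT_LIKE) for i in range(8)],    # slow writer
    key=lambda e: e[0],
)

if __name__ == "__main__":
    for pid, ts in detect_mass_encryption(SAMPLE_EVENTS):
        print(f"ALERT pid={pid} at t={ts}s: bulk high-entropy file rewrites")
```

Compressed archives and media files are also high-entropy, which is why the rule counts distinct files per process within a time window instead of alerting on a single write; both thresholds need tuning against normal activity such as backup jobs.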
Dealing with the aftermath of a ransomware attack on one system can be difficult, but repairing the damage after a network-wide attack is much more challenging, so please note the above precautions.