Opinion

How to make your business resistant to ransomware

Phil Robinson, principal consultant and founder of Prism Infosec, explains what you need to do
By Phil Robinson

Numerous UK institutions have already fallen foul of ransomware this year, including The Royal Mail, The Guardian newspaper, and even schools. So why is this form of attack proving so unstoppable and what can we do to defend against it?

Businesses here in the UK top the charts when it comes to paying out ransoms. According to the State of the Phish 2022 report, 82 percent of businesses have surrendered their cash, the highest in the world, with the global average coming in much lower at 58 percent. This sits at odds with the government's own research, in which 56 percent said they would never pay up, revealing a clear gap between what businesses intend to do and what happens in reality.

Ransomware attacks continue to rise and were up 13 percent according to the Data Breach Investigations Report for 2022, an increase larger than those of the previous five years combined. They're also widening their scope, with SMEs now increasingly targeted: a quarter of them were reported to have suffered attacks during 2022.

The increase in scale and reach can be put down to two things: the entry bar has been lowered and attacks are proving more lucrative. It's now much easier for less adept attackers to get into the game. With the emergence of Ransomware-as-a-Service (RaaS), malware and encryption payloads can be bought by threat agents (such as organised crime gangs or hacker groups), who can then use them to execute the attack without having to research and create their own exploits.

How it’s evolving

Over 2022 we've seen a shift from encrypting data to extorting payment by threatening to release sensitive company files and documents into the public domain. In some cases both methods are used to maximise the likelihood of a payout. Double extortion attacks, where the victim is pressured to pay a second time (for example, to stop stolen data being published after paying for decryption), were experienced by 28 percent of respondents according to the State of the Phish report, and we're now also seeing triple extortion, where partners, customers and suppliers are targeted alongside the business itself.

Clearly, paying up isn't a successful strategy. The Information Commissioner's Office (ICO) and National Cyber Security Centre (NCSC) echoed this last year when both took the unusual step of saying that businesses should stop paying ransoms, that payment would not be seen as a form of mitigation, and that it would not reduce the likelihood of regulatory penalties. So, what can businesses do to defend themselves?

Ransomware typically stems from malware being introduced by employees who inadvertently download malicious files from the web or open malicious attachments in email. This is usually exacerbated by the business failing to sufficiently secure user endpoint devices (for example, by not restricting admin privileges or not removing unnecessary software and facilities), which allows unauthorised code to execute. In the case of The Guardian, for example, the suspicion is that an employee clicked on a link in a phishing email.

Baseline your security

The advice put forward by the NCSC is to implement a baseline security standard such as Cyber Essentials, Cyber Essentials Plus or ISO 27001, and to regularly audit the organisation's controls against it. Currently uptake of these standards remains low. The Cyber Security Longitudinal Survey found only 19 percent of businesses had adopted Cyber Essentials and only 15 percent were ISO 27001 compliant, so it's expected that incentives will be introduced. These might include free sign-up for small businesses, tax breaks or lower cyber insurance premiums for those that can demonstrate they have achieved those certifications and accreditations.

This baseline is just that, however, and should form part of the business's security policies, procedures and plans to support information security and to govern user behaviour. There should be an overarching information security policy as well as an acceptable use policy, an incident response plan, and access control and data handling policies. These should then form the basis of how the business conducts its activities day to day and can be reinforced through regular security awareness training for staff. Keep it 'real' rather than off-the-shelf by illustrating near misses or attacks within the sector that show the risk of clicking on unknown links or opening unexpected files or attachments.

Technical controls

When it comes to technology, take care of the basics: ensure operating systems and applications are patched and up to date, implement multi-factor authentication on critical online services (email, CRM, online apps, file storage and sharing, and so on), and log and monitor the network for attacks. Locking down data is essential, so ensure that data storage is resilient to unauthorised attempts to modify files, using techniques such as built-in file versioning and/or offline snapshots and backups that an attacker with access to the live environment cannot reach.

Deploy anti-malware and Endpoint Detection and Response (EDR) solutions on servers and endpoints, as these can identify both common and novel attacks as well as monitoring and alerting on attempted and actual breaches. Strong endpoint configuration also limits the privileges of users, restricts the execution of unknown and untrusted applications, and reduces the attack surface by removing unnecessary functionality (such as the command prompt, PowerShell or default bundled software) from users who have no need for it.

Use cloud-based protection against known and new attacks; for example, Microsoft OneDrive and SharePoint offer a level of ransomware protection through their versioning features. But a word of caution when it comes to cloud: don't make the mistake of thinking you're automatically protected because these features are at your disposal. They might not have been enabled, or an attacker who has gained administrative privileges could have disabled them before encrypting anything.

Remain vigilant

Keep things fresh through regular security reviews of endpoint devices, data storage and applications to test their resilience to ransomware attacks. This should include looking at the data held in cloud services and establishing whether it can be recovered in the event that it is deleted or encrypted. For example, is the data being versioned, snapshotted or backed up to another solution? How frequently is this happening? When was the last time a simulated loss and restore was tested, and was the restored data checked against what was originally backed up?
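The restore drill described above, and the resilient-storage point in the technical controls section, can be turned into a repeatable check. The following is an added example written for this page, not code from the article or from Prism Infosec: it records a SHA-256 manifest of the live data, takes an offline copy, runs a constructed stand-in for an encryptor (overwrite every file and append a `.locked` suffix) against the live copy, detects what changed, restores only the backup files whose hashes still match the pre-incident manifest, and verifies the result. The file names and contents are constructed sample data; the `tamper_backup` flag simulates an attacker who reached the backup as well, which is the failure mode a drill must be able to surface.

```python
"""Backup restore drill: manifest, simulated ransomware, detect, restore, verify.
Added example; directory names and sample files are constructed for illustration."""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> SHA-256 for every file under root."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def simulate_ransomware(live):
    """Constructed stand-in for an encryptor: overwrite each file with random
    bytes and rename it with a .locked suffix, as many families do."""
    for p in [q for q in live.rglob("*") if q.is_file()]:
        p.write_bytes(os.urandom(len(p.read_bytes()) or 16))
        p.rename(p.with_name(p.name + ".locked"))


def diff_against_manifest(root, manifest):
    """Return (missing, modified, unexpected) relative to the recorded manifest."""
    current = build_manifest(root)
    missing = sorted(set(manifest) - set(current))
    modified = sorted(k for k in manifest if k in current and current[k] != manifest[k])
    unexpected = sorted(set(current) - set(manifest))
    return missing, modified, unexpected


def restore(backup, live, manifest):
    """Rebuild the live tree from the backup, copying only files whose backup
    copy still matches the manifest hash. Anything else is reported as untrusted:
    a backup the attacker could reach is not a backup you can rely on."""
    if live.exists():
        shutil.rmtree(live)
    live.mkdir(parents=True)
    restored, untrusted = [], []
    for rel, digest in manifest.items():
        src = backup / rel
        if src.is_file() and sha256_file(src) == digest:
            dst = live / rel
            dst.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src, dst)
            restored.append(rel)
        else:
            untrusted.append(rel)
    return restored, untrusted


def run_drill(tamper_backup=False):
    """End-to-end drill in a temporary directory; returns a summary dict."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        live, backup = base / "live", base / "backup"
        # Constructed sample data standing in for a file share.
        (live / "finance").mkdir(parents=True)
        (live / "finance" / "q3.csv").write_text("invoice,amount\n1001,250.00\n")
        (live / "notes.txt").write_text("constructed sample data\n")

        manifest = build_manifest(live)          # recorded before the incident
        shutil.copytree(live, backup)            # the "offline" copy
        if tamper_backup:                        # attacker reached the backup too
            (backup / "notes.txt").write_text("backup altered by attacker\n")

        simulate_ransomware(live)
        missing, modified, unexpected = diff_against_manifest(live, manifest)
        restored, untrusted = restore(backup, live, manifest)
        still_missing, still_modified, _ = diff_against_manifest(live, manifest)
        return {
            "missing_after_attack": len(missing),
            "modified_after_attack": len(modified),
            "unexpected_after_attack": len(unexpected),
            "restored": len(restored),
            "untrusted": len(untrusted),
            "verified_clean": not still_missing and not still_modified,
        }


if __name__ == "__main__":
    print("clean backup:   ", run_drill())
    print("tampered backup:", run_drill(tamper_backup=True))
```

The drill passes only when every file listed in the pre-incident manifest comes back with the same hash; a backup that the attacker also reached fails with `verified_clean` False and the affected paths counted as untrusted, which is exactly the answer a board should get from "when did we last test a restore?". In production the manifest belongs somewhere the attacker cannot edit, alongside the backup itself.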

Finally, there's no such thing as a completely secure system, so if the worst happens you'll want an effective incident response plan in place and to have conducted simulated breach exercises so that the security team knows how to handle a breach quickly and effectively. You may not be able to completely eliminate the risk of ransomware, but you can reduce the odds of becoming its next victim.
