Ransomware threat analysis and defense best practices

Ransomware is one of the greatest cyber threats we face these days, and victims are at the risk of losing their files, productivity, reputation, and, eventually, money.

What started as an individual activity has evolved into an industry and is now widely available illegally in the form of Ransomware as a Service (RaaS) applications. This means anyone can get their hands on this malware and carry out attacks.

Since 2020, ransomware attacks have increased by an estimated 435% and have become more prevalent and profitable, with new malware variants appearing and becoming more advanced with time.

According to Palo Alto Networks threat report 2021, the highest ransomware demand increased from $15 million in 2019 to $30 million in 2020. The average ransom paid to attackers nearly tripled, growing from $115,123 in 2019 to $312,493 in 2020.

What exactly is ransomware?

Ransomware is a type of malware that threatens to publish your critical data or blocks access to your information. Encryptors and screen lockers are the two most prevalent types of ransomware. The former encrypts data in the victim's system, making it inaccessible, while the latter simply blocks access to the device with a “lock” screen.

The attacker then demands a ransom to decrypt or access the victim's data. The attackers often give a deadline and if the victim doesn’t pay before that, they will erase the data or increase the ransom.

How do attackers gain initial access?

A majority of ransomware attacks start with a malicious email containing a malware download link. Malvertising, software updates, and drive-by downloads are other methods that attackers use to infect your network. 

Let's look at a recent example. In 2020, hackers broke into SolarWinds, a US information technology provider, and added malicious code into their software. The company unknowingly sent product updates to their customers with the hacked code in them. Their users installed the compromised update, which gave the hackers a backdoor into their systems and enabled them to attack 9 US federal agencies and about 100 private sector companies.

Ransomware not only scans the local device but also any network connected to it. Just one vulnerable machine can also take every other system connected to its network down with it. That means a single employee's mistake can put your entire business at risk.

How to defend your organization from ransomware

There are many ways to prepare your employees and protect your company from ransomware attacks.

First, you need to set up a strong cybersecurity framework and tailor your company policies, guidelines, and procedures accordingly. The same thing goes for incident response frameworks.

Install anti-malware software on all network devices, including smartphones. You should regularly carry out regular system and network scans, identify anomalies, and eliminate them regularly.

Since infection usually starts with a malicious email, start by installing a Secure Email Gateway (SEG) to detect and blocks malicious emails that deliver ransomware.

Your second line of defense is Endpoint Detection and Response (EDR) technology. This provides host-based detection, investigation, and remediation against malware. Use an Intrusion Detection System (IDS) to detect ransomware command-and-control (malware calling out to a control server). An IDS also alerts you of possible incidents.

You should also use security mechanisms like Multi-Factor Authentication (MFA) to defend against attackers logging in to your organization's systems using stolen or weak credentials. MFA uses two or more credentials to authenticate a user's identity, so simply stealing an employee's user ID and password will not be sufficient for attackers to break into your system

Monitor your server, devices, and network and analyze your logs, respond to alerts, and troubleshoot application performance. If an infection is detected, recover your data as quickly as possible. Keeping tabs on your crucial systems can not only reduce the risk of a crashed machine but also keep you alert to any potential attacks.

Install Mobile Device Management (MDM) tools to defend your mobile devices against ransomware. A good MDM tool can analyze device applications and immediately alert users and IT to any applications that might compromise their device.

By implementing data backups and encrypting your data, you can safeguard your company information. Follow the saying "fight fire with fire," and use data encryption to prevent attackers from releasing your data. If your stolen information is encrypted, it will be unrecognizable and unusable. However, this does not prevent attackers from encrypting your encrypted data, which will still prevent you from accessing it.

This is where performing regular data backups can help you. Every organization should frequently back up their data and keep an appropriate recovery process in place. Ransomware operators will target on-site backups, so organizations should ensure that all backups are maintained securely offline.

The increasing number of successful ransomware attacks implies most companies are vulnerable and need to equip themselves with the latest cyber security tools. Zoho offers a broad portfolio of secure business productivity tools to run your business successfully and keep your data out of harm’s way.