Understanding and Managing the Evolving Threat of Ransomware
As high-profile attacks continue to make headlines, all organizations should consider bolstering their digital defenses to help prepare for the unexpected.
It is one of the worst scenarios a business can imagine: Networks, computers and other digitally connected machines suddenly lock. An anonymous criminal threatens to leave the business’s files encrypted, and sensitive data is at risk of being released to the public unless a large payment is made within just a few days. In the aftermath of this cyberattack, the business’s digital equipment, and even that of its downstream customers, is rendered inoperable unless they pay a ransom.
Ransomware attacks of this kind have reached unprecedented proportions globally as corporations embrace digital transformation, automation, and the new technologies that come with them, such as cloud services and Internet of Things (IoT) equipment.
Globally, the amount lost to ransomware attacks was up 311% in 2020, according to one study, to reach nearly $350 million worth of cryptocurrency. And attacks appear to be intensifying, with cybercriminals demonstrating in 2021 the ease with which they can infiltrate U.S. infrastructure. In early May, executives at Colonial Pipeline paid $4.4 million in ransom to their attackers rather than face the prospect of gas supply interruptions creating chaos and panic across the East Coast.
Attacks on companies with national and international presence garner more headlines, but any organization with a digital presence is a potential target. “Ransomware can afflict companies of any size, in any industry, at any time,” says Tom Scarborough, Senior Director of Extended Security Programs at Fifth Third Bank. “Organizations need to have strategy in place to prevent, detect, and respond to ransomware attacks. That strategy should include a data backup plan, an incident response plan, and a business continuity plan. And they should be tested periodically.”
All three plans are cybersecurity must-haves in a world where every new technology and piece of software adopted by a company provides a new entry point for criminals. Here are some additional planning guidelines for detecting and reacting to ransomware attacks:
1. Know the Methods
Ransomware has historically relied on infected links and downloads initiated by unsuspecting employees through phishing emails or compromised websites.
Smart criminals have refined their social engineering tactics, using coercion and publicly available information to trick unsuspecting targets into thinking they are communicating with a legitimate business, vendor, or partner. Once trust is established, ransomware may be downloaded via a communication that appears normal, or even one that is sent through an authentic account that the criminal has compromised.
However, the most sophisticated and patient criminals use other methods of installing ransomware that are much harder or virtually impossible to detect. Recent high-profile attacks have resulted from:
- Infected software. Also known as supply chain attacks, these are cases where the ransomware arrives through an update of software a company routinely uses. In a July 2021 incident, criminals found a vulnerability in a popular remote management and monitoring product owned by a software developer and loaded it with ransomware. About 50 managed service providers that package this software were compromised, and between 800 and 1,500 of their downstream customers were affected. The criminals demanded $70 million for a universal decryption key, and the company was forced to take down its software.
- Weaknesses in company infrastructure. “Criminals actively explore company networks, seeking out vulnerabilities,” says Scarborough. “The ‘attack surface’ expands with every new digital innovation added to a network, making it increasingly hard to protect.” The Colonial Pipeline ransomware breach is a salient example of a growing network expanding cyber vulnerability: criminals exploited an unused password that still provided access to the company’s network.
- Data exfiltration. Criminals aren’t just limiting themselves to network encryption. They are also making copies of the critical data before they encrypt it, which they then threaten to release. They’ve found that locking a network and then adding the threat of selling the stolen data is a powerful one-two blow to victims and increases the likelihood of a ransom being paid.
2. Understand the Trends
The risk of ransomware and other types of cybercrime increases when companies, and criminals alike, make significant operational changes—as we saw in 2020.
- More remote working opportunities have softened the security posture of many companies. “Many companies had to make significant changes to their operations in response to the pandemic, including having many of their teams start working remotely. That can lead to relaxed controls or lapses in otherwise sound processes. It can be much harder for a business to effectively monitor devices and employees when the attack surface shifts quickly,” says Scarborough.
- Ransomware players are also expanding, now that the most sophisticated criminal enterprises have launched ransomware-as-a-service business models, where they offer their malware packages on a subscription basis to less skillful bad actors.
- Cybercriminal enterprises include highly sophisticated computer scientists and other professionals who take the time to become experts in the protocols and needs of specific industries.
While no industry is immune to ransomware, some sectors are reporting more damages and remediation related to ransomware than others. According to one 2021 study, these industries had the highest percentage of respondents reporting lost revenue following a ransomware incident:
- Government: 75%
- Retail: 74%
- Financial Services: 73%
- Healthcare: 64%
- Technology: 64%
3. Recognize Your Capabilities
Any organization can mitigate its ransomware risk by adopting an effective combination of security tools and processes. While every company’s needs are unique, the following list can help you visualize the digital surface of your organization and contemplate remediation steps:
- Email verification protocols. Since phishing emails remain a common ransomware delivery method, and social engineering tactics make these fraudulent communications harder to spot, companies can benefit from deploying automated tools that verify emails and their senders. Sender Policy Framework (SPF) lets a domain owner publish, in DNS, which mail servers are authorized to send email on behalf of that domain, so a receiving server can flag messages whose sender address has been spoofed. DomainKeys Identified Mail (DKIM), which adds a cryptographic signature to outgoing messages so a receiver can detect tampering with the signed headers and body, is often used in tandem with SPF.
Domain-based Message Authentication, Reporting, and Conformance (DMARC) builds on both: the domain owner publishes a policy telling receivers to quarantine or reject messages that fail SPF or DKIM checks, and receives reports on who is sending mail in the domain’s name. This is important since criminals may use a hijacked account to attack your company’s vendors or partners; note, however, that mail sent from a genuinely compromised account passes these checks, so they complement rather than replace account security and user awareness.
- Anti-malware and anti-virus software. Installing this base-level security software onto computers companywide can provide basic protections against viruses, malware, and cyberattacks. Anti-virus software typically blocks traditional and more predictable attacks such as trojans and viruses. Anti-malware can provide protection against more modern and advanced tactics, such as phishing and ransomware. Because no one product is a catchall for all cyberattacks, incorporating both is recommended for the most comprehensive protection.
- Browser blocks, spam filters, and endpoint protection and detection tools. These tools are not specifically designed to prevent ransomware, but they can help prevent employees from visiting unsecured websites and block pages or pop-ups that may download malware.
- Vulnerability management programs. Software manufacturers send regular updates, often to address security vulnerabilities. But they are only as good as the regularity with which companies screen and download updates to patch potential entry points for cybercriminals. Companies should also consider using a vulnerability management program, which includes regular patching cadences as well as network penetration testing. Pentesting, as it’s also called, involves stress-testing a network by having a cybersecurity expert simulate the actions of a cybercriminal, to reveal vulnerabilities.
- Partnering with organizations with strong cyber defenses. Banks and other companies that must protect critical account and personal information are often required by regulation to use robust security features around their communications and account access. Companies can leverage these security layers to protect their own accounts payable and receivable by using treasury management services.
- Regular backups of essential files and data. Companies should institute protocols for regularly backing up company data and periodically testing those protocols to ensure that the process is functioning correctly. “It’s also very important that those backups are segmented off and isolated from your primary network,” Scarborough adds. “Otherwise, your backups are at risk of being encrypted by ransomware as well, significantly limiting your options, which will force you to make some very tough decisions.”
- Remediation and forensics. If a company experiences a ransomware attack, it’s critical to identify the source of the intrusion and make sure it’s remediated. According to one study, 68% of companies that suffered one cyber incident experienced a second attempt within 12 months. “Lightning will strike twice if organizations don’t effectively remediate their vulnerabilities,” says Scarborough. “It’s critical to spend the time and expense to determine how the criminals got into the network and quickly address those gaps.”
- Educated, alert employees. Cybercriminals prey on employees making the mistake of clicking on phishing emails. Companies that have successfully reduced these incidents have done so by running simulated phishing exercises against their staff, to help them understand what suspicious and malicious emails can look like.
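To make the email verification protocols in the list above concrete, here is an added example (not code from the article or from Fifth Third Bank) that evaluates SPF and a DMARC policy for an incoming message. The domain "example-bank.test", the vendor domain, the IP addresses and the DNS TXT records are all constructed and hard-coded so the script runs offline; a real mail gateway resolves them with live DNS lookups and verifies DKIM signatures itself, whereas here the DKIM outcome is passed in as an input so the policy logic can be followed on its own.

```python
import ipaddress

# Constructed DNS TXT records for the hypothetical domain "example-bank.test".
# A real evaluator resolves these with live DNS queries.
DNS_TXT = {
    "example-bank.test": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailvendor.test -all",
    "_spf.mailvendor.test": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "_dmarc.example-bank.test": "v=DMARC1; p=reject; aspf=r; adkim=s; rua=mailto:dmarc@example-bank.test",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, depth=0):
    """Evaluate the SPF record of `domain` against the connecting IP.

    Supports only the ip4, ip6, include and all mechanisms; anything else
    yields 'permerror' (a full evaluator also handles a, mx, exists, ...).
    """
    if depth > 10:  # RFC 7208 caps lookups; this also guards include loops
        return "permerror"
    record = DNS_TXT.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(term[4:], strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif term.startswith("include:"):
            # include matches only when the referenced record yields 'pass'
            if check_spf(term[8:], sender_ip, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        else:
            return "permerror"
    return "neutral"  # no mechanism matched and no trailing 'all'


def parse_dmarc(domain):
    """Return the DMARC tags published for `domain`, or None if there are none."""
    record = DNS_TXT.get("_dmarc." + domain.lower())
    if record is None or not record.startswith("v=DMARC1"):
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def org_domain(domain):
    """Approximate organizational domain (last two labels). A real
    implementation consults the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, header_from_domain, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') accepts the same organizational domain."""
    if auth_domain is None:
        return False
    if mode == "s":
        return auth_domain.lower() == header_from_domain.lower()
    return org_domain(auth_domain) == org_domain(header_from_domain)


def evaluate_dmarc(header_from_domain, envelope_from_domain, sender_ip,
                   dkim_result="none", dkim_domain=None):
    """Combine SPF, the (externally supplied) DKIM result and alignment
    into the disposition the domain's DMARC policy asks for."""
    spf_result = check_spf(envelope_from_domain, sender_ip)
    policy = parse_dmarc(header_from_domain)
    if policy is None:
        return {"spf": spf_result, "dmarc": "none", "disposition": "deliver"}
    spf_ok = spf_result == "pass" and aligned(
        envelope_from_domain, header_from_domain, policy.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(
        dkim_domain, header_from_domain, policy.get("adkim", "r"))
    passed = spf_ok or dkim_ok
    p = policy.get("p", "none")
    if passed or p == "none":
        disposition = "deliver"
    else:
        disposition = "quarantine" if p == "quarantine" else "reject"
    return {"spf": spf_result, "spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if passed else "fail", "policy": p,
            "disposition": disposition}


if __name__ == "__main__":
    # Legitimate mail from the bank's own relay, then a spoofed From: header
    # arriving from an unrelated host with no DKIM signature.
    print(evaluate_dmarc("example-bank.test", "example-bank.test", "203.0.113.25"))
    print(evaluate_dmarc("example-bank.test", "unknown-relay.test", "192.0.2.7"))
```

The two runs at the bottom show the point of the bullet: mail from an authorized relay passes SPF and is delivered, while a message that merely claims to be from the bank's domain fails both checks and, under the published p=reject policy, is rejected. The strict adkim=s tag in the constructed record also shows the trade-off of strict alignment: a DKIM signature from a subdomain no longer counts, which is why many domains start with relaxed alignment and a p=none monitoring policy before tightening.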
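The backup bullet above stresses that backup procedures must be tested, not just run. As an added example (not from the article or Fifth Third Bank), the following script backs up a directory, records a SHA-256 manifest, and then performs the kind of restore test a team might schedule: it extracts the archive into a scratch directory and compares every restored file against the manifest. The sample files, directory names and the simulated corruption are constructed for the demonstration; isolating the backup copy from the primary network, as the quote recommends, is a storage and network decision outside the script.

```python
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source_dir, backup_dir):
    """Archive source_dir and write a per-file digest manifest beside it.
    Returns (archive_path, manifest_path)."""
    source_dir, backup_dir = Path(source_dir), Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    archive = backup_dir / "backup.tar.gz"
    manifest = {}
    with tarfile.open(str(archive), "w:gz") as tar:
        for path in sorted(p for p in source_dir.rglob("*") if p.is_file()):
            rel = path.relative_to(source_dir).as_posix()
            manifest[rel] = sha256_file(path)
            tar.add(str(path), arcname=rel)
    manifest_path = backup_dir / "manifest.json"
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return archive, manifest_path


def verify_restore(archive, manifest_path):
    """Restore the archive into a scratch directory and check every file
    against the manifest. A clean run reports no missing, corrupted or
    rejected entries."""
    expected = json.loads(Path(manifest_path).read_text())
    report = {"verified": 0, "missing": [], "corrupted": [], "rejected": []}
    # Use the safe extraction filter where this Python version offers it.
    extract_kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(str(archive), "r:gz") as tar:
            for member in tar.getmembers():
                name = Path(member.name)
                # Defensive check: only regular files with safe relative paths
                if not member.isfile() or name.is_absolute() or ".." in name.parts:
                    report["rejected"].append(member.name)
                    continue
                tar.extract(member, scratch, **extract_kwargs)
        for rel, digest in sorted(expected.items()):
            restored = Path(scratch) / rel
            if not restored.is_file():
                report["missing"].append(rel)
            elif sha256_file(restored) != digest:
                report["corrupted"].append(rel)
            else:
                report["verified"] += 1
    return report


def demo(simulate_corruption=False):
    """Constructed end-to-end run: sample files -> backup -> restore test.
    With simulate_corruption=True the recorded digest of one file is
    altered so the report shows how a mismatch surfaces."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "data"
        (src / "ledger").mkdir(parents=True)
        (src / "ledger" / "2021-q1.csv").write_text("id,amount\n1,100\n")
        (src / "policy.txt").write_text("backups are restore-tested monthly\n")
        archive, manifest = create_backup(src, Path(work) / "backup")
        if simulate_corruption:
            entries = json.loads(manifest.read_text())
            entries["policy.txt"] = "0" * 64  # constructed bad digest
            manifest.write_text(json.dumps(entries))
        return verify_restore(archive, manifest)


if __name__ == "__main__":
    print("clean run:", demo())
    print("simulated corruption:", demo(simulate_corruption=True))
```

In practice the manifest should be stored with the isolated backup copy and the restore test run on a schedule, with a non-empty "missing" or "corrupted" list treated as an incident in its own right, since it means the backup could not be relied on during a real ransomware recovery.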
Ransomware and other cyberattacks are serious risks that can be detrimental to any business, but with the right knowledge and tools in place, they can be sufficiently managed.
For additional information, contact your Relationship Manager, Treasury Management Officer or find a Banker to learn more.