Countering the evolving threat of ransomware


Ask any IT security specialist to name the biggest thing that keeps them awake at night and chances are the answer will be ransomware.

This cyberthreat has the capability to cause massive disruption to business processes and can result in the loss of critical data. In some cases, businesses that fall victim to an attack never recover and have to close their doors.

First recorded back in the late 1980s, ransomware has continued to evolve at a rapid pace. While initial examples focused on encrypting file names, rather than their contents, later versions locked up entire files.

The targets in the sights of cybercriminals have also changed. Initially they focused on home users; attention is now firmly on the IT infrastructures of organisations. The logic is that the bigger the organisation, the more likely it is to be able to afford the ransom demands.

Recent targets for attacks have included shipping companies, pipeline operators, transport firms, and healthcare providers. Attackers are buoyed by the fact that their chances of getting caught are relatively slight. Risks are certainly outweighed by potential rewards.

There is also a relatively low barrier to entry for anyone who is keen to mount an attack. Indeed, in recent years, there has been the rise of so-called ransomware-as-a-service. Unsophisticated criminals with little technical expertise can purchase the right to use pre-configured ransomware and attack chosen targets. Criminals find this approach appealing as execution costs are relatively low while the rates of return can be very high.

A five-step defence against attack

There are five key steps that all organisations should undertake to reduce the likelihood of falling victim to an attack and ensure they can recover quickly should one occur.

The five steps are:

  1. Preparation: Ransomware attacks continue to increase in both frequency and seriousness. It’s vital to be prepared as soon as possible as you can never be sure when the next attack will be launched.
  2. Detection: In the event that an attack does occur, you are much more likely to minimise the damage if the attack can be detected early. To do this, ensure that security software is up to date in terms of signatures and threat intelligence data. Continually screen email for malicious links and payloads and act on flags when they appear.
  3. Containment: If an infection is detected, work to contain it as quickly as possible. If files on one device become encrypted, have a plan of action for containment before it spreads further.
  4. Eradication: Following containment, attention then needs to shift to eradication of the malicious code altogether. This may require assistance from an external expert.
  5. Recovery: Once all malicious code has been removed, follow a previously formulated disaster recovery plan to get all affected systems back up and running as swiftly as possible. This keeps the impact on business operations as low as possible.
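The detection and containment steps above hinge on noticing early that files on one device are being encrypted. As an added illustration that is not part of the original article, the following Python rule scans file-server audit events for a burst of renames that change a file's extension on a single host, the typical footprint of bulk encryption, and raises an alert that can trigger the containment plan. The log format, the host names, and the thresholds are all constructed assumptions for this example and should be tuned to the environment.

```python
"""Added example (not from the original article): a small detection rule that
flags a burst of extension-changing renames on one host, an early sign of a
device whose files are being encrypted, so the containment plan can start.
The audit-log format, hosts and thresholds below are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of file-server audit events: "<ISO time> <host> <action> <path>"
# RENAME events carry "old->new". Only ws-042 shows encryption-like behaviour.
SAMPLE_EVENTS = """\
2024-03-01T09:00:01 ws-017 WRITE /share/finance/q1.xlsx
2024-03-01T09:00:02 ws-017 WRITE /share/finance/q2.xlsx
2024-03-01T09:00:05 ws-042 RENAME /share/hr/policy.docx->/share/hr/policy.docx.locked
2024-03-01T09:00:06 ws-042 RENAME /share/hr/salaries.xlsx->/share/hr/salaries.xlsx.locked
2024-03-01T09:00:06 ws-042 RENAME /share/hr/onboarding.pdf->/share/hr/onboarding.pdf.locked
2024-03-01T09:00:07 ws-042 WRITE /share/hr/HOW_TO_RECOVER.txt
2024-03-01T09:00:08 ws-042 RENAME /share/hr/contracts.docx->/share/hr/contracts.docx.locked
2024-03-01T09:00:09 ws-042 RENAME /share/hr/leave.xlsx->/share/hr/leave.xlsx.locked
2024-03-01T09:05:00 ws-017 WRITE /share/finance/q3.xlsx
"""

# Assumed thresholds: this many extension-changing renames by one host
# inside the window is treated as a possible encryption run.
WINDOW = timedelta(seconds=60)
RENAME_THRESHOLD = 5


def parse_event(line):
    """Split one audit line into its fields (format is an assumption)."""
    ts, host, action, path = line.split(" ", 3)
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "action": action, "path": path}


def extension_changed(rename_path):
    """True when a RENAME 'old->new' changed the file extension."""
    old, _, new = rename_path.partition("->")
    return old.rsplit(".", 1)[-1] != new.rsplit(".", 1)[-1]


def detect_encryption_bursts(lines, window=WINDOW, threshold=RENAME_THRESHOLD):
    """Return one alert per host whose extension-changing renames reach
    `threshold` within any `window`-long span (sliding window per host)."""
    recent = defaultdict(deque)   # host -> timestamps of recent suspicious renames
    alerted = set()
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev["action"] != "RENAME" or not extension_changed(ev["path"]):
            continue
        q = recent[ev["host"]]
        q.append(ev["ts"])
        # Drop renames that fell out of the window.
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ev["host"] not in alerted:
            alerted.add(ev["host"])
            alerts.append({"host": ev["host"], "first_seen": q[0],
                           "count": len(q)})
    return alerts


if __name__ == "__main__":
    for alert in detect_encryption_bursts(SAMPLE_EVENTS.splitlines()):
        # A real deployment would hand this to the containment playbook
        # (isolate the host, disable its file-share sessions) rather than print.
        print(f"ALERT: {alert['host']} renamed {alert['count']} files "
              f"with new extensions since {alert['first_seen']}; contain now")
```

The rule keys on the extension change rather than on a known bad extension, so it does not depend on the signature database being current, which complements the signature and threat-intelligence updates the detection step calls for. Legitimate bulk operations such as migrations will also trip it, so the alert should feed a triage step rather than automatic isolation until the threshold has been tuned.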

User education

To further strengthen the protection afforded by following these steps, it’s vital that organisations work to ensure all staff are aware of the threats posed by ransomware and their role in preventing an attack.

Sessions should be conducted where the mechanics of how an attack takes place are explained. Emphasis should be placed on the importance of not clicking on unknown email links or opening unexpected attachments.

Humans will always be the weakest link when it comes to cybersecurity, so regular education sessions are critical. This is particularly important with a larger-than-usual number of people working from home, where they may take a more relaxed approach to IT security in general.

Ransomware will continue to evolve and represent a significant threat to organisations of all sizes. Taking time to prepare today may well save considerable disruption and costs in the future.