Ransomware – When and How? And How to Protect Your Business


(By Taslim Khan. This article was originally published in the July 2023 edition of This is Queensborough and has been slightly amended for this format.)

Ransomware is not a question of if, but when. Our intention is not to create unrest or panic among businesses and readers, but to prepare you: ransomware attacks are a reality today, and businesses of all sizes are targets. A small firm with 5 employees is just as much a target as multi-billion-dollar companies such as Target, Sony, T-Mobile and Yum Brands (KFC, Taco Bell, Pizza Hut). 60% of small to medium businesses (SMBs) have experienced a data breach, and every business, whatever its size, is exposed to ransomware. Even municipalities and city governments have had to pay large ransoms to free their networks. The list, very unfortunately, is long and still growing. To the threat actors a dollar is a dollar, from every source, large and small, private or government, for-profit or non-profit. Ransomware is an equal opportunity offender.

HOW & WHEN?

So, let’s take a look at how ransomware works. In almost every case there was a sleeper agent, an initial foothold of malware or stolen credentials, planted in the network typically 6 to 12 months before the actual attack was initiated. This agent monitors traffic and analyzes data. The threat actors, the bad guys, gather all the critical business and financial data, including daily financial transactions, deposits and bank balances, which also tells them what the business can afford to pay. Once enough information has been gathered and a plan of attack is solidified, the attack takes place.

90% of ransomware attacks are initiated through an email. Typically, an email is sent to many users on the network. The sender is spoofed so that the message looks like it came from a reliable, trusted source; it could be made to look like it is coming from the CEO or the CFO of the company, with their name in the sender address. It carries an embedded link and instructions such as “Hey Joe, yes this invoice is approved, please remit payment”. Once that link is clicked, the malware is on the machine. From there the attackers spread through the network and, when they are ready, trigger the encryption: the network and the server(s) are completely locked down, and a message appears on the user’s screen with instructions for making the ransom payment. Unless that payment is made, the network stays locked and your business comes to a screeching halt.
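The lure described above has tell-tale signs that can be checked mechanically before anyone clicks: a sender domain that only resembles the company's own, a Reply-To that points somewhere else, and a link whose visible text does not match where it actually goes. The following Python script is an added example written for this article, not code from the original page; the message, the domains (example-corp.com, examp1e-corp.com, mail-relay.example.net) and the IP address are constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample lure of the kind described above (hypothetical domains,
# not a real message): CEO display name, look-alike sender domain, a Reply-To
# pointing elsewhere, and a link whose text does not match its target.
SAMPLE_LURE = """\
From: "Jane Doe (CEO)" <jane.doe@examp1e-corp.com>
Reply-To: payments@mail-relay.example.net
To: joe@example-corp.com
Subject: Re: Invoice 4471 approved
Content-Type: text/html; charset=utf-8

<html><body>
<p>Hey Joe, yes this invoice is approved - please remit payment:</p>
<p><a href="http://198.51.100.23/pay/example-corp.com/invoice">https://portal.example-corp.com/invoice/4471</a></p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike domains (examp1e vs example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze(raw_message, internal_domain):
    """Return a list of (code, detail) findings; an empty list means no red flags."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    _name, from_addr = parseaddr(str(msg["From"] or ""))
    from_dom = domain(from_addr)
    if from_dom != internal_domain:
        findings.append(("external-sender", f"From domain is {from_dom}"))
        if 0 < edit_distance(from_dom, internal_domain) <= 2:
            findings.append(("lookalike-domain", f"{from_dom} resembles {internal_domain}"))

    reply_to = msg["Reply-To"]
    if reply_to:
        _name, reply_addr = parseaddr(str(reply_to))
        if domain(reply_addr) != from_dom:
            findings.append(("reply-to-mismatch", f"replies go to {domain(reply_addr)}"))

    # Compare each link's visible text with its real destination host.
    body = msg.get_body(preferencelist=("html", "plain"))
    extractor = LinkExtractor()
    extractor.feed(body.get_content() if body else "")
    for href, shown in extractor.links:
        target_host = (urlparse(href).hostname or "").lower()
        shown_host = ""
        if shown.startswith(("http://", "https://")):
            shown_host = (urlparse(shown).hostname or "").lower()
        if shown_host and shown_host != target_host:
            findings.append(("link-mismatch", f"text shows {shown_host}, target is {target_host}"))
    return findings


if __name__ == "__main__":
    for code, detail in analyze(SAMPLE_LURE, "example-corp.com"):
        print(f"{code}: {detail}")
```

Run against the constructed lure it reports all four red flags; the same checks are what a mail gateway rule or a user-facing "external sender" banner is built on, and none of them require looking at the attachment or following the link.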



How to protect your business?

To secure your network and protect your business, a multi-pronged approach is required.
First, you must consider managed IT infrastructure and services from an MSP (Managed Service Provider), plus Disaster Recovery as a Service (DRaaS) and Backup as a Service (BaaS) from an MSSP (Managed Security Service Provider). Both of these providers should maintain a geo-diverse, multi-location SOC (Security Operations Center), preferably with global locations.

Extra manpower

These MSPs and MSSPs are staffed by 40 to 50 security engineers and specialists per location. They monitor all traffic and every deployed endpoint in production, in real time, 24/7/365. With eyes on the glass round the clock, threats are dealt with and mitigated in real time, before they reach your network. Your business infrastructure is always monitored and protected, and the people protecting it are never closed, not on Christmas and not on New Year’s Eve.

This is the maximum protection your dollars can buy to secure your assets and protect your business. The security fortress can be quite elaborate and multi-layered. However, there are some absolute basic necessary measures that must be implemented.
They are as follows:

For your network:

  1. Next Generation Managed Firewall – for your entire network infrastructure,
  2. Endpoint Detection & Response (EDR) – for all your servers, desktops and laptops,
  3. Threat Intelligence Management Service – this blocks known-bad indicators (malicious domains, IP addresses and file hashes) before they can reach your network or firewall.

For Back-up and Disaster Recovery:

  1. Backup as a Service (BaaS) & Disaster Recovery as a Service (DRaaS) – for your servers,
  2. Backup as a Service (BaaS) – for your email.

Again, network security is like Swiss cheese: every layer has holes in it. You need multiple layers of services, from multiple different vendors, so that one layer covers the holes in another. How deep you want to go is up to your threat and risk tolerance.

Implementing the above services will significantly improve your security posture and protect your network. However, if you have been mandated to implement stricter security measures, for example by a regulator or by a cyber security insurance policy, then you may have to implement further network security measures. Please consult a cyber security specialist to discuss your options.


How to establish if you are affected by a data breach – and what to do next



Think you’ve been involved in a data breach?
This post can help you find out where and when, and it lists a suggested course of action.
THE SOURCES AND COMPONENTS OF A BREACH
Generally speaking, there are 3 types of data breaches: A) A physical breach, which involves the theft of documents or equipment such as PCs, POS systems and bank cardholder receipts. B) An electronic breach, where a network is deliberately attacked. C) Skimming, where the data on the magnetic stripe of payment cards is captured and recorded by a device fitted to a POS terminal or fuel pump.

Which type of breach happens most frequently? If we know that, we can take action. According to DarkReading, a leading online source of cyber security information, the 3 most common sources of data breaches in 2021 were:

1) Phishing or stolen credentials as a result of a cyber-attack (87%)

2) A mistake, such as a lost device or a misconfigured system (10%)

3) A physical attack, such as a skimmer at a gas station pump that steals payment card data (3%). Over a third (38%) of data breaches did not reveal the root cause of the compromise (not specified, unknown, or not available), a 190% increase since 2020. (DarkReading, 02/04/2022)

This means that 97% of attacks are, theoretically speaking, mostly preventable, since much can be done to prevent attacks and human error.

THE IMPACT OF A BREACH
Depending upon the type of data involved, a breach can result in:
  1. Destruction or corruption of databases,
  2. The exposure of sensitive and confidential information,
  3. Theft of intellectual property,
  4. Regulatory requirements to notify, and possibly compensate, those affected.

Consumers want to do business with companies they deem safe, so a known cyber incident will damage the reputation of a business and lead to loss of clientele.

This culminates in statistics that are hard to digest: 60% of small businesses shut down within six months of an attack, and larger companies report an average loss of $4.24 million per attack.

Moreover, what makes attacks difficult to deal with is not only the loss of data, money and trust but also the psychological impact of the incident itself, leaving the executive team feeling that they have been robbed.


 
YOU ARE NOT ALONE

According to the Identity Theft Resource Center’s 2021 Data Breach Report, there were 1,862 data breaches in 2021, a 68% increase compared with 2020, shattering the previous record of 1,506 set in 2017. The reason for this increase, according to PBS, is that more companies are choosing to pay the ransom to get their data back, which encourages the criminals.

Statistics show that the largest share of cyber attacks in Q4 of 2021 hit the finance industry (17%), closely followed by healthcare (14%), professional services (13%), public administration (12%), information (11%) and manufacturing (9%).

HOW TO FIND OUT IF YOU WERE BREACHED

Some telltale signs that you might be under attack are the following:

  • Notices of failed login attempts – a sign that someone is trying to guess or reuse your credentials.
  • Unauthorized downloads: an application you do not remember downloading suddenly appears.
  • The cursor moves by itself.
  • Your antivirus software is disabled.
  • Your contacts start to receive strange messages from you.
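Failed login notices are only useful if someone looks at the pattern behind them: many failures from one address against one account (brute force), one address trying a few accounts each (password spraying), and above all a success that follows a burst of failures. The following Python script is an added example written for this article, not code from the original page; it runs the three checks over a constructed sshd-style log excerpt (hypothetical hosts and addresses from the documentation IP ranges).

```python
import re
from datetime import datetime, timedelta

# Constructed sample of sshd-style authentication log lines (hypothetical
# addresses from the documentation ranges), not a real log.
SAMPLE_LOG = """\
2024-03-04T02:14:07 sshd[1182]: Failed password for admin from 203.0.113.9 port 51234 ssh2
2024-03-04T02:14:11 sshd[1182]: Failed password for admin from 203.0.113.9 port 51235 ssh2
2024-03-04T02:14:15 sshd[1182]: Failed password for admin from 203.0.113.9 port 51236 ssh2
2024-03-04T02:14:19 sshd[1182]: Failed password for admin from 203.0.113.9 port 51237 ssh2
2024-03-04T02:14:23 sshd[1182]: Failed password for admin from 203.0.113.9 port 51238 ssh2
2024-03-04T02:14:27 sshd[1182]: Failed password for admin from 203.0.113.9 port 51239 ssh2
2024-03-04T02:14:31 sshd[1182]: Accepted password for admin from 203.0.113.9 port 51240 ssh2
2024-03-04T03:01:02 sshd[1190]: Failed password for invalid user alice from 198.51.100.77 port 40001 ssh2
2024-03-04T03:01:05 sshd[1190]: Failed password for bob from 198.51.100.77 port 40002 ssh2
2024-03-04T03:01:09 sshd[1190]: Failed password for carol from 198.51.100.77 port 40003 ssh2
2024-03-04T03:01:12 sshd[1190]: Failed password for dave from 198.51.100.77 port 40004 ssh2
2024-03-04T08:30:44 sshd[1201]: Failed password for joe from 192.0.2.5 port 50010 ssh2
2024-03-04T08:30:52 sshd[1201]: Accepted password for joe from 192.0.2.5 port 50011 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_log(text):
    """Turn log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({
                "ts": datetime.fromisoformat(m["ts"]),
                "result": m["result"],
                "user": m["user"],
                "ip": m["ip"],
            })
    return events


def detect(events, window=timedelta(minutes=5), fail_threshold=5, spray_users=3):
    """Flag brute force, password spraying and a success that follows a burst of failures."""
    events = sorted(events, key=lambda e: e["ts"])
    alerts, raised = [], set()

    def raise_once(kind, ip, **extra):
        # One alert per (type, source) so a long attack does not flood the output.
        if (kind, ip) not in raised:
            raised.add((kind, ip))
            alerts.append({"type": kind, "ip": ip, **extra})

    for i, ev in enumerate(events):
        # Earlier failures from the same source inside the look-back window.
        recent_fails = [
            p for p in events[:i]
            if p["ip"] == ev["ip"] and p["result"] == "Failed" and ev["ts"] - p["ts"] <= window
        ]
        if ev["result"] == "Failed":
            burst = recent_fails + [ev]
            if len(burst) >= fail_threshold:
                raise_once("brute-force", ev["ip"], user=ev["user"], failures=len(burst))
            users = {f["user"] for f in burst}
            if len(users) >= spray_users:
                raise_once("password-spray", ev["ip"], users=sorted(users))
        elif len(recent_fails) >= 3:
            # A login that succeeds right after repeated failures is the one to chase first.
            raise_once("success-after-failures", ev["ip"], user=ev["user"], failures=len(recent_fails))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the constructed excerpt the script raises three alerts (brute force and a success after failures from 203.0.113.9, a spray from 198.51.100.77) and stays quiet about the user who mistyped a password once from 192.0.2.5. The thresholds are assumptions to tune for your environment; what matters is that the success-after-failures case is treated as a confirmed compromise, not a notice.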

If you use a password manager service such as LastPass or Dashlane, take a look at the security dashboard it offers. It may also notify you.

A free online resource is the website HaveIBeenPwned.com. It was founded by Microsoft Regional Director Troy Hunt and holds a database that lets you check whether one of your email addresses appears in a known breach. Its Pwned Passwords service likewise lets you check a password without the password itself ever being sent to the site: only the first five characters of its SHA-1 hash leave your machine.

If you suspect a breach, we recommend you visit the site and enter all of your work and personal email addresses to verify if you have been compromised. The site will let you know their findings.
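Checking a password against Have I Been Pwned without disclosing it works by k-anonymity: you hash the password with SHA-1, send only the first five hex characters to https://api.pwnedpasswords.com/range/{prefix}, receive every known hash suffix with that prefix as SUFFIX:COUNT lines, and do the final comparison locally. The following Python script is an added example written for this article, not code from the original page or from the service; the range response embedded in it is constructed (the counts are made up) so the demonstration runs offline, and the live `fetch_range` function is only used if you call it yourself.

```python
import hashlib
import urllib.request

# Constructed stand-in for the service's response to /range/5BAA6, trimmed to
# a few lines. A real response lists every suffix seen for that prefix with
# its breach count; the counts below are made up for this example.
CONSTRUCTED_RANGES = {
    "5BAA6": (
        "1D2DA4053E34E76F6576ED1DA63134B5E2A:2\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
        "1F0A3C5F3A2D5A0A9E2B6C1E4D2F5A6B7C8:1\n"
    ),
}


def sha1_prefix_suffix(password):
    """Split the upper-case hex SHA-1 of the password into the 5-character prefix
    that is sent to the service and the 35-character suffix that never leaves
    your machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix, range_text):
    """Look for our suffix among the 'SUFFIX:COUNT' lines the service returns."""
    for line in range_text.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count or 0)
    return 0


def fetch_range(prefix):
    """Live lookup (needs network access). The prefix alone matches hundreds of
    unrelated hashes, so it does not identify the password being checked."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "pwned-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def offline_lookup(prefix):
    """Offline substitute for fetch_range that serves the constructed data above."""
    return CONSTRUCTED_RANGES.get(prefix, "")


def times_seen(password, lookup=fetch_range):
    """How many times the password appears in known breaches (0 = not found)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range(suffix, lookup(prefix))


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(f"{pw!r}: seen {times_seen(pw, offline_lookup)} times (constructed data)")
```

To check a real password, call `times_seen(pw)` with the default `fetch_range`; the only thing that crosses the network is the five-character prefix, which is the whole point of the design. A non-zero count means the password is already in attackers' wordlists and must not be used anywhere.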


 
If you think you have been hacked, take the following steps in order of importance:
  1. Secure your operation (Source: Data Breach Response: A guide for Business):
    • Secure physical areas suspected to be related to the breach. Unfortunately, a breach can also come from inside.
    • Mobilize your response team.
    • Assemble a team of experts to conduct a comprehensive breach response: identify a data forensics team and consult with legal counsel. Do not destroy evidence.
    • Stop additional data loss by monitoring inbound and outbound traffic.
    • Change all of your passwords as soon as possible and make sure the new passwords are strong. This may prevent further damage.
    • Remove improperly posted information from the web.
    • Interview people who discovered the breach.
  2. Notify employees. The attack may still be underway.
    • What happened
    • How you are fixing the issue
    • Steps they must take to protect themselves
  3. Notify your cloud provider and your MSP or IT vendor so they can assist you. Make sure the best-trained IT personnel are handling your case. This is the virtual-world equivalent of your house being on fire.
  4. Never pay a ransom. Contact local law enforcement instead and file a police report as soon as you can after the breach has been contained.
  5. Assess and contain the damage. Ensure your damage control team activates your disaster recovery or business continuity plan.
    • Use your checklist:
      • Is the breach contained?
      • What has been damaged?
      • What steps are we taking next?
      • Who needs to know – if confidential data was exposed take steps to notify those who are potentially impacted as well as the appropriate government agencies.
  6. Take data restoration steps. This is different for every company.
    • Take systems offline until security updates can be applied.
    • Restore files from back-up.
    • Enable multi-factor authentication.
    • Ensure all passwords are changed on all endpoints.
  7. Notify customers and consumers. If you post on social media notify followers, friends and family members.

While this might feel counterproductive, communicating with the outside world takes power away from the hackers. Most hackers attempt to extort funds by leveraging the access they have gained, and they do so by scamming or blackmailing you or your customers through social engineering, creating a chain of victims in which each contact is affected in turn. Second, hackers might post sensitive content on your own profile; if you are an employee or hold an important position, this can damage your reputation. Write a short note explaining that you have been hacked, and ask your contacts to let you know as soon as they see suspicious activity while you are mitigating the incident.


 
AFTER THE FIRE HAS BEEN PUT OUT – WHAT TO DO TO PREVENT FUTURE BREACHES

After the attack, take the following steps:

  1. Fully understand your risk profile – every industry has particular attack vectors and holds information that is valuable to the organization, and therefore to an attacker. Identify and classify the different cyber attack scenarios.
  2. Enforce policy and train staff.
  3. Make sure to back-up critical information offline.
  4. Invest intelligently in security solutions.

To read more, please see this brief from the CISA, listing the steps to take to prevent ransomware attacks.

