Following high-profile attacks in the US, ransomware is cyber enemy no. 1 on the world stage, with international law enforcement operations, task forces, and industry coalitions aiming to bring the ransomware economy down. However, while every company has a responsibility to prepare for ransomware attacks, having tunnel vision and forgetting other attack vectors is a risk in itself.
What is ransomware?
Throughout our series on the main cyber and data security threats of 2022, we’ve been using (and will use) the analogy of a house to help explain how different attacks work. So how does ransomware work?
Imagine someone knocks on your front door, claiming to be a traveling salesman. You let them in and proceed to the kitchen. You realize that they look around carefully while walking through the different rooms of your house. Once in the kitchen, after a few minutes of conversation, they ask to use the lavatory. As soon as they step out of the kitchen, they slam the door and lock you in. The “salesman” then slips a note under the door, asking you to pay them a fee to be released and be able to access the rest of your house again. (Hey, while your kitchen may have windows, the one in this analogy doesn’t.)
However, while you’re locked up and contemplating what to do, the extortionist is going through every inch of your house to find useful data. Bank statements? Check! The key to and address of your safety deposit box? Check! Your social security number? Check! If they feel like it, they may also start to destroy your furniture and trash your house while they’re at it.
Eventually, you decide to pay the ransom. Your attacker lets you out, but your house is still trashed, and now they’re demanding money to not take all the sensitive information they’ve found in your house and sell it to the highest bidder. You cave in and pay the second ransom but don’t realize they’ve photocopied everything and can still use it for whatever they want.
This almost endless cycle of things getting worse is what makes ransomware attacks so damaging. Attackers will often extort their victims multiple times: once for the decryption key and again for not leaking the stolen data. Some malware presented as ransomware (so-called wipers) destroys files outright rather than encrypting them, so paying cannot restore access at all. Finally, in the digital world, there's no guarantee that the decryption keys the attackers hand over will actually work. So, after paying a ransom, companies can still face further costs: replacing hardware, data protection fines if personal data was affected by the breach, and general disruption to their business. Check out this video from the FTC to learn more.
On average, it takes businesses over 280 days to fully recover from a ransomware incident. This is what makes preventing them so important.
Best practices for defending against ransomware in 2022
Similar to most cyberattack methods, there’s no silver bullet to protect a company from every vulnerability. However, you can take several steps to prevent or mitigate the damage caused by a ransomware attack.
First things first, ransomware is most often delivered through social engineering attacks. In fact, the main reason we started this series with social engineering attacks is that they often serve as the starting point of more complex malicious activities. You can learn more about them and our tips for preventing them in our previous blog post. Education is your best bet for keeping unwanted attackers off your network. Clear policies that tell employees what to do in the event of suspicious activity are also vital to ensure a quick response to any threat.
Your firewall and antivirus solutions will be another vital layer of defense. This may be cybersecurity 101, but there is ample proof that some systems don’t get patches in a timely manner. Make sure to have robust solutions deployed on all devices connected to company networks. Keep everything up to date to ensure you are protected against previously discovered and patched vulnerabilities in any tools your team uses. Use device monitoring tools to ensure employees do not install unauthorized software on their computers and centrally force all company devices to restart and install OS updates within a reasonable time frame (24–72 hours).
Such cybersecurity monitoring tools (which are very different from employee surveillance solutions – a privacy discussion for another day…) are also key elements of your next layer of protection. Data suggests that many malicious actors do not deploy ransomware the moment they gain access to an enterprise network. These attackers can spend days snooping around internal networks to identify key targets, backup systems and file storage locations before they strike; others prefer to move quickly and cause general disruption by encrypting everything right away. During that dwell time, the attacker's reconnaissance leaves traces: one account authenticating to many hosts it never touched before, unusual access to file servers, scanning of internal ranges. With monitoring tools and a robust firewall in place, your security team has a good chance of identifying that suspicious traffic, blocking the compromised account, and purging the attacker from the network before they can do major damage.
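As an added example (not code from the original post, and not a Tresorit tool), here is a small detector for the reconnaissance pattern described above: a single account fanning out to many distinct internal hosts within a short window. The log lines are constructed for the example, and the window and threshold are assumptions a team would tune to its own environment.

```python
"""Detect one account touching many distinct hosts in a short window.

Added example; the log format, the 5-minute window and the 5-host threshold
are assumptions for illustration, not values from the original post.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of authentication events (not real logs):
# timestamp, account, target host, outcome. "alice" fans out to six hosts
# in under a minute, including a backup server and a domain controller;
# "bob" behaves normally.
SAMPLE_LOG = """\
2022-03-01T09:00:05 user=alice host=FS01 result=success
2022-03-01T09:00:09 user=alice host=FS02 result=success
2022-03-01T09:00:12 user=alice host=FS03 result=failure
2022-03-01T09:00:15 user=alice host=HR-DB result=success
2022-03-01T09:00:20 user=alice host=BACKUP01 result=success
2022-03-01T09:00:23 user=alice host=DC01 result=success
2022-03-01T09:15:00 user=bob host=FS01 result=success
2022-03-01T10:30:00 user=bob host=PRINT01 result=success
"""


def parse_line(line: str) -> dict:
    """Turn 'TS key=value key=value ...' into a dict with a datetime 'ts'."""
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts_str)
    return rec


def parse_log(text: str) -> list:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def fan_out_alerts(events: list, window=timedelta(minutes=5), threshold=5) -> dict:
    """Return {user: hosts} for every account that reached at least
    `threshold` distinct hosts inside some sliding window of length `window`.
    Failed logons count too: a failed attempt still shows the host was probed."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    alerts = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        best = set()
        start = 0
        for end in range(len(evs)):
            # shrink the window from the left until it fits
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            hosts = {e["host"] for e in evs[start:end + 1]}
            if len(hosts) >= threshold and len(hosts) > len(best):
                best = hosts
        if best:
            alerts[user] = best
    return alerts


if __name__ == "__main__":
    for user, hosts in fan_out_alerts(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT {user}: {len(hosts)} hosts in window -> {sorted(hosts)}")
```

The natural response to an alert is the one the paragraph describes: disable the account, isolate the hosts it reached, and only then investigate. In a real deployment the events would come from the domain controller or SIEM rather than an inline string, and the baseline would be per-account rather than a single global threshold.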
Finally, and possibly most importantly, always back up your data. Have multiple backups and keep several versions of each file, so that a version written before the attack is always available. Beyond local backups, ensure all vital company data, software settings, profiles, etc. are also saved to storage that the company network cannot reach directly (offline media or otherwise isolated storage), because attackers who spend time inside a network routinely look for reachable backups and encrypt or delete them first. Test that you can actually restore from those backups; an untested backup is a guess. While backups may not stop attackers from stealing data, not all ransomware attacks actively aim to exfiltrate data from organizations. But even in cases when they do, a backup can help you and your team get back up and running quickly, limit any potential data loss, ensure your operations remain auditable and help you keep company data safe.
A ransomware attack can be damaging enough in itself. However, if a company is proven to have been unprepared, the reputation loss may be beyond repair.
Where does end-to-end encryption come in?
Interestingly, utilizing end-to-end encrypted storage solutions, such as Tresorit, can help you fight back against ransomware attacks. First, Tresorit can help you block malicious third parties from gaining access to and reading sensitive files. As all data stored in Tresorit is encrypted before it leaves the client, an attacker who reaches the storage side cannot read it, and if employee roles and access levels are set up on a need-to-know, need-to-access basis, a compromised account only exposes the files that account is allowed to decrypt. (However, it should be noted that files synced to a local disk are still exposed to ransomware running on that infected device.)
The most important element of Tresorit's ransomware protection tools is version tracking. Tresorit stores multiple previous versions of all files stored on our servers. In the event of a ransomware attack, users can roll back their files to the last unaffected version quickly and get back to work.
Furthermore, the ability to permanently delete files can be controlled on an admin level. This means that even if attackers tried to delete any files stored in Tresorit through the desktop client of an infected device, their attempts could easily be countered by restoring files. Read about how you can use Tresorit to recover from a ransomware attack on our Knowledge Base.
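To make the versioning, soft-delete and admin-gated purge ideas from the last three paragraphs concrete, here is an added example of a minimal in-memory versioned store. It is illustration code written for this post, not Tresorit's implementation; the entropy-based "does this version look encrypted" check and the 7.0 bits/byte threshold are assumptions, and the file contents are constructed.

```python
"""Minimal versioned store with rollback to the last clean version.

Added example, not Tresorit code. Assumptions: every write keeps the old
version; a client-side delete only hides the file; only an admin can purge
version history; a version whose bytes have Shannon entropy above
ENTROPY_THRESHOLD bits/byte is treated as ransomware output (ciphertext is
near 8.0, ordinary documents are far lower).
"""
import math
import os
from collections import Counter
from datetime import datetime

ENTROPY_THRESHOLD = 7.0  # bits per byte; assumption for the example


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes) -> bool:
    return shannon_entropy(data) > ENTROPY_THRESHOLD


class VersionedStore:
    def __init__(self):
        self._versions = {}    # path -> list of (timestamp, bytes), oldest first
        self._deleted = set()  # soft-deleted paths; history is kept

    def write(self, path: str, data: bytes, ts: datetime) -> None:
        self._versions.setdefault(path, []).append((ts, data))
        self._deleted.discard(path)

    def read(self, path: str) -> bytes:
        if path in self._deleted or path not in self._versions:
            raise FileNotFoundError(path)
        return self._versions[path][-1][1]

    def delete(self, path: str) -> None:
        """What an infected desktop client can do: hide the file, nothing more."""
        if path not in self._versions:
            raise FileNotFoundError(path)
        self._deleted.add(path)

    def restore(self, path: str) -> None:
        self._deleted.discard(path)

    def purge(self, path: str, actor_is_admin: bool) -> None:
        """Permanent deletion of all versions, gated on an admin decision."""
        if not actor_is_admin:
            raise PermissionError("permanent deletion is restricted to admins")
        self._versions.pop(path, None)
        self._deleted.discard(path)

    def rollback_to_last_clean(self, path: str, now: datetime) -> datetime:
        """Re-publish the newest version that does not look encrypted.
        Returns the timestamp of the version that was promoted."""
        for ts, data in reversed(self._versions[path]):
            if not looks_encrypted(data):
                self.write(path, data, now)  # rollback is itself a new version
                return ts
        raise ValueError(f"no clean version of {path} to roll back to")


def recover_sample() -> bytes:
    """Walk through an attack on one file and return the recovered content."""
    store = VersionedStore()
    store.write("report.docx", b"Quarterly report draft v1 ...", datetime(2022, 3, 1, 9, 0))
    good = b"Quarterly report draft v2 with final numbers ..."
    store.write("report.docx", good, datetime(2022, 3, 1, 10, 0))
    # Ransomware on the endpoint overwrites the synced file with ciphertext
    # (constructed here as random bytes) and then tries to delete it.
    store.write("report.docx", os.urandom(4096), datetime(2022, 3, 2, 3, 0))
    store.delete("report.docx")
    try:
        store.purge("report.docx", actor_is_admin=False)  # the client is not an admin
    except PermissionError:
        pass
    store.restore("report.docx")
    store.rollback_to_last_clean("report.docx", now=datetime(2022, 3, 2, 9, 0))
    return store.read("report.docx")


if __name__ == "__main__":
    print(recover_sample().decode())
```

Two design points carry over to any real product: the rollback must never discard history (here it appends rather than truncates, so an attacker who triggers a "rollback" cannot use it to destroy evidence), and the purge decision belongs to an administrator who is not the same principal as the possibly infected client.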
To help companies and individuals alike protect their data and the data they are entrusted with, we launched a series of blogs on Data Protection Day (or Privacy Day for our friends in the US) to discuss the major cybersecurity, and by extension, data security, threats of 2022. Read through our previous article to learn more, and check back over the coming weeks for more info about:
- back to basics – defining security, privacy, information security, and data protection in 2022;
- how social engineering (phishing, smishing) keeps becoming more sophisticated;
- how supply chain attacks, vulnerabilities in third-party software, and sideloading could affect businesses globally;
- how DDoS attacks are simple to carry out and extremely damaging;
- how man-in-the-middle attacks are now circumventing TLS encryption in certain settings.
We're exploring the tech behind each threat, what companies and individuals alike can do to counter them, and where end-to-end encryption can help. Watch this space.