How to Stop Ransomware?

Should you pay the ransom? The answer to a million-dollar question

Some of the most valuable companies today are those that collect, analyze, and sell data. But not just them: every business processes and stores critical data. Data is the new oil. It is very, very valuable to businesses. Cybercriminals are well aware of that; it is why they try to get access to it. The most common and most profitable cyberattack used to get hold of your data is ransomware.

Why so? Well, attacking is, from an investment perspective, fairly easy, and defending is very hard. A while ago, I read an interview with a young cybercriminal who said that he earns more than $300,000 a year just by using well-known vulnerabilities, tools, and exploits found on the Internet. On the other hand, you have to do a lot to defend against these kinds of attempts: maintain good patch hygiene, use detection and incident response tools and processes, and keep best practices in place across all your solutions. That can be overwhelming. And that is why many organizations are not succeeding, while cybercriminals are successfully collecting their ransoms.

3 types of ransomware attacks

What is a ransomware attack? Ransomware is a cyberattack in which a cybercriminal extorts a ransom payment from the victim. These attacks can be divided into three types:

  1. Encrypt: In the first version of ransomware attacks, cybercriminals encrypted the victim’s data and extorted the victim in return for the decryption key. However, cybercriminals quickly figured out that companies that invest in security have backup servers. When the data was encrypted, the company simply deleted it, rebuilt the servers, and restored the data from backups. Basically, they laughed at the cybercriminals. Not for long.
  2. Encrypt and exfiltrate: In the second version of ransomware attacks, cybercriminals not only encrypt the data but also exfiltrate it. They extort victims not only by denying them access to the data, but also by threatening them: if the ransom is not paid, the victim’s data will be published. To detect such an attack, the security solutions in place need to be much more sophisticated, and the defenders need good knowledge of the data flows inside the organization.
  3. Steal and publish: Lately, a third version of ransomware attacks has been appearing, in which cybercriminals no longer encrypt the data at all; they only steal it and threaten to publish it. That makes it easier for cybercriminals to remain undetected. When the victim receives the ransom letter, they are usually left with a short period of time to determine whether the data was actually stolen. To do that, a detailed analysis of data loss must be performed, so the appropriate security tools have to be in place before the incident occurs. By reviewing what these tools recorded, incident responders can tell whether the cybercriminals are bluffing or have really stolen the data. Based on this information, the victim can decide whether to pay or not. The change in tactics is probably due to the fact that more and more companies focus on, or start with, endpoint security, which is easier and cheaper to implement and requires less maintenance than application security. With endpoint detection and response (EDR) tools, it is very easy to detect when someone is encrypting large numbers of files; on the other hand, it is much harder to detect data exfiltration. Detecting it requires security tools that monitor traffic patterns and perform user and entity behavior analytics (UEBA), meaning the tools learn how each user behaves and what their normal work operations look like, so that deviations stand out. Such tools are much more expensive and require far more maintenance. As statistics show, the main problem in cybersecurity is a lack of security experts, so it is understandable that not all companies are able to implement such sophisticated tools.
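To make the contrast between the two detection problems concrete, here is an added Python example (it is not from the article and not code from NIL or Conscia) with two toy rules over constructed telemetry: an EDR-style rule that flags a burst of file renames on one host, and a UEBA-style rule that flags outbound traffic far above a user's own historical baseline. The hosts, users, timestamps and byte counts are all invented.

```python
import statistics
from collections import defaultdict

# Constructed sample telemetry (invented for this example).
# FILE_EVENTS mimics an EDR feed: (timestamp_seconds, host, action).
FILE_EVENTS = [
    *[(t, "ws01", "rename") for t in range(1000, 1060)],  # 60 renames in 1 min
    *[(t * 30, "ws02", "modify") for t in range(1, 20)],  # one edit every 30 s
]
# OUTBOUND_MB mimics a per-user daily egress report; the last entry is today.
OUTBOUND_MB = {
    "alice": [120, 135, 110, 140, 125, 130, 118, 4200],  # sudden 4.2 GB upload
    "bob":   [60, 55, 70, 65, 58, 62, 66, 64],           # nothing unusual
}

def detect_encryption_burst(events, window=60, threshold=50):
    """EDR-style rule: flag hosts with >= threshold rename/modify events
    inside any sliding window of `window` seconds (mass encryption)."""
    per_host = defaultdict(list)
    for ts, host, action in events:
        if action in ("rename", "modify"):
            per_host[host].append(ts)
    flagged = set()
    for host, times in per_host.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:   # slide the window start forward
                lo += 1
            if hi - lo + 1 >= threshold:
                flagged.add(host)
                break
    return sorted(flagged)

def detect_exfil_anomaly(daily_mb, sigmas=3.0, min_history=5):
    """UEBA-style rule: compare today's outbound volume with the user's own
    baseline (mean + sigmas * stdev of earlier days). Returns user -> z-score."""
    flagged = {}
    for user, series in daily_mb.items():
        history, today = series[:-1], series[-1]
        if len(history) < min_history:      # not enough data to baseline
            continue
        mean = statistics.mean(history)
        stdev = statistics.pstdev(history) or 1.0  # avoid divide-by-zero
        if today > mean + sigmas * stdev:
            flagged[user] = round((today - mean) / stdev, 1)
    return flagged

if __name__ == "__main__":
    print("encryption burst on:", detect_encryption_burst(FILE_EVENTS))
    print("exfil anomalies (z-score):", detect_exfil_anomaly(OUTBOUND_MB))
```

The burst rule fires immediately on the noisy host, whereas the exfiltration rule only works because a per-user history already existed before the incident, which is the point the paragraph makes about having the tools in place beforehand.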

How to defend your data against ransomware attacks?

Most organizations correctly and regularly perform backups. By doing so, they are protected against the first version of ransomware attacks.

Defending against the second and third types of ransomware is a bit trickier. Sure, almost all organizations have some kind of security tools and processes implemented, but there is usually room for improvement.

My first recommendation is therefore an analysis of the existing security tools and processes. This will expose your weaknesses and show where improvement is needed. Because there can be quite a lot of improvements to implement, priorities must be set and scheduled in a three-year cybersecurity development plan. The improvements then have to be implemented, and the cycle has to be repeated on a yearly basis.

However, cybersecurity is very dynamic. You have to learn constantly to stay on top of the latest threats and solutions. This is very difficult, especially since it is very hard to find great cybersecurity professionals on the market. My final recommendation is therefore to engage security consultants from a Managed Security Service Provider (MSSP). It is the fastest and most cost-efficient way to boost your cyber defense capacity. By doing so, you do not have to spend your valuable time and money on educating security practitioners; your staff can simply ask for professional help when they need it. It is the same with nursing homes: they do not employ doctors, but they call one when needed.

NIL as an MSSP and NIL’s Security Operations Center (SOC)

At Conscia (NIL is part of the Conscia Group), we strive to improve the security of our customers by working with them side by side and adjusting to their needs and requirements. We have more than 25 security professionals who not only build their knowledge by working on diverse projects in Europe, the US, and the Middle East, but also hold many prestigious certifications (GCIH, GMON, GRID, GCFA, OSCP, CISSP, …).

Conscia also offers a 24/7 Security Operations Center (SOC) that can further improve detection capabilities in the customer environment. If you are interested in our work and the capabilities that we offer, you are more than welcome to visit our SOC where our security experts will give you an unforgettable experience. Make sure to knock at our door before the hackers come knocking at yours!

Author: Jakob Premrn, Cyber Security Analyst