Why the pandemic has been a catalyst for ransomware attacks and what to do about it

Published: Friday, 16 April 2021 09:13

Ryan Weeks discusses the results of a recent survey looking at ransomware trends and provides some advice to help organizations defend against and respond to such attacks.

As a result of the pandemic and the subsequent shift of workloads to the cloud, we are continuing to witness an increase in the number of ransomware attacks and the damage they are causing to businesses across the globe. A recent survey conducted by Datto confirmed the rise in attacks – with 42 percent of European managed service providers (MSPs) reporting that remote working due to COVID-19 has resulted in more ransomware incidents. The survey also revealed that increased security vulnerabilities are a direct result of fast adoption of cloud applications, as well as the record number of remote workers during the lockdown.

Conducted annually, Datto’s Global State of the Channel Ransomware Report also exposed the increasing impact that ransomware had on businesses during a time when many organizations were struggling to adapt to the unprecedented uncertainties caused by the pandemic. During the same period, the average ransom remained approximately the same year-on-year; however, the cost of system and business downtime related to ransomware incidents continued to rise – nearly doubling since 2019. On average, this figure is now 50 times greater than the ransom itself – increasing from $46,800 to $274,200 over the past two years – meaning many smaller businesses would struggle to survive a major ransomware attack.

Ransomware remains the leading malware threat

Ransomware remains the most common cyber security threat to SMEs: over 75 percent of the MSPs surveyed reported that their SME clients had been hit by ransomware in the past two years, with 60 percent saying their clients were affected in the first half of 2020. The survey also discovered that SMEs weren’t the only cyber attack targets.

Cyber criminals are increasingly targeting MSPs themselves, and 95 percent of MSPs reported that they believe their own businesses are more at risk. Most likely due to the increasing sophistication and complexity of ransomware attacks, almost half of MSPs now partner with specialised Managed Security Service Providers for IT security assistance. These partnerships serve a dual purpose – helping MSPs protect their clients, as well as their own businesses.

As an indication of the growing awareness of ransomware threats, half of the surveyed MSPs said that their clients had increased their IT security budgets in 2020. Although SMEs are spending more on security, ransomware remains a viable threat and is bypassing antivirus solutions such as email-, network- and web-based anti-malware filtering. In addition, many businesses have yet to close basic security gaps that leave their network vulnerable to attackers. Unfortunately, users are typically the weakest link in an organization’s security and continue to be the primary cause of successful ransomware attacks – phishing (54 percent), poor user practices or gullibility (27 percent), lack of end user security training (26 percent), and weak password and access management (21 percent).

Primary attack vectors

The Datto survey also revealed the main ways in which ransomware attacks businesses. As was seen in previous years, phishing emails remain the most common entry point – with more than 50 percent of MSPs reporting that malicious emails are the most successful tactic used to deliver ransomware. Since these emails have become more difficult to recognise, e.g., posing as internal messages, they continue to evade defences. Further, the social engineering tactics used by attackers to deceive victims have become so sophisticated that targeted spear-phishing emails are now virtually indistinguishable from legitimate emails.

In addition, cyber criminals are collecting an abundance of information about their victims from multiple sources such as posts shared on social media, fake market research phone calls, and other data that is readily available. Armed with personal information collected, the attacker can create spear-phishing emails using spoofed single sign-on pages, and mask phishing URLs with Unicode, resulting in a phony email that looks legitimate.
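As an added illustration of the Unicode URL masking mentioned above (example code, not from the article or from Datto), the following Python check flags link hostnames that are punycode-encoded, contain non-ASCII characters, or mix scripts within a single label. The function names are hypothetical and the sample URLs are constructed.

```python
import unicodedata
from urllib.parse import urlsplit

def decode_host(host):
    """Decode punycode (xn--) labels to Unicode; other labels pass through."""
    labels = []
    for label in host.split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except ValueError:
                pass  # malformed punycode: keep the raw label
        labels.append(label)
    return ".".join(labels)

def label_scripts(label):
    """Coarse script per letter, taken from the first word of its Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0]
            for ch in label if ch.isalpha()}

def check_url(url):
    """Return reasons a link's hostname deserves a second look (hypothetical helper)."""
    host = urlsplit(url).hostname or ""
    shown = decode_host(host)
    reasons = []
    if shown != host:
        reasons.append("punycode-encoded host")
    if not shown.isascii():
        reasons.append("non-ASCII characters in host")
    for label in shown.split("."):
        scripts = label_scripts(label)
        # Legitimate names in some languages mix scripts, so treat this as a
        # signal for review rather than a verdict.
        if len(scripts) > 1:
            reasons.append(f"mixed scripts in label {label!r}: {sorted(scripts)}")
    return reasons

if __name__ == "__main__":
    # Constructed sample links; U+0430 is CYRILLIC SMALL LETTER A.
    lookalike = "ex\u0430mple"
    samples = [
        "https://login.example.com/sso",
        f"https://login.{lookalike}.com/sso",
        "https://login.xn--" + lookalike.encode("punycode").decode("ascii") + ".com/sso",
    ]
    for url in samples:
        print(url, "->", check_url(url) or "no findings")
```

A check like this fits in a mail gateway or link-rewriting proxy, where flagged links can be held for review or rendered in their punycode form.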

Cloud applications are increasingly attractive targets

The second attack type is ransomware campaigns that target Software-as-a-Service (SaaS) applications. Nearly 25 percent of the surveyed MSPs reported ransomware attacks on their clients’ SaaS applications, with Microsoft 365 hit the hardest (64 percent), followed by attacks on Dropbox (54 percent), and Google Workspace (25 percent). To counter these attacks, businesses need appropriate recovery and continuity plans for their collaboration platforms.

The survey also looked at endpoint systems that are most frequently targeted by ransomware. MSPs reported that the majority of attacks affected Windows PCs (91 percent), followed by Windows Server (76 percent). Although ransomware may enter a network via a phishing email, the malware quickly sweeps across a company network infecting other systems. To minimise business interruption following an attack, companies need a business continuity solution that can recover server workloads locally or in the cloud.

Prepare and take action to reduce risks

With cloud adoption continuing to accelerate and cyber criminals looking for ways to refine their attack methods, it’s expected that the ransomware threat will intensify and evolve further. The Datto survey bears this out: 92 percent of MSPs predicted that ransomware attacks will continue at current or worse rates.

Organizations need to prepare and take action to tighten their security controls. As many workers continue to work remotely, companies need to do everything possible to maintain the highest security standards. Strategies include understanding how employees are connecting to the company network, limiting the use of personal devices for business purposes, as well as the use of business devices for personal activities. In addition, suitable defences must be deployed to workstations and VPNs, making it imperative that companies revisit security basics and software patching practices across all endpoints. Also, to remove one of the most common entry points, organizations need to encourage the use of secure password managers or two-factor authentication.

Finally, companies need to enhance employee cyber security training by going beyond identifying the most basic phishing emails. Every employee needs to have a clear understanding of their personal responsibilities in preventing cyber attacks which includes following appropriate password hygiene, not opening suspicious links or attachments, not posting sensitive information on social media, and immediately reporting any signs of malicious activity to the IT department.

Develop a solid business continuity strategy

While security software and training are essential to preventing attacks before they happen, a multi-layered security approach and a solid business continuity strategy are needed should an attack take place. To combat ransomware and resume normal operations as quickly as possible, companies should have business continuity and disaster recovery in place.

This approach was confirmed by the surveyed MSPs, with 91 percent reporting that clients with such solutions in place are less likely to experience prolonged downtime during an attack. In addition, re-imaging a machine from a backup – rather than rebuilding it from scratch – is now the preferred ransomware recovery method, as it is significantly faster.

Whether deliberate or accidental, insider threats are likely not only to continue but to increase. To prevent employees from willingly cooperating with hackers, businesses need to identify staff members who are potentially most vulnerable. If needed, they should increase monitoring of users’ endpoints, lower the threshold for triggering security alerts, and carefully monitor shadow IT to understand where data is entering and leaving the environment.

It’s also recommended that companies put controls around any tools accessed by employees, including chat platforms that haven’t been permitted for use. The popularity of collaboration tools also poses a risk because most users will automatically assume that the content they receive and share on these platforms is safe.

The pandemic and its resulting work practice changes have brought a multitude of new challenges. As a first step, every business should have a clear understanding of its cyber security posture, the implications, and the change in threat patterns. With a solid security strategy in place that tightens every layer of defence, organizations will be able to quickly adapt and ultimately minimise damage from ransomware and other cyber threats.

The author

Ryan Weeks is CISO at Datto.