To go straight to the PRE-Ransomware Checklist, click here.
There’s good news and bad news when it comes to ransomware attacks.
First, the bad news. 72% of businesses were hit by ransomware last year and the problem is getting worse. The number of attacks increased by 68% in 2023, setting yet another record. Cybercriminals have new—and cheaper—tools. The use of free or low-cost AI platforms has accelerated volume while Ransomware-as-a-Service lets hackers rent the tools they need to launch attacks, often for as little as $40.
Demands are up, too. Median demands in a ransomware attack are now at $600,000 although larger organizations are more likely to see ransomware demands topping $1 million per incident. The FBI catalogs ransomware attacks and reports that total losses in the U.S. in 2023 topped $59 million—a 74% increase from the previous year. Globally, organizations paid in excess of $1 billion in ransom demands.
The Center for Strategic & International Studies (CSIS) tracks significant cyber incidents where losses exceed a million dollars. In the past year, they’ve listed a dozen successful attacks with significant losses.
If you’ve managed to avoid such an attack so far, congratulations. For most organizations, however, it’s just a matter of time before you’re targeted.
The good news? Early detection and proactive measures can reduce the cost potential costs of cyber-attacks by up to a thousandfold. That starts with securing your infrastructure and planning for rapid recovery when an attack occurs.
The Most Common Entry Points for Ransomware
Despite awareness of cyber threats and years of training, employees continue to be vulnerable to phishing attacks—still the number one way data breaches start. Ransomware operators often use social engineering tactics, such as sending emails with malicious attachments or links that infect the victim’s system with ransomware or harvest credentials.
Other common attack vectors for ransomware include:
- Exploit kits: Exploit kits are software packages that scan for and exploit vulnerabilities in outdated or unpatched software, allowing the delivery of ransomware payloads.
- Remote Desktop Protocol (RDP) attacks: RDP is a proprietary protocol that allows remote access to a computer or server. Attackers can use brute-force attacks or stolen credentials to gain unauthorized access and deploy ransomware.
- Software vulnerabilities: Ransomware can exploit vulnerabilities in widely used software, such as operating systems, web browsers and applications, to gain a foothold and spread within a network.
- Removable media: Ransomware can also be delivered through infected USB drives, external hard drives or other removable media when connected to a computer.
- Malicious ads: Also known as malvertising, these malicious ads redirect users to websites that deliver ransomware or steal access credentials when visited.
- Drive-by downloads: Drive-by downloads occur when a user visits a compromised website that automatically downloads and installs ransomware without the user’s knowledge or consent.
Once criminals get inside your system, malware can replicate itself throughout the network, steal private or proprietary data and encrypt everything it can access.
Zero-Day Exploits
Vulnerabilities in software or systems that have yet to be discovered by suppliers are also on the rise. Threat actors exploit these zero-day security flaws before companies can apply patches or updates. Cybercriminals are increasingly probing systems to search for zero-day vulnerabilities to gain unauthorized access and deliver malicious payloads, such as ransomware.
Google researchers note a 50% increase in zero-day attacks in enterprise technology, many of which are state-sponsored cyber groups.
Third-Party Breaches
Another growing area of concern is third-party data breaches. 29% of breaches recorded have been attributed to connections with a third-party supplier. These attacks have become especially popular with cybercriminals, targeting SaaS companies, managed service providers, cloud services providers and other suppliers that work with large numbers of clients.
These attacks on organizations’ supply chains extend the blast radius. If they’re successful at infiltrating the third-party network, they may gain access to more down-the-line networks.
Take Proactive Measures to Mitigate the Damage from Ransomware
Before you fall victim to ransomware, you need to take proactive measures to protect your data and your organization.
According to the Cybersecurity & Infrastructure Security Agency (CISA), organizations should take action to protect themselves and prepare in case of a ransomware attack.
Encrypted Data Backups
Maintaining offline, encrypted backups of critical data and regularly testing their availability is crucial for ransomware preparedness. Organizations should maintain preconfigured system images and templates using infrastructure as code and storing backups offline for quick redeployment.
Downtime from a ransomware attack generally lasts more than 20 days. A regimented and strategic backup strategy is crucial to get back up and running.
Incident Response Planning
Creating an incident response plan for ransomware attacks is essential. The plan should include documented data breach notification procedures and assignments for key personnel. When an attack occurs, you must be ready to go and have a plan already in place to mitigate the damage.
Layered Defenses
Layered cybersecurity defense includes:
- Perimeter security
- Network security
- Endpoint security
- Application security
- Data security
Implementing least-privilege access controls and deploying a zero-trust strategy are crucial steps.
Keep Software Up-to-Date
Keeping software patched and updated is crucial. While it sounds simplistic, a Ponemon Institute report noted that 60% of data breaches involved an unpatched vulnerability, typically a known problem that had gone unaddressed. Many of the known attacks from the past two years date back to known vulnerabilities from as far back as 2010. Public patches had been released, yet never deployed.
One of the most famous ransomware attacks, WannaCry, targeted Windows computers using a legacy version of the Server Message Block (SMB) protocol — even though Microsoft had already issued a patch.
Create a Detailed Action Plan with our PRE-Ransomware Checklist
We’ve put together a PRE-Ransomware Checklist here to help you be better prepared and make recovery faster and easier. In this guide, you will learn key steps to strengthening your resiliency. The checklist includes actionable recommendations for immediate, short-term, and long-term steps regarding:
- Backup architecture
- Data protection
- Operational impact
Don’t become yet another victim of ransomware. Download our PRE-Ransomware Checklist today to get started.
Contact Threadfin directly here.