The state of ransomware and its impact on the market and global politics
On February 27, the United States Marshals Service suffered a ransomware attack. The incident affected systems containing legal process statements, administrative information, and personal identification data of the agency, which handles, among other functions, federal prisoners in the U.S. At the beginning of the same month, the FBI also suffered an attack that affected the system used for investigations of child sexual exploitation images. Also in February, La Segunda Seguros, one of Argentina's largest insurance companies, was the victim of a LockBit ransomware attack. This type of threat plays a growing role, and these cases put concrete names to it.
What is ransomware and how does it affect the global market?
Ransomware is one of the most common types of cyberattack: it blocks access to computer resources (information, systems or networks), usually to extort money from the affected organization. Occasionally it is used instead to temporarily interrupt the operation of companies or government agencies, such as those mentioned above, or to damage their public image and credibility.
Typically, it begins with phishing: a user follows a link in a fraudulent email, or a security control fails to stop a virus or some other kind of intrusion into the attacked organization's infrastructure.
Since 2019, ransomware vulnerabilities have grown 466%. In addition, 10 of the 13 vulnerabilities exploited in the last six months are critical.
Other significant findings point out that solutions such as Nessus, Nexus and Qualys could not pre-emptively identify 18 risks linked to ransomware. The growth of this type of attack significantly affects the global market: it cuts commercial flows, exchanges of critical information and production processes, with a high impact on supply chains, and it forces organizations to allocate huge resources to prevention, safeguarding and disaster recovery strategies that consume a lot of budget, time and staff.
Ransomware in international politics
47.4% of ransomware vulnerabilities affect healthcare systems, 31.6% affect energy systems and 21.1% affect critical industrial sectors. These three targets, which are not the only ones, largely coincide with strategic areas involved in cyberwar actions such as the one that today directly involves Russia and Ukraine. Undoubtedly, telecommunications networks and the servers of computer systems are battlefronts added to the traditional ones.
The current armed conflict affects many economic sectors and opens the door to countless transactions through informal channels, in an attempt to overcome the restrictions derived from the political and military actions involved. All this provides the substrate for an intensification of cyberattacks, which in turn forces organizations to strengthen their vulnerability management and cybersecurity strategies even when they are not taking part in the conflict. Thus, the consequences of the intersection between war and cyberwar end up transcending the conflict and constitute a new level of risk for organizations in general.
According to Recorded Future's analysis, Russia is experiencing a wave of computer brain drain that is likely to decentralize the organized cybercrime threat landscape, directly impacting information security challenges in the coming years.
Defensive strategies against these threats
To prevent or reduce the impact of attacks, it is essential to deploy a cybersecurity hygiene strategy that includes:
- Backing up data frequently. An adequate disaster recovery strategy, with backup procedures suited to the characteristics and needs of each organization, is essential in case everything else fails. Even today there are large companies that make backups once a week; imagine an attack that blocks all operational business information. If the organization decides not to negotiate with the attackers and not to give in to extortion, it will have to manually reconstruct what happened over 5, 6 or 7 days. It is very likely that data will be lost in the process and that errors and inconsistencies will take a lot of time and effort to correct.
At the same time, continuously storing large volumes of information can be costly and unproductive, which is why the backup design must be tailored to each particular scenario.
- Keeping systems updated. Systems and equipment (computers and network devices, as well as other Internet-connected devices that run some type of firmware) must always be kept up to date, because attackers who rely on ransomware are skilled enough to exploit any back door or vulnerability to get in and begin their harmful activity.
- Implementing a set of complementary measures, such as an identity and access management policy combined with zero-trust principles, helps to set up a good entry barrier.
- Training and preparing staff in cybersecurity so that they do not fall into the traps of phishing or social engineering, the two main routes of entry for ransomware. The combination of unawareness and distraction is often fatal in the face of the increasing sophistication of this type of attack.
The old unwanted emails, poorly made and almost unreadable, and usually carrying viruses, have been replaced by very elaborate lures, enriched with social engineering techniques that put even the most experienced user in check. That is why training must go hand in hand with practice, so that protection is more effective.
What to do in the face of an effective attack?
When faced with a ransomware attack, there are two paths: negotiate or ‘shut down everything’. The majority consensus, and the recommendation of government agencies, is not to negotiate; however, out of desperation, some organizations make payments in cryptocurrencies, trusting that they will recover access to their information or their systems. Sometimes it works, but not always.
When there is evidence of an incident, equipment and networks must be disconnected from the Internet immediately. This can be done by the user, the network administrator or the IT security manager, depending on the case. Depending on the characteristics of the attack, this can limit the extent of the damage and mitigate the impact. It is very important that the cybersecurity strategy includes a correctly designed protocol, communicated to all personnel, which states clearly what must be done and who holds each of the required roles.
For both prevention and immediate action after an attack, having the right solutions is one of the fundamental keys to operational continuity and minimising losses.
There are several options for preventing and responding to the challenge presented by ransomware as a type of malware. Acronis, for example, offers Active Protection, a solution that constantly monitors behavior patterns affecting the files of a given system environment, which is a very powerful tool for identifying this type of attack. This is complemented by the company's backup capabilities (Acronis Cyber Backup), which come into play after the offending processes are interrupted once an incident is detected.
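As an added illustration of the kind of file-behavior monitoring described above (example code written for this page, not Acronis code): a small Python heuristic that flags a process which writes to and renames many files within a short window, while leaving a backup job that only writes files alone. The log format, process names and paths are constructed.

```python
from collections import defaultdict

WINDOW_SECONDS = 60     # per-process look-back window for the heuristic
MIN_FILES = 5           # distinct files written in the window before we alert
MIN_RENAME_RATIO = 0.5  # share of those files also renamed (new extension)

# Constructed file-activity log (not real telemetry): "ts process path action".
SAMPLE_LOG = """\
100 libreoffice /home/ana/report.odt write
200 backupd /srv/backup/a.bin write
201 backupd /srv/backup/b.bin write
202 backupd /srv/backup/c.bin write
203 backupd /srv/backup/d.bin write
204 backupd /srv/backup/e.bin write
300 tmp7f3 /home/ana/report.odt write
300 tmp7f3 /home/ana/report.odt rename
301 tmp7f3 /home/ana/photo.jpg write
301 tmp7f3 /home/ana/photo.jpg rename
302 tmp7f3 /home/ana/notes.txt write
302 tmp7f3 /home/ana/notes.txt rename
303 tmp7f3 /home/ana/budget.ods write
303 tmp7f3 /home/ana/budget.ods rename
304 tmp7f3 /home/ana/cv.pdf write
304 tmp7f3 /home/ana/cv.pdf rename
"""

def parse_events(text):
    """Turn log lines into (ts, process, path, action) tuples, skipping blanks."""
    return [(int(t), p, f, a) for t, p, f, a in
            (ln.split() for ln in text.splitlines() if ln.strip())]

def detect_mass_encryption(events):
    """Return {process: first_alert_ts} for processes that, within WINDOW_SECONDS,
    wrote to at least MIN_FILES distinct files and renamed most of them: the
    write-then-rename burst typical of bulk encryption. A backup job that writes
    many files without renaming them does not trip this rule."""
    recent, alerts = defaultdict(list), {}
    for ts, proc, path, action in sorted(events):
        if action not in ("write", "rename"):
            continue
        # keep only this process's events that are still inside the window
        bucket = [e for e in recent[proc] if ts - e[0] <= WINDOW_SECONDS]
        bucket.append((ts, path, action))
        recent[proc] = bucket
        written = {f for _, f, a in bucket if a == "write"}
        renamed = {f for _, f, a in bucket if a == "rename"}
        if len(written) >= MIN_FILES and len(renamed) / len(written) >= MIN_RENAME_RATIO:
            alerts.setdefault(proc, ts)  # record the first time the rule fired
    return alerts

def run_sample():
    return detect_mass_encryption(parse_events(SAMPLE_LOG))
```

In a real deployment the rename ratio would be one signal among several (write entropy, honeypot files, known-good process lists) so that legitimate bulk operations are not blocked.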
Good practices that Veeam recommends include implementing an automated disaster recovery plan with V12. Next comes defining which data must remain immutable, with no modification allowed. Encrypted backups are added and must be checked regularly; Veeam Recovery Orchestrator is an effective complement that allows for proactive action. It should be noted that good security practice in general calls for limiting access to backup copies, implementing multi-factor authentication, and building an architecture that adequately segments the organization's networks. Likewise, software and security protocols must be kept up to date. Here we also find the concept of permanent monitoring through indicators of compromise (IoCs), that is, markers that point to risk scenarios. Finally, recovery strategies are fine-tuned with the support of Veeam Data Platform.
As for Azure, Microsoft's vision is to incorporate a set of native ransomware protections into its cloud: Microsoft Defender for Cloud provides broad-spectrum threat detection and response capabilities, in a scenario also known as extended detection and response (XDR). Azure Active Directory multi-factor authentication, the Azure AD Authenticator app, and Windows Hello are essential to the identity and access management policy. In addition, the company has created native DDoS attack mitigations, specific firewall functions, and a Web Application Firewall, among many other controls.