For those who are new to Palo Alto Networks' Unit 42 team, they are one of the most respected global threat intelligence teams. Their mission is to research and document the details of adversaries' tactics and techniques and quickly share them with the systems, people and organisations that can use them to prevent successful cyberattacks.
As expected, Unit 42 publishes various threat data throughout the year, and their Ransomware Threat Report caught my eye, as here in the UK ransomware is as big a problem as it has ever been.
I am aware of law firms, marketing companies, software companies and manufacturing companies being hit by ransomware in recent times, and that is without counting the unfortunate organisations that became headline news on the BBC, such as the University of Northampton in the last few days.
Why is Ransomware so widespread?
The simple answer is that it is profitable. The criminals are making more money than ever, so why wouldn't they continue to attack?
If we look at some of the data around the money involved here:
- The average ransom paid by organisations increased from US$115,123 in 2019 to $312,493 in 2020, a 171% year-over-year increase
- The highest ransom paid by an organisation doubled from 2019 to 2020, from $5 million to $10 million
- From 2015 to 2019, the highest ransomware demand was $15 million; in 2020, the highest ransomware demand grew to $30 million
As you can see, organisations appear to be willing to pay more and the criminals are getting greedier. $30 million in 2020 appears high, but reportedly this has already been exceeded in 2021, with Acer being hit with a $50 million ransomware attack.
This is something I have written about several times and held hundreds of conversations with organisations over the past year.
According to the data from Unit 42, at least 16 ransomware groups currently operate this double extortion model.
These groups not only aim to encrypt your data; they also steal it, meaning that even if you can recover quickly from the ransomware encryption, they can still extort you by threatening to release the stolen data.
It is therefore imperative that your strategy does not consist solely of trying to prevent the encryption by relying on endpoint protection; if that is your strategy, you are substantially increasing your risk.
Steps to reduce your risk
Despite what some vendors suggest, there is no silver bullet, so your strategy to reduce the risk should include a number of steps.
Having a successful vulnerability management programme will make initial access, which is generally required for most ransomware, a much more difficult step for the attackers.
User Awareness Training & Technology for Email-Borne Threats
Organisations should ensure they have a strong user awareness programme combined with technology to reduce the threat associated with email. Automation plays a key role here, for example automatically deleting a malicious email from all mailboxes as soon as it has been identified.
Organisations should ensure they operate a least-privilege model for remote access and are able to correlate data to identify patterns of suspicious behaviour.
Implementing DNS security can reduce your risk by applying behaviour analytics to DNS traffic to identify data exfiltration and domains that are malicious for only a short period of time.
Ensure you are using sandboxing to detect unknown threats in all areas of the business: network, endpoint, perimeter, public and private cloud, and SaaS environments.
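To make the DNS behaviour analytics point concrete, here is an added example (my own illustration, not code from the post, from Unit 42 or from any Palo Alto Networks product) that runs two simple detections over constructed DNS query log lines: one for exfiltration-style traffic (a single client sending many unique, long, high-entropy subdomain labels to one registered domain) and one for short-lived domains (domains whose entire query history fits inside a short window and is never seen again). The log format, the thresholds and the "last two labels" registered-domain heuristic are all assumptions chosen for the example; a real deployment would use the Public Suffix List and thresholds tuned to its own baseline.

```python
"""Toy DNS behaviour analytics over constructed query logs (example only)."""
import math
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not real traffic. Format: "<ISO timestamp> <client> <qname>"
# 10.0.0.9 sends eight long hex-looking labels to exfil-demo.test within seconds;
# shortlived-demo.test is queried twice and never again.
SAMPLE_LOG = """\
2024-01-10T09:00:01 10.0.0.5 www.example.com
2024-01-10T09:00:02 10.0.0.5 mail.example.com
2024-01-10T09:00:05 10.0.0.9 0123456789abcdef0a1b.t1.exfil-demo.test
2024-01-10T09:00:06 10.0.0.9 fedcba98765432103c4d.t1.exfil-demo.test
2024-01-10T09:00:07 10.0.0.9 02468ace13579bdf5e6f.t1.exfil-demo.test
2024-01-10T09:00:08 10.0.0.9 13579bdf02468ace7081.t1.exfil-demo.test
2024-01-10T09:00:09 10.0.0.9 a1b2c3d4e5f60789921a.t1.exfil-demo.test
2024-01-10T09:00:10 10.0.0.9 9f8e7d6c5b4a3210b3c4.t1.exfil-demo.test
2024-01-10T09:00:11 10.0.0.9 5a6b7c8d9e0f1234d5e6.t1.exfil-demo.test
2024-01-10T09:00:12 10.0.0.9 4321fedc0ba9876582f7.t1.exfil-demo.test
2024-01-10T09:01:00 10.0.0.5 update.shortlived-demo.test
2024-01-10T09:01:30 10.0.0.7 update.shortlived-demo.test
2024-01-10T17:00:00 10.0.0.5 www.example.com
2024-01-11T09:00:00 10.0.0.5 www.example.com
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded/encrypted payload labels score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text: str):
    """Parse the constructed log format into (timestamp, client, qname) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname = line.split()
        records.append((datetime.fromisoformat(ts), client, qname.lower().rstrip(".")))
    return records


def registered_domain(qname: str) -> str:
    """Naive heuristic (assumption): the last two labels. Real code should use the Public Suffix List."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def detect_exfiltration(records, min_unique=8, min_entropy=3.5, min_len=16):
    """Flag (client, domain) pairs that send many unique long, high-entropy leftmost labels."""
    seen = defaultdict(set)
    for _, client, qname in records:
        dom = registered_domain(qname)
        sub = qname[: -len(dom) - 1] if qname.endswith("." + dom) else ""
        if not sub:
            continue
        first_label = sub.split(".")[0]
        if len(first_label) >= min_len and shannon_entropy(first_label) >= min_entropy:
            seen[(client, dom)].add(first_label)
    return sorted((client, dom, len(labels)) for (client, dom), labels in seen.items()
                  if len(labels) >= min_unique)


def detect_short_lived(records, max_active=timedelta(minutes=10), quiet=timedelta(hours=6)):
    """Flag domains whose whole query history spans <= max_active and then goes quiet."""
    first, last = {}, {}
    for ts, _, qname in records:
        dom = registered_domain(qname)
        first[dom] = min(first.get(dom, ts), ts)
        last[dom] = max(last.get(dom, ts), ts)
    log_end = max(ts for ts, _, _ in records)
    return sorted(d for d in first
                  if last[d] - first[d] <= max_active and log_end - last[d] >= quiet)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("possible exfiltration:", detect_exfiltration(recs))
    print("short-lived domains:", detect_short_lived(recs))
```

Both detections are deliberately behavioural rather than signature-based: neither needs a blocklist entry for exfil-demo.test or shortlived-demo.test to flag them, which is the property the post is pointing at. In practice the thresholds would be set from a per-client baseline, and the entropy check would be paired with volume and timing features so that CDNs and legitimate long-hostname services do not trip it.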
Endpoint Security
Ensure you have behaviour-based detection capabilities on your endpoints and, where possible, enhanced telemetry and response capabilities, so that you can detect and efficiently respond to potential threats.
These steps will not remove the risk, but they will substantially reduce your risk.
Ransomware will continue for the foreseeable future; ensure your strategy doesn't rely on a single control and that it covers every part of your network.
Get in contact if you would like to know more about this.