Adarma recently hosted a RANT Forum in partnership with CrowdStrike in London. Held under Chatham House rules, the event focused on the growing threat of ransomware and how to protect against it. Below is an executive summary of what was discussed over the course of the event.
Ransomware has hit ‘epidemic’ levels in the UK, leaving organisations facing a raft of difficult decisions – how do you prepare, can you counter the threat, and – if you are hit – do you pay?
Understanding that the problem is not going to go away, and acknowledging that organisations will probably be targeted at some point, is an important starting point.
Figures from CrowdStrike’s 2022 Cyber Threat Report showed that ransomware accounted for 49% of interactive intrusions – with an average breakout time of just one hour 38 minutes.
And then there is the cost. The average ransomware payload last year hit a massive $6.1 million – so not only are the consequences high, you don’t have much time to stop the attackers stealing and mangling your data.
Equally, Adarma’s ransomware readiness poll highlighted the sheer number of enterprises suffering ransomware attacks – and the high proportion of them that proceeded to pay the ransom.
Not only is this not a sustainable business model – as insurance premiums have rocketed – but there is no guarantee that, even if you pay, you’re going to get your data back.
Additionally, there are all sorts of issues if governments start sanctioning payment to e-crime groups.
And that’s the thing with ransomware – it’s not just about the technical side of the problem, there’s reputational risk, policy risk and legal risk.
Further complicating factors – such as the crossover space between organised crime and nation states, and fears over whether cyber insurance or data privacy regulations (like the GDPR) are incentivising ransomware – are growing concerns.
And there are legitimate private enterprise arguments about whether ransomware is a business decision or a technical issue – or a balance between the two.
In a world where a board’s bottom line is protecting its profit margin – and where cyber concerns may seem a bit nebulous – the best approach may be to frame tackling ransomware as a business decision while asking the board to fund a technical solution.
As the cyber community knows, there is no one silver bullet.
But amidst all the complexities, there are, thankfully, some measures that CAN be taken to prevent the troubling scenario of organisations being overconfident and underprepared when it comes to ransomware:
Understanding your enemy – and leveraging threat intelligence to reduce cyber risk.
If the primary risk you’re carrying is ransomware, you may not care too much about what China is doing – but China is the world leader in exploiting vulnerabilities before e-crime adversaries.
So, understanding what nation states are up to can buy you time over your adversary, and prevent you from being caught in the spillover.
Knowing your enemy – their methods and motivation – gives you the advantage. So, if e-criminals are coming at you, patch. But how do you prioritise patching?
It comes down to knowing your adversary.
Understand that behind every cyber attack is a human.
There are two factors in threat intelligence: the adversary and you – because you are part of the issue as well.
So, you need to know your own networks too. It comes back to people, processes and technology.
Remember that your adversaries are human – they’re going to repeat methods and have favourite ways of operating. Look at what’s hitting a geographic area – or your industry – and leverage that.
Persuade your board to prepare for an attack.
Businesses are starting to reap the benefits of digital platforms – but they need to realise that there’s a cost of operating here – and that’s cyber risk.
For your board, it boils down to one thing: can your business afford to lose its data?
Because there’s only one thing you can be sure of with ransomware – you may never get it back.
You can talk about ‘risk’ not ‘cost’ – and show all the ‘James Bond’ stuff – because that’s what’s going to get the non-technical people interested, more than talking about needing money for an endpoint solution.
Boards need to recognise this is an unusual type of risk – with a human actor who is highly motivated and using the same tooling as they do.
Planning and prevention are absolutely key.
With the speed of intrusion so fast, speed of decision-making is an issue in itself. So, you need to run a crisis-management exercise with the board – with ransomware as a scenario.
If there is one lesson to take away, please rehearse – do not do this for the first time in the heat of the battle.
Work out what your choke points are – can you live without DNS, for example, or without certain back-ups? Have you pen-tested your back-up system?
The way out of ransomware is preparation – make sure you’re red-teaming, blue-teaming, and that you’ve carried out mandatory user training. Because the only way you can stop a wiper from wiping your data is not having a wiper on your network.
Make sure you’ve got good relationships – and that you can be agile with your plan if an intrusion occurs. Remember good communication – internal and external – and look after your people.
Have the conversation about back-ups.
The first thing an attacker will do is delete your back-ups. One option is investing in an off-site back-up solution, which can be expensive.
So have the conversation about what is an acceptable loss of data, and how far back you go.
Make your organisation more difficult to target.
Remember, most of the time they’re not specifically targeting you. So if your data’s more difficult to get into, they may move on.
If your business hasn’t run a ransomware crisis scenario – and your IT team could turn around and say: ‘we couldn’t handle ransomware, we couldn’t respond’ – then you are overconfident and underprepared.
So please don’t let this be you. Let’s take the fight to these adversaries by pre-planning, pre-investing and preparing.