Know When and How to Stop Ransomware Attacks
Ransomware attacks are on the rise and small businesses are on the menu. The 2023 State of Ransomware report from Malwarebytes Labs finds that the United States saw 1,462 attacks between July 1, 2022, and June 31, 2023. This accounted for 43% of all ransomware attacks around the world, with these attacks doubling in frequency between January and June 2023, compared with the previous 6-month period.
While the Vacant Land Scam and Business Email Compromise may be — and should be — top of mind for most small-business owners and employees, ransomware must also be on the threat radar. School districts were among the top ransomware targets in August 2023, in part because criminals have shifted their focus away from large corporations with strong protections and toward public and private organizations with heavy third-party dependencies and softer cyber security.
When Are You Most Vulnerable to Ransomware Attacks?
Note that the question is not, “Who is most vulnerable,” because criminals are actively looking for the softest targets available. It does not matter what you do or in what sector. If you have user data or online systems that are critical to the operation of your organization, ransomware hackers have their eyes on you. You are particularly vulnerable if criminals believe you will pay their ransom to get your systems back online quickly, or if they believe you will not contact law enforcement out of a fear of reputational harm. Couple one or both of those realities with a lot of external vendors, off-the-shelf software and poor password protections and you can expect hackers to come after you.
Ransomware attacks begin with a hacker gaining enough access to your systems to install software. There are a few methods criminals use to achieve this:
- Zero-Day Exploits: These attacks target vulnerabilities in software or communications between devices that allow criminals to install a ransomware package. Any time you change software vendors or hosting services, install new software or update software, you are potentially vulnerable to attack. Cheap thumb drives may also come with malware, making new drives a threat the first time you use them.
- Phishing: Criminals will use a variety of phishing techniques to attempt to steal login credentials. These can include emails directing employees to sites that download malware, phony client emails or pretexting attacks where criminals claim to be a coworker or supervisor. You are most vulnerable when new employees gain access to your systems, which makes it essential to include cyber security education during every employee’s first day on the job.
- Code Injections: Criminals may attempt to load malicious code via vulnerabilities on your website or during communications between your devices and a third party. You are most vulnerable if you do not keep up with security updates and patches, and if you do not employ encrypted communications with all third parties.
Determined hackers may also use less-sophisticated methods to gain access to your systems if they know where to look. Credential Stuffing, where hackers attempt to use passwords stolen in other online breaches; Credential Spray, which involves matching known usernames with a variety of common passwords, and Brute Force, where criminals use automated systems to flood a site with username and password combinations, are among the techniques hackers may attempt.
Ransomware Attacks Are Rarely Immediate
One key aspect of ransomware attacks has changed: hackers seldom install their malware right away. Instead, hackers will loiter in your compromised systems for a period of time. They may attempt to gain access to other systems, or they may make small changes to see if you are paying attention. In some cases, hackers will wait until a period when you are particularly vulnerable, such as the start of a new school year or an active business cycle, so that their attack causes the greatest disruption possible.
The period between criminal access and ransomware deployment is your opportunity to stop the attack, but this will only happen if you are vigilant and have the right monitoring systems in place.
- Review login data. Keep track of any new devices that log on to your network. If a login looks unusual, reach out directly to the user to see if they logged in from a new device or location.
- Look for unusual data-transfer activity. Ransomware packages must be deployed and installed on at least one device in your organization. Hackers may also exfiltrate significant amounts of your data before they launch a ransomware attack if they plan to blackmail you by posting it on the Dark Web, or if they plan to sell it to other hackers. These data transfers leave a digital trail that you may be able to spot. Large volumes of data moving at an unusual time or to an unexpected location should be a red flag that triggers immediate response.
- Scan for software installs or changes to critical system files. Hackers may upload a small, innocuous file or make a small update to a core system file before they deploy malware. This is a test designed to see if your systems can detect their activity.
You can stop ransomware attempts in their tracks if you have the right monitors in place, and if someone is watching them. Your systems should be set up to send automatic alerts when they detect anything unusual, and you should have protocols in place to follow up on these alerts.
How to Mitigate and Respond to Ransomware Attacks
Sophos reports the average ransomware payment in 2023 as $1.54 million. The mean recovery cost was $1.6 million if the ransom was not paid. Every employee and organizational leader should be aware of these numbers. The days of swatting away hackers with a few thousand dollars in Bitcoin are over. Ransomware is a big-money business for criminals, which is why attacks continue to rise.
There are a few things you can do before and during a ransomware attack to protect your data, your systems and your business:
- Make two-factor authentication mandatory. This stops all but the most determined ransomware hackers.
- Train employees to never share login codes. Under no circumstances should a two-factor code be shared with anyone. From their first moments at work, employees need to understand that cyber security is part of their job and failure to follow protocols comes with consequences.
- Create backups of your data and your systems on a regular basis. These should be stored on devices that are not connected to your networks, and you should plan to keep backups for 120 days. In the event of a ransomware attack, you can use these backups to restore a clean version of your systems and lock the criminals out.
- Contact law enforcement. Criminals rely on compliant victims. You may believe that paying the ransom and moving on is the best course of action, but this is precisely what hackers want. By reporting the attack, you achieve two goals: First, you may be able to recover some or all of the stolen funds in the event that you must pay a ransom. Second, you raise awareness of criminal activity that law enforcement can use to stop future attacks and identify criminals. Be aware that ransomware attacks remain a very high priority for state and Federal law-enforcement agencies. If you have been discouraged from reporting cyber crimes by lax response in the past, you will be pleasantly surprised by the support you receive following a ransomware attack.
As always, the best protection is prevention, and the key to prevention is cyber security employee training alongside strong cyber security practices and protocols. Protect Now can help your small business prevent and mitigate attacks. To learn more, contact us online or call us at 1-800-658-8311.