Sean Connery, Orbis Solutions’ CSO, recently appeared on The Wolfe Den Show to discuss the threat of ransomware and what businesses can do to stay protected.
“Nowadays, these groups are full-blown companies because it’s all about money,” says Sean. “They are fully equipped and good to go.”
The fact is that cybercriminals are no longer just lone wolves using computers in dark basements—they’re organized, structured, and well-funded. It’s big business, which means cybercriminals have more resources to work with. This has led to more and more advanced attack vectors, especially ransomware.
A few years ago, ransomware wasn’t a major concern. While high-profile incidents like the WannaCry attack on the NHS were alarming, they were few and far between. If you had a recent backup of your data, you could rely on it to restore your data if it was encrypted by ransomware.
Ransomware is malware that encrypts the target's data (making it unreadable and inaccessible) and holds it for ransom. It targets all data on the target's systems, making it impossible for them to ignore until they pay the ransom or restore the data from backup.
Typically, an unsuspecting employee clicks on an emailed attachment that appears to be a bill or other official document. The attachment installs a malicious software program (malware) onto the computer system.
There are several ways that hackers can trick targets into downloading ransomware:
Phishing is a social engineering technique that "fishes" for victims by sending them deceptive emails. Phishing attacks are often mass emails that include ransomware as an attachment.
Hackers have found vulnerabilities in many popular, modern browsers like Google Chrome and Mozilla Firefox. They spam users with official-looking pop-ups informing them of an “infection” or “security alert,” prompting them to download a file or click a link.
Out-of-Date Hardware
Many of the most common malware strains and viruses used by cybercriminals today work by exploiting known programming flaws in outdated software and firmware; to address this, developers regularly release patches and updates that fix the flaws and protect users, which leaves unpatched, out-of-date systems exposed.
However, the way cybercriminals use ransomware has evolved in the past few years. They have improved their tactics and capabilities, allowing them to do much more damage, and demand much more money. Characteristics of modern ransomware attacks include:
Sophisticated attackers sneak ransomware into a breached network and then lie dormant for weeks or months, ensuring their entry method isn’t discovered immediately. This gives them time to embed themselves, steal data, and more, all before they activate the ransomware and infect the systems.
Without extensive forensic work, an infected business won’t know how far back it needs to go to find a clean backup of its systems. Or, even worse, the clean point will be so far back that those backups have already been expunged to make room for more recent versions.
Modern forms of ransomware can even target and infect backup hard drives and cloud-based data if the connections are left unsecured. That’s why cybersecurity professionals now recommend air-gapped backups as well.
Given the effectiveness of modern ransomware attacks, defensive methods and best practices from just a few years ago are already losing their effectiveness. All of this is to say that you can’t assume you won’t be infected at some point.
Talking about cybersecurity with users unfamiliar with conventional network infrastructure can be a little complicated. To simplify it, Sean proposed a metaphor—what if you thought about your network like your house?
You employ a range of security measures for your home, which lines up directly with recommended network security measures:
Despite how obvious these measures are regarding home security, we often meet business owners and managers who have essentially left their doors unlocked, turned off their alarm system, and gone to sleep for the night.
An especially important and often overlooked aspect is detection…
You cannot just passively protect your IT assets and expect to stay safe. Effective cybersecurity also requires active monitoring for incoming threats.
Key components of your detection capabilities include:
Antivirus software is used with a firewall to defend against malware, adware, and spyware. Each of these cybercriminal tactics has the potential to do immense damage to internal processes and a company’s reputation.
The job of antivirus software is to spot, block, and isolate intrusive, malicious applications so they can’t damage your data and legitimate software.
Antivirus, also known as endpoint protection, is installed to protect at the user level. It is designed to detect and block a virus or malware from taking root on a user's computer or accessing a network to which the user is connected.
These types of solutions should be used in combination with antivirus software to defend against common malware threats.
Event monitoring is the practice of monitoring IT systems (through both automated tools and manual oversight) to identify potentially dangerous events and address them before they become serious threats.
Intrusion Detection & Prevention
These systems can further improve event monitoring efficacy by scanning for known security events and raising the alarm when they are identified.
Threat monitoring is the practice of staying up to date on the latest cybercrime attack vectors. This is a key part of Cybersecurity Awareness Training and ensures your staff actively contributes to organization-wide detection processes.
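As an added illustration of the kind of alarm an event-monitoring or intrusion-detection tool raises for ransomware (example code written for this page, not a product of Orbis Solutions or the show): it scans constructed file-activity log lines for a burst of renames to one new extension, the classic sign of encryption in progress. The log format, host names, user names and the ".lockd" extension are assumptions.

```python
"""Toy ransomware-activity detector over constructed file-event log lines."""
from collections import defaultdict, deque
from datetime import datetime
from pathlib import PureWindowsPath

# Constructed sample log (not real telemetry).
# Format per line: "<iso-time> <host> <user> <action> <path>"
SAMPLE_LOG = """\
2021-07-02T10:00:01 ws07 alice write C:\\Users\\alice\\report.docx
2021-07-02T10:00:05 ws07 alice write C:\\Users\\alice\\budget.xlsx
2021-07-02T10:03:00 ws07 alice rename C:\\Users\\alice\\old.txt.bak
2021-07-02T10:05:00 ws12 bob rename C:\\Share\\q1.xlsx.lockd
2021-07-02T10:05:01 ws12 bob rename C:\\Share\\q2.xlsx.lockd
2021-07-02T10:05:02 ws12 bob rename C:\\Share\\q3.xlsx.lockd
2021-07-02T10:05:02 ws12 bob rename C:\\Share\\q4.docx.lockd
2021-07-02T10:05:03 ws12 bob rename C:\\Share\\q5.pdf.lockd
2021-07-02T10:05:04 ws12 bob write C:\\Share\\README_RESTORE.txt
2021-07-02T10:40:00 ws12 bob rename C:\\Share\\notes.txt.lockd
"""

WINDOW_SECONDS = 60  # sliding window for a rename burst
THRESHOLD = 5        # renames to the same new extension inside the window


def parse(line):
    """Split one log line into (timestamp, host, user, action, path)."""
    ts, host, user, action, path = line.split(" ", 4)
    return datetime.fromisoformat(ts), host, user, action, PureWindowsPath(path)


def detect_mass_rename(log_text, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return one alert per (host, user, extension) whose rename count reaches
    `threshold` within `window` seconds. Writes are ignored; only renames count."""
    recent = defaultdict(deque)  # (host, user, ext) -> timestamps of recent renames
    fired = set()                # keys already alerted on, to avoid repeats
    alerts = []
    for line in log_text.splitlines():
        ts, host, user, action, path = parse(line)
        if action != "rename":
            continue
        key = (host, user, path.suffix.lower())
        bucket = recent[key]
        bucket.append(ts)
        while (ts - bucket[0]).total_seconds() > window:  # drop events outside the window
            bucket.popleft()
        if len(bucket) >= threshold and key not in fired:
            fired.add(key)
            alerts.append({"host": host, "user": user, "ext": key[2],
                           "count": len(bucket), "at": ts.isoformat()})
    return alerts
```

In a real deployment the same rule would run on file-server audit logs or EDR telemetry, and the threshold would be tuned against normal rename volume so that routine batch jobs do not trip it.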
When we talk about perimeter security, we’re referring to that “Prevent” level from above. In network security, this means a simple firewall and antivirus. This is where many small businesses stop with their cybersecurity initiatives.
Unfortunately, this is simply not enough to defend against modern threats. Case in point: the zero-day attack.
Some of the worst data breaches are based on "zero-day exploits": attacks on vulnerabilities that hackers have found but the developers have not yet patched, which leaves a severe security risk and an immediate need for a fix.
A recent example of this type of attack is the Kaseya Ransomware attack. On July 2, 2021, a number of Kaseya VSA servers were used to deploy ransomware.
Kaseya VSA software is a remote monitoring and management tool used by IT managed service providers to provide services to their clients. By design, these tools have administrative access to all systems they manage, making this breach particularly dangerous and damaging.
The Dutch Institute for Vulnerability Disclosure (DIVD) revealed it had alerted Kaseya to several zero-day vulnerabilities in its VSA software (CVE-2021-30116) that it said were being exploited as a conduit to deploy ransomware. The nonprofit entity said the company was resolving the issues as part of a coordinated vulnerability disclosure when the July 2 attacks took place.
Long-term consequences for affected businesses will likely include extensive data loss, long-lasting downtime, and high costs for recovery. For example, a grocery store chain affected by the attack had to close down 800 stores while they dealt with the infection.
In addition to zero-day exploits, users can also render perimeter defenses meaningless. Did you know that over 90% of cybersecurity incidents can be traced back to human error?
What your employees know about cybersecurity and how securely they use IT can directly affect the future of your business. If you’re breached, the best case scenario is thousands, if not millions of dollars in damage.
You can’t expect a firewall and antivirus solution to keep you 100% secure. Cybercriminals know that the user is the gap in a business’ cyber armor—that’s where they aim.
That’s why cybersecurity awareness training is such a worthwhile investment. It turns your most dangerous weakness into a key strength.
The fact is that what you (and your staff) don’t know could hurt you. If your staff isn’t up to date on the latest cybercrime scams, then they’re putting your data at risk.
Due to their level of access, an unaware or malicious employee can do a lot of damage:
Beyond protection and detection, you must also consider how you’ll respond to an attack…
If you think you may have been the victim of ransomware, phishing, or cybercrime, your first step is to get in touch with your IT support immediately.
Don't hesitate to hire professional cybersecurity experts if you haven't already. Hardening your systems against attacks and thereby making yourself a harder target for cybercriminals is critical.
Beyond that, make sure to follow these three steps:
Isolate The Damage
Your first move when an attack occurs is to isolate the computer from the network to prevent further access.
Remove the network cable from the tower or laptop and turn off your networking functions (the Wi-Fi settings). Do this manually even if you have security software that claims to shut down the connection for you.
You also need to shut down your computer to prevent damage to your hard drive. Ideally, your anti-virus and anti-spyware will prevent the attacker from getting that far, but you still need to remove the malware from the computer to protect it fully.
Resetting your passwords is also critical. You should be sure to create entirely new passwords and avoid re-using them at any point. Don’t forget to check any accounts linked to your computer, including social media profiles, email accounts, online banking, and any other potential targets.
The incident response plan should carefully detail procedures for incident response engagement: how the incident response team will communicate with the rest of the organization, other organizations, and law enforcement, and guidance on federal and local reporting and notification processes.
This plan is necessary to clarify the roles and responsibilities of your employees so you can quickly mitigate risks, reduce the organization’s attack surface, contain and remediate an attack, and minimize overall potential losses.
A key consideration you may have already thought of is cybersecurity insurance. Have you managed to qualify for coverage yet?
“Think back to a few years ago, and carriers would only ask you a couple of questions,” says Sean. “Unfortunately, attacks are more vicious and frequent, so insurance companies are looking to analyze the risk of having a customer.”
Cybersecurity insurance is a relatively new type of protection designed to help cover the potentially massive expenses associated with an unavoidable data breach. It can be a worthwhile investment, so long as you know how it works.
The somewhat inevitable nature of modern cybercrime has led businesses to consider cybersecurity insurance as a final layer of reassuring protection. It’s becoming more and more necessary, as many insurance providers have begun drawing a clear line between normally covered losses and those incurred by cybercrime-related events.
That means that if your cybersecurity doesn’t meet the standards of your insurance provider, you may not be as well covered as you think.
A common misconception is that a cybersecurity insurance policy is a catch-all safety net, but that’s simply not the reality. Without a comprehensive cybersecurity strategy in place, a business may not qualify for a policy in the first place.
All this shows why business owners need to look carefully at the fine print of their cybersecurity insurance policy and ensure their cybersecurity standards are up to par. No one should assume they’re covered in a cybercrime attack—after all, for every $1 million paid in premiums, insurance companies only pay out $320,000 in claims.
The best way for you and your team to determine the best coverage for your organization is to understand your IT infrastructure.
By evaluating your systems from top to bottom, you’ll have a clear idea of all the different access points that could leave your network vulnerable to threats.
Don’t forget to consider how investing in cybersecurity could save you money on premiums. Open up a dialogue about it with your potential Cybersecurity Insurance provider and see what they suggest.
Next, it’s best practice to conduct a risk assessment and an impact analysis. Carefully review all your organizational assets—including financial data, customer information, and intellectual property.
Categorize assets according to the risk and consider the potential impacts a data security event could have on all aspects of your business.
In summary, there will never be a way to be 100% protected from an attack or an actual breach. However, by implementing the proper security measures, training, and constant re-evaluation of these security measures, the risk of being breached (or suffering extensive damages in the aftermath of a breach) can be dramatically reduced.
Get in touch with the Orbis Solutions team to discover more about developing a proper cybersecurity defense.
Orbis Solutions, Inc., in Las Vegas, Henderson, Summerlin and throughout Nevada, has developed creative, strategic and cost-effective technical solutions for a wide variety of clients. Offering a diverse range of products and services, Orbis provides IT solutions to promote your company’s productivity and profitability, and help you sort through the latest-hyped technology, so you can select the best hardware, software or service for your business needs.