Ransomware Risk: How to Protect Your Business Against Becoming a Digital Hostage
What Is Ransomware?
The term refers to malware that intruders use to gain access to third-party computer systems and the data contained on them. The data on the target computer is encrypted and, in the worst-case scenario, the entire computer system is locked. Owners can no longer access the data in their systems. The criminals demand a ransom for the decryption or release of the data – typically the ransom message is displayed on the victim’s screen. If the ransom is paid, the cybercriminals unlock the system again or send the victims a code that can be used to decode the encrypted files.
Ransomware: Facts and Figures
In August 2022, the US magazine Cybersecurity Ventures published the “Boardroom Cybersecurity Report”, which not only summarises the current “trends” in the field of cybercrime, but also provides an outlook on what companies can expect in the future. The numbers in it are frightening:
- In 2021, there was a ransomware attack on companies or organisations every 11 seconds. By 2031, this number is expected to increase to every 2 seconds.
- In 2022, global damage from cybercrime is expected to amount to around 7 billion US dollars (equivalent to around 7 trillion euros). It is expected to increase to 10.5 billion US dollars by 2025.
The Federal Criminal Police Office (BKA) in Germany also classifies ransomware as a top threat in the field of cybercrime. The reason for this is that a successful attack with malware can paralyse entire supply chains and business processes, including production facilities, for example. We sum up some further facts and figures on cybercrime and ransomware for you in this article: IT Risks: Lessons Learned and Precautions For Your Business
Ransomware As a Business Risk
Anyone who thinks that cyber criminals primarily focus on large companies is wrong. Because more and more small and medium-sized companies are actually being attacked. But that’s not all. The WatchGuard Internet Security Report registered twice as many attacks in the first quarter of 2022 than in ENTIRE 2021 year!
One reason for this frequency, in addition to the Russia-Ukraine war, was the Log4Shell security hole in the Java code library. The issue appeared for the first time in December 2021 and is not only easy to exploit, but can also be executed using various system codes. Since Java is used in many programs and applications, the risk of an attack is significantly increased. This example also demonstrates very well that even the best preparation and internal IT security can be useless if the attack occurs via a vulnerability in a system or program.
You can find out more about security gaps in operating systems and programs in our article How you Can Protect your Business against Critical Vulnerabilities in Operating Systems or Software.
Ransomware Attacks: They’re Not Just Focused On Companies
The cyber attack on the Anhalt-Bitterfeld district administration in July 2021 shows that it is not “just” companies that are affected by ransomware attacks. A cyber disaster case was declared for the first time in Germany in this case. They cybercriminals used a vulnerability in an operating system here – in this case it was in the printer system for Windows 7 to 10 – and paralysed the entire IT system at all locations of the district administration. It took several weeks for the damage to be repaired.
It is not a new phenomenon that communities, municipalities and even hospitals, universities and organisations are being targeted by cybercriminals. As early as 2019, the US city of Baltimore was repeatedly attacked by cybercriminals over a period of several years. Various IT systems in the city did not work properly. In some instances, the emergency services couldn’t be reached and documents couldn’t be issued. The resulting damages came to around 16 million euros.
Ransomware Protection: Is That Possible?
Here’s the bad news first: There is no such thing as 100 percent protection against ransomware or other cyber attacks. HOWEVER: You can at least minimise the risk by first introducing effective security standards in your business. Here are some tips on how to protect your business:
1. Strengthen Your IT Infrastructure
Invest in good hardware, trained IT security staff and good anti-virus software. Even if you have to pay a lot of money for this, it pays off in the long run and prevents expensive costs later on.
2. Create Backups
The most important protective measure you can use to get your data back and resume operations in the event of a ransomware attack is a backup. That’s why it’s crucial to have a data backup concept that defines where backups are stored (e.g. in a cloud, with NAS) and also which data is backed up. For example, it can make sense to only back up data on servers and network drives and set up clients again in the event of an infection.
Attackers who have obtained administration rights often specifically search for backups in the case of malware infections in order to encrypt them as well. So at least one copy should be backed up offline. This can be done, for example, via separate tapes or systems that behave like a tape (e.g. an RDX storage medium) in a separate archive with physical access, or via cloud storage that is completely separate from the network.
3. Keep Your Software Up-To-Date
Make sure you are always using the latest version of your software, regardless of whether it is the operating system, anti-virus software or other programs. Outdated versions are a potential gateway for attackers. These updates and patches are necessary in order to be able to react to current malware.
4. Disable remote Assistance
With remote assistance, ransomware can infect not just individual computers, but entire networks. You should therefore switch off the Remote Desktop Protocol (RDP) in your system settings. Remote assistance is intended to enable remote access to a Windows PC while on the move.
5. Beware of Dangerous Emails
A popular gateway for ransomware is email. Seemingly trustworthy emails contain file attachments or a link that the recipient is supposed open or click. This can infect your system with malware. That’s why you should never open emails from unknown senders. And never click on links or open files unless you are absolutely certain that the sender is trustworthy. If in doubt, only open the email in a protected environment, for example in a so-called “sandbox”. This is an area isolated from the rest of the system environment. The events there have no effect on the external environment. A less technical option is to contact the sender by phone and get confirmation that the link or file is really necessary and safe. You should be particularly careful if an email contains files with the following extensions:
- .exe
- .mov
- .avi
- .mpg
- .zip
- .doc
With Windows, it is sometimes the case that known file extensions are automatically hidden. Meaning it could be you that you receive a file called “Holiday snap.JPEG”, but which is actually called “Holiday snap.JPEG.exe”. This means it would not be an image file but an executable application that could cause damage. In Windows Explorer options, you can deactivate “Hide extensions for known file types”. Full file extensions will then be displayed and you will avoid mix-ups.
What Is a Drive-By Attack?
In a drive-by attack, the visitor to a website catches malware which is automatically downloaded when the page is accessed without the visitor being aware. Cyber criminals use security gaps in ordinary websites to hide dangerous code. Often, the operators of the site aren’t even aware that their website is being used to spread malware. To protect yourself against a drive-by attack, you should always keep your browser and all your programs up-to-date.
6. Train Employees
In companies where there is a lot of email traffic and many employees are on the internet, it is particularly important that they are aware of cybercrime risks. You should therefore train your employees in cybercrime risks and give them recommendations on how to recognise attacks and how to react correctly in each situation.
Ransomware: Measures For Emergencies
As pointed out above, unfortunately, there is no absolute protection against cyber attacks. A residual risk always remains. So it’s important to prepare as extensively as possible for a successful ransomware attack, which includes, above all, going through the worst case scenario. What should be done if an incident occurs? To do this, you and all the employees involved (IT department, service providers, managers) should know what processes are in place and what policies need to be followed. Part of this preparation is answering the following questions:
- Which business processes are critical for your business? Which systems are crucial for
- business operations, and how would you recover if they were compromised?
- Is all the data required for business operations stored up-to-date and offline, and can it be restored relatively quickly to new hardware and used promptly after an emergency?
- What are the processes and sequences for restoring servers and data from the backup solutions? Is there a concrete and up-to-date business continuity plan that everyone involved knows about?
- How much time does it take to restore and reconfigure essential hardware and software?
- Is there a list of service providers for such an emergency who are responsible for the recovery or forensic analysis of your IT systems? Is there an agreement (e.g. in the form of a service level agreement) on how quickly they have to react in an emergency?
- Do you have Cyber Insurance? In this case, you should report the incident to the insurer immediately so they can support you with further measures, including paying the ransom.
- In the worst case, how should you respond to blackmail, and what are the risks if company data is published by cybercriminals?
- How should an incident be communicated internally and externally? It is important that the right information reaches the right stakeholders in a timely manner. Statutory reporting obligations, for example to the responsible data protection authority and the affected customers and stakeholders, must also be observed.
- Note that supervisory authorities may consider an immediate audit to check the technical and organizational measures in place. Prepare for this and make sure that all documents are available in printed form and that the employees who are familiar with data protection issues are available as contact persons.
Ransomware Ransom Notes: To Pay Or Not To Pay?
Victims who are confronted with a ransom note often do not know whether to pay or not to pay. There is no clear answer to this question, as it always depends on the individual case. Depending on how important the data concerned is (e.g. health data from patients in a hospital), the institution concerned may not have time to wait until the encryption Trojan has been eliminated. In this case, the ransom is often paid in the hope that the horror will soon be over.
But this is exactly the problem. No-one can guarantee that the data will actually be released again after the ransom has been paid. The common opinion among experts, therefore, is not to pay the ransom. Instead, those affected should photograph the screen, including the blackmail text, and report it.
The moral aspect also plays a role. After all, cyber criminals want to make money out of a ransomware attack. If the ransom is paid in most cases, then the business model works and will continue. The money is used to finance further malware and the demands are getting higher and higher as criminals are noticing that victims are willing to pay.
The Best Backup: Cyber Insurance Via exali
More and more companies – regardless of their size – are being targeted by cybercriminals, and even if you implement all of our tips, there is still a significant residual risk. Taking out appropriate insurance is part of optimal risk management these days to ensure you are protected. In addition to Professional Indemnity Insurance via exali, you can book the optional First-party Cyber and Data Risks Insurance (FPC) add on. Among others, the following damage is insured:
- Hacker damage to your own IT systems
- First-party data rights claim (in particular spying on personal data)
- Expenses for an (imminent) interruption in business (additional cost coverage)
- Breach of trust damage (intentional damage to own IT by employees)
In the event of a successful ransomware attack, the insurer will cover, among other things, the costs for computer forensics experts, legal assistance, PR and crisis management as well as reimbursement in the event of blackmail.
Any questions? Our customer service staff will be happy to advise you by phone (on +49 (0)821 80 99 46-0, Monday to Friday 9:00 a.m. to 6:00 p.m.) or by e-mail via our contact form.