

Covid-19 and ransomware threats

Ryan Weeks, CISO of IT managed service tech firm Datto, describes how the Covid-19 pandemic is affecting ransomware threats.

Without a doubt, the pandemic has had an effect on the IT security posture of businesses. In part, companies were racing to shift workloads to the cloud, which resulted in an increase in the number of ransomware attacks. According to a recent survey by Datto, 42pc of European managed service providers (MSPs) agreed that remote working was the primary reason for more ransomware incidents. Further, the surveyed MSPs reported that the fast adoption of cloud applications, and working from home during the lockdown, increased security vulnerabilities.

Datto’s annual study, the Global State of the Channel Ransomware Report, also revealed that when many organisations were struggling to adapt to the uncertainties caused by the pandemic, ransomware had an increased impact on businesses. Although the average ransom demanded has remained pretty much consistent year-on-year, the cost of system and business downtime related to ransomware incidents has nearly doubled since 2019. On average, this figure is now a staggering 50 times greater than the ransom itself, increasing from $46,800 to $274,200 over the past two years. And for small businesses, this means that they would struggle to survive if a major ransomware attack took place.

As the Datto report highlights, ransomware remains the most common cyber security threat to SMEs. More than 75pc of the MSP respondents said that their SME clients had been hit by ransomware in the past two years, with 60pc saying their clients were affected in the first half of 2020 alone.

During the same timeframe, cyber criminals increasingly targeted MSPs themselves, with 95pc of MSPs reporting that their own businesses are now more at risk. Increasingly, MSPs are partnering with specialised Managed Security Service Providers for IT security assistance, most likely because of the increasing sophistication and complexity of ransomware attacks. These partnerships are helping to protect both their clients and their own businesses.

Perhaps indicating that awareness of the ransomware threat is growing, half of the surveyed MSPs said that their clients had increased their IT security budgets in 2020. Although organisations are now spending more on security, ransomware continues to bypass antivirus solutions such as email, network and web-based anti-malware filtering. Further, MSPs have said that many businesses have yet to close basic security gaps that continue to leave their network open to attackers. It’s a known fact that users remain the weakest link in an organisation’s security posture. The survey found that phishing (54pc), poor user practices or gullibility (27pc), lack of end user security training (26pc) and weak password and access management (21pc) continue to be the primary causes of successful ransomware attacks.

The attack vectors

The Datto survey also uncovered the top three ways ransomware reaches businesses. As in previous years, phishing emails remain the most common entry point. As reported by more than half of surveyed MSPs, malicious email is the most successful tactic used to deliver ransomware. These emails continue to evade defences because they have become harder to recognise, for example by posing as internal messages. In addition, the social engineering tactics used by attackers have become so sophisticated that targeted spear-phishing emails can be virtually indistinguishable from legitimate emails.

Cyber criminals use a variety of methods to gather information about their victims such as social media posts, fake market research phone calls, as well as other easily available data outlets. Once they obtain the personal information, they custom build spear-phishing emails using spoofed single sign-on pages, and mask phishing URLs with Unicode to make their fake email look legitimate.
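As an added illustration of how a mail or proxy filter can surface the Unicode-masked URLs mentioned above (this example is not from the article or from Datto; `script_of`, `check_url` and the sample links are hypothetical and constructed), the following flags host labels that mix scripts, are wholly non-Latin, or arrive in punycode form:

```python
import unicodedata
from urllib.parse import urlsplit

def script_of(ch):
    """Coarse script of a character, taken from its Unicode name (LATIN, CYRILLIC, ...)."""
    if ch.isdigit() or ch in "-_:":
        return None  # script-neutral in hostnames
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"

def check_url(url):
    """Return findings for the host of `url`; an empty list means nothing was flagged."""
    host = urlsplit(url).hostname or ""
    findings = []
    for label in host.split("."):
        text = label
        if label.startswith("xn--"):  # IDNA ASCII form: decode to what the user sees
            try:
                text = label[4:].encode("ascii").decode("punycode")
            except ValueError:
                findings.append(f"undecodable punycode label: {label}")
                continue
            findings.append(f"punycode label {label} displays as {text}")
        scripts = sorted({s for s in map(script_of, text) if s})
        if len(scripts) > 1:
            findings.append(f"mixed scripts in label {text}: {scripts}")
        elif scripts and scripts != ["LATIN"]:
            findings.append(f"non-Latin label {text}: {scripts}")
    return findings

# Constructed sample links (not taken from any real campaign).
SAMPLES = [
    "https://login.example.com/sso",
    "https://login.ex\u0430mple.com/sso",  # U+0430 CYRILLIC SMALL LETTER A
    "https://xn--" + "ex\u0430mple".encode("punycode").decode("ascii") + ".com/sso",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url.encode("ascii", "backslashreplace").decode(), check_url(url))
```

Legitimate internationalised domains are also reported as non-Latin, so the findings are a signal for review or warning banners rather than an automatic block.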

Cloud applications

Next on the list of common attack types are ransomware campaigns that target Software-as-a-Service (SaaS) applications. Of the surveyed MSPs, nearly one in four reported ransomware attacks on their clients’ SaaS applications, with Microsoft 365 hit the hardest (64pc), followed by attacks on Dropbox (54pc) and Google Workspace (25pc). To counter attacks on these collaboration platforms, businesses need to implement appropriate recovery and continuity plans.

And finally, with respect to the endpoint systems most targeted by ransomware, the majority of attacks seen by MSPs affected Windows PCs (91pc), followed by Windows Server (76pc). While ransomware may enter a network via a phishing email, malware can quickly spread across a company network, infecting other systems. To minimise business interruption following an attack, businesses require a continuity solution that can recover server workloads locally or in the cloud.

Actions to reduce risks

As cloud adoption continues to accelerate, cyber criminals will refine their methods, meaning that the ransomware threat will only grow and evolve further. The ongoing ransomware threat was substantiated by the 92pc of surveyed MSPs who predicted that the attacks will continue at current or worse rates over the next few months.

Countering these threats requires IT professionals to tighten security controls. With many businesses still working remotely, it’s imperative that organisations do everything possible to maintain the highest levels of security standards. This includes understanding how employees are connecting to the company network and limiting the use of personal devices, as well as the use of business devices for personal activities. In addition, companies need to revisit security basics and software patching practices across all endpoints to ensure that adequate defences are deployed to all workstations and VPNs. Additionally, to remove one of the most common entry points, IT should encourage the use of secure password managers or two-factor authentication.

Every employee should understand their responsibilities in preventing cyber attacks – including following good password hygiene at all times, not opening suspicious links or attachments, refraining from posting sensitive information on social media, and reporting any signs of malicious activity to the IT department.

A strategic approach

While security software and training are essential to prevent attacks before they happen, a multi-layered security approach must include a business continuity strategy for when other security measures fail. For organisations to quickly resume operations, a business continuity and disaster recovery (BCDR) solution is essential.

MSPs agree that BCDR remains the tool of choice for combating ransomware, with 91pc of MSPs reporting that clients with such solutions in place are less likely to experience prolonged downtime during an attack. In addition, over the past year, restoring from backups has become more prevalent. To quickly recover after an attack, the majority of MSPs are now re-imaging a machine from a backup – rather than rebuilding it from scratch.

Finally, we expect to see an increase in insider threats – whether deliberate or accidental. To prevent employees from willingly cooperating with hackers, organisations need to take steps to identify the most vulnerable staff members. If needed, companies should increase monitoring of users’ endpoints, lower the threshold for triggering security alerts, and carefully monitor shadow IT to understand where data is entering and leaving the environment.

It is also recommended that organisations put controls around any tools that are accessed by employees, such as chat platforms that haven’t been permitted for use. With their surge in popularity, collaboration tools now pose a new risk because most users will assume that content received and shared on these platforms is safe.

The pandemic has resulted in a multitude of work practice changes, making it even more critical for businesses to understand the possible implications for their own cyber security posture and the change in threat patterns. With a solid security strategy that tightens all layers of defence, organisations can ultimately minimise damage from ransomware and other threats.

