Ransomware attacks have become a significant threat for nearly every industry and organization. In the United States, government officials have identified it as one of the nation's greatest threats. In the past year, criminals have attacked schools, shipping companies, healthcare entities, and energy facilities, among others.
Ransomware attacks almost doubled in 2021 compared with 2020, according to the Sophos State of Ransomware 2022 report: 66% of surveyed organizations were hit, up from 37%. That is a 78% year-over-year increase, and it indicates that adversaries have become far more capable of running operations at scale.
They have also become more proficient at encrypting data. In 2021, attackers succeeded in encrypting data in 65% of attacks, up from 54% in 2020. The average cost of a ransomware attack is USD 4.54 million, which exceeds the average total cost of a data breach, USD 4.35 million.
Given the impact these attacks can have on any organization, security professionals must defend their systems, networks, and software in innovative ways. Defending against ransomware requires a comprehensive strategy that involves the entire enterprise.
As cloud usage grows, network segmentation becomes increasingly crucial, particularly in multi-cloud and hybrid cloud environments. Attackers typically use compromised credentials to escalate privileges and move laterally across systems and networks.
Network segmentation is a crucial element of a Zero Trust strategy because it removes the implicit trust that a flat network grants to anything already inside it. Organizations segment their networks according to the criticality of their systems and data and grant access based on the verified identity, human or machine, of the requester. Each request for network access is evaluated and inspected against the requester's current trust status. This is highly effective at preventing lateral movement if attackers manage to penetrate the perimeter.
Ransomware continues to prey on businesses that fail to install timely patches for known vulnerabilities. Multiple published reports show that attackers exploit not only recently disclosed vulnerabilities but also vulnerabilities that are several years old. Legacy systems, meaning software that the vendor no longer supports, receive no patches at all and leave the organization permanently exposed.
One of the most effective ways to recover from a ransomware attack is to have reliable backups of vital data.
Recovery requires automating the backup process, safeguarding the backup data, and ensuring that it is not permanently connected to the network. Organizations should store backups offline or out-of-band so that attackers cannot reach them. This last point is crucial: even if a business applies every other safeguard to its backup data, a copy kept on the ransomware-infected device or network will be encrypted along with everything else.
Many cloud providers keep prior versions of files, allowing you to revert to the unencrypted versions, which can blunt the impact of an attack. Test backups routinely to confirm that they actually restore. Finally, always verify that the backup data you are restoring from is not itself contaminated, that is, not already encrypted or infected.
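The two checks above, that a backup copy still matches what was taken and that it is not already encrypted, can be automated. The following is an added example written for this article, not Venafi's code or any product's: it builds a SHA-256 manifest at backup time (to be stored out-of-band, separately from the copy), then compares a restore candidate against it and applies a byte-entropy heuristic to anything that changed or appeared. The sample files, the `.locked` rename, the ransom note, and the 7.0 bits-per-byte threshold are all constructed assumptions for the demo.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"math"
)

// Backup is a constructed stand-in for a backup set: relative path -> file contents.
type Backup map[string][]byte

// Manifest maps each path to the SHA-256 hex digest of its contents at backup time.
// Keep it out-of-band (offline media, a separate account) so an intruder on the
// production network cannot rewrite it to match tampered data.
type Manifest map[string]string

func digest(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// BuildManifest runs at backup time, before the copy is moved offline.
func BuildManifest(b Backup) Manifest {
	m := Manifest{}
	for path, data := range b {
		m[path] = digest(data)
	}
	return m
}

// shannonEntropy returns bits per byte (0..8). Text sits around 4-5, ciphertext near 8.
func shannonEntropy(data []byte) float64 {
	if len(data) == 0 {
		return 0
	}
	var counts [256]int
	for _, c := range data {
		counts[c]++
	}
	h, n := 0.0, float64(len(data))
	for _, c := range counts {
		if c > 0 {
			p := float64(c) / n
			h -= p * math.Log2(p)
		}
	}
	return h
}

// Finding explains why a file in the restore candidate should not be trusted.
type Finding struct {
	Path    string
	Kind    string  // "missing", "modified" or "unexpected"
	Entropy float64 // bits per byte of the content present; 0 for missing files
}

// VerifyRestoreCandidate compares a backup copy with the manifest taken when it was
// created and reports every file that disappeared, changed, or appeared since then.
func VerifyRestoreCandidate(candidate Backup, m Manifest) []Finding {
	var out []Finding
	for path, want := range m {
		data, ok := candidate[path]
		switch {
		case !ok:
			out = append(out, Finding{path, "missing", 0})
		case digest(data) != want:
			out = append(out, Finding{path, "modified", shannonEntropy(data)})
		}
	}
	for path, data := range candidate {
		if _, ok := m[path]; !ok {
			out = append(out, Finding{path, "unexpected", shannonEntropy(data)})
		}
	}
	return out
}

// LooksEncrypted flags ciphertext-like content. The 7.0 threshold is an assumption for
// this demo; legitimately compressed files (archives, media) also trip it, so treat a
// hit as a prompt for a closer look rather than a verdict.
func LooksEncrypted(f Finding) bool { return f.Entropy > 7.0 }

// SampleBackup constructs a small plaintext data set for the demo (not real data).
func SampleBackup() Backup {
	ledger := "date,account,amount\n"
	for i := 0; i < 60; i++ {
		ledger += fmt.Sprintf("2022-03-%02d,ACC-%04d,%d.00\n", i%28+1, i*37%1000, i*113%5000)
	}
	return Backup{
		"finance/ledger.csv": []byte(ledger),
		"hr/policy.txt":      []byte("All staff must report suspicious e-mail to the security team.\n"),
	}
}

// SimulateRansomware produces what a reachable backup copy looks like after an intruder
// got to it: contents XORed with a keystream, a .locked suffix, and a ransom note.
// A SHA-256 chain stands in for a real cipher so the output is deterministic.
func SimulateRansomware(b Backup) Backup {
	out := Backup{}
	for path, data := range b {
		enc := make([]byte, len(data))
		block := sha256.Sum256([]byte(path))
		for i := range data {
			if i > 0 && i%32 == 0 {
				block = sha256.Sum256(block[:])
			}
			enc[i] = data[i] ^ block[i%32]
		}
		out[path+".locked"] = enc
	}
	out["RESTORE_FILES.txt"] = []byte("Your files are encrypted. Contact us to buy the key.\n")
	return out
}

func main() {
	orig := SampleBackup()
	m := BuildManifest(orig) // stored separately from the backup itself
	for _, f := range VerifyRestoreCandidate(SimulateRansomware(orig), m) {
		fmt.Printf("%-28s %-10s entropy=%.2f encrypted=%v\n", f.Path, f.Kind, f.Entropy, LooksEncrypted(f))
	}
}
```

Run against the simulated copy, the checker reports both original files as missing, three unexpected files, and flags only the large `.locked` file as ciphertext-like; the short policy file is too small for the entropy heuristic to be meaningful, which is why the manifest comparison, not entropy, is the authoritative check. The manifest itself must live somewhere the attacker cannot reach, or it can be regenerated to match the encrypted data.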
Unfortunately, sometimes even the best precautions cannot stop a determined adversary prepared to commit the time and effort required to disrupt a business.
Create an incident response plan so that your IT security staff is prepared. The plan should specify roles and the communications that will take place during an incident. Designating at least one person to oversee incident handling aids coordination of the response. Include a list of contacts, including any partners or vendors who must be notified. With the many moving pieces involved in an incident, communication is crucial.
Having recovery procedures in place enables businesses to resume full operations quickly, minimizing downtime, financial loss, and brand damage. Enterprises should conduct routine, unannounced drills of the incident response plan so that the team performs well in a genuine incident.
Logging is also essential for responding effectively to an incident. Establishing a process is the first step in log management. If an enterprise is breached, logs are needed during incident response to pinpoint the origin of the attack and to provide evidence for legal proceedings. Ship logs to a central, separately secured store as they are generated; logs that exist only on the compromised host are frequently deleted or encrypted along with everything else.
Code signing is the process of digitally signing software. It verifies the identity of the individual or organization that produced the code and guarantees that the code has not been altered since the developer signed it. It says nothing about whether the code is benign, only who signed it and that it is intact.
Attackers may steal code signing certificates from legitimate developers, which lets them release code under a trusted creator's name and distribute malware to a far larger number of victims.
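The two properties above, tamper detection and signer identity, and the failure mode of a stolen key are easy to see in code. The following is an added example written for this article, not Venafi's code or the code of any signing product; it uses Ed25519 from the Go standard library in place of the X.509 certificate chains most code signing schemes use, so "trust store" here is a plain map of trusted public keys. The key seeds, key ID scheme, artifact bytes, and revocation list are constructed for the demo. The point to notice is that a signature from a stolen key is still cryptographically valid; only revocation, checked before the signature, stops it.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Signature is the detached signature a consumer receives alongside an artifact,
// tagged with the ID of the signing key so the verifier knows which key to look up.
type Signature struct {
	KeyID string
	Sig   []byte
}

// KeyID is a short, stable identifier for a public key (first 8 bytes of its SHA-256).
// Constructed for this demo; real schemes use certificate fingerprints or subject names.
func KeyID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// PubOf extracts the public half of a private key.
func PubOf(priv ed25519.PrivateKey) ed25519.PublicKey {
	return priv.Public().(ed25519.PublicKey)
}

// DemoKey derives a private key from a fixed seed so the demo is reproducible.
// Real signing keys come from a CSPRNG and should live in an HSM or signing service.
func DemoKey(seed byte) ed25519.PrivateKey {
	return ed25519.NewKeyFromSeed(bytes.Repeat([]byte{seed}, ed25519.SeedSize))
}

// Sign produces a detached Ed25519 signature over the artifact bytes.
func Sign(priv ed25519.PrivateKey, artifact []byte) Signature {
	return Signature{KeyID: KeyID(PubOf(priv)), Sig: ed25519.Sign(priv, artifact)}
}

// TrustStore is the consumer's policy: which signing keys are trusted and which
// have since been revoked, for example after the vendor reports them stolen.
type TrustStore struct {
	Trusted map[string]ed25519.PublicKey
	Revoked map[string]bool
}

func NewTrustStore(pubs ...ed25519.PublicKey) TrustStore {
	ts := TrustStore{Trusted: map[string]ed25519.PublicKey{}, Revoked: map[string]bool{}}
	for _, p := range pubs {
		ts.Trusted[KeyID(p)] = p
	}
	return ts
}

// Revoke marks a key as compromised. Signatures it made stop verifying even though
// they remain mathematically valid; this is the only defence once a key is stolen.
func (ts TrustStore) Revoke(keyID string) { ts.Revoked[keyID] = true }

var (
	ErrUnknownKey = errors.New("signed by a key that is not in the trust store")
	ErrRevokedKey = errors.New("signed by a revoked key")
	ErrBadSig     = errors.New("signature does not match artifact")
)

// Verify checks an artifact against its signature and the trust store. Revocation is
// consulted first so a stolen key cannot push otherwise valid signatures through.
func (ts TrustStore) Verify(artifact []byte, s Signature) error {
	if ts.Revoked[s.KeyID] {
		return ErrRevokedKey
	}
	pub, ok := ts.Trusted[s.KeyID]
	if !ok {
		return ErrUnknownKey
	}
	if !ed25519.Verify(pub, artifact, s.Sig) {
		return ErrBadSig
	}
	return nil
}

func main() {
	vendor, attacker := DemoKey(1), DemoKey(2)
	artifact := []byte("installer-1.0.exe contents (constructed)")
	ts := NewTrustStore(PubOf(vendor))
	sig := Sign(vendor, artifact)
	fmt.Println("genuine:     ", ts.Verify(artifact, sig))
	fmt.Println("tampered:    ", ts.Verify([]byte("installer-1.0.exe contents (constructed) + backdoor"), sig))
	fmt.Println("attacker key:", ts.Verify(artifact, Sign(attacker, artifact)))
	ts.Revoke(sig.KeyID) // vendor reports the key stolen
	fmt.Println("stolen key:  ", ts.Verify(artifact, sig))
}
```

The order of checks in `Verify` is the practical lesson: a verifier that only asks "does the signature check out?" will happily accept malware signed with a stolen but unrevoked key, which is exactly the abuse described above. Revocation data therefore has to reach every consumer, and it has to be consulted before the signature is trusted.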
Abuse of code signing can occur in a variety of different ways.
A number of code signing best practices can be followed to secure your code signing process. The National Institute of Standards and Technology (NIST) has published recommendations on certificate and code signing best practices. These include:
Venafi CodeSign Protect encrypts code signing private keys, automates approval workflows, and tracks code signing activity.
The FBI has come out against this tactic consistently. And there are many good reasons for not doing so:
The Verizon 2022 Data Breach Investigations Report indicates that 82 percent of breaches involved the human element.
Employees should receive training when hired and periodically throughout their employment so that the information stays current and top of mind.
Download the Forrester Ransomware Survival Guide for more details on a successful ransomware strategy.