Resources

Cybersecurity experts estimate that there is a ransomware attack every 11 seconds. This makes it a challenge to individuals, businesses, and even governments.

In ransomware attacks, cybercriminals encrypt a victim's network or data, making it inaccessible until a ransom is paid. Despite organizations' efforts to reduce the attacks, cybercriminals also are advancing their attack methods. For instance, an organization may have backups they can use to restore their systems, but the criminals also demand ransom not to publish the sensitive company information they have in their possession.

Ransomware is not a new cybersecurity threat. It is traced back to 1989 when the first ransomware was released through floppy disks and required a victim to send money to a post office box in Panama. As technology has now advanced to allow for always-on connectivity, the prevalence of ransomware has grown tremendously. The use of Bitcoin and other cryptocurrencies as payment makes it more complicated as they are difficult to trace. These attacks, such as the WannaCry, CryptoLocker, etc., have resulted in billions in losses through infrastructure and business outages and millions of dollars being paid to the attackers.

Ransomware has grown so much that organized gangs are offering cybercriminals services for hire. This is made more intricate by the availability of ransomware-as-a-service (RaaS) to provide infrastructure to other cybercriminals to escalate their attacks.

Ransomware has become such a global threat that in a joint advisory made up of CISA, FBI, NSA and International Partners, has called for every government, business, and individual to be aware of this threat and take necessary action to avoid becoming victims.

President Joe Biden also continuously issues warnings to business leaders to strengthen their companies' cyber defenses. The risks of cybersecurity are expected to increase with the ongoing invasion of Ukraine by Russia.

On the other hand, there are efforts to reduce the threat scale by various groups. One such group is the Cyber Threat Intelligence League (CTI-League), made up of cybersecurity experts from different countries. They have helped take down malicious websites, detect vulnerabilities, collect and analyze different phishing messages, and assist law enforcement organizations in creating safer cyberspace.

Protecting Against Ransomware

Before a ransomware attack is fulfilled, there are detectable activities that can aid in mitigating an attack. In any case, the attackers target specific user behavior, unchanged default security configurations and common technology vulnerability. This means that ransomware attacks can be avoided. Some ways to keep safe from ransomware include:

1. Timely patches – ensure to patch operating systems and other software immediately whenever a patch is released. Patching also should apply to cloud environments, including virtual machines, serverless applications, and third-party libraries.
2. Keep backups – it is impossible to fully protect an organization's network as one user action may expose the network to attacks. Regularly backing up data is crucial. However, ensure that cloud backups are encrypted and can't be deleted or altered. Also, always keep a backup version that is not accessible through the cloud to ensure business continuity in case of an attack.
3. User training – users are considered the weakest link in the line of defense against cybersecurity. An attack can start with a seemingly legit email containing a link or an attachment that downloads malware to a device once clicked. Therefore, continuous user training and phishing exercises will help reinforce user responses to suspicious emails.
4. Secure and monitor RDP – as more people adopt remote working, they rely on the remote desktop protocol to connect to office computers or colleagues. This has made RDP one of the most commonly used methods for attackers to gain access to a network. Therefore, businesses should use Network Level Authentication (NLA) and use unique and complex passwords for users to authenticate themselves before making a remote connection. Other ways include multifactor authentication, setting time limits to disconnect inactive RDP sessions automatically, and limiting login attempts.
5. Use up-to-date antivirus software – this should be used to regularly scan the systems and scan files downloaded from the internet before they are opened.
6. Network monitoring – use network monitoring tools and intrusion detection systems to look out for any suspicious activity.

The CISA, FBI, NSA, and International Partners joint advisory discourages paying ransom to cybercriminals and recommends following the CISA ransom response checklist and reporting to cybersecurity authorities such as the FBI, CISA, or the U.S. Secret Service. System administrators should also follow incident response best practices that can aid in handling malicious activity.