A spike in ransomware attacks is predicted for 2022 – what to do right now

Are we about to see a further spike in ransomware attacks?

A recent PwC study found that a majority (61%) of business and technology executives believe there will be an increase in this type of malicious cyberattack in 2022. Two thirds of all survey respondents said they anticipate an increase in all forms of cybersecurity threat this year.

Increasing levels of risk - and cost

The rapid transition to digitisation triggered by hybrid working during the pandemic has left vulnerabilities that criminals are poised to exploit. The survey found that 86% of respondents believe their organisation is facing ‘concerning’ levels of risk, including vulnerability to ransomware attacks. Almost two thirds (63%) of UK businesses are increasing cybersecurity budgets for 2022.

2021 saw the average cost of a ransomware attack almost double, reaching $1.85 million (£1.36 million) compared to $761,196 (£561,090) in 2020. The average ransom paid was $170,404 (£125,607), with the highest single payment at $3.2 million (£2.35 million). However, the most common ransom demand was $10,000 (£7,370).

What should you do to manage ransomware risk?

The current government advice is that organisations should not pay ransom demands, as paying funds criminal activity and incentivises this form of crime by making it profitable. The best approach is to minimise the risk of being subjected to a ransomware attack in the first place.

It should be noted that there is no one-size-fits-all model for ransomware response. The right approach depends on the size of the organisation, the technical complexity of its infrastructure, the experience and skill levels of team members, and the maturity of its incident response policies and procedures.

BSI recommends that clients should be prepared for the eventuality of an attack and ensure they have completed a tabletop exercise which documents a playbook of response activities. This involves assigning responsibilities to various organisational roles and establishing an arrangement with an appropriate cyber security organisation that can be called upon in a crisis.

The three phases of ransomware response

Typically, the ransomware response playbook would incorporate three core phased activities with multiple sub-actions within each phase. The timeframe for completing these phases can range from several days to several months. The phases are:

1. Containment
2. Eradication
3. Recovery

Containment Phase:

This initial phase can be stressful as systems become impacted, demands are made and stakeholders (including relevant authorities) are informed. Several technical steps can be taken to limit or contain the expansion of the malware, and these include, but are not limited to:

  • Disconnecting infected devices from all network connections: turning off wireless networks, disabling core network links, and disconnecting from the internet if necessary
  • Using Group Policy to push Windows Firewall rules that restrict endpoint communication on commonly abused ports (such as SMB, RDP and WinRM), up to and including blocking all connections if necessary
  • Considering the use of Group Policy to disable the default administrative (hidden) shares on endpoints, combined with disabling the Windows Remote Management (WinRM) service
  • Restricting the use of local administrative accounts on endpoints, and ensuring that at least one domain controller is segmented away from the network and that up-to-date offline backups are available
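The endpoint-side steps in the list above (firewall restrictions, administrative shares, WinRM, local administrators) can be scripted so that a responder applies them consistently to each affected host. The script below is an added example, not BSI's own tooling or part of the original article. It assumes a domain-joined Windows endpoint using the built-in Windows Defender Firewall, run from an elevated PowerShell session; the log directory, the responder jump-host address and the `-Isolate` switch are placeholders chosen for illustration.

```powershell
# Added example (not BSI's own script): emergency containment for one Windows endpoint.
# Run elevated. Assumptions: built-in Windows Defender Firewall is in use; the log
# path and the responder jump-host address below are placeholders.
#Requires -RunAsAdministrator

param(
    # Hypothetical: address of the responder jump host that must keep reaching this box
    [string]$ResponderHost = '10.0.0.5',
    # Pass -Isolate only when the playbook calls for cutting all network access
    [switch]$Isolate
)

$ErrorActionPreference = 'Stop'
$log = "C:\IR\containment-$env:COMPUTERNAME-$(Get-Date -Format yyyyMMdd-HHmmss).log"
New-Item -ItemType Directory -Path (Split-Path $log) -Force | Out-Null
Start-Transcript -Path $log | Out-Null

# 1. Firewall: block the usual lateral-movement ports first (RPC, NetBIOS, SMB, RDP,
#    WinRM), in both directions. Existing rules are left in place for later audit.
New-NetFirewallRule -DisplayName 'IR-Block-Lateral-Inbound' -Direction Inbound `
    -Protocol TCP -LocalPort 135,139,445,3389,5985,5986 -Action Block -Profile Any
New-NetFirewallRule -DisplayName 'IR-Block-Lateral-Outbound' -Direction Outbound `
    -Protocol TCP -RemotePort 135,139,445,3389,5985,5986 -Action Block -Profile Any

if ($Isolate) {
    # Default-deny everything, with a single explicit allow for the responder host
    # (allow rules override the profile default; explicit block rules still win).
    New-NetFirewallRule -DisplayName 'IR-Allow-Responder' -Direction Inbound `
        -RemoteAddress $ResponderHost -Action Allow -Profile Any
    Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Block
}

# 2. Administrative shares: stop Windows recreating C$/ADMIN$ when LanmanServer
#    restarts, and remove the ones currently exposed (IPC$ is left for authentication).
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
Set-ItemProperty -Path $lanman -Name AutoShareWks    -Value 0 -Type DWord
Set-ItemProperty -Path $lanman -Name AutoShareServer -Value 0 -Type DWord
Get-SmbShare | Where-Object { $_.Special -and $_.Name -ne 'IPC$' } |
    ForEach-Object { Remove-SmbShare -Name $_.Name -Force }

# 3. WinRM: turn off PowerShell remoting, then stop and disable the service
Disable-PSRemoting -Force
Stop-Service -Name WinRM -Force
Set-Service  -Name WinRM -StartupType Disabled

# 4. Local administrators: record current membership in the transcript, then remove
#    every member except the built-in Administrator (RID 500) so that a stolen
#    local admin credential no longer grants access to this host.
$admins = Get-LocalGroupMember -Group 'Administrators'
$admins | Format-Table Name, ObjectClass, PrincipalSource | Out-String | Write-Output
$admins | Where-Object { $_.SID.Value -notlike '*-500' } |
    ForEach-Object { Remove-LocalGroupMember -Group 'Administrators' -Member $_.Name }

Stop-Transcript
```

Two caveats a responder should keep in mind. Blocking RDP and WinRM also blocks the responder, so ongoing access has to come through an EDR agent or console rather than a remote shell, and the transcript written to `C:\IR` is the record of what was changed. With `-Isolate`, default-deny outbound also cuts the endpoint off from domain controllers and log forwarding, which is exactly the "up to and including blocking all connections" case the list reserves for when it is necessary; confirm that local logs are being preserved before taking that step.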

Eradication Phase:

Once the infection is contained, organisations need to cleanse the infected systems and decide which can be returned to service and which must be replaced.

  • Identify and remediate the root cause of the infection
  • Reset credentials and passwords with specific emphasis on administrator and system accounts
  • Wipe identified infected devices and ensure hardware and BIOS checks are completed as well. Where this is not feasible, it may be necessary to replace hardware
  • Validate the cleanliness of the organisation’s network, devices, and data backups with scans, log analysis, etc.
  • Verify the validity of data backups, ensuring that they have not been contaminated or modified and that they are accessible and recoverable
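The last item above, checking that backups have not been modified, is only meaningful if there is something trustworthy to compare against. The script below is an added example, not BSI's own tooling or part of the original article. It assumes a hash manifest (one `<sha256>  <relative path>` line per file, in `sha256sum` style) was produced when the backup was taken and stored separately from the backup set, for instance on write-once media, so that an attacker who reached the backup could not rewrite the manifest as well; the drive letters and file names are placeholders.

```powershell
# Added example (not BSI's own script): verify an offline backup set against a
# SHA-256 manifest captured at backup time. Assumes the manifest was kept apart from
# the backup itself. Paths are placeholders.
param(
    [string]$BackupRoot   = 'E:\backups\fileserver-2022-01-15',
    [string]$ManifestPath = 'F:\manifests\fileserver-2022-01-15.sha256'
)

function Test-BackupIntegrity {
    param([string]$Root, [string]$Manifest)

    # Expected hashes, keyed by path relative to the backup root.
    # Accepts "<hash>  <path>" and the "<hash> *<path>" binary-mode form.
    $expected = @{}
    foreach ($line in Get-Content -Path $Manifest) {
        if ($line -match '^\s*([0-9a-fA-F]{64})\s+\*?(.+?)\s*$') {
            $expected[$Matches[2].Replace('/', '\')] = $Matches[1].ToLower()
        }
    }

    # Actual files under the root, including hidden ones (-Force), keyed the same way
    $actual = @{}
    $prefixLen = $Root.TrimEnd('\').Length + 1
    Get-ChildItem -Path $Root -Recurse -File -Force | ForEach-Object {
        $actual[$_.FullName.Substring($prefixLen)] = $_.FullName
    }

    $result = [ordered]@{ Verified = 0; Modified = @(); Missing = @(); Unexpected = @() }

    foreach ($rel in $expected.Keys) {
        if (-not $actual.ContainsKey($rel)) { $result.Missing += $rel; continue }
        $hash = (Get-FileHash -Path $actual[$rel] -Algorithm SHA256).Hash.ToLower()
        if ($hash -eq $expected[$rel]) { $result.Verified++ } else { $result.Modified += $rel }
    }
    # Files present in the backup that the manifest never listed: encrypted copies with
    # new extensions, dropped payloads or ransom notes all show up here.
    foreach ($rel in $actual.Keys) {
        if (-not $expected.ContainsKey($rel)) { $result.Unexpected += $rel }
    }
    [pscustomobject]$result
}

$report = Test-BackupIntegrity -Root $BackupRoot -Manifest $ManifestPath
$report | Format-List
# Non-zero exit so that a restore job driven by this check treats a tampered set as failed
if ($report.Modified.Count -or $report.Missing.Count -or $report.Unexpected.Count) { exit 1 }
```

A clean report shows the backup matches what was captured at backup time, not that the backup is free of malware: if the attacker had already established persistence when the backup ran, the manifest faithfully records the compromised files. That is why this check pairs with the root-cause work in the first bullet and with a test restore into an isolated environment before the data goes anywhere near production.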

Recovery Phase:

At this stage, organisations are now preparing to bring their systems back online.

  • Download, install and update the restored or new devices to the latest versions of the operating system, required business software and antivirus security software, and run a complete security scan before proceeding
  • Connect the devices to a provisioned clean network
  • Reconnect to the production network and monitor network traffic with ongoing security scans, network, and log analysis
  • Restore data, applications, and systems on a sequential prioritised basis dependent on business requirements
  • Be prepared to run your business on a reduced capacity basis as systems are phased back into production and communicate this as necessary to set stakeholder expectations
  • Conduct a ‘lessons learned’ exercise and use that as an input to improve the organisation’s security position in order to minimise both the possibility of a re-occurrence and the impact of a similar event in future

Ransomware is a here-and-now threat. No organisation is exempt from these attacks. However, with careful planning and preparation, you can minimise the impact of an attack and recover successfully.

If you need to secure your organisation against cyber threats like ransomware, BSI Digital Trust can safely manage and secure your customers’ information, strengthen your information governance and safeguard your critical infrastructure.

You’ll find a comprehensive list of standards for IT and cyber security here.

Read more about ransomware and how to minimise risks:

Five ways your business could be held to ransom in 2022.

This is what is going to make your business more vulnerable to ransomware attacks this year rather than last
