Ransomware attacks on businesses to become more common and more devastating, says report


PRESENTED BY LOGRHYTHM: Criminals have learned that targeted attacks on deep-pocketed organisations can net bigger ransoms, but there are five steps resellers can take to make sure their end customers are not hit, says LogRhythm

Ransomware attacks against businesses will become more common, more damaging and more expensive, security vendor LogRhythm has warned.

Cybercriminals have traditionally used mass distribution ransomware to sting individuals or small businesses for a few hundred dollars' worth of Bitcoins here or there.

But now they have set their sights on larger organisations that have bigger budgets to pay bigger ransom demands, LogRhythm said, citing a spate of attacks to hit hospitals and other healthcare operators in the US in Q1.

The Hollywood Presbyterian Medical Center, which was by one estimate thought to be losing $100,000 (£75,000) a day just on its inability to perform patient CT scans, paid its attackers $17,000 to unlock its files following a ransomware attack in February.

"We are seeing criminals shift their tactics to targeted ransomware attacks," said Ryan Sommers, manager of incident response at LogRhythm, in a recent report.

"They scope out a specific organisation that has deep pockets and is more likely to pay a hefty ransom request in order to minimise the downtime."

Because these attacks are so lucrative, they are sure to become more common, LogRhythm added, highlighting figures from the FBI which estimate that $1bn will be paid out to cybercriminals using ransomware this year.

Larger organisations served by the channel not only have bigger budgets to pay bigger ransoms, but also have more important files and computer systems critical to their daily operations, the vendor pointed out.

Some 72 per cent of companies hit by a ransomware attack cannot access their data for at least two days following the outbreak, according to research from Intermedia cited by LogRhythm, with 32 per cent losing access for five days or more. In 47 per cent of cases, the attacks spread to more than 20 staff.

Whereas the timeline of a mass distribution attack is often as little as 15 minutes, the new style of targeted attacks coming into vogue acts more like APTs, LogRhythm said, with cybercriminals looking to inflict as much damage as possible by infecting the entire business in order to bring in a higher ransom.

"Given that targeted attacks are usually operated by a person as opposed to an automated system, the response timeline can be a little less critical than for mass distribution ransomware. Unfortunately, this also means the attack can be more difficult to detect," LogRhythm said.

Five steps to stopping ransomware

However, there is no reason why the channel cannot help detect and snuff out even targeted attacks before they have taken hold, LogRhythm said.

The five key steps of defence are preparation, detection, containment, eradication and recovery, the vendor said.

The preparation step involves patching aggressively, creating and protecting backups and preparing a response plan in the event of an attack. Assigning least privileges, connecting with intelligence sources and protecting end-points were also recommended by the vendor, alongside investing in a cyberinsurance policy that explicitly covers losses due to ransomware.

"The cost of a ransomware attack can be quite high – not just the cost of the ransom itself, but also the loss of business during the time that files and documents are unavailable," LogRhythm said. "For example, when Hollywood Presbyterian Medical Centre experienced its ransomware attack in February 2016, the hospital was crippled. The Radiation Oncology department was shut down, and CT scans and lab work were unavailable. Affected patients were transferred to other facilities or simply turned away. The inability of the hospital to provide its normal business services for more than a week was financially devastating."

The second step – detection – can minimise the damage in the event of an attack, LogRhythm said. To this end, firms should be priming their defence devices, screening email for malicious links and payloads, using rule blocks for executables and looking for signs of encryption.

The next step is that of containment, the vendor added. Once the ransomware has done its dirty work on one device, steps can be taken to contain it locally so that network files are not affected. This includes killing the running processes and isolating the afflicted end-point.

Step four – eradication – involves replacing, rebuilding or cleaning machines and step five – recovery – primarily involves restoring from backup and looking for the infection vector, as well as notifying the relevant law enforcement agency.

"Because these attacks are so lucrative for the perpetrators, they are certain to become more common, more damaging, and more expensive. What's more, almost every organisation – large or small – is vulnerable to a ransomware attack," LogRhythm said.

"Your organisation's success in defending against a ransomware attack is largely dependent on your level of preparation and the tools you deploy to monitor your systems and to detect, shut down and contain suspicious activity."
