Ransomware: Top 5 best practices for companies

According to the BSI (German Federal Office for Information Security) and ENISA (European Union Agency for Cybersecurity), ransomware is currently the most dangerous cyber threat.

Contrary to the assumption that such attacks mainly target large organizations, experts saw a significant increase in attacks on small and medium-sized enterprises (SMEs) in 2023. André Schindler, General Manager EMEA at NinjaOne, sheds light on the latest trends in ransomware, takes a look at the working methods and motivation of ransomware groups and reveals best practices for backup strategies and defense against ransomware attacks.

The latest trends in ransomware

Ransomware attacks have evolved considerably over the years. Originally, these attacks focused on encrypting data and demanding a ransom for its release. However, recent trends show a shift towards more sophisticated tactics, including data exfiltration and various extortion methods. Ransomware groups are now stealing data prior to encryption and threatening to make it public if the ransom is not paid. This approach, known as double extortion, has increased the pressure on victims to comply with ransom demands, even if backups of sensitive data are available.

If you know the latest trends, you can better protect yourself against the devastating effects of ransomware.

André Schindler, NinjaOne

In addition, ransomware groups have become more professional over time and now operate much like legitimate businesses. These criminal organizations have hierarchical structures, specialized roles and even customer support services to help victims pay the ransom. In addition, the ransomware-as-a-service (RaaS) model has now become established, with developers renting their ransomware tools to partners who carry out the attacks. This has significantly lowered the barrier to entry and led to an increase in the number of attackers and attacks.

The attackers: Well organized and profit-oriented

Ransomware gangs are primarily motivated by financial gain. The prospect of substantial payouts has made ransomware an attractive option for cybercriminals. These gangs plan their operations meticulously and often spend months undetected on a network before launching an attack. They use various techniques such as phishing, exploiting vulnerabilities and brute force attacks to initially gain access. Once they have infiltrated the network, they move laterally through the network, escalating their privileges and deploying their ransomware payload.

The victims: first the big ones, now the small ones

While large organizations continue to be attractive targets because they are able to pay high ransoms, SMEs are also increasingly being targeted by attackers. These smaller organizations often lack the robust security measures of larger companies, making them easier targets. For example, H.E.R.O.S., a manufacturer of helicopter components, faced a serious ransomware attack. The team was able to restore its systems with the help of a professional backup solution. Nevertheless, this case highlights the risks faced by smaller companies and the importance of effective disaster recovery measures.

Practical example H.E.R.O.S

H.E.R.O.S was hit by a devastating ransomware attack that encrypted critical data and significantly disrupted the organization’s operations. The organization used NinhaOne’s backup solution, which enabled the team to restore all data quickly and efficiently, minimizing downtime and preventing further losses. This case demonstrates the importance of a reliable backup system as part of a comprehensive ransomeware defense strategy.

Data exfiltration, double and multiple extortion

Data exfiltration has become an important component of modern ransomware attacks. Attackers steal sensitive data and threaten to release it if the ransom is not paid. Attackers can also monetize stolen data thanks to the increasingly smooth functioning of online marketplaces on the darknet. This makes it easy to compensate financially for refusing to pay the ransom and ransomware groups can easily finance their activities.

This double extortion tactic increases the leverage the attackers have over their victims. In some cases, attackers move to multiple extortion by using additional threats such as DDoS attacks or contacting the victim’s customers and partners to increase the pressure.

Best Practices in defense against ransomeware

#1 Regular backups: Ensure that data is backed up regularly and that backups are stored offline or on a different network segment to prevent them from being encrypted during an attack.

#1 Regular backups: Ensure that data is backed up regularly and that backups are stored offline or on a different network segment to prevent them from being encrypted during an attack.

#2 Patch management: Keep all systems and software up to date to close vulnerabilities that could be exploited by attackers.

#3 Employee training: Conduct regular training sessions, to educate employees about phishing attacks and other social engineering tactics.

#4 Access Controls: Implement strict access controls and use the principle of least privilege to minimize the potential impact of a compromised account.

#5 Endpoint Protection: Use advanced endpoint security solutions that can detect and block ransomware before it is executed.

#6 Incident Response Plan: Develop an incident response plan and update it regularly to ensure a quick and coordinated response in the event of an attack.

Best practices for backup and revovery

#1 Isolate infected systems: Quickly isolate infected systems to prevent the ransomware from spreading to other parts of the network.

#2 Restore from backups: Use clean backups to restore data and systems. Make sure backups are tested regularly to confirm their integrity and usability.

#3 Bring in expertise: Get help from cybersecurity experts or incident response teams to restore your systems and investigate the attack.

#4 Communication plan: Prepare a clear communication plan to inform stakeholders, including employees, customers, and partners, about the attack and the actions taken.

#5 Follow-up: Conduct a thorough review of the incident to determine the root cause and implement measures to prevent future attacks.

Conclusion

Ransomware continues to pose a significant threat to organizations of all sizes. The increasing sophistication of ransomware groups and their evolving tactics make it imperative for organizations to remain vigilant and implement robust security measures. Those who are aware of the latest trends and employ best practices for defense and recovery can better protect themselves against the devastating effects of ransomware.