
The critical role of humans in the fight against ransomware

A single mouse click can shut down a whole company. This article discusses the critical role of humans in the fight against ransomware.

Summary:

75% of all organizations will experience a ransomware attack by 2025.
54% of Dutch companies affected by ransomware were double-extorted.
On average, Dutch companies pay €96,000 in ransom (Mimecast, 11/2021).
Recent examples (2021) include Q-Park, VDL, Mediamarkt, and Ikea.

Introduction

Ransomware attacks are increasing in both number and quality. Because of their high success rate, more and more attack groups are preparing their attacks manually. The more care an attack receives, the more effective it will be. According to Gartner, at least 3 out of 4 organizations will have to deal with one or more ransomware attacks by 2025, which means that it can happen to anyone, not just Mediamarkt, VDL, or Q-Park. This article intends to provide more context about ransomware attacks and how organizations can become more resilient to ransomware.

What is ransomware?

Ransomware is malicious software that encrypts digital information with the aim of holding it hostage. Because organizations are no longer able to access the information that enables their operations, ransom is usually demanded in order to obtain the key that makes the data readable again.

There are two types of ransomware: a ‘locker’ and a ‘crypter’. A locker locks the screen of a system, while a ‘crypter’ encrypts the system’s files.

How does infection take place?

Many organizations still think they are not interesting enough for cybercriminals. This underestimation is music to hackers’ ears. Whether you are a distributor, food producer, researcher, bank, or hospital, every organization has critical processes that depend on IT and information. And that’s exactly what criminals are aiming for.

But how do they manage to encrypt this information? Below are the top 5 ways in which companies are infected with ransomware:

Phishing
Insecure code in (web) applications
Abuse of vulnerabilities in systems
Visiting insecure websites
(USB) drive-by


How big is the problem?

A quantitative analysis:

In the past 18 months, the number of ransomware samples has risen to 80 million according to Google.
VirusTotal scans 150,000 ransomware samples daily. Samples are packages or pieces of code that, for example, contain ransomware.
Gartner states that by 2025, more than 75% of all companies will have to deal with ransomware.
In the Netherlands, 32% of registered companies have been hit by ransomware in the last year.
In 54% of cases, Dutch companies were hit by two ransom demands.
The accumulated damage and collateral damage can amount to 15 times the ransom demanded to unlock the systems. This includes damage to reputation, loss of customers, research costs, and restoration costs.
On October 6, a parliamentary letter (Kamerbrief) was sent to the Dutch House of Representatives (Tweede Kamer) with the title “Countermeasures against ransomware attacks.” It advocates European cooperation and (mandatory) basic measures.


A qualitative analysis:

The use of AI (Artificial Intelligence) in ransomware attacks. AI technology makes attacks even more sophisticated, and it is becoming increasingly difficult to distinguish fake from genuine.
There is an increase in the number of ransomware attacks operated by humans rather than by software alone. This increases the quality and effectiveness of attacks: humans are still better at adding the human ‘finesse’ that makes messages credible.
Ransomware as a service is not new, but it is becoming more professional. Entire hacker groups have organized themselves around it as their primary source of income.

We can say that the problem is big and therefore can no longer be left out of a good information security strategy.

How can organizations arm themselves?

When developing a security strategy, always assume that you have already been hacked. Although many providers would have their target audience believe otherwise, there is NO miracle solution. Build a balanced plan. This means that you should first know what you have in house in technical terms, but equally important in terms of processes and people. In our profession, we speak of the so-called ‘Defense Lifecycle’, which we must continuously review, answering important questions in each phase. Below we mention a selection of questions per phase.


Preparation

In this phase we provide an answer to the following questions:

Is my organization ready for large-scale cyber incidents?
What is the plan in case of a successful ransomware attack? (e.g. Do we pay the ransom?)
Does everyone know their role and responsibilities?
Are all (critical) assets known and has ownership been assigned?
How are backups arranged? (E.g. online versus offline)
Is there a recovery plan and is it tested regularly for proper functioning?


Prevention

Preventing a successful attack is perhaps the most difficult task of all, but it can be done, especially when people, processes, and technology work together.

Are my employees able to recognize risky situations both online and offline?
Are the tools and processes well set up to smoothly handle reports of such situations?
Do we simulate the functioning of our processes using penetration testing and social engineering simulations?
How is the ‘security hygiene’? Getting the basics right is the minimum requirement. Think of reliable asset management, a well-functioning (risk-based) vulnerability management process, a tight organization and administration of access rights and authentication mechanisms, and finally network segmentation.


Detection

The goal of detection mechanisms must always be to detect a successful attack as early as possible. But make no mistake: selecting the right solutions is a complex matter. The following questions are at the very least important:

Do we have all relevant telemetry to make the right detections (Think of EDR, MDR, IPS, and firewall data)?
Are we able to recognize and evaluate IOCs (indicators of compromise)?
Do we have a SOC (internal or external) with the right expertise and skill sets at our disposal?
Are my employees able to recognize deviations (think of recognizing risky situations under the prevention heading)?
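To make the telemetry and IOC questions above concrete, here is an added example (not code from the original article) of a small early-warning detector that runs over constructed EDR-style file-event log lines. It demonstrates two complementary detections: matching known IOCs (a placeholder SHA-256 hash and a constructed ransom-note file name) and flagging the behavioural signature of a ‘crypter’, namely a burst of renames to one new extension by a single process. All host names, paths, process names and hashes are made up; the log format is an assumption for the example, not any vendor’s format.

```python
"""Toy ransomware early-warning detector over constructed file-event telemetry.

Added example, not from the original article. Log format (assumed):
    ts|host|pid|proc|action|path|new_path|sha256
where action is one of "exec", "create", "rename".
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed IOC list: placeholder values, not real indicators.
PLACEHOLDER_HASH = "deadbeef" * 8          # 64 hex chars standing in for a known-bad SHA-256
KNOWN_BAD_HASHES = {PLACEHOLDER_HASH}
RANSOM_NOTE_NAMES = {"README_TO_RESTORE.txt"}  # constructed ransom-note file name

# Behavioural rule: this many extension-changing renames by one process
# on one host within WINDOW raises a single alert.
RENAME_THRESHOLD = 5
WINDOW = timedelta(seconds=30)


@dataclass
class Event:
    ts: datetime
    host: str
    pid: int
    proc: str
    action: str
    path: str
    new_path: str = ""
    sha256: str = ""


def parse_line(line: str) -> Event:
    """Parse one pipe-separated log line into an Event."""
    ts, host, pid, proc, action, path, new_path, sha256 = line.strip().split("|")
    return Event(datetime.fromisoformat(ts), host, int(pid), proc, action, path, new_path, sha256)


def detect(lines):
    """Return findings as (rule, host, process, detail) tuples, in log order."""
    findings = []
    renames = defaultdict(list)  # (host, pid, new_ext) -> timestamps inside the window
    for line in lines:
        ev = parse_line(line)
        basename = ev.path.rsplit("/", 1)[-1]
        # Rule 1: execution of a file whose hash is a known IOC.
        if ev.action == "exec" and ev.sha256 in KNOWN_BAD_HASHES:
            findings.append(("ioc_hash", ev.host, ev.proc, ev.sha256))
        # Rule 2: creation of a file whose name matches a known ransom note.
        if ev.action == "create" and basename in RANSOM_NOTE_NAMES:
            findings.append(("ransom_note", ev.host, ev.proc, ev.path))
        # Rule 3: burst of renames that change the extension (e.g. a.docx -> a.docx.locked).
        if ev.action == "rename" and "." in ev.new_path.rsplit("/", 1)[-1]:
            new_ext = ev.new_path.rsplit(".", 1)[-1]
            old_ext = ev.path.rsplit(".", 1)[-1]
            if new_ext != old_ext:
                key = (ev.host, ev.pid, new_ext)
                # Sliding window: keep only timestamps within WINDOW of this event.
                renames[key] = [t for t in renames[key] if ev.ts - t <= WINDOW] + [ev.ts]
                if len(renames[key]) == RENAME_THRESHOLD:
                    findings.append(("mass_rename", ev.host, ev.proc,
                                     f"{RENAME_THRESHOLD} renames to .{new_ext} within {WINDOW.seconds}s"))
    return findings


# Constructed sample telemetry: one infected workstation plus one benign rename elsewhere.
SAMPLE_LOG = [
    f"2021-11-15T09:00:00|ws-042|4711|update.exe|exec|C:/Users/jan/Downloads/update.exe||{PLACEHOLDER_HASH}",
    "2021-11-15T09:00:05|ws-042|4711|update.exe|rename|C:/Users/jan/Documents/a.docx|C:/Users/jan/Documents/a.docx.locked|",
    "2021-11-15T09:00:06|ws-042|4711|update.exe|rename|C:/Users/jan/Documents/b.xlsx|C:/Users/jan/Documents/b.xlsx.locked|",
    "2021-11-15T09:00:07|ws-042|4711|update.exe|rename|C:/Users/jan/Documents/c.pdf|C:/Users/jan/Documents/c.pdf.locked|",
    "2021-11-15T09:00:08|ws-042|4711|update.exe|rename|C:/Users/jan/Documents/d.pptx|C:/Users/jan/Documents/d.pptx.locked|",
    "2021-11-15T09:00:09|ws-042|4711|update.exe|rename|C:/Users/jan/Documents/e.jpg|C:/Users/jan/Documents/e.jpg.locked|",
    "2021-11-15T09:00:20|ws-042|4711|update.exe|create|C:/Users/jan/Documents/README_TO_RESTORE.txt||",
    "2021-11-15T09:01:00|ws-007|1200|explorer.exe|rename|C:/Users/eva/notes.txt|C:/Users/eva/notes.md|",
]

if __name__ == "__main__":
    for rule, host, proc, detail in detect(SAMPLE_LOG):
        print(f"[{rule}] host={host} proc={proc} {detail}")
```

The point of combining the rules is timing: the hash match fires at execution, before any file is touched, while the rename burst fires after the fifth file, which is still early enough to isolate a single workstation rather than restore a whole estate from backup. A single rename on another host (the last line) produces nothing, which is what keeps the rule usable in a SOC.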


Mitigation

Complete elimination, i.e. a 100% guarantee of 0% successful attacks, is a utopia. However, it is important to do everything within your risk profile to prevent attacks and reduce the chance to an acceptable level. This is where everything comes together, and we need to ask ourselves two questions:

Have we put sufficient measures in place across the axes of people, process, and technology to do everything possible to prevent infections?
How quickly are we able to respond after a successful attack? Think isolate, analyse, and mitigate, where each step requires its own solution in the form of people, processes, and techniques.


Do people make the difference?

In the end, it remains an interplay of the familiar trinity: people, process, and technology. In our view, however, people are the key to the effectiveness of the other dimensions in which measures are taken. In fact, relying on technology alone lowers resilience, and when an organization cannot blindly trust its own processes, the chance of negative business impact increases every second.

Technology

Technology cannot exist without people. People create, implement, and manage technology. Mistakes can be made along the way, and it is precisely these mistakes that hackers exploit. The best vulnerability management solution will not work if the people around it do not follow the process, so that patches are never rolled out.

In every aspect of the organization where people and technology work together, training is crucial to ensure that the technology is used optimally and thus retains its mitigating effect.

Processes

People design the processes and follow the processes (if all goes well). It is true that more and more processes are being automated, but the fact remains that if a person somewhere in that process does not do what is expected in specific situations, the process loses its effectiveness.

Training employees to follow processes correctly and promptly can make the difference during a ransomware outbreak. After all, the faster you can respond, the smaller the damage will be.

People

Ultimately, people will therefore play a key role when it comes to the effective functioning of the available technology and processes. The behaviour we exhibit in this is decisive. As a security community, we have a very important task to fulfil in this area. Having the right knowledge and expertise about the available processes and technology has long ceased to be sufficient. Knowledge is nothing more than a precondition for our behaviour. In addition, as organizations we must facilitate our employees well; in other words, make it as easy as possible for employees to exhibit the desired behaviour.

How you can lower the barriers to desired behaviour, and with it desired secure behaviour, is something we cover in this article.

In short

Ransomware is a phenomenon that cannot be imagined away from the digital age. It is a business model and a cost item at the same time. Recently, a fine article appeared in de Volkskrant in which the hacker group ‘LockBit’ is held responsible for 1 in 3 ransomware attacks worldwide, making millions every year as a result.

Do not be naive, and start as soon as possible by formulating the following hypothesis for your organization: “All critical business processes have been taken down by a ransomware attack”.

In short, prepare as if you have already been hacked!