Safeguarding Your Business in the New Era of Ransomware Attacks

The May 7th Colonial Pipeline attack made headlines for being the largest cyberattack on a piece of critical U.S. infrastructure in history. In response, the Colonial Pipeline Company shut down operations, affecting the gas supply to approximately 45 percent of the Eastern United States. Fuel shortages drove up gas prices, airline flights were delayed, and governors and the White House issued “State of Emergency” declarations. Regulators in the U.S. and abroad are calling for stricter cybersecurity measures for the oil pipeline industry. — measures which undoubtedly cost its business money. And even after Colonial Pipeline paid the requested ransom, it’s taken them more than a week to resume full operations without issue.

In recent days, some politicians and pundits have focused on the origin of the attack, widely believed to be a Russia-based cybercrime collective known as DarkSide. While DarkSide claims to be apolitical, the U.S. European nations and other actors are rightly concerned about the geopolitical implications of this attack. However, by focusing on the politics, governments and businesses alike risk missing the bigger, more important picture.

The unfortunate reality is that ransomware attacks are a new reality of the world we live in. No government, business, or nonprofit is safe from attempted attacks. And they are on the rise. As per the FBI, companies reported 2,474 ransomware incidents to authorities, up from 2,047 a year prior. Other cybercrimes aimed at businesses are on the rise as well. In the 2020 Internet Crime Complaint Center (IC3)’s Internet Crimes Report, IC3 received 791,790 reports of cybercrime and a resulting $4.1 billion in losses. The prior year’s report notes just 467,361, with losses exceeding $3.5 billion. These numbers are likely underestimated. Not every victim reports they have been attacked. Even when they report the attack to a law enforcement agency, many victims do not fully account for their losses nor disclose any ransom they may have paid.

The pandemic has emboldened criminals. Remote work has created new vulnerabilities. Governments are transferring assets to individuals and businesses in the form of unemployment checks and business and individual stimulus funding. Properly executed, ransomware and other cyberattacks can exploit existing vulnerabilities with relatively little effort and yield huge dividends.

What Are Ransomware Attacks?

Though the target was significant, the Colonial Pipeline attack methodology was fairly conventional. DarkSide tricked one or more employees into downloading malware onto its network by spearphishing. Spearphishing involves sending fake emails from what appears to be a trusted source to a targeted organization to get recipients to reveal confidential information or take a specific action.

In this case, DarkSide got one or more Colonial Pipeline employees to click on a link that allowed them to download the malware, which, once on Colonial Pipeline’s network, proceeded to encrypt key operational assets. DarkSide also stole 100 gigabytes of sensitive data they threatened to publish if Colonial Pipeline did not pay a ransom of 75 bitcoin (roughly $5 million). The company later acknowledged they paid the ransom.

What happened to Colonial Pipeline is similar to many other ransomware attacks. However, in a ransomware attack, the means through which attackers gain access to business IT networks is not limited to spearphishing. In some cases, cybercriminals take advantage of security weaknesses in software programs to deploy ransomware. In other cases, they’ve been able to gain access through vulnerabilities in Microsoft’s proprietary Remote Desktop Protocol (RDP): a protocol that allows a remote desktop to connect with a private network. They may purchase a business’ RDP access credentials if available on the dark web. Or they may engage in brute force attacks: using sophisticated computer algorithms to submit multiple passwords repeatedly until they find the right one to gain RDP access.

Once ransomware is deployed, the attackers usually contact the victim demanding a ransom, or else the files will remain encrypted, impairing the business’ ability to operate. Cybercriminals also often threaten to release sensitive information to which they’ve gained access, which may include intellectual property, the financial information of clients or employees, or emails and files that may damage a firm’s reputation. Victims may be tempted to pay, given the potential consequences. However, it’s important to understand that paying the ransom is no guarantee that the attacker will, in fact, decrypt the files or destroy any confidential information gained. Further, in many cases, the ransomware may remain even after the files have been decrypted. And because many of these criminals are based overseas, recovering the ransom that was paid.

Businesses, especially small ones, often only prioritize security after being attacked. Understandably, some may believe that because they’re a small business without huge revenues that they aren’t an attractive target. Yet this thinking often is coupled with low investment in and poor planning of cybersecurity measures. These businesses are vulnerable, which makes them enticing. Moreover, with attacks rising in the U.S. and around the globe, businesses of any size (as well as government agencies and nonprofits) are at risk. The best way to deal with ransomware is to prevent it from occurring.

How to Prevent Ransomware Attacks

You can take many measures to safeguard your business from the threat of ransomware, many of which require no upfront expenses or pricey new software application. Prevention begins with awareness. Employees must receive regular training about cybersecurity vulnerabilities and the threats they pose — threats that could not only compromise your network but, in the case of remote employees, their personal financial information as well.

Businesses must also ensure that their organizational emergency response plan contains contingencies for cyberattacks. Their plan must include appropriate corporate responses to a broad range of possible cyber incidents, delineate a clear decision-making protocol, be in writing, and disseminated widely to staff to maximize response efficiency. This plan should be paired with a data backup and recovery plan for key information so that the businesses can resume operations as quickly and efficiently as possible in the event of an attack.

Your IT department must be empowered to lead your cybersecurity efforts. They must:

  • Ensure your network environment is secure.
  • Keep your network’s security protocols up-to-date with the latest patches.
  • Ensure your anti-virus software is always up-to-date.
  • Manage access permissions to key systems appropriately.
  • Prevent employees from downloading and installing unwanted software.
  • Detect and remove emails containing suspicious macros.
  • Develop a robust backup and recovery system.
  • Train employees to ensure they aren’t duped by fraudulent efforts to gain network access.
  • Keep abreast of all current cybersecurity and cybercrime trends, make relevant recommendations, and implement them as needed.

However, often IT staff have gaps in their cybersecurity knowledge or may be tasked with other critical priorities. In these cases, businesses should transition to a managed IT services provider to give them the IT resources they need in a safe and secure environment. Orion Network Solutions provides the services you need to operate your business, freeing your IT staff to engage in strategic and revenue-driving activities. Our expert staff stays on top of new and emerging cybersecurity threats to ensure your business is never held hostage. If you’re in the DMV, contact us today for a free quote from Orion Networks and get your first 30 days free.

Further reading