Ransomware resurgence in 2023

by Mark Rowe

Ransomware remains hot on the cyber agenda after several years of rampant activity, writes Patrick Wragg, pictured, Head of IR at the cyber firm Integrity360.

Back in 2021, the world witnessed a record-breaking year of 623.3 million ransomware attacks that marked a staggering 105 per cent increase on 2020, as well as being 232pc up on 2019. However, and somewhat interestingly, the latter end of 2021 and beginning of 2022 provided a period of slight respite. Indeed, research reveals that ransomware incidents fell by almost a quarter (23pc) in the first half of 2022, continuing the downward trend that had been observed for the previous four quarters.

Much of this drop was driven by the disappearance of Conti, REvil and PYSA, with all three operating Ransomware-as-a-Service (RaaS) models that provide technically unsophisticated cybercriminals with the tools to become effective ransomware actors without complex knowledge or skills. In the United States, for example, the Department of State offered a $10 million reward for information about the leaders of Conti, which ultimately saw the entire operation cease. Naturally, however, the disintegration of these groups left a void, presenting an opportunity for new groups who have subsequently filled it.

LockBit has taken the mantle as the largest ransomware threat, driving a new surge in the cybercriminal market. With the RaaS model now estimated to be responsible for more than 40 per cent of all global ransomware attacks, this resurgence is only expected to continue through 2023. For enterprises, it is critical to prepare and take the necessary steps to protect themselves properly as threats once again intensify. But how exactly should they look to do this? Here, I believe there are three key priorities which should be pursued.

1) Educating employees
First, improving cyber awareness remains important. It’s no coincidence that 95pc of data breaches involve human error – threat actors know individuals are an easy target and go after them. Therefore, maximising vigilance of common threats such as phishing among the workforce can go a long way in helping staff members to recognise potentially suspicious emails, dramatically reducing the likelihood that they will accidentally download malicious payloads capable of kickstarting ransomware attacks.

2) Improving prevention
Second, there needs to be a greater focus on prevention. Preventative controls have often fallen by the wayside in favour of detection and response, and this is understandable given that industry statistics show that attacker dwell times tend to be around the 200-day mark. However, we’re seeing attacks happening more quickly, and even in an automated manner. Therefore, firms need to adapt and rebalance their strategies to embrace modern prevention techniques designed to combat sophisticated ransomware attacks.

3) Enhancing visibility
Visibility is also vital. Only with holistic oversight of systems are firms able to both prevent threats in the first instance and detect and respond to attacks at speed. Equally, visibility will drive improved transparency and insight, helping companies to measure the effectiveness of their security solutions and adapt them as required to continually enhance their overall security posture.

Fast tracking strategy improvements

Focussing efforts in these areas will go a long way to ensuring enterprises can combat the efforts of ransomware adversaries. However, many organisations continue to find it tricky to update their security strategies in any meaningful way.

In a tough economic climate, many simply lack the budgets (and thus internal expertise and resources) to enhance visibility, education and prevention. However, enterprises can tap into market-leading resources spanning detection, investigation, threat hunting, response and remediation, and supplement the capabilities of their internal security teams by working with Managed Security Service Providers (MSSPs), for example. Equally, Managed Detection and Response (MDR) service providers can help firms to undertake advanced threat testing, uncover hidden vulnerabilities and develop relevant response plans.

Critically, both MDR and MSSP solutions are delivered by external providers, removing the need for organisations to invest significant sums in bringing expensive solutions or security professionals commanding huge wage packets in-house. Instead, the same expertise can be accessed as needed on a 24/7/365 basis, helping firms to bridge the cyber skills gaps in a cost-effective manner while easing the load on internal security teams.

Not only that, but MDRs and MSSPs can reduce the growing compliance burden on organisations through proactive reporting and auditing. They also use threat intelligence feeds to identify new threats and exploits and reposition their customers’ security postures effectively, enabling continuous improvement. With ransomware actors adapting their methods all the time, organisations must make the most of these resources as they work to build effective, fluid security strategies capable of defending against evolving threats. By working with external security providers, they will be able to access the resources needed to mitigate the potentially devastating effects of ransomware attacks.


© 2024 Professional Security Magazine. All rights reserved.
