Interview with Chief Security Officer, Frank Martin

What is ransomware?: 

In its lowest level form, ransomware is malware that requires you to pay a ransom to get access back to your systems. 

‍

Why is ransomware such a concern at the moment?: 

in the last few years, ransomware attacks have escalated, causing the price of ransom to increase and the cost to protect your business and recover. 

Attacks are increasingly advanced, with adversaries spending months preparing and infiltrating your business systems early and waiting for the opportune moment to strike. 

How do businesses recognise they are under attack?: 

You can put systems in place to alert you if they detect an attack. Ransomware attacks follow a pattern of evasion, escalation, encryption and finally, the ransom demand. This often happens at speed and can be difficult to spot quickly enough to respond manually. 

SIEM solutions can detect all stages of the ransomware attack, allowing for prevention of the attack or isolation of the attack to limit the damage. Unexpected application execution, credential harvesting, unexpected privilege escalation, deletion of backups, and bulk file modifications are monitored as they are common indicators of an active ransomware attack.

Why would certain businesses be attacked?: 

There are many different reasons businesses may have been targeted. It could be purely for money, or they may have chosen you specifically due to high-value targets or your sector. 

If it's organised crime, it's purely for the money. Therefore the criminals behind this won't care who you are or what your business does. If it were state actors, money wouldn't have been the cause; instead, they would be after information. 

If they thought they could use your business to access others, that could have been the cause. They could have used you to connect to a more significant sector.

What will happen in a ransomware attack?: 

Usually the first thing that will indicate this type of attack will be one or many employees noticing a message on their screen asking to pay some form of ransom, usually in bitcoin or some other cryptocurrency.

Whilst larger organisations may have awareness campaigns around these types of events, smaller organisations generally do not.  At this stage trying to reboot the device will not matter as the perpetrators are already inside your systems so it is too late.

The perpetrators, which may be organised crime or state actors, could take over your web camera and take photos of you as well as capture images of your desktop to show proof they have your information and data and will threaten to share this information which at this stage they will have already encrypted. They will give you social evidence they have your information, file capture shots, extract information to show you what information they have - if you don't pay (always in a short time frame), they threaten to send the information to your clients, put this out to papers, further threaten how to extort you.

‍

On the initial screen telling you, you have been attacked. There will be a unique code to tell which organisation you are from. They will then provide instructions and a breakdown on paying the ransom and steps to create a crypto account and transfer the money.

What will happen if you pay the fine?: 

First, there is no guarantee you will get the data back. They could only give it back partly and demand even more money; now they know you are willing to pay. 

The ransom will be delivered in cryptocurrency, so the transaction can't be tracked and hidden from the authorities. If you pay the ransom, you might also be opening yourself up to other attacks as they could let other hackers know that you are willing to pay. 

You may need to pay a fine on top of the ransom if industry regulators in your sector make it illegal to pay a ransom. 

What are some of the unexpected fallouts of a ransomware attack?: 

There is the cost of the attack, the cost of recovering, the cost of mitigating future attacks, and perhaps fines. 

In many cases, businesses are told not to pay the fine to retrieve their systems, which encourages them to continue to attack companies as they receive large sums of money. For example, in the financial industry in the UK, Industry regulators have now made it against the law to pay these fines. However, many business owners are now in this dilemma, as they don't want to start their business from scratch and would rather spend the fine. 

There may be reputation costs as well; hackers could threaten to share your data or client information as a way of pressuring you to pay.

How do they initially get into businesses systems?:

Ransomware enters the system typically by email. The malicious actor will trick a recipient into flowing a link or opening a malicious attachment. USB memory sticks are another common attack vector.

What can businesses do to protect themselves?:

Scanning all emails for malware types and patterns is a good place to start. You should also make sure to limit users access privileges so they can only be targeted for limited file encryption and use privileged identity management to ensure administrator accounts only have in-time access. Keep all operating systems patched with the latest security updates and take regular backups and maintain separation of responsibilities. Asking employees to avoid unauthorised USB memory sticks is another area that some businesses falter.

Is the cost of protection services worth it?: 

Without a doubt, yes, the cost of paying a ransom can be millions of pounds, then you might have to pay fines on top of that and the potential cost of getting all new devices if you feel they are not safe. 

If you don't pay the ransom, you may need to start your business from scratch as you have lost all your data and systems. If you lose clients data, there may be penalties to pay here. Prevention will always be the best option than recovering.