What Bryley’s Learned About Minimizing Ransomware
How to Fight Back Against the Thieves
“Turn on syncing?” the browser asked.
“Syncing” tells the browser to allow stored credentials to be available across a person’s devices. And, why not? Sounds convenient.
Well, maybe the browser account password was phished.[1] Or maybe the browser password had been reused from some other, previously compromised account. Whatever the exact reason, syncing turned out to be a problem when the personal browser account got hacked.
And the real problem was that a work login was found by the criminals among the passwords stored by the browser – and these work credentials were used to steal company data and lock the company systems with ransomware.
It’s easy to say the person shouldn’t have had a work login in a personal account. True enough, but why would someone do that in the first place? Convenience? A false sense of security about their phone or home computer? Were they ever taught the risks of keeping business credentials on a personal device?
What could the business’s management have done to prevent this scenario from unfolding?
Ransomware Incidents Doubled the Past Year
Bryley partner Barracuda just released its 2023 State-of-Ransomware Report. It shows a doubling in reported ransomware attacks since last year, and “the volume of unreported attacks has also increased dramatically.”[2] Barracuda’s researchers attribute some of this jump to AI tools, readily available to people who want to steal and otherwise do harm, that increase the volume and sophistication of attacks.
Jackie Burns Koven of Chainalysis (a government contractor that tracks crypto movement) ascribes the ransomware increase to changes in Russia (a number of prominent ransomware gangs are in Russia): “I really think the tide of the Russia-Ukraine conflict has impacted these numbers. Whether that’s actors have settled into safe locations, whether their year of military service has finished, or whether perhaps there’s a mandate to release the hounds.”[3]
IBM’s Cost of a Data Breach report showed that the average data breach cost increased by $1 million when remote workers were involved. A corollary: it took organizations with a remote workforce fifty-eight days longer to identify and contain a breach than strictly office-based organizations.[4]
What Helps Prevent Ransomware?
So in the example above, an employee had a work login stored by his personal browser. What steps can a business take to lessen the chance of this happening?
Security Awareness Training
Security Awareness Training (SAT) can teach people how to use technology securely, removing one source of ransomware outbreaks. Barracuda shows that Business Email Compromise (BEC) is the chief way ransomware is delivered. BEC is a branch of social engineering and a relative of phishing, only sneakier, because the ransomware-delivering emails originate at a trusted source (such as another employee’s compromised email account). Ongoing SAT will alert your employees to up-to-date tactics.
Communicate the Scarcity of the Organization’s Compliancies (if applicable)
According to criminologist Fabian Muhly, writing in the Harvard Business Review, “people find objects and opportunities more attractive if they are rare, scarce, or difficult to obtain. Senior leaders can make use of this psychological tendency …” by promoting the organization’s difficult-to-obtain compliancies. Communicate honestly that these are vital to the business and would be in jeopardy if there were a breach in security.[5] This can help workers understand the importance of good cybersecurity practices, so that they comply more willingly.
Classify Organizational Data
Also from Muhly: “senior leaders should [create] a classification system that separates innocuous from sensitive information. Employees will acquire a sense for the scarce — must-be-protected — information.” This keeps staff attentive in protecting the crown jewels of the company, like logins. By contrast, asking staff to protect everything regardless of its seriousness can feel insincere and needlessly taxing.[6]
Authority and Knowledge
Muhly advises that when senior leaders personally instruct their workforce to comply with cybersecurity best practices, they are more likely to achieve the desired outcome. “But there’s a catch,” writes Muhly, “leaders need to be seen as a trusted source in addition to being the boss. It’s the difference between merely … ordering the workforce what to do, and being perceived as … knowledgeable of the topic.” This means your leaders need to set the tone about the importance of security and have a fundamental knowledge of security principles. Authority and real interest in the topic are the most effective combination for winning workforce support.[7]
Strong Multifactor Authentication (MFA)
Strong forms of MFA include a phone app and USB hardware keys. MFA can catch people’s errors in judgment because it is a layered security approach. Requiring users to validate their identity with more than one factor lets your admins maintain better control over who is accessing your network and data. A second means of authentication makes it harder for an attacker to subvert the credentialing process, because the attacker has to defeat two different authentication approaches. Admins will also be able to see when a criminal has a password but not the second factor, so the compromised password can be reset.
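As an added example (not from Bryley or Barracuda), a small Python script over constructed identity-provider log lines shows what the last sentence describes: a password that keeps being accepted while the second factor keeps failing is a signal that the password itself is compromised, so the account should be queued for a reset. The log format, field names and event names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real data). The assumed identity
# provider logs the password step and the second-factor step separately.
SAMPLE_LOG = """\
2024-05-02T08:14:03Z user=jdoe event=password_ok ip=203.0.113.7
2024-05-02T08:14:09Z user=jdoe event=mfa_fail ip=203.0.113.7
2024-05-02T08:15:41Z user=jdoe event=password_ok ip=203.0.113.7
2024-05-02T08:15:50Z user=jdoe event=mfa_fail ip=203.0.113.7
2024-05-02T08:17:02Z user=jdoe event=password_ok ip=203.0.113.7
2024-05-02T08:17:11Z user=jdoe event=mfa_fail ip=203.0.113.7
2024-05-02T09:01:12Z user=asmith event=password_ok ip=198.51.100.4
2024-05-02T09:01:20Z user=asmith event=mfa_fail ip=198.51.100.4
2024-05-02T09:01:35Z user=asmith event=mfa_ok ip=198.51.100.4
2024-05-02T09:30:00Z user=bwong event=password_fail ip=192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) ip=(?P<ip>\S+)$")

def parse_log(text):
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def find_compromised_passwords(events, threshold=3):
    """Return {user: [ips]} for (user, ip) pairs where the password was
    accepted, the second factor failed at least `threshold` times, and the
    second factor never succeeded from that ip. Someone who knows the
    password but cannot pass MFA is exactly the case the text describes."""
    pw_ok = set()                  # (user, ip) pairs whose password was accepted
    mfa_fail = defaultdict(int)    # (user, ip) -> number of failed second factors
    mfa_ok = set()                 # (user, ip) pairs that completed MFA
    for e in events:
        key = (e["user"], e["ip"])
        if e["event"] == "password_ok":
            pw_ok.add(key)
        elif e["event"] == "mfa_fail":
            mfa_fail[key] += 1
        elif e["event"] == "mfa_ok":
            mfa_ok.add(key)
    flagged = defaultdict(list)
    for key, n in mfa_fail.items():
        if key in pw_ok and key not in mfa_ok and n >= threshold:
            flagged[key[0]].append(key[1])
    return dict(flagged)

if __name__ == "__main__":
    for user, ips in find_compromised_passwords(parse_log(SAMPLE_LOG)).items():
        print(f"reset password for {user}: accepted password, MFA never passed, from {ips}")
```

The legitimate user asmith mistyped a code once and then passed, so only jdoe is flagged; raising `threshold` trades sensitivity for fewer false resets.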
AI-Powered Email Threat Protection
AI that is continuously trained on your employees’ email content, contacts and behaviors scans inbound messages to detect aberrant emails. In this way ransomware can be quarantined before an end-user is even able to accidentally click a link, download a document or run an executable containing malware.
Anti-Malware/Anti-Virus
Not all ransomware will be detected by anti-malware/anti-virus software, but most known forms will be detected and quarantined and/or removed before they can do damage. Install anti-malware/anti-virus software on all devices and keep it current, as threats keep changing.
What Helps a Business Recover from a Ransomware Incursion?
And what if ransomware is deployed anyway? What then?
Incident Response Plan
This is a step-by-step guide for responding to a security incident such as a ransomware attack. The plan should answer: How will you detect a security incident? How will you eradicate the threat? How will you recover? An Incident Response Plan includes a list of roles and responsibilities, and it can give you and your workers confidence that your organization is prepared to respond. That confidence helps provide calm in a stressful situation.
Network Segmentation
This can be done in two ways: logically (keeping the data and data flows separate) or physically (using different devices and cables). Separating components can help stop ransomware from spreading. For example, if one part of the network holds endpoints/workstations and another holds servers, and an endpoint gets infected, the infection may be stopped before it reaches the servers. But if everything is on the same flat network, one infected endpoint lets the ransomware spread easily to everything.
Backup Strategy
Reliable, current data backups allow recovery from ransomware by restoring systems, applications and files to a previous, uninfected state. A sound backup strategy is configured according to system priority, monitored for success and routinely tested for recovery assurance. It is also good practice to keep multiple copies of backups on different types of media in different locations.
Disaster Recovery Plan
A Disaster Recovery Plan is your organization’s step-by-step procedure for recovering from ransomware encryption or another disaster. Reliable and current backups are only helpful if they can actually be used in a recovery, so document your procedure and test its effectiveness at least annually. If recovery documentation is exposed, attackers will use it against your organization to make sure recovery is impossible without paying the ransom, so protect that documentation with encryption and privileged access. Additionally, keep your disaster recovery documentation (and all plans and policies) in other forms, such as a printed copy.[8]
Formulate an Approach that Serves Your Needs and Budget
For as long as ransomware has existed, Bryley has counseled clients on keeping it at bay. Bryley’s engineers and technicians have wide-ranging experience dealing with the threat of ransomware. For more information about ransomware strategies, please contact Bryley through the form below, call 978.562.6077 or email ITExperts@Bryley.com.
[1] Phishing is criminals pretending to be someone else to get you to give up information, like a bank account number or a password.
[2] https://blog.barracuda.com/2023/08/02/threat-spotlight-ransomware-attacks-double-ai-tactics Ransomware is under-reported. Unfortunately, to try to preserve their reputations, organizations sometimes do not make vendors and clients aware that the business has been the victim of ransomware.