Surveys suggest that Australian business leaders are far more concerned about ransomware than their peers overseas. Yet, as infections continue to rise with each new strain of ransomware, many businesses are putting themselves in danger by taking a laissez-faire approach – paying the ransom and proceeding with business as usual.
Ransomware continued to explode through 2016, with US Department of Justice figures suggesting that over 4000 attacks were occurring every day and that the volume of successful attacks had increased threefold over the previous year.
Paying up may seem like the easiest option once a business is confronted with having its critical data encrypted with potentially no way to recover it. However, ransomware has become increasingly nasty over time: one recent variant, called Ranscam, deletes files even when the ransom is paid, while Pacman ransomware installs a keystroke logger and supporting processes that prevent analysis of code that will makes files permanently inaccessible if no payment is made within 24 hours.
Indeed, ransomware authors have proven extremely creative in developing new ways to torment their victims; little wonder, then, that a Mimecast survey earlier this year found that 34 percent of Australian executives consider ransomware to be a ‘high threat’ – well ahead of the 25 percent in the US and 18 percent in South Africa.
Australia’s relative wealth and well-established business community have made it a high-profile target for ransomware scammers – which, Mimecast ANZ country manager Nick Lennon warns, is why they particularly need to develop ransomware-protection strategies that are effective enough to let them avoid playing into scammers’ hands.
Businesses need to develop “a multifaceted way of thinking about it”, Lennon advises, noting that the real costs of a ransomware incident can run into the thousands or tens of thousands of dollars from lost productivity, business downtime, recovery costs, consulting expenses, reputational damage, and potential fines from compromises of customer data.
Developing a complete strategy to minimise these potential damages includes not only addressing security at a technical level, but looking at how quickly systems can get back online, work around business-continuity planning, and having access to different technologies that can help in the event that a primary system is locked down.
“We’re seeing a lot of organisations adopting continuity services as part of that strategy so if they have been significantly attacked, they can recover back to a point in time quickly,” he explains. “They can execute against their plan knowing that their customer engagement and user productivity aren’t affected.”
While ransomware offers plenty of headaches from a technical perspective, putting it within a business context allows would-be victims to think more broadly about its potential impact – and to implement protections that circumvent the potential interruption caused by having one system rendered inaccessible by ransomware. This is core to the idea of ‘cyber resilience’ – ensuring that if a suitably robust business-continuity plan ensures that data is continuously backed up, for example, that data remains available even when its primary copy is locked up on an infected machine.
Although many businesses may consider the cost of ransomware to extend only as far as the ransom itself, the potential ramifications can extend long after the ransom is paid – even if the scammers prove true to their word and unencrypt the files. Many ransomware attacks can, for example, decrypt files when the ransom is paid – but leave behind pervasive, insidious malware that infiltrates the corporate network and quietly steals sensitive data on the company and its customers. If a worried employee has quietly paid the ransom to avoid censure by the business IT team, this infiltration may happen without anybody even knowing about it.
The broadening scope of ransomware attacks is pushing the industry to follow suit by delivering a broader defence surface to match. Since major security vendors have now predominantly shifted to cloud-based platforms for securing email and corporate data, this defence surface often includes capabilities sourced from other providers – or, in Mimecast’s case, partners including PhishMe and ZeroFox.
Such partnerships are a crucial part of Mimecast’s Cyber Resilience Coalition (CRC), an effort to build out its core email protection with complementary features designed to protect against human lapses in maintaining corporate information security.
PhishMe, for example, monitors the sites that users click on and intercepts requests for potential phishing sites that often turn out to be conduits for ransomware infections. And the recently announced addition of ZeroFOX to the CRC adds continuous monitoring of social-media threats for security risks and business threats targeting employees, customers, and businesses.
Cloud-based security architectures are facilitating the unification of such capabilities to give businesses better protection against ransomware and other threats – including having an offsite backup of critical data that can be easily restored during a ransomware recovery. And, given that email is by far the most common vector for ransomware and other malware attacks, addressing security at the email level can significantly dent any company’s exposure to potential ransomware threats.
By building on that platform to deliver a business-relevant system of protections, companies can not only work to prevent infections in the first place, but can implement and maintain the business-continuity capabilities that can make a ransomware attack more of a speed bump than a dead end.
“The key is having availability at the core of the decision,” Lennon says. “As people start looking at email security defences they are looking for controls, and having questions asked by the business. By ensuring that they can recover their data down to the imminent split second before these attacks take place, organisations can take a high degree of business confidence from that.”