What to do against a ransomware attack?
Almost every day, organisations fall victim to ransomware attacks. Ransomware is malicious software that is used to encrypt files. Victims have to pay ransom to the attackers to get their files back. In some cases, the attackers also threaten to disclose the stolen data if the ransom is not paid.
The ransom demand has increased explosively in recent years. Whereas the ransom usually amounted to a few thousand euros in 2012, a sum of hundreds of thousands or even millions of euros is now demanded. In recent years we have seen that attackers no longer focus on infecting a single computer, but take over entire networks, including the systems where backups are stored. If it is impossible to restore backups, many organisations are forced to pay the ransom.
The costs quickly mount up during a cyber attack. Your company is temporarily offline, systems need to be cleaned up and you lose income. As an organisation, you also have to deal with damage to your reputation, which is more difficult to express in terms of costs. In the longer term, I expect that costs will increase even more. And no matter how well you insure yourself as an organisation, you can never cover all the costs.
A rise in ransomware attacks in 2021
The company Cybersecurity Ventures predicts that by 2021, there will be a ransomware attack on a company every 11 seconds around the world. They estimate that the cost of ransomware to businesses will be $20 billion and the global damage from cybercrime will be $6 trillion. These are not just the ransom payments, but also the costs of recovery and damage control after an attack. Recovery costs in particular are significant. And with the number of attacks out there today, it's smart to consider these costs when budgeting for the coming years.
Check Point, one of our partners and a provider of cybersecurity solutions, is also seeing an increase in the number of ransomware attacks. During a survey in the summer of 2020, they saw the daily average of ransomware attacks increase by 50% compared to the previous period. These attacks mainly involved ransomware such as Egregor (successor to Maze) and Ryuk.
Records were broken in 2020 in the number of attacks. According to Check Point, this trend began when the worldwide COVID-19 pandemic broke out and everyone started working from home en masse. This allowed 'holes' to appear in the defence of IT systems.
Ransomware & COVID-19
Attacks occur in every sector, but for the healthcare sector in particular, these attacks are now more severe because they are already under pressure due to the COVID-19 pandemic. Unfortunately, cybercriminals are not deterred by this crisis.
A research report from Zscaler wrote that more than 6.6 billion encrypted threats were detected in their cloud from January to September 2020 within encrypted channels. As you can see, healthcare is number one in the number of attacks, but other sectors don't fare too well either:
- Healthcare: 1.6 billion (25.5%)
- Financial and insurance institutions: 1.2 billion (18.3%)
- Manufacturing: 1.1 billion (17.4%)
- Governments: 952 million (14.3%)
- Service: 730 million (13.8%)
The biggest increase was visible in March 2020, when the World Health Organization (WHO) declared the virus a pandemic. At that time, researchers saw a five-fold increase in the number of ransomware attacks over encrypted traffic. Cybercriminals used the fear of the virus as a tool.
For a successful approach to ransomware, it is necessary to focus on several issues. These include:
- E-mail security
- End-point protection
- Patch policy
- Network segmentation
- Incident Response
In this article, I will focus further on how to use a SOC to combat ransomware.
Launching the attack against ransomware with a SOC
With the right security solutions, you can detect most ransomware attacks in time and thus limit/stop them. One of the means is a Next-Generation Firewall (NGFW). My colleague Remco Hobo has made a nice overview of the top 5 NGFW for 2022. But often firewalls and antivirus systems are insufficient to stop a ransomware attack. That's why more and more organisations are switching to a Security Operations Centre (SOC).
A SOC is the physical location of an information security team. This team is responsible for monitoring and analysing the security of an organisation continuously. They are also active in preventing, detecting and responding to cybersecurity incidents. The team that monitors your network and systems does this with a Security Information & Event Management (SIEM) platform. It provides real-time analysis of security alerts and improves threat detection and response capabilities. A SIEM helps to provide insight into the daily activities within your network and forms the basis of an effective security framework. A lot of things are automated in a SOC, so that connections can be made between incidents and the cause of the problem can be found more quickly. This also reduces the time needed to resolve the incident.
When a Chief Information Security Officer (CISO) wants to start with a SOC, it is a challenging task to set up a full SOC at once. That is why we recommend starting small and gradually growing towards a complete SOC. In addition, it is also important to engage with the entire organisation. After all, information processing is done by everyone. This makes setting up a SOC a challenging activity.
Setting up a SOC
Proper monitoring of information security within your organisation requires more than monitoring log files of antivirus solutions or the firewall. Several things need to be set up and organised:
- Information security policy - this sets out the information security objectives for the organisation and how information security is organised.
- Overview of the application landscape - this provides insight into what information an organisation has and how this information is processed. It is also necessary for risk analysis.
- Results of recent risk analysis - this maps out the consequences for the organisation in the event of problems with the availability, integrity and confidentiality of certain information. It also shows which threats in the processing of information constitute an unacceptable risk.
- IT management organisation - a SOC will detect attacks and uncover network weaknesses. Proposals are made for this so that attacks can be averted or security can be improved. These are passed on to the IT management organisation. This requires good agreements and established processes between the SOC and the IT management organisation.
- Ownership of information systems - Every information system must have a manager as the system owner. This is in case tactical decisions need to be taken based on an observed incident.
In addition to putting all of the above in place, it is also important to find the right people to do the monitoring. A SOC is still fairly new, so finding experienced SOC staff can be difficult. Therefore, you should first look for employees within your organisation with the right motivation and mentality to get started. It is also important to invest in their training. This should be a recurring item because cybercriminals do not stop developing their attacks. Furthermore, it is important that monitoring is set up 24x7 and for all days of the week if possible. Hackers also work outside office hours (wink).
Set up a SOC yourself or outsource it?
If, as a CISO, you want to set up a SOC to reduce the threat of ransomware attacks, one of the things you should think carefully about is whether you want to set it up yourself or outsource it. Building a SOC from the ground up can be a challenging task as you have read above. You can also outsource this, then you choose Managed Detection & Response or also called SOC as a Service (SOCaas). Then you don't have to start building a SOC yourself, choosing the right software, the people and all the processes involved.
When you outsource your security, you don't lose control over it. As an organisation, you remain ultimately responsible. An external SOC team will notify you when there is a threat or breach to your network and give you feedback on this on a priority level, and can assist in resolving the breach.
Find out what a managed SOC is all about, why outsourcing your IT security isn't scary and how to choose the right managed »