Cyber security: the evolution of ransomware

Cyber Resilience 27th June 2023

Ransomware was first reported in 1989. The initial attack was delivered on a floppy disc and demanded that $189 be sent to a PO box before victims regained access to their systems.

As with everything in the digital world we live in, it has gone through many evolutions and reinventions over the last several decades.

Ransomware is a form of malware: a file or piece of code that infects an infrastructure and performs whatever actions the attacker wants.

Ransomware's primary function is to lock your infrastructure, preventing access to your systems and data.

The emerging trend is ransomware that infects the system and hides. It collects as much information as possible, finds and deletes your backups, and times the attack to yield the biggest return on the attacker's investment.

Deleting your backups is one of their top priorities: without backups, you cannot recover without paying the ransom.

Historically, cybercriminals focused on encrypting your data and charging a ransom to unlock it. If the ransom was not paid, the data would be permanently deleted or the ransom would be increased. Faced with that demand, a victim had two choices: recover from backup or pay the ransom.

In 2019, there was a significant increase in the number of attacks, and insurers responded by mandating "offsite" backup of data to reduce reliance on paying cybercriminals. From 2020 onwards, the cybercriminals made further changes to their attack strategy.

Firstly, the introduction of double extortion: not only encrypting the data but also stealing it. Why the change? If a company refuses to pay the ransom for decryption, it can still be extorted to prevent the data being released to the wider world or to other criminals. Secondly, the introduction of ransomware as a service (RaaS) makes ransomware attacks available to criminals with zero cyber knowledge, who procure the services of experts to execute the attack for a fee.

It is clear that cybercriminals are relentless in their efforts to hit their targets successfully, and are investing in new and smarter ways every day. Unfortunately, this is leaving technology and security system vendors on the back foot. Pressure is also on businesses and organisations to ensure they are taking the appropriate steps to protect their systems, information and assets.

So, with all of the recent changes, what is the real risk and impact of ransomware currently? Hiscox (a business insurer) recently released its Cyber Readiness Report for 2022, which helps to better understand the risk. Scope: 5000 businesses across 8 countries, covering a range of sizes and sectors.

Key findings:

  • 41% of companies who paid the ransom did not get their data back.
  • If you pay, it can still take up to 2 weeks to decrypt the data.
  • Ransomware can damage systems at the time of the attack, meaning data is lost or unrecoverable.
  • 43% of those who paid the ransom reported they still had to rebuild their entire systems.

Risks in paying the ransom:

  • Paying the ransom does not guarantee that you will get your data back.
  • There have been many reports of a repeat attack after the first ransom was paid.
  • Paying the ransom does not protect your data: the cybercriminal could already have stolen and sold it without your knowledge.
  • Even if you have cyber insurance, there is no guarantee the insurer will pay out your claim for the ransom payment you have made.
  • The ICO and the NCSC have taken a joint stand that paying the ransom does not protect you from prosecution, nor will it earn you a reduction in enforcement action.
  • While paying the ransom is not illegal, there could be sanctions in place that make the payment illegal, for example the current sanctions against Russia as a consequence of the invasion of Ukraine.

Your best allies in the battle against ransomware attackers, and in fact against most cybercrime, are prevention and preparation.

Prevention

The best forms of prevention are certifications that provide assurances to you and your clients that you have taken steps to reduce risk, demonstrate compliance and protect data and information.

The most well-known is the Cyber Essentials Certification, which assesses whether the technical controls are in place to protect you from the vast majority of common cyberattacks.

Cyber Essentials Plus is a higher-level certification that gives the added reassurance of an independent assessment.

Newer to the world of cybersecurity is the IASME Cyber Assurance Certification, developed through government funding to create a cybersecurity standard. This standard allows small companies to demonstrate their cybersecurity posture as an alternative to the international standard, ISO 27001.

The IASME Cyber Assurance Level 2 gives the added reassurance of an independent assessment.

Value

You are demonstrating to your key stakeholders and the outside world that information security is at the core of your business. No matter how big or small the business, certification can bring additional value:

  • A competitive advantage over your peers.
  • Access to new public and private sector customers, who often require certification as a mandatory expectation.
  • An improved external reputation and status.
  • Assurance that you are compliant with all legislation, regulations and best practices for securing your data and information.
  • A significantly reduced threat from outside and internal attack.

Preparation

Key areas:

  • Risk Management.
  • Business Continuity.
  • Disaster Recovery.

Risk Management is a process that enables you to understand risk and act against it, minimising threats and maximising opportunities.

Business Continuity Planning (BCP) is about having a plan to deal with difficult situations, so your organisation can continue to function with as little disruption as possible. This plan needs to account for people, locations and processes based on criticality. The process is designed to understand the critical employees, critical time periods and your dependency on your offices.

Disaster recovery (DR) is a plan designed to recover the IT and infrastructure after a disaster. A DR plan involves identifying critical IT systems and networks, setting their RTO, and documenting the activities required to resume, rebuild and recover them. DR is part of the overall BCP.

Recovery Point Objective (RPO) is the maximum amount of data, typically expressed as the period of time since the last usable backup, that the organisation is prepared to lose.

Recovery Time Objective (RTO) is the amount of time needed to recover critical systems and applications.
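As an added example, not part of the original article: a small Python check that applies the RPO definition to a constructed backup inventory. It reports how old the newest copy is when only backups held off the network are trusted to survive, and flags expected backup slots with no copy, which is the gap that the backup-deleting trend described earlier would leave behind. The inventory rows, location names and the nightly cadence are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Snapshot:
    snapshot_id: str
    completed: datetime
    location: str
    off_network: bool  # held off-site, unreachable with the production network's credentials

# Constructed inventory (not real data): a nightly job copies to a local NAS and then to
# off-network storage; the off-site copies for the 21st and 22nd are absent.
INVENTORY = [
    ("snap-0620-nas", "2023-06-20T02:05:00", "nas01", False),
    ("snap-0620-off", "2023-06-20T02:40:00", "offsite-bucket", True),
    ("snap-0621-nas", "2023-06-21T02:05:00", "nas01", False),
    ("snap-0622-nas", "2023-06-22T02:05:00", "nas01", False),
    ("snap-0623-nas", "2023-06-23T02:05:00", "nas01", False),
    ("snap-0623-off", "2023-06-23T02:40:00", "offsite-bucket", True),
]

def load_inventory(rows):
    return [Snapshot(i, datetime.fromisoformat(t), loc, off) for i, t, loc, off in rows]

def rpo_exposure_hours(snapshots, now_iso, off_network_only=True):
    """Hours of data at risk: age of the newest copy that survives if everything on the network is lost."""
    pool = [s for s in snapshots if s.off_network or not off_network_only]
    if not pool:
        return None  # no surviving copy at all: exposure is unbounded
    newest = max(pool, key=lambda s: s.completed)
    return (datetime.fromisoformat(now_iso) - newest.completed).total_seconds() / 3600

def missing_slots(snapshots, off_network, first_iso, last_iso, interval_hours=24, slack_hours=2):
    """Expected backup slots with no snapshot; a gap after a steady cadence means a failed job or deleted copies."""
    have = [s.completed for s in snapshots if s.off_network == off_network]
    slot, last = datetime.fromisoformat(first_iso), datetime.fromisoformat(last_iso)
    step, slack = timedelta(hours=interval_hours), timedelta(hours=slack_hours)
    gaps = []
    while slot <= last:
        if not any(abs(t - slot) <= slack for t in have):
            gaps.append(slot.isoformat())
        slot += step
    return gaps

if __name__ == "__main__":
    snaps, now = load_inventory(INVENTORY), "2023-06-23T09:00:00"
    exposure = rpo_exposure_hours(snaps, now)
    print(f"off-network exposure {exposure:.1f} h; 24 h RPO met: {exposure <= 24}")
    for gap in missing_slots(snaps, True, "2023-06-20T02:40:00", now):
        print("no off-site copy for expected slot", gap)
```

Compare the result against your stated RPO: the local NAS copies alone would look healthy here, but they are exactly the copies an attacker on the network can delete.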

In closing:

  • Ransomware is a significant risk to all companies, regardless of size.
  • Prevention and preparation are your best allies.
  • Paying the ransom gives you no guarantee of getting your data back.
  • Backups must be held off-site and off your network, so that cybercriminals cannot delete or corrupt them and prevent your recovery.
  • Accreditations and certifications are affordable, attainable and available to all.
  • Cyber risk means loss of reputation, loss of the ability to operate, financial penalties, and failure to win new and retain existing clients.

We hope you have found this guide useful, our team can be reached on 03300 0241666 or contact@net-defence.co.uk should you have questions or want to better understand what your business needs.
