Current ransomware threats are also characterized by a number of characteristics. Recently, successful ransomware attacks infect corporate networks with a combination of malware and “manual” methods that exploit misconfigurations in the network and target employees in order to gain access to data . The attack via the Kaseya software is an exception, as the security gap used here was not intended to infect companies directly, but via their MSP software.
It can also be observed that ransomware gangs are increasingly using a “double blackmail tactic” in which they demand a ransom both for decrypting the encrypted data and for not publishing it online.
The fact that ransomware is doing great business has also recently led to what it seems like criminals are starting to span the arrows. The attacks on the Colonial Pipeline as well as the Kaseya hack have led many governments to take the problem more seriously and are considering effective countermeasures. Even if these have not yet come into force, negative consequences for ransomware actors are already emerging. We can already see that the interest in buying and selling ransomware has already declined in some hacker forums.
Even if the situation for cyber criminals is not all rosy right now, companies still need to step up their protective measures against ransomware. In doing so, you should pay particular attention to the following recommendations:
- Take an inventory of your data in order to classify it and, depending on its importance, secure it with additional measures.
- Reduce unnecessary access rights and permissions for user accounts so that the damage remains limited should end devices be infected.
- Create a disaster recovery plan for ransomware attacks to quickly mobilize internal resources to limit the damage (e.g. a checklist of who to call, what to isolate, and what to document).
- Use a system for securing the endpoints that provides remote isolation for administrators.
- Use behavior-based detection technologies to identify ransomware threats based on activity rather than signature.
- Have a ransomware recovery tool handy just in case.
- Keep your systems up to date as well as the apps on the end devices.
- Reduce services that allow remote access to systems or take additional precautions to secure the access ports.
What can the state do?
If a company follows the recommendations mentioned, a lot has been gained, if only because it is no longer one of the simplest goals. After all, cyber criminals are efficient and want to keep the effort as low as possible. Ultimately, however, more consistent government intervention is required to make ransomware attacks less attractive and to contain them on a large scale. Fortunately, more and more governments around the world are ready to take serious action. From our point of view, the following points have priority:
- Increased cooperation between governments and providers of IT security solutions.
- An intensified communication and extensive exchange of information between state law enforcement organizations and providers of IT security solutions.
- Collection and provision of detailed information about attacks originating from the affected companies. Affected companies are currently silent far too often, cases such as that of the shelving and furnishing specialist Berger are among the laudable exceptions. Information of this kind must also be collected centrally.
- Targeted measures against the ransomware infrastructure, e.g. B. the hosting and payment servers, as well as a targeted tracking of payments to make attacks less lucrative.
- Increase the risk of criminals using ransomware by reducing their hiding places. This requires, among other things, international cooperation and the willingness to enforce sanctions more consistently against certain states that offer cybercriminals a refuge.
In the current situation, self-help should be a top priority for companies. However, because the danger posed by ransomware cannot be contained in this way in the long term, companies should also exercise their influence and increasingly press for government measures against ransomware criminals. The fact that the discussion of government measures alone has led to negative consequences for cyber criminals should make us optimistic.