Targeted Ransomware Attacks on the Rise

by | Mar 11, 2020 | Cybersecurity, Data Breach, Incidence Response, malware, ransomware

At the end of February, security experts at RSA 2020, a leading cybersecurity conference, warned that an increase in targeted ransomware is likely. These concerns echo a statement released by the FBI in October that ransomware attacks are becoming “more targeted, sophisticated, and costly.”

Ransomware is a form of cyber-attack that hackers use to encrypt information on victims’ systems then demand a ransom before giving the victim back access to their files. In the past, these attacks were aimed primarily at individual consumers. However, in the past 2 years ransomware attacks have dramatically shifted focus toward businesses and institutions, including government agencies. According to a report by Malwarebytes, there was a 263% increase in ransomware targeting organizations in the second quarter of 2019.

Easy Money

So what exactly has led to the increase in ransomware attacks against businesses? Well, while there are a number of factors contributing to this trend, the main answer is money. According to the Malwarebytes report, attackers found that focusing on businesses provides a larger and more consistent return on investment. Not only do hackers expect businesses to have more money than indyuvial consumers, the loss of data can prove more harmful and costly for organizations than a single person. This gives businesses a larger incentive to pay up. What’s more, ProPublica has written a series of articles detailing how insurance companies and other firms offering ransomware solutions often opt to simply pay the ransom rather than work to unlock encrypted files by other means. Hackers are therefore becoming more and more confident their victims will cough up the money.

However, ransomware attackers are also learning they don’t even need the ransom to make money off their attacks. Ransomware-as-a-service (RaaS) is a growing business model on the dark web, where groups will build and sell ransomware kits to those without the technical know-how to carry out an attack on their own. RaaS has therefore made ransomware a more accessible method of attack, contributing to the rise in attacks we have seen in the past few years.  

Protect and Prepare

Given the dramatic rise in ransomware attacks against organizations, every business needs to invest time and energy in protecting against and preparing for the possibility of a ransomware attack.

Protecting yourself from a ransomware attack largely involves getting back to the basics of cybersecurity. Upgrading and patching outdated operating systems and software regularly, using anti-virus and malware protection, and restricting access privileges only to those who need them will all help to decrease the risk of an attack. Regular penetration test and vulnerability scans will show the areas in your systems that need the most protection. Routinely backing up your systems and information and testing those backups is also essential. If a ransomware attacks locks up your files, having a recent backup of your information could be one way to ensure access without paying a ransom.

However, even if you take every possible preventative measure, you can’t just assume you won’t be targeted. Given the dramatic increase in ransomware attacks, it is essential to also plan your response if something ever happens. Incident response teams should therefore understand the response plan and simulate ransomware attacks to ensure preparedness and find ways to strengthen your response should the worst happen.

Are These the Cybersecurity Guidelines “To Which Nobody Can Deny”?

by | Mar 10, 2020 | Cybersecurity

It may seem that when you seen one set of cybersecurity guidelines, you’ve seen……one set of cybersecurity guidelines.  Every vendor, every regulation, every client is looking for something similar, but not quite the same when it comes to cybersecurity.  Maybe there’s some hope, for U.S. businesses, at least, coming from the Securities and Exchange Commission.

At the end of January, the SEC’s Office of Compliance Inspections and Examinations (OCIE) released a report of cybersecurity guidelines based on observations made during “thousands of examinations of broker-dealers, investment advisers, clearing agencies, national securities exchanges and other SEC registrants.” The report details a series of cybersecurity practices within 7 key areas of concentration:

#1 Governance and Risk Management

The report emphasizes the role senior leadership needs to play in defining and implementing cybersecurity strategies for the organization. Board members and other senior leaders should oversee the adoption and regular updating of policies and procedures based on an organization-specific risk assessment as well as establish proper communication channels regarding cyber threats throughout all levels of the organization.

#2 Access Rights and Controls

The report also highlights the need for organizations to limit access to sensitive information only to those who need it for specific and legitimate purposes. The OCIE recommends organizations frequently reevaluate access privileges and implement systems to monitor unauthorized access attempts.

#3 Data Loss Prevention

The OCIE also outlines a number of steps organizations should take towards preventing the loss or exposure of sensitive information. This includes measures such as frequent vulnerability scans, encryption and network segmentation, and insider threat monitoring.

#4 Mobile Security

Organizations should also have policies and monitoring systems in place for the use of mobile devices for business purposes. The OCIE recommends training employees on mobile security as well as requiring the use multi-factor identification for any business applications used on mobile devices.

#5 Incident Response and Resiliency

Developing and testing a response plan for any cybersecurity incidents is also an important area for organizations to concentrate. The OCIE recommends assigning and training specific staff members in incident response, simulating an incident to test response effectiveness, and updating the response plan based on testing.

#6 Vendor Management

Because vendors may have access to an organization’s information, the OCIE also recommends implementing policies to assess and monitor vendors’ security posture. This includes reviewing vendor contracts and implementing a vendor management program.

#7 Training and Awareness

Lastly, the OCIE encourages organizations to provide training in cybersecurity for all employees. Organization leadership should develop the training based on the their specific security policies and use training programs that actively engage employees.

Implications

While the cybersecurity guidelines that the OCIE outlines cannot ensure compliance or prevent liability concerns, many consider the report as a strong and practical roadmap for organizations to consider. In an article for the Legal Intelligencer, Devin Chwastyk laments the legal ambiguity of what is considered “reasonable care” with regards to safeguarding sensitive information and sees the steps outlined in the SEC’s report as offering “practicable (and understandable) advice on how [organizations] might start to try to avoid liability for a data security incident.” The National Law Review also notes that, while the report is aimed at the financial sector, it provides “helpful benchmarks” for a variety of industries. Moreover, given the SEC’s strong focus on cybersecurity in the past few years, there is speculation that this report could help inform regulation enforcement determinations in the future.