How Can CISOs Better Prevent Ransomware Attacks in 2024? | A step-by-step guide
Table of contents
Are ransomware attacks going anywhere in 2024?
In short, no.
Ransomware gangs are going to continue to employ sophisticated ransomware as a service (RaaS) methods, leverage critical infrastructure on the dark web and continue to share new tactics to evade law enforcement. But the way that ransomware gangs organize and deliver attacks will evolve in 2024, as takedowns, like the lockbit ransomware gang takedown, show how seriously law enforcement take these cyber threats.
In 2023, ransomware groups plotted extortion, leveraged zero-day vulnerabilities and targeted a wide array of targets including the healthcare industry. Now, 2024 is already shaping up to be a different challenge for cybersecurity professionals when it comes to visibility over the entire ransomware ecosystem.
The aim of ransomware however, has not, and will not change, because ransom payments remain a lucrative and worthwhile business. But it is true, that some RaaS operatives are now a lot more selective about their attack strategy.
For CISOs, it is no longer a matter of stuffing this issue into a one size fits all box solution but instead carefully considering a shifting, continually evolving ransomware threat landscape.
Let’s take a look at what you can roll up your sleeves and do today.
Step 1: Brush up on the cybersecurity proactive costs versus the costs of ransom demands
No company is immune to ransomware attacks; if you have information worth taking, there is a likely a cybercriminal who is ready to take it and then charge you a hefty ransom payment to retrieve your stolen data.
First, let’s look at fresh data from last year that breaks down the critical costs involved in a ransomware incident.
In 2023 the number of ransomware attacks increased over 2022 data, as well as the number of payments, and the number of victims.According to a 2023 report by Allianz, there was a 143% increase in the number of ransomware victims globally in Q1 of 2023 alone.
What is more is that research from Chainalysis, a blockchain research firm, reveals that in 2023, companies, individuals, and other victims of ransomware attacks paid hackers over $1.1 billion to regain access to their data.
This marks a significant increase from the $567 million paid in ransom payments in 2022. The decrease in 2022 was attributed to the Russian-Ukrainian conflict and concerns about potential sanctions risks associated with payments. With some ransomware groups shifting focus to espionage or destructive activities related to Ukraine, and revelations of ties to the Russian state, victims became wary of potential fines linked to U.S. sanctions.
Our blog, The True Cost of Ransomware Attacks, outlines the costs you can anticipate ransomware costing your business in 2024.
In terms of proactive, more board friendly solutions, for a modern CISO, we recommend reading CybelAngel’s 2024 State of the External Attack Surface Report, written by our CISO, Todd Carroll.
But next, let’s take a look at how ransomware gangs in 2024 continue to gain access to so much personal data, stolen data and threat intelligence.
Step 2: Analyze how your critical infrastructure can help or hinder a ransomware group
Malicious actors can utilize multiple points of entry to a network in order to conduct a ransomware attack.
Shadow IT is a popular target, as there are often open ports to be found. It refers to internet-facing assets that a company’s IT department does not know about and therefore cannot protect. Other points of entry include phishing campaigns (tricking a user into providing information) or drive-by downloading (tricking a user into downloading malware/spyware).
There is a bright side: according to 2023 CybelAngel data on ransomware attacks, 45% of organizations using physical backups were able to recover within a week, while only 39% of those who paid the ransom managed to recover within the same timeframe. Investing in proactive services to detect these exposed data points would cost less than 8% of the recovery costs on average per year.
If a “bare-metal” backup (a backup from the original state with no customizations, etc.) is available, companies can restore it to a new device within a few hours and have most data available shortly thereafter. Backups could reduce the cost to an average ransomware attack recovery to $1.6 million (from $1.82 million).
Step 3: Understand the reality of data recovery following a cyberattack
To be clear, being able to quickly recover from an attack is essential, so some form of backup is absolutely mandatory. That said, there is a downside to the security that backups provide: Sophos.com found that 72% of respondents from companies that were not victims of a ransomware attack felt they were not going to be the victim of an attack in the future due to either backups or cyber insurance, neither of which will prevent a ransomware attack. What’s more, Veeam Software found that 95% of ransomware attacks attempted to infect backup repositories as well.
There is no guarantee that organizations who organize ransom payments and meet these elevated ransom demands can fully recover their data. An example of this was the recent targeting of Change Healthcare in the United States.
Ransomware attacks on healthcare providers: A perfect nightmare
This large scale cyberattack which targeted UnitedHealth’s Change Healthcare unit, across North America was made public in February 2024. Blackcat, a ransomware gang, also known as Alphv, claimed last week that it had stolen millions of sensitive records in the hack, only to quickly delete its post without explanation. This attack partially shut down an essential electronic system, leaving hundreds, if not thousands, of health care providers unable to secure insurance approvals or receive payments for essential services, including life-saving surgeries and chemotherapy treatments.
Reuters reports that Blackcat confirmed but later deleted a post suggesting that a ransom payment to the tune of 350 bitcoins or $23 million was made.
In terms of data recovery, the health care provider stated this week on its website that, “We’ve made progress in providing workarounds and temporary solutions to bring systems back online in pharmacy, claims and payments. We continue to be proactive and aggressive with all our systems, and if we suspect any issue with the system, we will immediately take action.”
The IBM Cost of a Data Breach Report 2023 states that the healthcare sector reported the most expensive data breaches, with an average cost of $10.93 million.
Data security is formulated around the “CIA triad”: confidentiality, integrity and availability. If a cybercriminal has your data, its availability has already been compromised and it is no longer confidential. This naturally means that the data’s integrity can no longer be guaranteed. From a data security perspective, you’ve lost everything because once cybercriminals have your data, they can make copies and sell it after you paid the ransom.
Cyber threat prevention 1.0: Raise awareness of ransomware group tactics
The simple fact is, ransomware attacks rely heavily on employee error. Failure to prepare your team can lead to serious cybersecurity incidents.
Let’s start with your basic IT critical infrastructure. Measures for preventing attacks include:
- Blocking specific ports and web pages in firewalls
- Blocking specific domains in email filters
- Patching devices properly
- Closing any open sensitive ports on internet-facing devices
Employee education is an essential cornerstone. This includes the following steps:
- Ensure that your team and wider team understand what shadow IT is and how this type of cyberattack is carried out.
- Provide regular updates on known scams so that employees know what to look out for. This includes training employees to recognize files with ransomware extensions (e.g., .micro, .exx, .encrypt, .crypz, etc.).
- Conduct regular phishing drills as a way to keep employees alert and engaged in prevention efforts. Actions like these can help prevent attacks from happening in the first place and serve as reminders of overall cybersecurity awareness.
It is also worth brushing up on your “Indicators of Compromise (IOCs),” the forensic data elements that aid in identifying malicious activity or malware linked to a cyber attack, with your wider SOC team. These indicators encompass various details such as encryption extensions, file hashes, and IP addresses. Ransomware groups, like to inadvertently leave these traces behind as they infect a machine or system.
Cyberattack prevention 2.0: Consider proactive cybersecurity versus reactive
Hackers who exploit the myriad of vulnerabilities are looking for two things: money and credibility.
Ransomware gangs can leverage extortion tactics but even without receiving a ransom demand from your organization, they can profit from selling your data via dark web communities or encrypted groups. Sometimes ransomware gangs will give personal data away free of charge to gain credibility, or to secure their reputation as they enter hacker groups.
In order to prevent these types of attacks, preemptive security is the only strategy that works.
That’s where CybelAngel offers a more advanced approach: We find those vulnerabilities before the cybercriminals can.
3 CybelAngel approaches to counter ransomware operations
1: We scan the entire IPV4 space every 24 hours
By identifying third-party servers and continually scanning keywords, CybelAngel can monitor these internet-facing devices for any malicious activity. For example, one of our customers is a had a third-party supplier in Hong Kong. By utilizing keyword matching, CybelAngel detected sensitive files pertaining to the client on a device that had recently been compromised by the Mars Ransomware. CybelAngel alerted the client to the ransomware server so appropriate measures could be taken.
2: We identify malicious domains that aid phishing attempts
Phishing attacks are used in an attempt to gain access to corporate devices. CybelAngel recently found a homoglyph, a type of attack using characters that look similar in order to mimic a legitimate URL. We can alert your organization’s security team so they can block these domains prior to an attack taking place.
3: We find and inventory unknown assets and potential cyber threats
For one customer, CybelAngel found 42 common vulnerabilities & exposures, including an open remote desktop protocol on assets they weren’t aware of—often the entry point for ransomware attacks.
This list of critical threats, prioritized by degree of severity with actionable information, enabled the customer’s security team to take remediation prior to exploitation. CybelAngel’s proactive measures enable an organization to identify a threat before it can move across networks or devices.
To quickly learn if you have exposure that are putting you at risk, request a free External Exposure Scan.
Wrapping up
If you want to protect yourself from ransomware gangs the key is to find out where your data is vulnerable—before threat actors do.
CybelAngel is armed with advanced machine learning and cybersecurity analysts to proactively defend against cyberattacks.
If you have any concerns about ransomware, get in touch with our team.