Ransomware is indiscriminate; prepare for everything to fail

Ransomware attacks continue to grow in frequency. In the past 12 months, 76% of organisations have been affected by ransomware attacks, constituting a 15% year-on-year rise as per Veeam’s Data Protection Trends Report for 2022.

As well as being more common, ransomware is also getting more potent. When businesses are struck by ransomware, they are unable to recover over a third (36%) of the data they lose on average.

Clearly, the threat landscape is as volatile as it has ever been. There are more attacks taking place. They are more diverse. And they can have grave consequences for the companies they affect.

On the other hand, rather than tremble with fear at the awesome power of the cyberattacks waiting to be deployed against them, organisations must focus on what they can control – their defence. Protecting your business against cyberattacks requires following some fundamental and consistent principles, no matter what is being thrown at you.

The ransomware wild west

There is a lawless and brutal feeling about the current cyber landscape that businesses operate in. It is difficult for governments to hold cybercriminals to account, and businesses are often keen to minimise public attention towards an incident that has compromised them. This contributes to a situation where almost all the focus is on the victim (the business) rather than the criminal (the attacker).

Furthermore, ransomware – and most contemporary cybercrime – is almost indiscriminately about those who suffer. The fact is that every business is a target. Yes, hacktivist organisations such as Anonymous use organised cyberattacks as a means of exercising social justice and calling out businesses or governments they view as immoral, unlawful, or dangerous. But even the most philanthropic and virtuous companies can find themselves begging a cybercriminal gang to restore their data and systems while a hefty ransom is demanded of them to do so.

You often see a comparison made between cyberattacks and fishing. Hence the term ‘phishing’, which refers to the use of an email or text message as bait to trick a victim into ‘biting’ – in this case, clicking on the link and unwittingly downloading malware onto their device. With ransomware especially, we are now seeing industrial-scale attacks being carried out which are more analogous to trawler fishing. This isn’t one guy with a rod casting out to get a bite off one or two fish; it’s AI-infused algorithms programmed to target everyone and everything, playing a blind numbers game to catch whatever it can.

This indiscriminate nature is compounded by the fact that cyberattacks are generally difficult to contain. For example, cyber warfare between nation states is a threat to every organisation, not just those deemed to be in the firing line. We saw this with the NotPetya attack in 2017 – an attack on a specific utility company – which impacted multiple unrelated organisations through an entirely organic spread of the chaos.

Attack types also continue to evolve. For example, the LokiLocker attack was one of the first reported strains of ransomware to include a disk wiper functionality. This means organisations are not only held to ransom by having services suspended and threats of data extortion. Now they are being threatened with losing vast swathes of data completely if they do not pay up.

Consistent principles of defence

There is some good news for businesses. No matter how scalable, spreadable, or malicious an attack is, these various evolutions can be viewed as attackers simply using bigger guns, and more of them. The fundamental principles of how you prepare your defences against even the most sophisticated and powerful ransomware stay relatively the same.

First, practice impeccable digital hygiene. All employees must be trained to identify suspicious content, and be warned of the impact that malpractice using work devices can lead to. For all the seeming might wielded by cybercriminals, in many ways their biggest weapons are unsuspecting employees who give them the keys to the backdoor of an enterprise network. Given the scattershot approach now adopted by many cyberattacks, criminals are not necessarily targeting your organisation specifically. But if you prove to be an easy hit, you’ll become a victim.

With that said, all businesses must prepare for their defences to fail, no matter how robust you might think they are. Concepts such as zero trust and deploying techniques such as two-factor authentication can be useful for restricting the attacker’s access to data.

Ultimately, the best way to protect data is to ensure that it has been securely backed up and is fully recoverable before an incident takes place. Follow the 3-2-1-1-0 backup rule, which states there should always be at least three copies of data, on at least two different types of media, at least one off-site, and one immutable or offline, with zero unverified backups or errors.

While the headlines and constant discussion around cybersecurity and ransomware can be daunting, it’s important to remember that the fundamental actions required to protect data remain the same. Modern data protection strategies ensure businesses can protect all data from cyberattacks, server outages, accidental loss, and deletion across physical, virtual, cloud, SaaS, and Kubernetes environments.

Investing in a data protection strategy and taking advantage of a solution that enables continuous backup and disaster recovery can give businesses peace of mind that should the worst happen, they never need to pay the ransom.