Battle Against Ransomware Continues

The rise of ransomware over the past few years has been an ever-growing problem that has quickly become an extremely lucrative criminal enterprise. According to the annual “State of Ransomware” report by cybersecurity company Delinea, more than 75% of organizations are paying ransoms.

More Victims Are Agreeing to Pay
Cybercriminals are strategically extracting sensitive data. They are increasingly employing extortion techniques to coerce targets into paying, and ransomware victims are pressured to pay to prevent the exposure of confidential information.

If the targeted organization chooses to pay, the cybercriminals make a profit. If the organization chooses not to pay, the threat actor still has exfiltrated data they can sell. In some instances, threat actors may even try to double-dip and make money both ways.

Unfortunately, most victims take the view that paying the ransom is the most cost-effective way to get their data back. Faced with the potentially crippling consequences of ransomware, more organisations are opting to meet ransom demands as a pragmatic response to contain the impact.

“One thing we do not recommend is paying the ransom. You might not get your data back even if you do. Additionally, this will set a precedent for other threat actors, potentially resulting in further attacks,” says Ashraf Koheil, Regional Sales Director META for global cybersecurity leader Group-IB.


“To pay or not to pay is the final ransomware question. The answer is, don’t do it,” says Emad Fahmy, Systems Engineering Manager Middle East, NETSCOUT. “Whilst it is a difficult decision to make, organisations should never pay when struck by a ransomware attack. Paying the ransom can lead to a number of negative consequences, in some cases including sanctions for supporting a criminal enterprise. Not only that, but even if they do pay, cybercriminals often fail to provide the encryption key to unlock their systems. Organisations are also left vulnerable to another attack from the same criminals who have already penetrated the system, posing further future ransom demands,” Emad Fahmy adds.

“Paying the ransom isn’t always encouraged as it may encourage future assaults, and there is no guarantee of receiving decryption keys,” says Rich Davis, Director of Product and Solution Strategy at Netskope.

Vulnerable vectors for ransomware attacks
Whilst ransomware is not a new cybersecurity risk, its tactics continue to demonstrate growing technological sophistication. Cloud infrastructure, applications, privileged access, endpoints, and email are the main and still-evolving attack vectors for ransomware.

Recently, ransomware attacks on cloud infrastructure and applications have risen sharply. The reason is clear: as organizations become more reliant on the cloud, it is no surprise that the cloud is fast becoming a lucrative target for ransomware gangs.

“As more businesses adopt the cloud, ransomware developers are increasingly targeting cloud infrastructures to exploit vulnerabilities in cloud applications and virtual machine software,” says NETSCOUT’s Emad Fahmy.


When a ransomware attack occurs, immediate action is required to contain the damage and protect sensitive data. Ilyas Mohammed, COO of leading B2B cybersecurity enterprise marketplace AmiViz, says, “Immediate action is crucial when facing a ransomware attack. Isolate infected systems, notify relevant stakeholders, and establish an incident response team. Effective communication and engagement with law enforcement agencies and cybersecurity experts are essential for a coordinated response.”

Vendors Offering Solutions to Fight Ransomware
In the constant battle against digital crime, specialized vendors are continuously upgrading their own technologies and offering solutions that can help your organization effectively defend against ransomware and other cybersecurity threats.

The vendors’ solutions equip customers to better protect and recover their data in the face of ransomware threats.

“We have implemented a number of innovative new AI-infused upgrades to our solutions as part of our commitment to constantly enhance our tools and methods, such as our Managed XDR product. Group-IB’s Unified Risk Platform, which was unveiled in June 2022, is an ecosystem of solutions, bespoke to each organisation’s threat profile, tailoring defences against them in real-time from a single interface, providing complete coverage of the cyber response chain,” says Group-IB’s Ashraf Koheil.

NETSCOUT has evolved a strategy to detect attacks, reducing their impact and sometimes stopping a threat from occurring altogether.

NETSCOUT’s Omnis Cyber Intelligence (OCI) is an advanced NDR solution that plugs the gaps left by other security tools. It enhances threat detection capabilities by providing real-time and historical visibility through deep-packet inspection. OCI supports a proactive approach to threat identification and also allows organisations to delve into past network activity to swiftly detect, address, and neutralise potential threats.

Netskope has developed the capability to detect encrypted files using machine learning (ML) and to generate encrypted data movement alerts as part of Advanced UEBA (user and entity behaviour analytics). “This has helped our customers to identify and isolate ransomware attacks as they unfold in their network. One example is to detect encrypted files uploaded to a corporate share such as OneDrive, blocking the upload and isolating that device from the wider network. This is possible through our Cloud Access Service Broker (CASB) functionality within the Netskope Security Services Edge (SSE),” says Netskope’s Rich Davis.
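To illustrate the kind of check behind an "encrypted file uploaded to a corporate share" alert, here is an added example that is not Netskope's code: it uses a byte-entropy heuristic as a stand-in for the ML classifier the text mentions, and treats known compressed or media formats separately because they are legitimately high-entropy. The threshold and the sample uploads are constructed assumptions.

```python
"""Heuristic detector for likely-encrypted upload content (illustrative, not Netskope's ML model)."""
import gzip
import math
import os
from collections import Counter

# Assumed threshold: random or encrypted bytes approach 8.0 bits/byte; documents sit far lower.
ENTROPY_THRESHOLD = 7.5

# Magic bytes of common compressed/media formats that are high-entropy by design (false-positive caveat).
KNOWN_HIGH_ENTROPY_MAGIC = {
    b"PK\x03\x04": "zip",
    b"\x1f\x8b": "gzip",
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG": "png",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_upload(data: bytes) -> str:
    """Return 'compressed-or-media', 'likely-encrypted', or 'plain' for one upload body."""
    if any(data.startswith(magic) for magic in KNOWN_HIGH_ENTROPY_MAGIC):
        return "compressed-or-media"
    if shannon_entropy(data) >= ENTROPY_THRESHOLD:
        return "likely-encrypted"
    return "plain"


def review_uploads(uploads: dict) -> dict:
    """Classify each upload; a 'likely-encrypted' result is what would trigger block-and-isolate."""
    return {name: classify_upload(blob) for name, blob in uploads.items()}


# Constructed samples: a text document, its gzip archive, and random bytes standing in for ciphertext.
_TEXT = b"Quarterly report: revenue up 4 percent. " * 50
SAMPLE_UPLOADS = {
    "report.txt": _TEXT,
    "report.gz": gzip.compress(_TEXT),
    "report.txt.locked": os.urandom(4096),
}

if __name__ == "__main__":
    for name, verdict in review_uploads(SAMPLE_UPLOADS).items():
        print(f"{name}: {verdict}")
```

Compressed archives and images will still reach the entropy threshold, which is why the magic-byte pass runs first; a production classifier would also weigh who uploaded what, how fast, and to where, as the UEBA description above implies.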


Incident Response Plans
Ransomware incident response should be key to your company’s business continuity and disaster recovery planning. As the threat of ransomware attacks rises, organizations cannot afford to ignore the critical importance of incident response strategies. A commitment to robust incident response is crucial in mitigating the impact of ransomware attacks and fostering a culture of resilience and preparedness.

“Businesses should always have a comprehensive cybersecurity incident response policy in place that covers a range of attack methodologies, like ransomware. This plan usually includes isolating affected systems, notifying regulators, employees, and affected customers and suppliers, and initiating response operations to patch vulnerabilities and recover data from backup systems,” says Rich Davis.

“No business is immune to ransomware attacks, so it is essential for organisations to adopt proactive measures to safeguard assets and maintain business continuity,” says Ashraf Koheil. In the event of a ransomware attack, the best course of action, according to Ashraf Koheil, is to reach out to incident response specialists as soon as possible. He says, “That’s why we offer solutions such as the Incident Response Retainer, giving organizations peace of mind that should a ransomware attack occur, we can jump into action immediately.”


“We encourage organizations to avail themselves of our Incident Response Retainer, saving an organisation’s time, money, and reputation by ensuring our sector-leading Incident Response team, which has a wealth of experience across the whole Middle East and Africa region, is ready to jump into action as soon as a ransomware attack is detected, ensuring a quick and efficient response,” says Ashraf Koheil of Group-IB.

Zero trust strategy
Companies can reduce the risk of ransomware attacks by taking a zero-trust approach to security. Under a zero-trust strategy, workers have access only to the applications, systems, and capabilities required for their jobs. “Prevention is always preferable to remediation, and a zero-trust approach limits risk by ensuring employees and partners can only access the data, applications, and systems they need to perform their role,” says Rich Davis.

He adds, “Governments and regulators the world over are pointing to a zero-trust approach as the best way to protect data from both external threat actors and insider threats, and we see this pattern of incident > resolution > re-architecture in many of our early conversations with customers.”

Security Budget
Today, most companies have a dedicated budget to protect against security attacks. For some, that budget was increased after they suffered a ransomware attack last year. Netskope’s Rich Davis says, “After an attack has been handled, it is a great opportunity to review processes and systems and to take advantage of the board’s interest in the risk to potentially reallocate budgets to strengthen the security posture for next time.”

Conclusion and Next Steps
Businesses of all sizes are likely to experience ransomware. Ransomware operators continue to develop their attack methods as their appetite grows.

Establishing strong cybersecurity fundamentals is the best way to reduce your risk. Recovering from a ransomware attack requires a systematic approach. Early detection of ransomware threats is critical for minimizing their impact. “In the end, proactive measures, early detection, and effective recovery strategies are essential for combating ransomware attacks. By implementing comprehensive cybersecurity practices and maintaining readiness, organizations can mitigate the risk of ransomware and safeguard their operations and data,” says Ilyas Mohammed, AmiViz’s COO.