It’s any company’s worst nightmare – an employee in the organisation unknowingly downloads an email attachment containing malware, and within minutes your system has been hijacked and all your data encrypted. To make matters worse, the perpetrators are demanding a ransom payment in cryptocurrency in return for a decryption key.

According to the CyberSecurity Ventures 2022 Ransomware Market Report, ransomware gangs are refining and intensifying their attacks and it is predicted that ransomware will cost its victims around $265-billion a year by 2031.

When it comes to South Africa, data from Kaspersky reveals that more than 12 000 ransomware attacks were experienced in the country in the first half of 2021, costing an average R6,4-million to remediate. This makes us the second most targeted country in Africa, according to an Interpol report.

Despite the increasing prevalence – and sophistication – of ransomware attacks, many companies fail to report that they have fallen prey to a security breach because they fear their reputation will be damaged. Instead, they quietly pay and move on, while improving their security measures after the fact.

Roy Evans, IT manager at CRS Technologies, says giving in to the hackers’ demands merely serves to encourage them to continue their criminal activities.

“Cyber criminals are cunning. Generally, the ransom amount they demand is high enough to be worth their while, but also low enough so that for the victim, it’s cheaper than the cost of restoring the system and reconstructing data. The attackers also offer discounts if victims pay quickly.

“Unfortunately, however, paying the ransom does not guarantee the provision of a working decryption key, or that the data won’t be damaged if it is recovered.”

CRS has assisted several of its clients when they’ve faced ransom demands aimed at their supply chain, customer files or systems.

“Should your company become the victim of a cyber-attack, the first step is to isolate infected systems,” says Evans. “Disconnect all infected devices from the network and wired/wireless connections to prevent the ransomware from spreading further. Then reset the credentials of all systems on a clean network and devices and begin the recovery process.

“It’s important to conduct a thorough investigation to determine the origin of the attack. This can help to address vulnerabilities in your system.

“Finally, a ransomware attack is a crime and should be treated as such. It’s imperative that you report it to the relevant authorities.”

Evans points to various preventative measures that can be implemented to protect your business against ransomware attacks.

“Start by installing reliable antimalware, antivirus software and firewalls. These solutions are your first-line defence against cyber threats. They work by scanning data before it enters the network, and blocking anything suspicious that is detected.

“Another best practice is to have multiple backups stored in different places and on different media, such as external drives and cloud servers. Additionally, make sure these backups are tested regularly.

“Ransomware is specifically designed to exploit system vulnerabilities and legacy features. Use a patch management solution to ensure that your servers, operating systems, web browsers and all other software are kept up to date.”

Be proactive

It goes without saying that a proactive approach is the best way to limit the impact of a ransomware attack before it happens. Evans advocates the following:

* Network segmentation: Connecting all your devices to one server gives cybercriminals unlimited access to your system in the event of a successful cyber-attack. Segmenting the network into smaller sub-systems helps to limit the spread of ransomware.

* Email protection: Emails are one of the most common causes of ransomware infections. Don’t open emails from unknown senders and never download attachments or click on any links they may include.

* Password policies: Ensure user passwords are strong (minimum ten characters in upper and lower case, with numbers and special characters) and reset them at least once a month.

* Privileges and permissions: Practise the “least privilege” principle. Limit user access and permissions to only the data and systems on which they need to work.

* Assessments and testing: Ransomware is constantly evolving. Security policies and environments must be regularly evaluated and tested for preparedness and risk.

* Education: End-users and employees are the most common gateway for cyber-attacks. Consequently, security awareness training is crucial.

“Cybercrime is here to stay,” Evans concludes, “which is why companies should prioritise the formulation of a comprehensive cyber-attack defence strategy. Without one, they risk losing not only their data, but the business itself. Waiting until an attack occurs before taking action is too late.”