A ransomware attack often targets the weakest link: humans. One careless click on a link in an email message – and the cyber-attack begins. The threat is the full encryption of sensitive data, carried out by cybercriminals who do not shy away from blackmail. Ransomware attacks can threaten a company’s very existence. It would be a mistake to be lulled into a false sense of security, for example because your own company has been spared from attacks so far, because ransomware attacks can affect companies of any size, type or sector. We explain the attack pattern and show how proactive and reactive measures, combined with a company’s resilience, can help reduce the risk.
According to a ranking by the EU Agency for Cybersecurity (ENISA) from 2022, Germany is the second most attacked country. Furthermore, the study shows that an average of 10 terabytes of data were stolen per month – more than 58 percent of which was personal data of employees. In general, ransomware attacks were still among the biggest threats in 2023.
The more intelligently the attacks are carried out, the greater the risk for companies of falling victim to them. The fake emails used as bait (phishing emails) can appear deceptively genuine. Their aim is to create a moment of weakness in which thinking briefly stops and reflexive emotions take over instead.
“If you don’t update your data immediately, it will be irretrievably lost…”.
Messages like this often mark the beginning of a so-called “kill chain”, which can end with a ransom demand.
How does a ransomware attack work?
- When the link (or file attachment) in the phishing email is activated, the actual attack begins: the attackers use the captured credentials to create new accounts and thereby gain extended rights.
- Using these access details, the criminals gradually steal company data and store it on external servers, often in third-world countries.
- The attackers have several options for capitalizing on the stolen files. One is to sell the data; in this case it is not a complete ransomware attack, because the data is not encrypted.
- If, on the other hand, the criminals succeed in smuggling large amounts of data out of the victim company’s systems, the encryption process starts and business operations come to a halt. Unfortunately, many companies only notice the attack when data is already encrypted or is in the process of being encrypted.
- It doesn’t take long before the attackers threaten to damage the company’s reputation and publish the data. This threat is coupled with a demand for a ransom.
Why are ransomware attacks so dangerous?
Once a company is confronted with a ransom demand, it faces a dilemma. It is by no means certain that paying the ransom will solve the problem. Successfully extorting a ransom makes a company even more attractive to criminals, and with that comes the risk of falling victim to them again. Furthermore, attackers who have succeeded once may still have access to the compromised systems.
Even without paying the ransom, economic damage is inevitable in the event of a successful ransomware attack. This is because in most cases, the affected systems are subject to downtime. According to the ENISA study, the average downtime was recently around 23 days.
How long the downtime lasts in individual cases depends on which systems are affected and how effective the protective measures taken in advance were. In the worst case, the downtime can last for several months – in which case a ransomware attack becomes an existential threat.
How can ransomware attacks be averted?
Companies that want to protect themselves against ransomware must take a multi-layered approach. It involves a mix of security (protection), detection (identification) and response (reaction) measures. In addition, the resilience of the company plays a key role.
Protection
- Awareness-raising among employees: Well-trained employees are less likely to fall victim to attacks. This means that phishing emails are recognized more quickly and, in the best case, even reported.
- Roles and rights concept based on the principle of least privilege: Robust access management prevents attackers from quickly creating new accounts and thereby gaining additional rights. Strong passwords and MFA provide additional protection.
- Secure backup: A secure backup, kept separate from the rest of the data, ensures that the infrastructure can be restored. Strong access management should also be in place here.
- Network separation: Physical and virtual separation of networks to limit the spread of an attack and the outflow of data.
- Emergency and crisis management: Solid crisis management, procedures and measures must be established and practiced in advance so that they can be implemented in an emergency.
Detection
- Monitoring systems (preventative): SIEM solutions, firewall log analyses, endpoint and network detection can identify malicious actions at an early stage. Well-developed rules and use cases are important for this.
- Virus and malware protection (preventative): Virus and malware protection identifies unsafe software and links, providing preventative protection against malicious actions.
- Security processes (reactive): Incident response processes are used to analyze and restore the infected infrastructure and systems.
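The attack pattern described above (new accounts granted elevated rights, bulk data leaving the network, then mass encryption of files) is exactly the sequence that the "well-developed rules and use cases" in a SIEM should catch. The following is an added example, not code from the article's authors or from any SIEM product: three small detection rules run over a constructed log sample. The log format (`key=value` fields after an ISO timestamp), the hostnames, the user names and the thresholds are all assumptions made for the illustration.

```python
"""Toy SIEM-style detection rules for the three kill-chain stages.
The log format, thresholds and every sample line below are constructed for this example."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Tuning assumptions; real rules would be calibrated per environment.
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins"}
PRIV_ESCALATION_WINDOW = timedelta(minutes=15)   # account created -> privileged group
EXFIL_WINDOW = timedelta(hours=1)
EXFIL_BYTES_THRESHOLD = 1 * 1024 ** 3             # 1 GiB to a single destination
RENAME_WINDOW = timedelta(seconds=60)
RENAME_THRESHOLD = 20                             # renames by one user in the window


def parse_line(line):
    """'2024-03-01T08:00:05Z host=FS01 type=logon user=jdoe' -> dict (constructed format)."""
    ts, _, rest = line.partition(" ")
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in rest.split():
        key, _, value = field.partition("=")
        event[key] = value
    return event


def rule_new_account_privilege(events):
    """Stage 1: a freshly created account is added to a privileged group shortly afterwards.
    Note that a legitimate admin doing the same thing also fires; in production this rule
    is paired with an allowlist or a change-ticket lookup rather than switched off."""
    created, alerts = {}, []
    for e in events:
        if e["type"] == "account_created":
            created[e["user"]] = e["ts"]
        elif e["type"] == "group_added" and e["group"] in PRIVILEGED_GROUPS:
            t0 = created.get(e["user"])
            if t0 is not None and e["ts"] - t0 <= PRIV_ESCALATION_WINDOW:
                alerts.append({"rule": "new_account_privilege", "host": e["host"],
                               "user": e["user"], "by": e["by"]})
    return alerts


def rule_bulk_exfil(events):
    """Stage 2: outbound volume to one destination exceeds the threshold within the window."""
    alerts, by_dst = [], defaultdict(list)
    for e in events:
        if e["type"] == "net_out":
            by_dst[e["dst"]].append((e["ts"], int(e["bytes"]), e["host"]))
    for dst, flows in by_dst.items():
        flows.sort()
        window, total = deque(), 0
        for ts, nbytes, host in flows:            # sliding window over the flow timestamps
            window.append((ts, nbytes))
            total += nbytes
            while ts - window[0][0] > EXFIL_WINDOW:
                total -= window.popleft()[1]
            if total >= EXFIL_BYTES_THRESHOLD:
                alerts.append({"rule": "bulk_exfil", "host": host, "dst": dst, "bytes": total})
                break                             # one alert per destination is enough
    return alerts


def rule_mass_rename(events):
    """Stage 3: a burst of file renames by one user, the typical footprint of encryption."""
    alerts, by_user = [], defaultdict(list)
    for e in events:
        if e["type"] == "file_rename":
            by_user[e["user"]].append((e["ts"], e["host"]))
    for user, renames in by_user.items():
        renames.sort()
        window = deque()
        for ts, host in renames:
            window.append(ts)
            while ts - window[0] > RENAME_WINDOW:
                window.popleft()
            if len(window) >= RENAME_THRESHOLD:
                alerts.append({"rule": "mass_rename", "host": host, "user": user, "count": len(window)})
                break
    return alerts


def run_rules(lines):
    """Parse, order by time and evaluate all rules; returns the list of alerts."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    return rule_new_account_privilege(events) + rule_bulk_exfil(events) + rule_mass_rename(events)


# Constructed sample log: one benign logon, then the three stages of the attack pattern.
SAMPLE_LOG = [
    "2024-03-01T08:00:05Z host=FS01 type=logon user=jdoe src=10.0.0.12",
    "2024-03-01T08:02:11Z host=FS01 type=account_created user=svc_backup2 by=jdoe",
    "2024-03-01T08:02:40Z host=FS01 type=group_added user=svc_backup2 group=Administrators by=jdoe",
    "2024-03-01T08:10:00Z host=FS01 type=net_out dst=203.0.113.7 bytes=734003200",
    "2024-03-01T08:25:00Z host=FS01 type=net_out dst=203.0.113.7 bytes=419430400",
    "2024-03-01T08:26:00Z host=FS01 type=net_out dst=10.0.0.50 bytes=52428800",
] + [
    f"2024-03-01T09:30:{i:02d}Z host=FS01 type=file_rename user=svc_backup2 "
    f"path=/srv/share/doc{i}.docx new=/srv/share/doc{i}.docx.locked"
    for i in range(25)
]

if __name__ == "__main__":
    for alert in run_rules(SAMPLE_LOG):
        print(alert)
```

Running the block prints one alert per stage. The value of correlating the three rules is timing: the privilege-escalation alert fires about an hour and a half before the first file is renamed, which is the window in which an incident response process can still prevent the encryption step described above.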
Reaction
- Restoring the infrastructure: Rebuilding all affected servers and clients; if necessary, reinstalling them, including resetting and cleaning the accounts.
- Emergency plan: Depending on the extent of the attack, the emergency plan may have to be invoked.
Protecting against ransomware attacks means practicing prevention and denying attackers access to critical systems as best as possible. Overall, well-thought-out, coordinated measures significantly reduce the risk of an attack.
What we recommend as basic protection!
At the heart of every defense strategy is the careful handling of user rights and sensitized employees who check phishing links or email attachments three or four times rather than risking the wrong click. We recommend the following measures as basic protection.
Technical measures
- Creation of a backup plan (on-premises)
- Establishment of monitoring systems
Organizational measures
- Awareness training for employees
- Authorization management based on the principle of least privilege
- Implementation of suitable policies
In the event of an attack, the implemented measures largely determine the speed of response and the scale of potential damage. If you would like to know how you can individually protect your company against ransomware attacks, please feel free to contact us.