Ransomware attacks have been increasing rapidly as cybercriminals have capitalized on the panic and disarray caused by the COVID-19 crisis. The latest AFP Payments Guide provides insights on how companies can protect themselves against these attacks.

RANSOMWARE EVOLUTION

The first quarter of 2020 saw a 25% increase in ransomware attacks from the previous quarter, according to cyber insurer Beazley Breach Response (BBR) Services—and that’s after these attacks jumped a whopping 131% in 2019.

Beazley noted that the two most common ways to deploy ransomware are via phishing emails and breaching poorly secured remote desktop protocol (RDP). RDP enables employees to quickly access their work computer desktops or their company's primary server from home, and without the right security measures in place, it can open the entire network up to ransomware attacks.

“The coronavirus has forced many more employees to work from home and in this pressured environment, it is very important that companies take the right steps to reduce the vulnerability of their IT infrastructure,” said Katherine Keefe, global head of BBR Services.

Ransomware attacks can also come via drive-by download. This is when a user visits a seemingly innocuous website only to find that it begins to download malware onto their device as soon as the page is open. In the pandemic environment, creation of drive-by download sites (and attracting web traffic to them) has been easy for cybercriminals. In late February, malicious actors began buying up domain names that included the words “corona” or “COVID,” which they were used to distribute malware.

According to research by security firm Check Point, more than 4,000 website domains containing words like these have been registered between January and March 2020. While only 8% of those domains were flagged as malicious or suspicious, that’s still 50% higher than the malicious rate of all other domains over the same time period.

And just as the methods of ransomware distribution have evolved, so have the tactics of the perpetrators. Ransomware operators have been coordinating with each other and sharing their practices, leveraging each other's resources.

TO PAY OR NOT TO PAY

Ransomware attackers have also been demanding higher payments. In the early days, one of the “better” aspects of being hit by a ransomware attack is that the criminals generally asked for a low amount to ensure that they received payment.

That’s changed in the current environment. According to the Coveware Ransomware Marketplace Report, the average ransomware payment increased by 33% in Q1 2020 from the previous quarter. “During the first quarter of 2020, ransomware threat actors took advantage of the economic and workplace disruption caused by the COVID-19 outbreak,” the report said. “Spam attacks related to the outbreak surged and seldom used ‘work-from-home’ network configurations led to increased ransomware attacks across the board.”

And one payment may not be enough. As Brian Krebs noted, some ransomware gangs have been demanding two payments—one to secure a digital key to unlock their files and another to avoid having sensitive information shared publicly. The latter is something companies that have been infected with ransomware need to consider when weighing the pros and cons of paying the ransom.

As for whether companies should ultimately pay the attackers, Brad Deflin, CEO and founder of Total Digital Security, believes there is no blanket recommendation. It largely depends on the organization itself. “What is the state of your systems? How do you get back in business? What is the damage to the business? We saw a situation this year where I felt it was absolutely logical and smart to pay, because the damage was well beyond the cost of the ransom. With that company’s lack of preparedness and what it would have done in the long term, honestly, paying the ransom was the smartest thing they could do,” he said.

On the other hand, if a company is prepared for this type of an attack and has a plan in place, then a calculated response can take the place of a knee-jerk reaction. This puts a company in a position to potentially not pay the ransom and instead minimize and mitigate the overall effect of the attack. Doing so requires organizations to see these types of attacks as something company-wide and not just IT’s problem.   

Deflin noted that when ransomware attacks first emerged, they existed almost exclusively in an enterprise environment aimed at the server. So it was largely viewed at the time as an IT department issue. “Now, of course, it's all the way to the individual and the device that they're using, whether it's a company-owned device or a personally-owned device,” he said.

That’s important because employees’ computers can be exploited to ultimately to get into the broader enterprise system. Therefore, Deflin believes that protecting against ransomware—and any threat for that matter—needs to be around the people and not solely the responsibility of IT. “There has to be a cross-divisional partnership—a cultural approach where the talk and the walk starts from the top,” he said. “There needs to be a broad cultural adaptation around these particular risks.”

For further insights, download Combating Fraud in a Remote Working Environment, underwritten by MUFG Union Bank.