Fortinet guides how small and midsize businesses can protect themselves from ransomware
From small and midsize businesses (SMBs) to large enterprises, data is at the heart of most organizations today. While 90% of the world’s data was created in the last two years, in that same time span, data breaches were up 54%. Recognizing the value of data, cyber criminals are increasingly turning to ransomware as a means of monetization. They infiltrate IT systems and access data through various hacks, encrypting, locking, and exfiltrating files. Unable to access information that is critical to their businesses, hacked organizations are forced to pay for the information to be released by the cyber criminals.
Ransomware attacks skyrocket
Ransomware attacks more than doubled last year, with hackers modifying attack methods for more lucrative payouts. Yet at the same time, only one in three organizations say they are confident they can track and remediate attacks.
The financial repercussions of ransomware skyrocketed as well. Ransomware is expected to have a global impact of $20 billion by 2021. Ransomware demands commonly reach six-figure sums, and because the transfer is often made in bitcoin, it is relatively simple for cyber criminals to launder the payment without it being traced.
Indirect costs come from the business interruption associated with a ransomware attack. In the public sector, 42% of organizations have suffered a ransomware incident in the last 12 months, with 73% of those experiencing two or more days of downtime as a result.
Business impact of ransomware
The cost in system downtime and the inability to access information due to ransomware attacks equates to billions of dollars today, a number that could rise into the tens of billions as ransomware hacktivists go after Internet-of-Things (IoT) devices.
Doxxing
Cyber criminals are an innovative bunch. Rather than threatening to delete locked data, some cyber criminals are beginning to threaten to release it (known as “doxxing”). For organizations that deal with private and sensitive customer data, like financial services, hospitals, law firms, and others, this can have deleterious consequences. In addition to the impact on brand reputation, regulations such as the Health Insurance Portability and Accountability Act (HIPAA) require customer notifications and other painstaking activities that can quickly tally into hundreds of thousands—or even millions—of dollars.
Storing up bitcoin for a “Ransom” day
The impact of ransomware reaches beyond those organizations that are hacked. Take banking as an example. Because the potential impact of lost data or the inability to access data is measured in minutes or even seconds, businesses cannot wait several days for cyber criminals to grant them access to their hacked data.
Real-life attacks
Nearly every industry sector and organization size is affected by ransomware. During 2019, ransomware attacks affected 113 government agencies, municipalities and state governments, 764 healthcare providers, and 89 universities, colleges, and school districts with up to 1,233 individual schools potentially impacted.
Healthcare
Healthcare is a sector where there is much cause for concern regarding ransomware. This makes a lot of sense, considering that many IT systems and data in healthcare are connected to patient care. Any system downtime or inability to access information could put lives at risk. Even if the ransomware attack doesn’t affect the systems and data used for patient care, the loss of patient records can incur tangible fines and time spent remediating the damage.
As doxxing, whereby cyber criminals threaten to release rather than delete private information, becomes a tactic that ransomware cyber criminals employ, the repercussions are even more serious. Add ransomware attacks on IoT devices used to deliver patient care, and the implications become life-threatening.
Ransomware attacks dominated healthcare headlines during the latter part of 2019, increasing by 350% in Q4, with attacks on IT vendors disrupting services at hundreds of dental and nursing facilities, while many hospitals, health systems, and other covered entities reported business disruptions from these targeted attacks.
There are many examples from recent years, including how hacktivists gained access to a MongoDB database containing protected health information for 200,000 patients of a major health center. The database was wiped clean and replaced with a ransom demand for $180,000 in bitcoin for its safe return.
Another major medical center in Hollywood, California, declared a state of internal emergency after its systems were infected with Locky ransomware. Physicians and other caregivers were locked out of electronic health records, forcing staff to use pen and paper for logging patient data, and fax—instead of email—for communicating with each other. The hacktivist demanded 40 bitcoin (or about $17,000) in exchange for a key to decrypt the locked files, which the hospital paid. But cyber criminals do not always grant victims access to their information. In the case of a hospital system in Kansas, the hospital paid the initial ransom, but the hacktivists did not fully unlock the files and demanded more money to do so. It was at that juncture that the hospital elected to decline the additional ransom.
How ransomware happens
So, how does ransomware happen? Let’s begin by addressing how it is distributed. Any digital means can be used: email, website attachments, business applications, social media, and USB drives, among other digital delivery mechanisms. Email remains the number one delivery vector, with cyber criminals preferring to use links first and attachments second.
· Email Links, 31%
· Email Attachments, 28%
· Website Attachments, 24%
· Unknown Sources, 9%
· Social Media, 4%
· Business Applications, 1%
End-to-End protection from Fortinet
Prevent phishing with FortiMail
FortiMail brings powerful antispam and anti-malware capabilities complemented by advanced techniques like outbreak protection, content disarm and reconstruction, sandbox analysis, and impersonation detection.
Stop users from traveling to malicious URLs with FortiGuard Web Filtering
The FortiGuard Web Filtering Service enhances the core web filtering capabilities of FortiGate NGFWs by sorting billions of webpages into a wide range of categories that users can allow or block.
Detect and respond to malware before it can launch with FortiEDR
FortiEDR real-time endpoint security solutions proactively reduce the attack surface and protect endpoint devices using machine learning anti-malware and behavior-based detection technology. Customizable playbooks automate responses and remediation procedures.
Identify unknown threats and prevent advanced attacks with FortiSandbox
FortiSandbox leverages two machine learning models that enhance static and dynamic analysis of threats and easily integrates across both Fortinet and non-Fortinet products to provide real-time threat intelligence and speed threat response.
Thwart credential theft with two-factor authentication using FortiToken
With two-factor authentication, a password is used along with a security token and an authentication server to provide far stronger security. Authorized employees can access company resources safely using a variety of devices—ranging from laptops to mobile phones.
Halt lateral movement and worming across your network with FortiGate Intent-Based Segmentation
Fortinet intent-based segmentation provides end-to-end protection across the network. It intelligently segments network and infrastructure assets, whether on-premises or across multiple clouds. Analytics and automation capabilities ensure quick detection and neutralization of threats.
Takeaways
Chanvith Iddhivadhana, Fortinet’s Thailand Country Manager, advises that “Organizations will do well to heed the following takeaways as ransomware evolves and mutates into an ever-increasing threat to organizations of virtually every shape and size:
1. Stop Known Threats. Seek out a cybersecurity solution that stops known ransomware threats across all attack vectors. This requires a layered security model that includes network, endpoint, application, and data-center controls powered by proactive global threat intelligence.
2. Detect New Threats. As existing ransomware is constantly morphing and new ransomware is being released, it is important to institute the right sandbox and other advanced detection techniques to pinpoint the variants across those same vectors.
3. Mitigate the Unseen. Real-time actionable intelligence must be shared between the different security layers (and generally vendor products) and even extended to the broader cybersecurity community outside of your organization such as Computer Emergency Response Teams (CERTs), Information Sharing and Analysis Centers (ISACs), and industry coalitions like the Cyber Threat Alliance. This rapid sharing is the best way to respond quickly to attacks and break the kill chain before it mutates or spreads to other systems or organizations.
4. Prepare for the Unexpected. Segmentation of network security helps protect against ransomware wormlike behavior such as that of SamSam and ZCryptor. Data backup and recovery is just as important. Organizations that have recent data backups are able to spurn demands for a ransom and quickly and easily recover their systems.
5. Back Up Critical Systems and Data. Although it can be a time-consuming process to restore an encrypted system, as well as an interruption to business operations and a drain on productivity, restoring a backup is a far better option than being held hostage with no guarantee that your ransom payment will result in your data and systems being unlocked and restored. In this case, you need the right technology, processes, and even business partner to ensure your data backups meet business requirements and their recovery can be done expeditiously.”