Over the last year, ransomware attacks in Canada have increased in scale, frequency, and sophistication. This was recently confirmed in the Canadian Centre for Cyber Security’s threat bulletin. According to their data, there were 235 ransomware attacks reported last year, however since most attacks are not made public, we know that this number just reflects the tip of the iceberg. Nevertheless, there are some points drawn from those attacks that cybersecurity practitioners should pay attention to.
Before we delve into the analysis, let’s review the topic at hand. Ransomware attacks typically use malware to infect an organization’s devices and encrypt sensitive data, locking staff out of their files and demanding a ransom in exchange for decrypting them. The most common techniques include:
- Phishing – Malicious links sent via email, text, or social media post,
- Malvertising – Malicious code triggered when a user clicks on an online advertisement, and
- Drive-by Downloads – Malware forcibly downloaded and installed on a computer via an infected website.
Now that we’ve reviewed what ransomware is all about, here are three important things you should know:
1. Industrial control systems are prime targets
More than half the ransomware attacks cited targeted critical infrastructure, including electrical grids, oil and gas facilities, and hospitals. According to the authors, “The COVID-19 pandemic has made organizations like hospitals, governments, and universities more mindful of the risks tied to losing access to their networks and often feeling resigned to pay ransoms. Cybercriminals have taken advantage of this situation by significantly increasing the value of their ransom demands.” These institutions are among the highest value targets because cybercriminals believe these entities have the greatest incentive to pay due to the critical functions they perform.
2. Ransomware-as-a-service, here to wreak havoc and here to stay
While nobody asked ransomware groups to discover a new way to become even more detestable, they went and found it anyway: Ransomware-as-a-Service (RaaS). The advent of RaaS has officially turned the practice of holding organizations’ data for ransom into an industry. Developers of these platforms sell or lease ransomware to other cybercriminals in exchange for receiving a percentage of each victim’s ransom payment. The result: a business model that makes widespread fraud campaigns more cost effective for malicious actors than ever.
3. Surging recovery costs far exceed ransom costs
While the global average ransom payment has stabilized around $200,000 CAD, the average cost of recovery exploded. In 2020, these costs were just under $1 million CAD. In 2021, they grew to $2.3 million CAD. According to the Canadian Centre for Cyber Security, ransom payments “are likely reaching a market equilibrium, where cybercriminals are becoming better at tailoring their demands to what their victims are most likely to pay given the growth of recovery cost and the risk of reputational damage from public data leaks.”
What you can do
Although ransomware attacks may have increased in scale, frequency, and sophistication, implementing basic countermeasures can still greatly reduce your exposure to most types of attack.
With the proliferation of RaaS platforms and recovery costs surging, it’s crucially important to secure industrial control systems and maintain the fundamentals of a sound cybersecurity practice. Start by having some level of protection in the form of a secure email gateway solution and then incorporate a level of protection against malvertising as well as conventional email filtering and anti-virus functionality. Unfortunately, even if your email security platform prevents 99.9% of malware or malicious links from getting through, it only takes one well-crafted email to cause a breach. It’s therefore very important to configure these tools according to best practices and ensure that both IS teams and end users maintain constant vigilance.
In the event your organization does suffers a ransomware attack, it’s important to:
- Have a plan – Don’t “wing it”
- Assume the attacker is still there – Monitor your environment closely for anomalous activity
- Close the barn door – Failing to do so means you’ll likely be attacked again
- Get professional help – Your team will likely lack either the skills or capacity to do it all
And if you’d like more information on this topic, simply reach out to our team, we are here to help.