The Biden administration recently issued a laundry list of essential cybersecurity protections for private-sector organizations to implement. The list runs the gamut of must-haves, including two-factor authentication, offline data backups, installing system patches and updating passwords.
Although the announcement was nominally sparked by the war in Ukraine and threat intelligence indicating the potential for Russian cyberattacks, the truth is that these recommendations have been table stakes for years already. That’s in no small part because of the growing threat posed by ransomware, which now afflicts virtually all industries, from finance, education and retail to healthcare, energy and government services.
Ransomware has become so lucrative for bad actors that, in some cases, they’re practically running into one another. Last December one Canadian healthcare organization was struck by two different ransomware groups at the same time. A “dual ransomware” attack such as this is not yet the norm, but it’s a trend for which I’ve seen increased evidence while researching incident response reports.
Incidents of multiple attackers are indicative of a deeper and ongoing problem: Many essential and basic cybersecurity practices still have not been adopted across the board. In the face of an increasingly hostile cyber threat landscape, organizations urgently need to begin participating in their own rescue – and that starts with implementing best practices.
Cyberattackers are tripping over each other to breach targets
A survey found that while the total volume of ransomware attacks has actually declined over the past five years, the impacts of the attacks have grown more severe, including:
- The total cost of a ransomware attack more than doubled from 2020 to 2021, accounting for $ 1.85 million on average.
- Many organizations have resigned themselves to being attacked by ransomware in the near future because they feel it is simply too sophisticated to thwart.
- And “extortion-style” ransomware, where the data of a targeted organization is stolen and threatened for public release or sale on the dark web in exchange for payment, is on the rise.
These evolving ransomware attack methods have been unleashed on critical industries, such as healthcare. An ongoing pandemic hasn’t determined attackers from going after hospitals or healthcare providers. In fact, as in the case of the Canadian healthcare provider attacked last December, ransomware groups are more unrelenting than ever.
In that incident, a ransomware group called Karma deployed an extortion-style ransomware attack against the provider – not encrypting the organization’s systems, but stealing their data and holding it for ransom.
Unbeknownst to both the provider and the Karma group, though, a second ransomware strike hit a week later. This attack, by the Conti group, deployed a more typical ransomware package that encrypted the target’s data in exchange for payment. The Conti attack didn’t encrypt just the provider’s data, though; it also encrypted Karma’s ransom note.
The healthcare provider did not even realize it was being extorted twice because the ransom note of the first attack had been concealed by the second. Two ransomware groups, two different attacks, one target environment, only a week apart.
The cyberthreat landscape is packed with bad actors ready, willing and able to attack organizations of all sizes, across all industries. And their success rate isn’t strictly because of their incredibly sophisticated tactics. Plenty of amateur groups with low-level skills have found success breaching their targets simply because so many organizations have not yet done the bare minimum to protect themselves. Breaching target networks has become so easy that attackers are practically tripping over each other in the rush to exploit vulnerable targets.
Seven ways to start participating in your own rescue
Though not the typical data breach, experiencing multiple, near-simultaneous ransomware attacks is the latest symptom of a more widespread problem: a lack of widely adopted and basic cybersecurity protections and best practices. This is both a wakeup call and a golden opportunity for many organizations.
There are many relatively easy-to-implement, overdue and extremely necessary security practices that organizations can put into place right now:
- Educate employees on the importance of creating unique passwords, minimizing both easy-to-crack passwords and sharing the same password across multiple applications. Additionally, educate employees on the telltale signs of a spear-phishing or social engineering attack. Make sure they know whom to alert in the event they suspect they’re the target of such an attack.
- Mandate multifactor authentication across your network’s users.
- Ensure you are continuously updating systems with the latest security patches.
- Back up data in secure, offline locations. Consider the “3-2-1” method: three data backups, stored in two locations, one of which is offsite. This level of redundancy helps ensure that you’ve got multiple options to choose from for restoring your data in the aftermath of an attack.
- Develop an incident response plan in advance so that you have contingency measures ready to go in the event of a cyberattack, instead of scrambling in the heat of the moment to figure out next steps.
- Deploy threat detection and threat hunting solutions that can proactively identify potential intrusions and flag them based on priority and urgency.
- Give people the permission to say they need help. In some organizations, there may be a single person in charge of all things information technology and security, who simply lacks the bandwidth and resources to implement the necessary protections. These individuals need to feel it’s OK to say they can’t do it all alone and that they need support – so the company can leverage outside solutions, experts and security operations centers as needed.
These are foundational security practices. As attackers grow more sophisticated, no organization can afford to take their foot off the gas on protecting their network and their users. Doing this work now helps minimize your chances of being a target in the future – and, in the event of an attack, helps you get back on your feet quickly.
Participate in your own rescue. Make your organization more resilient than your peers. At a time when attackers are falling on top of each other to breach targets, there’s no time to waste.
John Shier is a senior security advisor at Sophos Group plc, with more than two decades of cybersecurity experience. He has researched everything from costly ransomware to illicit dark web activity, uncovering insights needed to strengthen proactive cybersecurity defenses. He wrote this article for SiliconANGLE.