How to help protect your business from one of today’s biggest cyberthreats
What businesses need to know about ransomware
High-profile ransomware attacks on Colonial Pipeline, the Washington DC Metropolitan Police and meatpacking company JBS underscore a trend. Data from 21 notorious ransomware groups shows that ransomware attacks doubled in the first half of 2021 and show no sign of slowing.
Cyberattacks that use malware to lock people out of their data unless they pay a ransom, also known as ransomware, are exploding across the world. And unfortunately, many large and small organizations are unable to stop an attack or recover quickly.
Why is ransomware growing so fast? Simply put, it’s easy money. It’s a relatively low risk way for financially motivated groups to extort millions of dollars from organizations globally.
Another driver is the notion of ‘ransomware as a service,’ which is where a ransomware group will lease out their malware and infrastructure to other criminals in exchange for a percentage of any ransom paid.
This drastically lowers the barrier to entry. Cybercriminals no longer need to develop their own ransomware; they can just hire another group’s capability.
So, there’s a whole cybercriminal economy that has evolved around ransomware with potentially millions of dollars up for grabs, and this has been a key driver in the surge of attacks.
"Cryptocurrency is the enabler that allows ransomware attacks to increase their size and scale. For law enforcement interested in tracking or following the money, it’s a shell game.."
– Brett Wallace, Head of Cybersecurity Operations, JPMorgan Chase & Co.
It’s all about the payday
“Often ransomware isn’t the first piece of malware that a victim organization receives,” says Brett Wallace, Head of Cybersecurity Operations at JPMorgan Chase. Usually, an unwitting employee is first induced to download malicious software that grants an attacker access to the network.
Once a hacker has access, they move through the network gathering information to understand what the organization does and how much revenue it generates. This information is used to set the ransom amount. “Different businesses are asked to pay different amounts based on their revenue. These groups are smart about that. They do their homework,” says Wallace.
Then, information is often stolen from the network before ransomware is finally deployed. A typical business cannot go long without the ability to access business or customer data, and the attackers usually apply further pressure by threatening to publish the data they stole. Out of desperation, owners often pay.
But it’s how they pay that’s the real gamechanger.
Other attempts at online theft bring in less or take more work. If a hacker steals credit card numbers, they can sell them or use them, but the value of those numbers is limited and credit card fraud is often detected quickly. Large bank withdrawals or transfers are risky because they’re often flagged and the transaction cancelled. Hacks that require social engineering rely on employees to carryout orders or make approvals that take time and could look suspicious.
The beauty of ransomware, from a hacker’s point of view, is that it requires direct payment. And that payment is usually made using a cryptocurrency such as Bitcoin. “Cryptocurrency is the enabler that allows ransomware attacks to increase their size and scale,” says Wallace. “For law enforcement interested in tracking or following the money, it’s a shell game.” You send the money and it can disappear into the internet.
What can you do to prevent an attack?
“No industry is immune. Everyone who has an online presence and is connected to the internet is a potential victim,” says Wallace.
The good news? Basic cybersecurity practices continue to be effective for organizations of any size. In particular, Wallace believes that focusing on three layers of protection will significantly reduce your risk:
1. Multifactor authentication
A ‘factor’ in authentication speak is just a way of confirming your identity when you try to sign into an account. The three most common types of factors are something you know (like a password), something you have (like a smartphone or one-time passcode generator) or something unique to you (such as biometric data i.e., fingerprint). Multifactor authentication is the practice of using more than one factor. So, even if a hacker steals a password, they still can’t gain access to your accounts without an additional authentication factor — which they are unlikely to possess.
2. Vulnerability management
Exploiting software bugs, known as vulnerabilities, on internet-facing devices is the easiest way for hackers to enter your network. Investing in a capability to identify vulnerabilities in your technology and remediating them promptly will significantly reduce the risk of compromise.
3. Employee awareness
Even with the best technology in place to prevent attacks, it can all be undone by an employee clicking on a malicious link or opening a weaponized attachment. A rigorous education and awareness program, which includes sending fake malicious emails to your own employees, can foster a strong security culture and reduce the likelihood of malware being introduced to your network.
What do you do if your business is attacked?
There is no one-size-fits-all approach to a ransomware attack. That’s why it’s so important to develop an incident response plan.
“The time to develop an incident response playbook is not during an incident,” says Wallace. “A lack of preparedness could put you in a situation where you don’t have choices.”
A few questions to ask yourself when writing your plan:
- Who needs to be involved in responding to a cybersecurity incident?
- What is each person’s role?
- How can they be contacted?
- How will you assess what happened to understand the scope, impact and extent of the damage?
- What systems need to be assessed?
- What data is most at risk?
- What data can you not afford to have lost or exposed?
- How will you document your assessment?
- How will you contain the incident?
- How will you know when the incident is sufficiently contained?
- What are the steps for eradicating the threat?
- How will you recover and return to regular operations?
- Do you have sufficient backups for critical data?
- Have you tested restoring backups to make sure you can complete the task quickly and effectively?
- How will you communicate to the team the progress of the recovery?
- How will you monitor operations after the recovery?
- How will you learn from the incident and make changes?
Not every business is able to carry out an incident response on its own. If not, businesses may want to work with an IT consultant to ensure they’re able to recover with minimal disruption.
Keep learning
The U.S. Cybersecurity & Infrastructure Security Agency offers free resources to help you understand cybersecurity threats and take proactive steps to protect your business. The U.S. Small Business Administration [DR2] and its partners regularly host in-person and virtual events on cybersecurity.
If you suspect your business is a victim of fraud, contact your Chase Client Service Representative immediately or call the Chase Connect® Service Center at 1-877-226-0071 (for government and not-for-profit organizations: 1-855-893-2223).