Ransomware Attack
Becoming More Aware
In a ransomware attack, cyber criminals hold the victims’ data and systems hostage and ask for a financial payment, often in crypto-currency since it is anonymous and less traceable.
32% of UK businesses reported suffering a cyber-attack or breach in 2023 and for medium businesses, this rises to 59% and 69% for large businesses. It is estimated that UK businesses lost around £736 million to cyber-crime in 2021 with 31% of businesses estimating they are attacked at least once a week.
The true count of ransomware incidents is a known unknown for officials trying to figure out how to tackle the problem. Victims are not obliged to report attacks to law enforcement, and darknet extortion sites only provide a partial count of victims who refused to pay.
Cyber Security & Data Breach Stats
Did You Know?
It was estimated that approximately 2.39 million cases of cyber-crimes affected UK businesses over the past 12 months
The average cost of a data breach within the UK has increased by 8.1%, resulting in a total cost of £4.56 million
Approximately 20% of UK businesses who became victims of a cyber-attack needed to carry out new precautions as a preventative measure
Protect Your Business
23% of UK businesses now allocate time for their staff to deal with cyber security breaches
Only 11.3% of UK IT budgets are currently spent on security works
Approximately 50% of senior executives in the UK undertook action after a cyber incident has taken place, concentrating more on the recovery than prevention of an attack
Be Informed
Around 49,000 fraudulent incidents across all UK businesses were recorded as a result of cyber-crime
Around 90% of UK organisations have encountered a greater risk of exposure to cyber security threats due to the rise of digital use over the past two years
Approximately 83% of businesses that encountered a cyber-threat were targeted by a phishing attack
Last Line of Defence
Stop, detect and recovery
Stop, detect and recovery is the last line of defence. Recovery is always the last thing to do as it causes so much disruption to fall back to a period prior to any attack. Remember ransomware encryption attacks are not triggered at the same time as the attackers penetration. They tend to leave the payload running for days, even weeks prior to triggering to cause maximum disruption.
Security is multifaceted. It’s a people thing not just a technology thing. Phishing and social engineered attacks are dependent on people treating all external emails as suspicious with constant re-enforcement training.
Robust security measures should highlight end point security for roaming and remote working as being a big vulnerabilities, this should also include governance and acceptable use policies – i.e. VPNs only work if the device has not already been infected. These all increase attack points and without the end user managing their use and security, it can all be circumvented. If a device becomes infected then the VPN is irrelevant as any ransomware can travel down the encryption tunnel the same way authorised traffic can. So end point defence becomes very important in roaming and work from home workforce environments.
Ways To Reduce Ransomware Encrypted Files
Employ Robust Security Measures:
Enforce rigorous IT security policies across the organisational spectrum, encompassing full-time employees, contractors, and vendors. Instigate measures that bolster overall security resilience against ransomware threats.
Exercise Caution with Electronic Communications:
Heighten awareness regarding suspicious emails, links, and attachments, recognising phishing as a prevalent ransomware delivery vector. Exercise utmost caution when dealing with emails or links from unfamiliar sources, as these could pose a significant risk to the network's integrity.
Ways To Reduce Ransomware Encrypted Files
Establish and maintain periodic backups of critical data. Utilise a specialised backup service designed for swift restoration, minimising downtime in the event of an attack.
5 Steps of Best Practices
A ransomware attack is one of the worst-case recovery scenarios that organisations can face. An impacted company or agency will likely be dealing with widespread operational and logistical issues caused by the attack. Claritas has helped a number of customers successfully recover from ransomware attacks.
As a result, we have developed a set of best practices to help plan for, identify and remediate ransomware attacks. These consist of the following five basic steps:
Best Practices For Ransomware Attack Recovery
1/ Preparation
Put yourself in the best position for success by preparing in advance for a ransomware attack
2/ Prevention
Use third party or develop your own tools to prevent ransomware from entering and attacking systems. Catch ransomware attacks before they can do damage
3/ Detection
Apply tools such as monitoring, etc. to detect where ransomware has attacked to enable surgical remediation
4/ Assessment
During an assessment, decide what needs to be recovered first and when
5/ Recovery
Data can be recovered only after ransomware has been neutralised and blocked from re-infecting data
FAQs (Your Questions - Answered)
How can businesses fortify themselves against ransomware attacks?
Implement robust cyber security measures include stringent access controls, and advanced threat detection systems to proactively thwart ransomware infiltrations as well as robust backups
What preventative measures can businesses take to avoid falling victim to ransomware?
Enforce strict security policies, conduct employee training on phishing awareness, keep software up-to-date, and employ email filtering to thwart malicious attachments - all integral to reducing the risk of ransomware infections.
What role do backups play in ransomware recovery?
Backups are a critical component; regular, immutable backups ensure a clean data restore in the event of a ransomware attack, minimising downtime and data loss. But need to ensure backups don't contain any of the malware.
In the event of a ransomware attack, what steps should be taken immediately?
Isolate affected systems, notify relevant authorities, and initiate the restoration process from clean, immutable backups. Concurrently, conduct a thorough analysis to identify the attack vector and strengthen defences against future incidents.
How long does ransomware recovery take?
The duration of ransomware recovery is contingent upon the scale and intricacy of your company's IT infrastructure, usually spanning from a few days to weeks. A well-structured backup and recovery plan can significantly mitigate downtime, facilitating a swift restoration of business operations.
How quickly can a business recover from a ransomware incident?
The recovery time depends on the severity and preparedness. With a well-orchestrated backup and recovery plan, businesses can typically resume operations within days, if not sooner.
What is the best way to recover after a ransomware attack?
The optimal approach for post-ransomware recovery involves bolstering of security measures include social engineering (combined with strong education and awareness training) and the availability of immutable backups poised for deployment upon infection.
4 Ways to Recover from Ransomware
In the event of a ransomware incident impacting your company, swift action and a well-defined recovery strategy are imperative. All recovery procedures should be regularly tested, bi-annually as a minimum. No point having a backup policy if you can’t recover from it AND you only find out when you need to recover.
Consider the following engineering-centric approaches to restore normality:
4 Ways To Recover From Ransomware
Use Layer Security approach:
The business should asses its maximum recovery window should an attack take place. How far back in a recovery process does the business become none-viable. By understanding this the business will be able to assess the risk and deploy funds and develop internal governance policies for mitigation.
Train personnel so they become the first line of defence to external attacks: Suspect email links and attachments from external sources. Beware of social engineering attacks by training and highlight vulnerabilities to roaming and home workers. Include acceptable use policies and governance with HR enrolments. Deliver regular workforce training to reinforce company expectations.
Edge Connectivity Security:
All edge connectivity by electronic means should have the highest security levels and penetration defences. Electronic communications and workforce connectivity are the highest vulnerabilities. These should be tested regularly via external means.
Internal threats should be assessed for accidental or malicious internal bad actor attack. Use regulated access control for user and systems to limit the capability and spread of any attack.
Core and business priority systems should deploy increased monitoring and alerting. Where possible automated response capabilities should be used mitigate the spread of any attack.
Immutable backups:
Include external services such as MS365. Assess the location and placement of these backups. Backing up to the cloud may not cost on the inbound, but any data repatriation back on premise at the point of recovery could incur excessive communications cost from the cloud provider.
If solutions are cloud native for both data and application look at best practice recovery models for cloud only environments. This includes Software as a Service applications such as Salesforce and SAP. Ensure the SaaS service provider meets the businesses recovery time and point objectives.
Dedicated Backup for High Value Services:
Use best practice recovery models matched to the businesses recovery time and point objectives. Ensure that if a ransomware attack lays dormant for a period of time before triggering, hence becoming imbedded in the backup, that there are enough historical recovery points to recover from: Business RPO/RTO dependant.
Minimise and Reduce Your External Exposure
How We Can Help You Recover From A Ransomware Attack
Deploy prevention techniques combined with user education and technology are cornerstones to a robust ransomware recovery plan. Protect against ransomware attacks with a robust ransomware recovery plan to minimise disruption and maintain business continuity.
We have experienced professionals on hand who have earned high-level certifications in foundation technologies such as Cisco infrastructure, VMware virtualisation, and popular Linux distros. This breadth of expertise gives Claritas the ability to identify and integrate the undamaged parts of your IT environment after a ransomware intrusion and reconstruct them rapidly into an operational network.
Partners We Work With
How We Have Helped Our Clients
Taking Precaution
Liability insurance
As cyberattacks continue to rise, businesses face heightened risks, particularly in terms of liability insurance. Without effective ransomware prevention policies, companies are vulnerable to significant financial losses and operational disruptions.
In response, insurance providers are likely to demand robust cybersecurity measures, including IT health checks, to mitigate risks. Failure to comply may result in premium penalties or even withdrawal of coverage for high-risk businesses. This shift underscores the critical role of proactive cybersecurity strategies in safeguarding business operations and financial stability.
By prioritising comprehensive prevention measures, such as regular IT assessments and ransomware defence protocols, companies can not only protect themselves from potential cyber threats but also ensure continued access to essential insurance coverage. Ultimately, integrating cybersecurity best practices into business operations is essential for mitigating liability risks and maintaining insurance protection in an increasingly digital landscape.
