CNME Editor Mark Forker spoke to Tarek Kuzbari, Regional Director, Middle East & Turkey at Cybereason, to learn more about the economic impact ransomware attacks are having on a global scale, what practices businesses need to implement to better protect themselves – and discuss the findings of their recent ransomware report in the UAE.
There has been a spate of high-profile ransomware attacks over the last number of months that have had devastating consequences for those affected. Ransomware has now entered the consciousness of the mainstream public, but as Kuzbari points out, ransomware attacks are not a new phenomenon.
“I do not think there has been a massive spike in ransomware attacks, they have been around for quite some time, in fact, the first ransomware attack occurred in 1989, when a virus was spread across a floppy disk, so it is not something new. However, I think the major difference now is that it is impacting schools, healthcare providers, government entities and other businesses, so everyone is now much more aware of ransomware attacks because it has become personal to them, especially in the case of the HSE (Health Service Executive) in Ireland, in which thousands of patients had their sensitive data leaked”, said Kuzbari.
Ransomware may have been around for some time, but as Kuzbari highlights, there is no doubt that cybercrime is intensifying, and some of the numbers around the economic impact incurred by ransomware over the last few years are quite staggering.
“It is undisputed that cybercrime is getting significantly worse, the combination of factors such as the proliferation of connected devices, and geopolitics between economic superpowers such as the US and China, have undoubtedly fragmented the tapestry of the global security community, and these factors play right into the hands of cybercriminals. According to Cybersecurity Ventures, it has been estimated that so far this year there has been a ransomware attack on a business every 11 seconds. If you look at the trend of ransomware attacks on a global scale it is extremely worrying, in 2015, it typically used to cost the global economy $325m, but it is now being projected to cost the global economy $20bn by the end of 2021, and if it continues at the same pace then it is estimated to reach $264bn by 2031”, said Kuzbari.
Many industry analysts have declared that companies should not pay the ransom, as all that serves to do is create a lucrative market for these sophisticated cybercriminals to continue to tap into. One of the most high-profile ransomware attacks of late was on Colonial Pipeline in the United States, which paid $4.3m to get its oil supply back in operation after it was crippled by the attack.
However, as Kuzbari points out, it is much more complex than simply deliberating over whether a company should pay the ransom or not.
“It’s easy to debate over this topic, and everyone within the industry has their own points of view, and it is very easy to say that I would not pay the ransom. However, the situation when under the attack is completely different, and this is something we see with enterprises that are hit by an attack. As you know being subject to a ransomware attack once is already a nightmare for any organisation, but you also need to take into consideration that there is a high probability that the organisation that has already paid the ransom will be hit again by the same attacker, or another cybercriminal within a very short space of time, so it is not always as black and white as some would suggest”, said Kuzbari.
Cybereason sponsored a comprehensive report that examined ransomware attacks in the UAE, and they discovered that 84% of companies hit by an attack opted to pay the ransom, but incredibly 90% of those were then struck by another ransomware attack.
Kuzbari believes there are a number of factors as to why some companies are more vulnerable than others when it comes to preventing ransomware attacks.
“There are several cases behind these incidents that range from poor cybersecurity posture, to lingering vulnerability, to persistent threat actors, so it is critical for every organisation that has been hit by a ransomware attack to really understand and determine the root cause of the attack. What happens is sometimes the root cause may not have been the ransomware, but it could be what made it visible, and in many cases ransomware is just the by-product of another undetected infection, so that is why investigations and remediating the underlying cause of any attack is crucial in terms of preventing any subsequent future attacks”, said Kuzbari.
The Cybereason executive also added that many businesses tend to forget the fundamentals when it comes to security – and outlined the four best practices that enterprises need to adopt to become more resilient.
“Many businesses ignore the basics when it comes to security, so what I would recommend is four steps to become more secure. The first one would be to follow the security hygiene best practices such as offsite data backup and enhancing the security awareness of employees through additional training, this is very important, and every organisation simply must do it. The second step that I would recommend would be to deploy multi-layer prevention capabilities on all the enterprise endpoints across the network. The third one would be to implement the extended detection and response solution, which is known as an XDR across the whole environment, because it is really all about connecting different aspects beyond the traditional end point from identity to network, which gives you better visibility to end these advanced ransomware attacks. The last point that I would advocate for is to practice strategy and implement a zero-trust architecture with restricted sensitive data access and protection”, said Kuzbari.
One other startling fact from the report was that 71% of those surveyed said that they had a specific policy in place to manage a ransomware attack, and 67% said they believed they had the right people to get the job done. But if businesses have a plan, then why are most of them still worried?
“Policies and plans are very important, but always the devil is in the detail, and when you come under an attack the situation varies because of a lot of unknowns, such as a misconfiguration, or how the public can react, or how certain authorities intervene, or it is a double-extortion type of attack. If I examine the Colonial Pipeline attack in May, within 5 days they made the payment, and their CEO told lawmakers in the United States that although his company had an emergency response plan in place it did not include a plan in response to a ransomware attack – and because the company had insurance the decision for payment was very swift”, said Kuzbari.
Kuzbari stressed that there are many factors that affect an organisation in terms of whether they are going to pay a ransom or not, but that usually the decision is made at the very end of the negotiation, when the organisation can determine if they can recover all their backup data and avoid the payment. He further illustrated that the issue of data integrity was a real problem.
“It is very difficult to be certain on the integrity of the backup, and it can take several days. The backup integrity is a real issue currently within any organisation impacted by a ransomware attack, most of the companies do not have a properly configured backup, or have not tested the resilience of these backups, or tested the ability to recover their backup against ransomware scenarios. It is not that easy to say I am not going to pay, or if I just have a policy then I am safe, there are other elements at play that you need to look at. I think at the end of the day all these incidents from Colonial Pipeline to JBS have provided us with a sobering wake-up call to make us realise that we are not as safe as we thought, and are provoking us to react and respond to these threats”, concluded Kuzbari.