Three Reasons Companies Fall Victim to Ransomware – and One Big Way the Game is Changing

by Quentin Rhoads-Herrera, Critical Start Director, Professional Services

Ransomware is a concern for every company, and in our discussions with customers they often ask the same question: why do companies fall victim to ransomware? In this post I'll cover the three reasons we see most often, along with a change that customers are often surprised to hear about: ransomware attacks increasingly involve not only encrypting data for ransom but also stealing it outright.

From our incident response and cybersecurity assessment work with customers, we see three main reasons companies are victims of ransomware attacks.

Patching to prevent ransomware

First is when a vulnerability is publicly disclosed. Criminals quickly latch on to these events and scan the internet for systems that are still exposed, typically within days of disclosure and sometimes within hours. At that point it becomes a race: the company has to patch (or otherwise mitigate) the vulnerability before the attackers find and exploit its systems.

When companies are too slow to patch, the attackers win. That's especially true for legacy applications running on Windows operating systems that are beyond end-of-life, meaning Microsoft no longer issues security patches for them. To its credit, Microsoft occasionally issues patches even for operating systems well past end-of-life: in May 2019 it patched Windows XP and Windows Server 2003 against the remote code execution vulnerability in Remote Desktop Services known as BlueKeep (CVE-2019-0708), and in 2017 it did the same for the SMBv1 flaw exploited by the infamous WannaCry attack. Still, it's up to customers to install the patch. As WannaCry made all too clear, many don't. And an out-of-support system that never receives a patch has to be isolated or retired instead, because no amount of waiting will fix it.
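To make the patch race concrete, here is an added example (not code from the original post or from Critical Start) that joins a host inventory against a published advisory and reports which hosts are still exposed, for how long, and which have no vendor fix because the operating system is out of support. The hosts, the advisory identifier and its affected-version lists are constructed for the example; the end-of-support dates are Microsoft's published lifecycle dates.

```python
"""Patch-race check: which hosts remain exposed to a published advisory, and what can be done?"""
from datetime import date

# Constructed inventory (hypothetical hosts): OS and the date each host was last fully patched.
ASSETS = [
    {"host": "app01",     "os": "Windows Server 2019", "patched_through": date(2019, 6, 1)},
    {"host": "db02",      "os": "Windows Server 2016", "patched_through": date(2019, 5, 10)},
    {"host": "print-srv", "os": "Windows Server 2008", "patched_through": date(2019, 5, 1)},
    {"host": "hr-legacy", "os": "Windows Server 2003", "patched_through": date(2015, 6, 1)},
    {"host": "kiosk7",    "os": "Windows XP",          "patched_through": date(2014, 3, 1)},
]

# Microsoft's published end-of-support dates for these versions.
END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Windows Server 2003": date(2015, 7, 14),
    "Windows Server 2008": date(2020, 1, 14),
}

# Constructed advisory (placeholder identifier, not a real CVE): which versions are
# affected, and which of those actually received a fix on the publication date.
ADVISORIES = [
    {
        "id": "ADV-EXAMPLE-0001",
        "published": date(2019, 5, 14),
        "affected": {"Windows XP", "Windows Server 2003", "Windows Server 2008",
                     "Windows Server 2016", "Windows Server 2019"},
        "fixed_for": {"Windows XP", "Windows Server 2003",
                      "Windows Server 2016", "Windows Server 2019"},
    },
]

# The "as of" date for the report (hypothetical).
TODAY = date(2019, 6, 14)


def exposure_report(assets, advisories, end_of_support, today):
    """Return one finding per (host, advisory) pair that is still exposed, worst first."""
    findings = []
    for adv in advisories:
        for asset in assets:
            if asset["os"] not in adv["affected"]:
                continue
            if asset["patched_through"] >= adv["published"]:
                continue  # patched on or after the fix shipped: out of the race
            eos = end_of_support.get(asset["os"])
            has_fix = asset["os"] in adv["fixed_for"]
            findings.append({
                "host": asset["host"],
                "advisory": adv["id"],
                "days_exposed": (today - adv["published"]).days,
                "out_of_support": eos is not None and eos <= today,
                "remediation": "apply vendor patch" if has_fix else "no vendor fix: isolate or retire",
            })
    # Hosts with no fix first, then out-of-support hosts, then longest exposure.
    findings.sort(key=lambda f: (f["remediation"] != "apply vendor patch",
                                 f["out_of_support"], f["days_exposed"]), reverse=True)
    return findings


if __name__ == "__main__":
    for f in exposure_report(ASSETS, ADVISORIES, END_OF_SUPPORT, TODAY):
        status = "OUT OF SUPPORT" if f["out_of_support"] else "supported"
        print(f"{f['host']:<10} {f['advisory']}  {f['days_exposed']:>3}d exposed  {status:<14}  {f['remediation']}")
```

The ordering is the point: a host that can be patched is a ticket for the patching team, while a host with no fix is a ticket for network segmentation or decommissioning, and the two should never sit in the same queue.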

Thwarting phishing attacks

The second reason companies suffer ransomware attacks is phishing. In fact, from our experience providing incident response services to ransomware victims, phishing is the most prevalent source of entry to the target network.

I'll spare you the lecture about training users to recognize phishing and instead encourage you to look at endpoint security products that can contain a phishing payload even when your users don't spot it. HP Sure Click, for example, uses isolation technology from HP's acquisition of Bromium. Whenever a user opens an email attachment, browser tab or downloaded file, it runs inside a micro-virtual machine (micro-VM) that is isolated from the rest of the computer and the attached network. If the file contains malicious code, it's confined to that micro-VM and can't reach anything else on the computer or network. One caveat: isolation addresses malicious attachments and drive-by downloads. A phishing page that simply asks the user to type their password into a fake login form is a credential-theft problem, and for that you still need multi-factor authentication and monitoring for logins that don't fit the user's normal pattern.

Responding immediately to attacks

The third and last reason companies fall victim to ransomware is that they take too long to detect and respond to an intrusion. To thwart an attack, you need to catch the intruders at the time of initial compromise or soon after, and get them off your network before they deploy ransomware. The good news is that you have a window of opportunity. Attackers rarely deploy ransomware the moment they land: they first spend time strengthening their foothold, harvesting credentials and moving laterally, because they don't want to show their hand until they're confident they can encrypt enough of the environment to force a payment. That dwell time, from the phishing email or exploited server to the ransom note, is when you can still stop them.

Detecting and thwarting attacks inside that window means either building your own alert detection and response capability, with the staffing to act on alerts around the clock, or partnering with a managed detection and response (MDR) provider such as Critical Start to help you.
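One signal that fits inside that window is an account fanning out to many hosts in a short period, which is what lateral movement ahead of a ransomware deployment looks like in authentication logs. The following is an added example (not code from the original post or from Critical Start) that runs a sliding-window fan-out rule over a constructed log; the hosts, user names, addresses and the line format are hypothetical, and the threshold and window are illustrative values that you would tune to your own environment.

```python
"""Detect one account logging on to many hosts in a short window: a common pre-ransomware pattern."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed authentication log (hypothetical hosts, users and addresses), one event per line.
SAMPLE_LOG = """
2020-03-02T08:58:10Z src=10.0.5.21 user=jsmith dst=FS01 event=logon_success
2020-03-02T09:00:00Z src=10.0.1.15 user=svc_backup dst=FS01 event=logon_success
2020-03-02T09:00:30Z src=10.0.1.15 user=svc_backup dst=FS02 event=logon_success
2020-03-02T09:00:45Z src=10.0.1.15 user=svc_backup dst=DC01 event=logon_failure
2020-03-02T09:01:10Z src=10.0.1.15 user=svc_backup dst=APP01 event=logon_success
2020-03-02T09:01:50Z src=10.0.1.15 user=svc_backup dst=APP02 event=logon_success
2020-03-02T09:02:15Z src=10.0.5.21 user=jsmith dst=FS01 event=logon_success
2020-03-02T09:03:05Z src=10.0.1.15 user=svc_backup dst=DB01 event=logon_success
2020-03-02T09:04:40Z src=10.0.1.15 user=svc_backup dst=HR01 event=logon_success
2020-03-02T10:30:00Z src=10.0.5.21 user=jsmith dst=MAIL01 event=logon_success
this line is malformed and is skipped by the parser
""".strip().splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) dst=(?P<dst>\S+) event=(?P<event>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that don't match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_fan_out(lines, window=timedelta(minutes=10), threshold=5):
    """Alert when a user successfully logs on to at least `threshold` distinct hosts within `window`."""
    events = [e for e in map(parse_line, lines) if e and e["event"] == "logon_success"]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(deque)   # user -> (timestamp, host) pairs still inside the window
    alerts = {}                   # user -> alert, extended as the fan-out continues
    for e in events:
        q = recent[e["user"]]
        q.append((e["ts"], e["dst"]))
        while q and e["ts"] - q[0][0] > window:
            q.popleft()           # drop logons that fell out of the window
        hosts = {dst for _, dst in q}
        if len(hosts) < threshold:
            continue
        a = alerts.setdefault(e["user"], {"user": e["user"], "src": e["src"],
                                          "first_seen": q[0][0], "last_seen": e["ts"], "hosts": set()})
        a["hosts"].update(hosts)
        a["last_seen"] = e["ts"]
    return [dict(a, hosts=sorted(a["hosts"])) for a in alerts.values()]


if __name__ == "__main__":
    for a in detect_fan_out(SAMPLE_LOG):
        print(f"{a['user']} from {a['src']} reached {len(a['hosts'])} hosts between "
              f"{a['first_seen']:%H:%M:%S} and {a['last_seen']:%H:%M:%S}: {', '.join(a['hosts'])}")
```

Only successful logons count, so a password-spraying burst of failures does not trip this rule (that deserves a rule of its own), and the same host logged on to repeatedly counts once, which keeps a user's normal file-server reconnects from looking like spread. A service account that suddenly authenticates to six servers in under five minutes, as svc_backup does in the sample, is exactly the kind of event an analyst should be paged for before encryption starts.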

Adding extortion to ransomware

Taking steps to thwart ransomware is imperative, because attackers are changing the game. Increasingly we see attackers stealing data before they encrypt it and demand a ransom. They take entire virtual machine images, customer data, valuable intellectual property (IP), anything and everything they can find, before deploying their ransomware.

The idea is that if a victim refuses to pay the ransom, for example because they have adequate backups and can restore, the attackers have another lever to pull: extortion. They can threaten to publish your IP or customer data, or sell it to someone else, unless you pay up. Good backups no longer settle the matter. Naturally, that has potentially devastating consequences, including brand damage, breach-notification and regulatory exposure for leaked customer data, and the risk of important IP landing in the hands of a competitor.
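Because the data has to leave the network before the encryption starts, the staging and upload phase is itself detectable. As an added example (not code from the original post or from Critical Start), the following flags internal hosts whose outbound volume to the internet is far above their normal baseline. The flow records, addresses and baseline are constructed for the example (the external addresses are from the IETF documentation ranges), and the ratio and floor thresholds are illustrative.

```python
"""Flag internal hosts pushing far more data to the internet than their normal baseline."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# RFC 1918 ranges, listed explicitly: ip_address(x).is_private would also treat the
# documentation ranges used below (203.0.113.0/24 and friends) as private, which is not what we want.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

# Constructed flow records for one day: (source, destination, bytes sent). Addresses are
# hypothetical; the external ones come from the IETF documentation ranges.
FLOWS = [
    ("10.0.2.10", "10.0.9.5",       4_000_000),   # internal backup traffic, not counted
    ("10.0.2.10", "203.0.113.7",  120_000_000),   # large upload to an external host
    ("10.0.2.10", "203.0.113.7",   95_000_000),
    ("10.0.3.44", "198.51.100.20",  2_500_000),   # ordinary browsing volume
    ("10.0.3.44", "198.51.100.21",  1_100_000),
    ("10.0.7.8",  "192.0.2.9",     40_000_000),   # large, but within this host's baseline
]

# Constructed baseline: typical daily outbound bytes to the internet per host.
BASELINE = {"10.0.2.10": 5_000_000, "10.0.3.44": 3_000_000, "10.0.7.8": 60_000_000}


def is_internal(addr):
    a = ip_address(addr)
    return any(a in net for net in INTERNAL_NETS)


def outbound_totals(flows):
    """Sum bytes from each internal source to external destinations, plus the destinations seen."""
    totals, dests = defaultdict(int), defaultdict(set)
    for src, dst, nbytes in flows:
        if not is_internal(src) or is_internal(dst):
            continue
        totals[src] += nbytes
        dests[src].add(dst)
    return totals, dests


def detect_exfil(flows, baseline, ratio=5.0, floor=50_000_000):
    """Alert when a host's external upload volume is at least `floor` bytes and at least
    `ratio` times its baseline. The floor keeps hosts with a tiny baseline from alerting on
    ordinary browsing; the ratio keeps busy hosts with a large baseline from alerting on a busy day."""
    totals, dests = outbound_totals(flows)
    alerts = []
    for src, total in totals.items():
        base = baseline.get(src, 0)
        if total >= floor and total >= ratio * base:
            alerts.append({"host": src, "bytes_out": total, "baseline": base,
                           "multiple": round(total / base, 1) if base else None,
                           "destinations": sorted(dests[src])})
    alerts.sort(key=lambda a: a["bytes_out"], reverse=True)
    return alerts


if __name__ == "__main__":
    for a in detect_exfil(FLOWS, BASELINE):
        print(f"{a['host']} sent {a['bytes_out']:,} bytes out (baseline {a['baseline']:,}, "
              f"x{a['multiple']}) to {', '.join(a['destinations'])}")
```

A host with no baseline entry is treated as having a baseline of zero, so any upload above the floor from an unknown host alerts; that is deliberate, since a newly built box or a forgotten server pushing hundreds of megabytes to one external address is exactly the case you want surfaced.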

This is a tactic ransomware groups started to employ at the end of last year, and we’re seeing it continue this year. I expect it’s going to become even more prevalent.

All the more reason to ensure you're keeping up with patching and to take a fresh look at your endpoint protection strategy. You'll likewise need to ensure your alert detection and response capabilities are up to the task. If not, let us know and we'll be happy to help.
