Recovering your data is no longer enough, you need to stop ransomware threats in their tracks
Ransomware attacks have not only become more prevalent in the past few years, but they have also become more malicious and vicious. The original attack of encrypting data is now being followed by double extortion, where data that is stolen is threatened to be released publicly unless a ransom is paid. There is also triple extortion where the information itself is used against individuals unless a fee is paid. Recovering data in the event of a breach is no longer enough – once data is stolen, it has been exposed and can be used in ongoing ransom-generating activities. A new approach is needed to stop attacks in their tracks.
Attractive targets
Businesses in Africa are particularly attractive targets for ransomware attacks, especially public services organisations, because the value of the data they hold and their potential ability to pay ransoms is high. There are many examples of high-profile attacks that highlight the need for greater focus on this evolving threat. The nature of infrastructure in Africa exacerbates this challenge – users have embraced digital transformation and leapfrogged traditional solutions, with innovative mobile banking, financial and government services. However, there is a lack of robust security, which creates massive vulnerability.
According to the Interpol African Cyberthreat Assessment Report, there are more than half a billion internet users in Africa. In Kenya, 83% of the population is online, while in South Africa this figure is 56%, but 90% of businesses in Africa are operating without the necessary cybersecurity protocols in place, which makes them vulnerable to attack and costs millions. The report highlights that in 2016, cybercrime cost the Kenyan economy about $36 million and the South African economy $573 million, and ransomware has only become more voracious in the years that followed.
Backup is not enough
The most common approach to recovery from a ransomware attack has typically been to ensure that a backup is available so that data can be restored, and operations can continue without the need to pay a ransom. However, while this will still work to recover data that has been encrypted, it is by no means a guarantee that business will be able to continue as usual. Once data has been stolen or extracted there is no way of getting it back – it can be replaced with another copy, but the thieves still have potentially sensitive and highly valuable assets that they can continue to exploit forever.
In light of the evolution of cyberthreats, we need to shift focus from recovering after an attack to preventing data from being stolen in the first place. Data protection needs to start before data is compromised, not at the point of recovery, which means ransomware detection is an essential component of a robust cybersecurity solution, but traditional signature-based approaches simply cannot keep up with threat evolution.
An intelligent solution for a complex problem
Many studies show that there is a significant amount of ‘dwell time’ between a breach and the execution of a ransomware attack, as cybercriminals sift through data to find information of value. One approach to the problem is to use cyber-deception techniques that deploy sensors within the primary and secondary data environments that are only visible to bad actors and mimic real assets. When the attacker then touches or interacts with one of these sensors, alerts can automatically be generated, and protocols set off to expose the threat early and contain an attack before it can have a negative impact on business.
These sensors can be used to gather a significant amount of intelligence, including where the bad actor is connecting from, what credentials they have used, and what vulnerability they have exploited and more. They are not policy or signature based, which means they can detect new and evolving attack vectors. This means that they can contain zero-day threats and supply chain attacks and identify new vulnerabilities. Because the ‘traps’, are not exposed to legitimate users, there are no false positive alerts, and they can be classified according to the severity level of the interaction with the trap and can provide insight into the type of malicious code being executed in attacks.
Comprehensive coverage
To ensure valuable data assets are protected, there are many layers of security that need to be in place, including basic security foundations like firewalls and antivirus, as well as intelligent data management with backup and recovery capability. However, recovering after an attack still leaves businesses exposed to further cyberthreat and potential extortion. A new approach using cyber-deception ransomware detection, delivered as a service via the cloud, can help businesses in Africa and across the world augment their data protection and security to counter the growing threat.