Cracking the Code: Ransomware’s entry routes and high-value targets
One of the first things that hackers home in on is backups: 3 in 4 companies lose at least some of their backups in ransomware incidents.
Written by: Gary Pigott, Solutions Architect: Disaster Recovery and Backup
Ransomware has become a ubiquitous threat in the digital age, with organisations facing an alarming surge in attacks.
The recent ransomware attack on MGM Hotel Resorts, in which the company’s online and offline services were shut down for 10 days, serves as a stark reminder of the financial repercussions of such an assault. They refused to pay the ransom, but lost $100 million in revenue and paid $10 million in recovery costs.
And MGM Resorts are not alone. The Veeam Ransomware Trends Report 2023, which surveyed 1,200 IT leaders globally, reveals that a staggering 85% of organisations admitted to experiencing at least one ransomware incident within the past year. More alarming is the fact that only 16% of organisations that fell victim to ransomware attacks were able to recover their data without paying the ransom.
The ransomware hit list
Backup repositories are one of the primary targets for ransomware attackers (94%)[1]; these days they are the first thing that hackers home in on, and three in four companies lose at least some of their backups in ransomware incidents. This focus on backups stems from the understanding that by erasing backup data, attackers significantly increase the likelihood of a ransom being paid. The recent Veeam report also found that 39% of backup repositories become unusable post-attack, even if the ransom is paid.
The primary objectives of ransomware attackers are to disrupt an organisation’s infrastructure and hold its data hostage, all with the aim of extracting a ransom. This relentless pursuit of making money at the expense of organisations’ operations and data integrity is at the core of every attack.
Holes in the armour: where ransomware strikes first
As ransomware attacks escalate in scale and sophistication, recognising the critical targets within your IT infrastructure becomes essential to building a robust shield against this relentless threat. The most common entry points[2] are:
- Phishing (44%): Phishing attacks often target end users. Employees play a vital role in defending against this threat, making it imperative for organisations to invest in educating their workforce on recognising and avoiding phishing attempts.
- Infected patch or software package (41%): Compromised patches or software packages can become entry points for ransomware criminals because they exploit the trust users place in updates and legitimate downloads. This tactic capitalises on the fact that users often quickly download and install updates to keep their systems secure, inadvertently allowing ransomware to infiltrate.
- Credential compromise and brute force on external gateways (35%): Cyber criminals are increasingly using techniques like credential compromise and brute force attacks on external gateways. Recent critical security patches issued for Fortinet and Cisco firewalls underline the significance of staying vigilant against these threats. In both cases, external attackers were able to leverage weaknesses in the external web UIs to gain administrator-level access.
- Insider threats (32%): Internal vulnerabilities should not be underestimated. Organisations need robust processes for revoking access when employees leave the company, ensuring that only authorised personnel have access to specific tools and systems. Employers should also ensure that no employees are given access levels higher than what they require to perform their job functions.
- Zero-day threats or critical vulnerabilities (26%): The enigma of zero-day threats lies in their unpredictability. Organisations must acknowledge that these threats are impossible to protect against entirely because of their elusive nature. This makes having a regularly tested Ransomware Response Playbook even more critical.
The aftermath of a ransomware attack
Recovering from a ransomware attack is an arduous process that can severely impact an organisation’s operations, employees, and even its customers. It takes an average of at least three weeks[3] for a company to recover after a ransomware attack, and this is only for critical systems. Tier two and tier three systems often take even longer to restore.
Additionally, the impact of ransomware extends beyond individual organisations. The case of Toyota suspending operations on 28 lines in 14 plants due to an attack on a supplier in 2022 exemplifies how such attacks have a ripple effect, affecting not only the targeted company but also its customers and employees.
Understanding the entry points and targets of ransomware is a critical step in fortifying an organisation’s cyber security defences. The prevalence of ransomware incidents and the potentially devastating consequences make it imperative for organisations to invest in education, security measures, and proactive strategies to mitigate this ever-looming threat.
[1] Veeam Ransomware Trends Report 2023
[2] Veeam Ransomware Trends Report 2023
[3] Veeam Ransomware Trends Report 2023