Ransomware: The biggest cyber threat facing businesses in 2020
By Matt R, IT Superhero
The threat landscape for SMBs is ever-changing, and 2020 is looking scarier than ever when it comes to cybersecurity.
The single biggest threat that we see businesses facing currently is ransomware.
This is where a malicious executable runs on your system and encrypts your files, typically renaming them with a new extension so that nothing will open. The malicious party then tries to force the end-users to pay to receive a decryption key to regain access to their files. The payment is almost always requested in bitcoin or some other digital currency, as it's exceedingly difficult to trace.
SophosLabs, the threat research arm of Sophos, has recently released some pretty scary statistics:
- Their malware analysis engine scans an average of 500,000 malware samples per day. Of these, more than 75% are seen only once and never again.
- This means that the malware that tries to infect YOU will likely be the first of its kind encountered, and never seen again.
- 300,000 + websites are analysed daily and categorised into safe/non-safe browsing.
- 80% of malicious web pages come from legitimate websites that have been compromised.
- 2,000 + previously unseen Android apps analysed daily.
As you can see, the internet is full of potential threats, and it’s not getting any smaller.
How does ransomware affect businesses?
How ransomware gets into a network varies; however, the two largest points of entry are a poorly configured remote desktop system, also known as "RDP" (Remote Desktop Protocol), exposed to the internet on its default port 3389, and phishing email.
Phishing is where users are tricked into clicking a link or opening an attachment that runs the malware. Hackers are getting smarter, and nowadays we see extremely well-crafted emails that are difficult to tell apart from genuine ones. It's also relatively easy and cheap for a hacker to write and send an email to a large database of addresses – there are applications that automate most of this, and with the ever-growing list of data breaches, more and more email addresses are finding their way onto the dark web where they can be purchased.
Many businesses think they won’t fall victim because they might be on the smaller side and fly under the radar, or not present a large enough target. However, time and time again this has been proven wrong.
The online search engine Shodan.io continuously scans the entire internet for exposed remote desktop ports and open VPN ports, returning pages of vulnerable systems for hackers to then exploit. Plus, many smaller businesses don't have things like rotational backups, offsite copies or even cloud replication – meaning that if one of these smaller businesses were to fall victim to a ransomware event, they often have no way of recovering their data!
In fact, 61% of breaches affect SMBs, with the average cost to unlock data estimated between $84,000 and $148,000. Sadly 60% of businesses close down after a security breach, as the cost of recovery far exceeds the actual ransom cost in many situations.
Sophos researchers recently completed a test in July 2019 highlighting the dangers involved with RDP.
They created multiple hosted webservers and exposed the default RDP port of 3389 to the internet. Within one minute and twenty-four seconds, the RDP server received its first attempted access via a password guess. By the end of the 30-day trial, the 10 RDP servers logged a combined 4,289,513 failed logins!
So how can we minimize these threats?
Securing the RDP system will ensure a large threat vector is minimised. If possible, consider whether you actually need the remote desktop server at all. Would a VPN provide a similar level of remote access? Otherwise, putting it behind a VPN and an RD Gateway will go a long way to minimising what's exposed. It's also critical to be aware of failed logins to both RDP and VPNs, and to act to block the sources of these attempts, whether by geolocation or IP address (or ideally both).
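The Sophos honeypot numbers above show what "being aware of failed logins" means in practice: thousands of password guesses per server per day, almost all from a handful of source addresses. The following script is an added example (it is not from the article, and it is not Sophos code) of the simplest useful form of that awareness: it counts failed RDP logons per source IP over a sliding time window and turns the repeat offenders into a block list. The log lines are constructed, simplified renderings of Windows Security event 4625 (failed logon); the field order, the threshold and the window are assumptions for the example, not a standard format.

```python
"""Flag sources brute-forcing RDP from failed-logon events and emit a block list.

Added example for illustration; not from the article. Log lines are a constructed,
simplified form of Windows Security event 4625 (failed logon) / 4624 (success):
    <ISO timestamp> <EventID> <username> <source IP> <logon type>
Logon type 10 is RemoteInteractive, i.e. an RDP session.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one source guessing six accounts in six seconds,
# one user who typed the wrong password once, and one non-RDP failure.
SAMPLE_LOG = """\
2019-07-01T10:00:01 4625 administrator 203.0.113.7 10
2019-07-01T10:00:02 4625 admin 203.0.113.7 10
2019-07-01T10:00:03 4625 root 203.0.113.7 10
2019-07-01T10:00:04 4625 administrator 203.0.113.7 10
2019-07-01T10:00:05 4625 administrator 203.0.113.7 10
2019-07-01T10:00:06 4625 test 203.0.113.7 10
2019-07-01T10:02:15 4625 jsmith 198.51.100.20 10
2019-07-01T10:02:40 4624 jsmith 198.51.100.20 10
2019-07-01T11:30:00 4625 administrator 192.0.2.99 10
2019-07-01T11:30:00 4625 administrator 192.0.2.99 3
"""

THRESHOLD = 5              # failed RDP logons from one source ...
WINDOW = timedelta(minutes=10)  # ... within this window => treat as brute force


def parse(lines):
    """Turn the constructed log text into (timestamp, event_id, user, src, logon_type)."""
    events = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, event_id, user, src, logon_type = line.split()
        events.append((datetime.fromisoformat(ts), int(event_id), user, src, int(logon_type)))
    return events


def brute_force_sources(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {source_ip: total_failures} for every source that produced at least
    `threshold` failed RDP logons (event 4625, logon type 10) inside any `window`."""
    failures = defaultdict(list)
    for ts, event_id, _user, src, logon_type in parse(lines):
        if event_id == 4625 and logon_type == 10:
            failures[src].append(ts)

    flagged = {}
    for src, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it fits within `window` of times[end].
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[src] = len(times)
                break
    return flagged


def block_rules(flagged):
    """Render the flagged sources as a vendor-neutral block list (one CIDR per line)."""
    return sorted(f"{src}/32" for src in flagged)


if __name__ == "__main__":
    hits = brute_force_sources(SAMPLE_LOG)
    for src, count in hits.items():
        print(f"{src}: {count} failed RDP logons")
    print("\n".join(block_rules(hits)))
```

In the sample data only 203.0.113.7 crosses the threshold; the single typo by jsmith and the non-RDP (logon type 3) failure do not. On a real server the same logic would be fed from the Security event log or a SIEM, and the resulting list pushed to the firewall or RD Gateway rather than printed.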
Phishing training and staff awareness are also critical. Do you provide staff training on how to inspect links in emails to determine their true destination? Or are staff advised to pass suspected emails to the IT company? It's always safer to ask your IT company before clicking a link – I don't think any IT company would ever complain about a client being too cautious.
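The check the paragraph asks staff to do by hand (hover over a link and compare where it really goes with what it says) can also be automated as a first-pass filter. The script below is an added example, not from the article and not part of any Sophos product: it parses the anchors in an HTML email body and flags a link when the host named in the visible text differs from the host in the real href, when the destination is a bare IP address, or when the link points straight at an executable. The email body is constructed, and the extension list and the simple host regex are assumptions for illustration.

```python
"""Flag deceptive links in an HTML email body.

Added example; not from the article. The sample email is constructed, using
reserved example/.invalid names and documentation IP ranges.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: one link whose text lies about its destination, one honest
# link, and one "click here" link to an executable on a bare IP address.
SAMPLE_EMAIL_HTML = """
<p>Your invoice is ready. <a href="https://login.example.com.attacker.invalid/reset">
https://login.example.com/reset</a></p>
<p>Questions? Visit <a href="https://support.example.com/help">support.example.com</a>.</p>
<p><a href="http://198.51.100.5/update.exe">Click here</a> to update.</p>
"""

# Hostname or dotted IPv4 as it might appear in link text (assumed, simplified).
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,}|\d{1,3}(?:\.\d{1,3}){3})", re.I)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".js", ".vbs")  # illustrative subset


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            visible = " ".join("".join(self._text).split())  # collapse whitespace
            self.links.append((self._href, visible))
            self._href = None


def host_of(url):
    """Real destination host of an href (lowercased, '' if unparsable)."""
    return (urlparse(url).hostname or "").lower()


def displayed_host(text):
    """Host the link *text* claims to point at, or None if it names no host."""
    m = HOST_RE.search(text)
    return m.group(1).lower() if m else None


def suspicious_links(html):
    """Return [(href, visible_text, [reasons])] for links worth a second look."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real = host_of(href)
        shown = displayed_host(text)
        reasons = []
        if shown and shown != real:
            reasons.append(f"text shows {shown} but link goes to {real}")
        if IPV4_RE.fullmatch(real):
            reasons.append("destination is a bare IP address")
        if href.lower().split("?")[0].endswith(EXECUTABLE_EXTENSIONS):
            reasons.append("link points directly at an executable file")
        if reasons:
            findings.append((href, text, reasons))
    return findings


if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_EMAIL_HTML):
        print(f"{text!r} -> {href}")
        for reason in reasons:
            print(f"   - {reason}")
```

Note what the first finding illustrates: the visible text is a perfectly plausible URL, and the real host merely has the legitimate name as a prefix, which is exactly the pattern a quick glance misses. A filter like this is a complement to staff training and an email gateway, not a replacement for either, since it cannot judge the reputation of a destination that simply looks ordinary.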
There are also technology solutions that can be implemented to assist with this. Sophos Email Gateway provides scanning and assessment of emails and embedded links, along with smart banners on attachments.
It's also critical to have an endpoint anti-malware solution that integrates with the firewall for synchronised security. Many traditional endpoint products run in isolation and receive no threat information from the firewall; Sophos Intercept X and the XG Firewall take protection to the next level.
If a threat is detected on an endpoint, the XG Firewall will alert other devices in the network to reject connections from the infected endpoint. It does this through a heartbeat status alert. Once the threat is resolved or cleaned, the device is allowed to connect to other devices again. This works to prevent lateral movement throughout the organisation.
The endpoint protection also links in very closely with the email gateway. If a user sends an email outbound and the email scanning detects potential malware, an anti-malware scan automatically starts on that user's endpoint to check for infection. This massively lowers the time taken to identify threats.
While the threat to businesses is growing by the day, there are always steps that can be taken to protect your business from ransomware and other cyber threats and minimize these risks. If you’re looking for more information, head to our cybersecurity information centre or contact our team today.