Protecting your digital assets and information against the growing ransomware threat is crucial in the current digital and security landscape. The ever-evolving sophistication of cyber threats, particularly ransomware attacks, poses a significant risk to small and medium enterprises (SMEs). These businesses, often with limited IT resources, face daunting challenges when protecting their critical data and ensuring a swift and effective recovery in the face of an attack.
As National Computer Security Day approaches, our conversation with Dr. Shekhar Pawar aims to enlighten the audience about the risks associated with ransomware and effective strategies that businesses can implement to strengthen their cybersecurity defenses. Dr. Shekhar Pawar is a distinguished cybersecurity expert, holding a Ph.D. from SSBM Geneva. He is widely recognized as the founder and CEO of SecureClaw Inc. and GrassDew IT Solutions Pvt. Ltd. Dr. Pawar’s passion for advancing cybersecurity extends to his contributions as an author and inventor. He is the visionary behind the BDSLCCI cybersecurity framework. With his extensive knowledge, experience, and achievements, Dr. Shekhar Pawar is a leading figure in cybersecurity, dedicated to protecting digital assets and enhancing the security landscape for individuals and organizations worldwide.
In this interview, he delves into the world of ransomware security and data recovery, equipping you with the knowledge and tools needed to protect your business from these insidious threats and recover swiftly in the event of an attack.
1. What is your take on the current landscape of ransomware attacks and their impact on small and medium businesses (SMBs)?
Ransomware, a cyber attack implemented using malicious software, is the most popular financial gain-motivated cyber attack performed by cyber criminals. It can target personal devices as well as organization-level infrastructure and devices. The aim of any ransomware software is to encrypt files or systems and stop users from accessing them. In this malicious scenario, files, and at times entire devices, are subjected to encryption and subsequently held captive until the target submits a ransom in return for a decryption key. This key serves as the means by which the user can regain access to their encrypted files or the affected software systems. This was known as a single extortion attack. After that, cyber criminals started a new technique to gain an additional ransom from their targets, which can be called double extortion. In cases of single extortion, many organizations overcome the threat of file encryption with a simple, up-to-date backup system. Cyber criminals aim at stealing sensitive information from organizations and threatening to release or sell it, often on the dark web or other information black market platforms. However, even if the targets pay a ransom for data recovery, they may still be forced to pay another ransom to prevent their stolen data from being made public.
Furthermore, in addition to double extortion attacks, triple extortion attacks in various areas are also possible, where cyber criminals add another layer of threat by disrupting the organization’s services to apply extra pressure. Taking this a step further, quadruple extortion is possible if ransomware attacks impact the third-party associates of the targeted organization.
Ransomware attacks have a long chain of extortion for their targets; hence, it is recommended to implement preventive measures as well as not pay ransom money to threat actors. According to my recent research studies among small and medium companies, a lack of funds to implement available cybersecurity standards in the market, demand for dozens of controls to be deployed, a lack of skilled teammates to implement or maintain cybersecurity controls, and a lack of visibility of Return on Investment (ROI) while investing resources in adopting cybersecurity standards were four key issues faced by those companies.
2. What are some common TTPs and security gaps that cyber criminals use to initiate ransomware attacks for SMBs?
Many recent reports have indicated that ransomware attacks originate from various social engineering tricks, remote desktop vulnerabilities, remote server attacks, unpatched software, password guessing, credential theft, third-party security gaps, misplaced USB drives, etc. Once a machine gets infected by the malicious software, the threat actor uses the command-and-control (CC) server to execute further steps. Using an encryption key, cyber criminals can encrypt the machine. Even before encrypting, they can back up data to their CC server or another place. After the encryption of data on the target device, a ransomware note is shown to the user of that device. Generally, it has instructions for targets on how they can communicate with cyber criminals and how they can transfer the ransom to a cryptocurrency account. Also, threatening comments ask the target not to try decrypting these devices using third-party tools, or the organization could lose the data.
Further, they threaten the target by giving them a timeline of, say, 24 hours or so to decide to pay ransom, with more threats to try to sell it on the darknet and so on. Human beings have been the weakest link in most cyber attacks. A malware attack followed by a ransomware attack is the kind of combination that works for threat actors. Many SMB companies are not able to invest more in advanced cybersecurity controls due to a lack of knowledge and budget. During my research studies, I even found that more than one-third of small and medium companies never had any cybersecurity training for their employees. Another one-third of them have a once-a-year kind of security awareness training, and the rest have such training at other intervals. Around one-third of such companies do not have any security policies, procedures, or guidelines in place. Around 25% of companies do not implement physical and technical security controls.
3. What steps can businesses take to proactively protect their data and systems against ransomware attacks?
Today, there are various mature and leading standards of cybersecurity, such as NIST, ISO 27001, the Zero Trust Framework, and so on. The only thing is that many times, SMB companies do not have enough resources or readiness to adopt them. One of the observations is that many standards are generic for all business domains, which results in many cybersecurity controls being implemented. Every SMB should look at two verticals of cybersecurity control implementation. The first is the defense in depth mechanism, also known as the onion or castle model. It has various layers of cybersecurity controls, increasing the difficulty for cyber criminals to perform their tricks or techniques. Even if one layer is compromised, other layers often prevent malicious intent. Also, top management needs to identify mission-critical assets (MCAs) on which most of their business depends to survive or grow. There should be extra attention provided to such MCAs. As part of my international research studies and publishing, I have invented a business domain-specific least cybersecurity controls implementation (BDSLCCI) framework for securing SMB or SME companies. As its name suggests, depending on the business domain of the SMB or SME company willing to adopt BDSLCCI, the list of cybersecurity controls for its business domain will vary. BDSLCCI also provides information on which control needs to be implemented first and the order in which the remaining controls should be implemented. It helps SMBs protect themselves against cyber threats with a reduced number of controls and, hence, a reduction in the resources required to adopt BDSLCCI.
4. In the unfortunate event of a ransomware attack, what are the best practices for incident response and data recovery?
Yes, it is possible that, due to an unaware employee’s mistake, an associated supply chain, or similar circumstances, a successful attack may still occur despite lowering the overall risk of undergoing any successful ransomware attack. The organization must have regular backups in different networks or locations, which should be operational. Also, backups should be tested regularly to confirm that they will really work during recovery in case of a ransomware attack. After a specific device has been infected, the initial step is to quarantine it from the network to prevent the malware from spreading to other devices. A few cybersecurity experts can help you decrypt files using the few available tools. In many countries, as per law and compliance, it is required to report such cyber attacks to the Computer Emergency Response Team (CERT) or similar authorities within a few hours. If organizations suspect that their customer data or similar might have been impacted by ransomware, it is always better to inform affected customers. Otherwise, their hacked information can be used by hackers to perform another crime. It is a recommended best practice not to pay ransom in such cyber attacks, as no one should trust the unknown or hidden face of a cyber criminal.
5. How do data recovery and business continuity aspects for SMBs differ from those of MNCs?
For large organizations or multinational companies (MNCs), investing in and implementing data recovery and business continuity aspects is relatively easy as they can recruit or outsource certain IT or security functions. When we look at SMEs or SMBs, they are lagging in their respective skilled resources and funds, and their top management only prioritizes sustaining or growing their business goals.
Top management needs to write a practical business continuity plan prioritizing mission-critical assets to be safe and secure during unforeseen circumstances. SMBs need to identify critical data to be protected and take regular, secure backups of it. There can be incremental data backups or even full backups, as per the top management’s decision. Now that every SMB must have a work-from-home or remote working facility, it is possible to consider a backup site rather than not having anything in place. Only employees need to undergo regular cybersecurity awareness training to make sure they maintain cyber hygiene while working remotely. Only per-need access should be granted to the employees; admin privileges must not be given to every employee for their device. It is also recommended to simulate cyber drills once every six months to check business continuity readiness.
6. Are there any specific tools or technologies that you suggest SMBs consider when planning their data recovery strategies?
Various data recovery tools are available on the market, and it is important to use trusted sources and read reviews of such tools. There are many websites that even compare the tools available on the market. SMBs need to do research. The top management decides to compare and choose. If the SMB’s business is data-centric, they need to purchase such tools. If the size or value of the data is not high, then they can even have a manual process or develop small tools using technology. Today, many endpoint protection software options have built-in data backup and recovery features. A few SMBs even develop small SQL batch jobs to take regular backups of crucial data or files. It is important to keep encrypted backups at secured locations so that even if backups get hacked, they can’t be used by threat actors. Always keep a backup teammate for crucial data backup and recovery operations. One important thing is that even encrypted backups can be kept on an external hard disk or tape, which should be kept in a secured physical locker. This preparedness helps during an actual incident.
7. How can SMBs balance the cost-effectiveness of data recovery solutions with the need for robust cybersecurity?
It is a myth that only costly tools can provide the best security. It is a combination of the operations team’s efforts and tools that makes a well-secured ecosystem for any organization. Adopting a particular data backup and recovery solution is a very strategic decision. The cloud is a good and cost-effective solution, according to my experience working with SMBs. A few SMBs even take backups at two different locations; this is good practice. Only the SMB needs to encrypt data in all three states: data at rest, data in transit, and data in use. Also, only limited access should be granted to the backups or their operations, as those are very sensitive. It is important to delete unnecessary data or even backup files to reduce the cost of backup and recovery operations. Data layer security policies are very important, especially to avoid insider threats and to have good access control. The smaller the size of the data, the better the performance of backup and recovery operations.
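The backup advice that runs through answers 4, 6 and 7 (regular backups that are actually restore-tested, small scripted backup jobs for crucial data, backups that cannot be silently altered, limited access to backup files, and deleting backup files that are no longer needed) is shown below as one worked example. This is an added example written for this page; it is not Dr. Pawar's, SecureClaw's or BDSLCCI's code. It assumes a small SQLite database as the "crucial data", a backup directory on the same host, and a retention count, all of which are placeholders; the constructed sample database in the main block is for demonstration only. Integrity is checked with a SHA-256 digest recorded beside each backup copy; encryption at rest, which answer 7 also calls for, is assumed to be supplied by the storage layer (an encrypted volume or the backup tool's own feature) and is not implemented here.

```python
"""Backup, integrity-check, restore-test and prune a small SQLite database.

Added example (not the interviewee's code). Paths, labels and the
retention count are hypothetical placeholders.
"""
import hashlib
import os
import shutil
import sqlite3
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path):
    """Return the hex SHA-256 digest of a file, read in 64 KiB chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def create_backup(db_path, backup_dir, label=None):
    """Take an online copy of the database with SQLite's backup API.

    Writes a .sha256 sidecar so later tampering or corruption is detectable,
    and restricts both files to the owning (backup operator) account only.
    """
    backup_dir = Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True, mode=0o700)
    label = label or datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%S")
    dest = backup_dir / f"backup-{label}.sqlite"
    src = sqlite3.connect(db_path)
    dst = sqlite3.connect(dest)
    src.backup(dst)  # consistent snapshot even while the app keeps writing
    dst.close()
    src.close()
    sidecar = dest.with_name(dest.name + ".sha256")
    sidecar.write_text(sha256_file(dest) + "\n")
    os.chmod(dest, 0o600)     # least privilege: only the backup account reads it
    os.chmod(sidecar, 0o600)
    return dest


def verify_backup(backup_path):
    """Restore test: check the digest, then open a scratch copy and query it.

    Returns (ok, reason). A backup that cannot be restored and queried is
    treated as no backup at all.
    """
    backup_path = Path(backup_path)
    sidecar = backup_path.with_name(backup_path.name + ".sha256")
    if not sidecar.exists():
        return False, "missing digest sidecar"
    if sha256_file(backup_path) != sidecar.read_text().strip():
        return False, "hash mismatch"
    with tempfile.TemporaryDirectory() as scratch:
        restored = Path(scratch) / "restored.sqlite"
        shutil.copy2(backup_path, restored)
        conn = sqlite3.connect(restored)
        try:
            status = conn.execute("PRAGMA integrity_check").fetchone()[0]
            if status != "ok":
                return False, f"integrity_check: {status}"
            tables = conn.execute(
                "SELECT name FROM sqlite_master WHERE type = 'table'").fetchall()
            if not tables:
                return False, "restored database has no tables"
        finally:
            conn.close()
    return True, "ok"


def prune_backups(backup_dir, keep_last):
    """Delete all but the newest keep_last backups (labels sort by time).

    Returns the names of the removed backup files.
    """
    backups = sorted(Path(backup_dir).glob("backup-*.sqlite"))
    doomed = backups if keep_last <= 0 else backups[:-keep_last]
    removed = []
    for old in doomed:
        old.unlink()
        sidecar = old.with_name(old.name + ".sha256")
        if sidecar.exists():
            sidecar.unlink()
        removed.append(old.name)
    return removed


if __name__ == "__main__":
    # Constructed demo: a throwaway "orders" database, three backups,
    # a restore test on the newest, and retention of the last two.
    work = Path(tempfile.mkdtemp())
    db = work / "orders.sqlite"
    with sqlite3.connect(db) as conn:
        conn.execute("CREATE TABLE orders(id INTEGER PRIMARY KEY, total REAL)")
        conn.executemany("INSERT INTO orders(total) VALUES (?)", [(10.0,), (20.5,)])
    for day in ("20240101T000000", "20240102T000000", "20240103T000000"):
        newest = create_backup(db, work / "backups", label=day)
    print("restore test:", verify_backup(newest))
    print("pruned:", prune_backups(work / "backups", keep_last=2))
```

Run it as a scheduled job under a dedicated backup account; the `verify_backup` step is what turns "we have backups" into "we have tested backups", and the digest sidecar is a cheap way to notice a copy that was altered after it was written. Copying the verified backup to a second location (or to offline media kept in a locker, as answer 6 suggests) is the next step and is outside this script.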