In December 2020, the UK's largest cosmetic surgery chain, The Hospital Group, was hit by a ransomware attack. The attackers stole about 900 GB of patients' before-and-after photos and threatened to publish them online. In June 2020, another criminal group tried to auction more than 22,000 files stolen from a Canadian agricultural company on the dark web.
Unfortunately, such “cyber extortion” attacks are becoming very common.
“Cyber extortion is the act of cybercriminals demanding payment through the use of or threat of some form of malicious activity against a victim.”
–Center for Internet Security
Ransomware is the leading type of cyber extortion, with criminals now targeting organizations for huge ransoms. Packetlabs reports that in 2020, ransomware incidents cost $170 billion in ransom payments and downtime. Other extortion methods include Distributed Denial of Service (DDoS) attacks, database ransom attacks (exposed databases wiped and replaced with a ransom note), and cyber blackmail.
The good news: your organization can protect itself against cyber extortion! Packetlabs’ security experts have compiled a list of “anti-extortion best practices” based on their experience finding and addressing serious security loopholes through penetration testing. Read on!
1. Implement Strong Cyber Defenses
Reduce ransomware risk with strong antivirus and anti-malware (ideally EDR) protection on every system. Also, ensure that all software is patched and up to date, and give priority to anything reachable from the internet, such as VPN gateways, remote desktop and email servers, because unpatched or exposed remote-access services are a common way in for extortion crews.
Conduct regular penetration testing to proactively find security vulnerabilities that potential extortionists may exploit. A word of caution – automated vulnerability scanning cannot find all holes, much less help you fix them. Reliable and consistent security starts with comprehensive manual pen testing, which only an expert like Packetlabs can provide.
Finally, write and rehearse a disaster recovery plan so that, if a ransomware attack does get through, you can restore systems quickly rather than negotiate from a position of weakness.
2. Encrypt and Back Up All Data
Encrypting and backing up your data are two of the most effective protections against cyber extortion, and they address different halves of the threat. Encrypt data at rest on every device, file store and cloud service so that files an extortionist steals or duplicates are unreadable without the keys. Keep in mind that this only holds if the attacker does not also get the keys: store key material separately from the data (in a KMS or HSM, not beside the files), and remember that an attacker who has already taken over a running system can read whatever that system can decrypt. Backups are what defeat the "pay or lose your data" side of the threat: keep at least one copy offline or immutable so that ransomware which reaches the network cannot encrypt or delete it, and test restores regularly so you know the copy is usable before you need it.
3. Set Up Firewalls for DDoS Protection
Set up a strong firewall with a default-deny policy that only admits traffic from authorized sources. A Web Application Firewall (WAF) adds a layer of filtering against common web attacks such as SQL injection; cross-site request forgery, by contrast, is fixed in the application itself with anti-CSRF tokens and SameSite cookies rather than by a WAF. Note that a firewall on your own link cannot absorb a volumetric DDoS attack; that traffic has to be filtered upstream by your provider or CDN before it reaches you.
Also, minimize the attack surface by placing public-facing resources behind a Content Distribution Network (CDN) and denying direct internet access to internal parts of the infrastructure such as database servers, which should accept connections only from the application tier. Use firewall rules or Access Control Lists (ACLs) to enforce that policy on the traffic that reaches your applications.
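The following is an added illustration of the ACL point above, not code from the article or from Packetlabs. It models a first-match, default-deny access list and shows the weak ruleset (the database port open to every source address) beside the hardened one (only the application subnet reaches the database, only a bastion host reaches SSH), plus a small audit helper that flags any-source allow rules on sensitive ports. The subnets, the bastion address and the ports are hypothetical and chosen only for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    src: str              # source CIDR, e.g. "10.0.1.0/24"
    dst: str              # destination CIDR
    port: Optional[int]   # TCP port, or None for any port


def _matches(rule: Rule, src: str, dst: str, port: int) -> bool:
    return (
        ipaddress.ip_address(src) in ipaddress.ip_network(rule.src, strict=False)
        and ipaddress.ip_address(dst) in ipaddress.ip_network(rule.dst, strict=False)
        and (rule.port is None or rule.port == port)
    )


def evaluate(rules: List[Rule], src: str, dst: str, port: int) -> str:
    """First matching rule wins; traffic that matches no rule is denied (default deny)."""
    for rule in rules:
        if _matches(rule, src, dst, port):
            return rule.action
    return "deny"


def exposed_rules(rules: List[Rule], sensitive_ports: set) -> List[Rule]:
    """Audit helper: allow rules that admit any source address (prefix length 0) to a sensitive port."""
    return [
        r for r in rules
        if r.action == "allow"
        and ipaddress.ip_network(r.src, strict=False).prefixlen == 0
        and (r.port is None or r.port in sensitive_ports)
    ]


# Hypothetical addressing (assumed for this example, not from the article).
APP_SUBNET = "10.0.1.0/24"   # web/app tier, itself fronted by the CDN
DB_SUBNET = "10.0.2.0/24"    # database servers
BASTION = "10.0.0.5/32"      # admin jump host

# Weak ruleset: PostgreSQL on the database subnet is reachable from the whole internet.
WEAK = [
    Rule("allow", "0.0.0.0/0", DB_SUBNET, 5432),
]

# Hardened ruleset: only the app tier reaches PostgreSQL, only the bastion reaches SSH,
# and everything else falls through to the default deny.
HARDENED = [
    Rule("allow", APP_SUBNET, DB_SUBNET, 5432),
    Rule("allow", BASTION, DB_SUBNET, 22),
]

if __name__ == "__main__":
    internet_client, db_host = "203.0.113.9", "10.0.2.10"
    print("weak    :", evaluate(WEAK, internet_client, db_host, 5432))      # allow
    print("hardened:", evaluate(HARDENED, internet_client, db_host, 5432))  # deny
    print("exposed :", exposed_rules(WEAK, {22, 3306, 5432}))
```

The same two checks translate directly to a cloud security group or an nftables ruleset: a database rule whose source is 0.0.0.0/0 is the finding, and the fix is to name the application subnet as the only permitted source and let the default deny handle the rest.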
4. Use Strong Authentication
Implement a consistent password policy across the organization. All employees must secure their accounts with strong, unique passwords, never store them in unprotected spreadsheets or text files (use a password manager instead), and never reuse or share them.
Even with these precautions, passwords on their own are a weak authentication mechanism, so wherever possible add a second factor: multi-factor authentication with hardware security keys, authenticator-app codes or biometrics, Single Sign-On (SSO) so that fewer passwords exist in the first place, or passwordless authentication. Put MFA on remote access first (VPN, remote desktop, email and cloud consoles), since stolen credentials for those services are a common entry point for extortionists.
5. Address Your Weakest Link – Your People
“People often represent the weakest link in the security chain.”
— Secrets and Lies: Digital Security in a Networked World
Train your people to practice good cyber hygiene. Explain why it matters never to open attachments from unknown senders, never to post sensitive company data on social media sites, and so on. Train employees to recognize phishing and social engineering attempts, show them how to protect the company's devices and data, and give them a simple way to report a suspicious message: a quick report of a phishing email is often the earliest warning that an extortionist is trying to get in.
Should You Pay Up?
The Canadian Centre for Cyber Security (CCCS) advises against getting financially involved with a cyber threat actor. If you are ever a victim, you will need to decide whether paying is worth the impact on your business. If you decide to pay, cyber insurance can keep the financial damage to a minimum.
However, keep in mind that paying does not guarantee that you get your assets back. Some victims never recover their data even after paying, or receive a decryptor that does not work. Some attackers come back for more money, or leak the stolen data anyway, and the cycle never breaks.
Any company can become a cyber extortion victim. But with a strong cyber defense strategy, a well-informed workforce, and proactive security measures like penetration testing done by specialists like Packetlabs, you can protect your firm against cyber extortion.