The massive use of digital technology by businesses to conduct their operations has led them to change the way they manage, store and exchange more and more information directly on and from their workstations.
This paradigm shift partly explains the success and growth of cyber attacks in recent years, particularly those carried out with ransomware, which demands a ransom from victims in exchange for unlocking their systems or for not publishing their confidential data. These attacks primarily target users when they interact with the Internet (booby-trapped website or email) for the initial compromise, before infecting the rest of the company's information system through lateral movement.
In this respect, it should be noted that the ransomware criminal network has become structured: on the Darknet, there are players who publish ready-to-use kits and offer control platforms for hire, as well as money laundering service providers for ransoms paid in cryptocurrency. They thus enable sponsors to launch their first attacks very quickly with little technical knowledge. This phenomenon is no longer anecdotal: its highly profitable business model is evolving (we now speak of triple extortion) and represents a market of several hundred million euros each year on a global scale, and governments are even beginning to react.
Address the subject before being affected
The analysis of (published) attacks over the last three years shows that organisations of all sizes and in all sectors are affected, from local very small enterprises (VSEs) to multinationals. The subject must be taken seriously by all companies and integrated into their governance, not only at the level of the IT department but at the level of general management, which will play a fundamental role as sponsor for the success of the project. Once this awareness has been achieved, the next step is to assess how to proceed. At this stage, many companies limit their response to a question of tools, which are often expensive. While this approach can be effective to a certain extent, it is clearly not sufficient, especially when the promise of automatic and effortless security is trumpeted.
Focus on the weak link
In concrete terms, the user/workstation pair is the key link to take into consideration. Consequently, awareness-raising is unavoidable and must be an important part of the project from the outset. This founding action will enable the teams to absorb the knowledge and adopt good reflexes in the use of IT tools, and email in particular. However, it is also necessary to evaluate the configuration of these workstations. To that end, a "stress test" should be carried out on targeted and representative workstations.
This approach consists of providing an assessment, at a given time and for a given user account and computer, of its exposure and resistance to the attack vectors of active ransomware groups, i.e. their Tactics, Techniques and Procedures (TTPs). The topics assessed include such fundamental points as: user rights, software updates (not only Windows, but also third-party applications), network segmentation, application security, email and web browsing content filtering, relevant event logging, detection of suspicious events, the data backup strategy as actually performed and as understood by users, and the level of preparedness for security incidents and employee awareness.
Checking and improving their level of resistance against ransomware is therefore a strategic issue for all companies. It is by mobilising on a large scale and constantly updating their posture that they will be able to limit their exposure to cyber risk.
By Stéphane Reytan