A Quick Guide to Ransomware
Give Us What We Want and No Computer Gets Hurt
Ransomware has been around longer than you may think, with the first examples being trojan viruses created as early as 1989. And although it didn’t really take off until 2013, with CryptoLocker, this method of exploitation has grown exponentially in recent years, with experts predicting that there will be a ransomware attack every 11 seconds by 2021. Here we’ll explore what ransomware is, what the risks are and how you can protect yourself and your organisation.
What’s the Deal?
Most people understand the general concept of ransomware and the clue is in the name – essentially attackers use malware to infect a device and demand a payment, or ransom, to remove the virus.
There are two main types of ransomware – locker and crypto. Locker blocks users from logging into the machine at all – i.e. it locks them out – and doesn’t usually involve any data encryption. The user is asked to pay a ransom to unlock their device and once done, they are sent a code to regain access to their machine. Crypto ransomware encrypts sensitive data and demands payment from users in exchange for a decryption key.
In recent years, exfiltration ransomware has become more popular. With this type of attack, instead of stopping a user from accessing their device or data, the threat is that the attacker will leak their data to a third party or to the web and is therefore often known as leakware. During this type of attack, the affected person may still have full access to their data, with the malware having created copies in a separate location. Leakware can be a successful attack vector where the victim has sensitive information they do not wish to be shared e.g. customer data that they’re liable to keep secure, intellectual property, or even potentially embarrassing information about their personal life.
It is important to note that ransomware can affect any device, and with the proliferation of smartphones and tablets, mobile is becoming a much bigger attack vector. In the US alone, around 4.2 million users have seen ransomware attacks on their mobile devices.
For as long as there have been computers, there have been people trying to hack them, and ransomware is one of the most prolific types of malware, given the high potential return for the attacker. The first example of ransomware was seen as early as 1989, and although not very successful due to its easy override, it paved the way for cybercriminals to develop more sophisticated attack methods.
The technique really took off in 2012 with the Reveton trojan, which demanded cash payments to unlock computers that had supposedly been involved in criminal activity such as using unlicensed software or downloading music from illegal websites. Attackers masquerading as local law enforcement infected devices and issued “fines” to unsuspecting users.
2017 saw one of the biggest ransomware attacks, with WannaCry affecting nearly a quarter of a million devices globally and hitting some household names, including our own NHS. Exploiting an SMB vulnerability known as EternalBlue, WannaCry was able to spread across networks, demanding Bitcoin payment in exchange for a key to decrypt the encrypted files.
Fortunately, organisations were quick to speak up about being affected and listened to experts telling them not to transfer funds, meaning the attackers only got their hands on approximately $140,000. It did, however, highlight major flaws in many enterprise security environments, and ended up costing the NHS over £92 million in service disruption and subsequent upgrades to IT infrastructure and applications. It is estimated this cybercrime caused up to $4 billion in losses across the globe.
Other infamous incidents include Bad Rabbit, which again demanded Bitcoin payment in exchange for decryption of files and which moved across networks by brute-forcing logins with a hardcoded list of credentials, and NotPetya, which locked the entire device and moved laterally across networks using stolen usernames and passwords.
It’s important that we take note of ransomware as a major threat to our organisational security, with ransomware expected to bring attackers over $20 billion in revenue in 2021. There are many ways we can look to improve our defences against ransomware, and it is likely that your organisation is already undertaking some of these activities.
The first is the number one tip we give to all businesses no matter their size, risk appetite or industry, and that is patching. Ensuring you have the latest security updates means that you’re protected against the known vulnerabilities that vendors have already fixed. This means looking for the latest updates for your operating system, applications and software.
Invest in cyber security awareness training for your employees. Phishing e-mails are the vector in two-thirds of ransomware attacks, with criminals exploiting the lack of knowledge amongst end users in spotting nefarious content. Using a suitable e-mail filtering tool like Defender for Office 365 or Mimecast can prevent malicious content, documents or links reaching end-users in the first place, but it is important to teach people what to look out for.
Use the 3-2-1 back-up method to ensure that if you do get compromised, you’ve got a way of restoring your data without too much disruption. This means keeping three back-ups of your data across two different types of media and keeping at least one of those back-ups offsite.
Understanding where your vulnerabilities are is good practice, allowing you to invest in a more proactive rather than reactive security strategy. With hackers often infiltrating networks, completing reconnaissance activities over an extended time period and then targeting specific users with things like spear-phishing campaigns to improve the success rate of the attack, it’s key that you know how you could potentially be exploited. It’s therefore recommended that you undertake regular penetration testing to keep yourself in the know!
Implementing a SIEM tool to highlight any unusual activity across your security estate can help you detect the signs of potential attacks before they become too serious. Finding a breach early means that you can take steps to mitigate any damage and secure your environment quickly, reducing the impact to your organisation, both reputationally and financially. Look out for things like mass file creation or deletion!
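As an added illustration of the “mass file creation or deletion” signal (example code written for this article, not a feature or query from any SIEM product; the log format, hosts, users and the .locked extension are all constructed): a sliding-window detector that flags any host/user pair generating an unusual burst of file events and reports the extension dominating that burst.

```python
import os
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

def build_sample_events():
    """Constructed sample log (not from a real SIEM), one 'timestamp host user
    action path' event per line: a normal user on ws01, a rename burst on ws02."""
    normal = [
        "2021-03-01T09:00:01 ws01 alice modify C:/Users/alice/report.docx",
        "2021-03-01T09:00:05 ws01 alice create C:/Users/alice/notes.txt",
        "2021-03-01T09:00:09 ws01 alice delete C:/Users/alice/old.tmp",
    ]
    start = datetime(2021, 3, 1, 9, 30, 0)
    burst = [f"{(start + timedelta(seconds=i)).isoformat()} ws02 bob rename "
             f"C:/Users/bob/doc{i}.xlsx.locked" for i in range(60)]
    return "\n".join(normal + burst)

def parse_events(text):
    """Parse each line into (timestamp, host, user, action, path)."""
    events = []
    for line in text.strip().splitlines():
        ts, host, user, action, path = line.split(maxsplit=4)
        events.append((datetime.fromisoformat(ts), host, user, action, path))
    return events

def detect_bursts(events, window=timedelta(seconds=60), threshold=50):
    """Flag each (host, user) whose file create/modify/rename/delete count
    reaches `threshold` within a sliding `window`, and report the most common
    extension seen in that window (mass renames to one new extension are a
    classic crypto-ransomware signature). Returns {(host, user): alert}."""
    recent = defaultdict(deque)  # per (host, user): deque of (ts, extension)
    alerts = {}
    for ts, host, user, action, path in sorted(events):
        if action not in ("create", "modify", "rename", "delete"):
            continue
        q = recent[(host, user)]
        q.append((ts, os.path.splitext(path)[1].lower()))
        while ts - q[0][0] > window:  # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold and (host, user) not in alerts:
            exts = Counter(ext for _, ext in q)
            alerts[(host, user)] = {"first_seen": q[0][0], "count": len(q),
                                    "top_extension": exts.most_common(1)[0][0]}
    return alerts

if __name__ == "__main__":
    for (host, user), a in detect_bursts(parse_events(build_sample_events())).items():
        print(f"ALERT {host}/{user}: {a['count']} file events from "
              f"{a['first_seen'].isoformat()}, mostly *{a['top_extension']}")
```

In practice the threshold and window should be tuned per environment, since backup jobs and software installs also produce legitimate bursts; the point is to alert early, while the encryption is still in progress.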
Finally, if you do fall victim to a ransomware attack, it’s key that you do not pay the ransom. As daunting as it may be, it’s important that you report the crime to the police to allow them to begin an investigation.
If you’d like to understand more about how you can protect your business against ransomware, or you’re looking for an expert team to show you where your vulnerabilities are to enable you to instigate a more proactive security strategy, then get in touch with us at firstname.lastname@example.org and we’d be happy to help!