Think of ransomware and the first thing that often comes to mind is the extortion of multimillion-pound corporations.
The association of ransomware with high-profile organisations, such as the NHS, FedEx and Nissan, for instance, is largely shown in the news. But ransomware comes in all shapes and sizes, and the malware that accompanies a ransomware attack is the cause of constant concern for many IT departments, of varying sizes.
‘Ransomware: A type of malicious software designed to block access to a computer system until a sum of money is paid.’ – The Oxford English Dictionary
The term ransomware is relatively new. Added to the Oxford English Dictionary only three years ago, it signifies the branch of malware that demands payment after infecting a computer. But in the three years since it was added to the dictionary, ransomware has increased dramatically, both in the number of attacks and in the range of methods used to conduct them. And because the methods now vary so widely, we know, and can say with confidence, that it is not just large organisations that are being targeted.
“Ransomware maintains its reign as the most widespread and financially damaging form of cyber-attack.”- Europol director, Catherine De Bolle.
How does a ransomware attack work?
First of all, for a ransomware attack to be possible, a breach needs to be made. To create a breach, bad actors target an organisation or individual and send out phishing emails. Once a phishing email succeeds, a breach becomes possible. Then, through this breach and without the victim knowing, a malicious payload is dropped. The payload is the element of the attack that contains the malicious code and causes the actual harm to the victim. Once the attacker has access to the victim's networks, data exfiltration follows, and it is this exfiltrated data that the victim is held to ransom over. Following this, the payload is deployed.
The payload is activated over time, sometimes staying inactive for months. A threat is meaningless without proof that the data has actually been stolen or is accessible, so the bad actor exfiltrates the victim's data and threatens to make it public. By shutting down systems or reducing access, the attacker shows the victim that the threat is not a bluff. This is usually the catastrophic moment when the target recognises the gravity of the situation.
Who’s experiencing ransomware attacks?
In a word: everyone. The end goal of the majority of cyber attacks is to gain access to personal or private data and, using this information, extort money or assets of value from the victim. Every business, no matter the size, holds something valuable that an attacker could use to their advantage, which makes every business, from finance to the charity sector, education to healthcare services, a target.
In a recent Ransomware attack on London’s Hackney Borough Council, the BBC reports how ransomware attacks ‘are a growing problem for public services, from councils to hospitals. In such attacks, hackers take control of computer systems and data and demand payments in order to unlock them.’
The concerning issue is that no one knows the true number of ransomware attacks, as many victims do not report them for fear of losing money, their business, or personal or private data. This means that the real number of attacks is far greater than the figures from Statista, which recorded 187.9 million cases worldwide in 2019 alone.
“The frequency of ransomware attacks — among the scariest and most costly online assaults — has been hard to pinpoint because many victims quietly pay off their attackers without notifying authorities.” –Nathaniel Popper, New York Times
Ransomware began to emerge in the early 2010s. This was mainly due to rapid improvements in the performance of PCs. The processing power of computers has developed tremendously in the last ten years, and computers are now so powerful that they can encrypt their own files in a matter of hours.
Cryptocurrency has matured over the same period, which makes it relatively easy for threat actors to blackmail victims and receive payments without getting caught. As a public security breach would cause mass panic and potential lawsuits, organisations will often pay off cyber criminals into an anonymous cryptocurrency account rather than suffer the loss of client data.
What makes an organisation vulnerable to attack?
The statistics provided by Statista, sourced from leading MSPs around the world and covering 187.9 million cases in 2019, show that 67% of respondents reported infiltrations via spam/phishing emails, 36% attributed them to a lack of cyber security training, 30% to weak passwords and access management, 25% to poor user practices, 16% to malicious websites and ads, and 16% to clickbait.
What is evident from these statistics is that more training is required across all organisations in cyber security procedures and policies, especially with regard to insider threats. Many employees are completely unaware that they are a threat in the first place. Take, for instance, an employee working remotely. This employee may be sat in a local cafe where they decide to work on a company device. If this device was unknowingly compromised while using a different Wi-Fi network, the user may be completely unaware that their device is spreading malware throughout the company.
It all comes down to the right training, so that every employee is aware of their security, the security of the devices and data they process, and the procedures and policies they need to maintain.
To pay or not to pay?
This is purely a business decision. But it is crucial to remember, whatever the decision is, that there is no honour amongst thieves. Attackers are extremely sophisticated. Once they have your data, there is no guarantee that paying them will get your data returned or decrypted. There is also no guarantee that you will not be targeted a second time. Often, once an attack has succeeded, the bad actor will sell the details on to associates who come after the victim again, because the payload may still be present on the network and can be deactivated and reactivated.
The ironic thing is that there are state-of-the-art helplines, run by the criminals behind the attacks, offering help with the logistics of an attack 24/7. Traditionally, bitcoin is used to pay these ransoms. But many people don't know how to procure bitcoin, so they need the criminal helpline services to guide them through the payment process.
Money or time?
Monetary loss is the number one concern for the majority of businesses affected by ransomware. But it all comes down to business priorities and financial calculations. For many, the greatest cost of a successful ransomware attack is actually downtime. The cost of retrieving the encrypted data and making it accessible again can add up quickly and, for a large business, downtime can prove more costly than the ransom payment itself.
Sometimes victims speak out, but this does not always end well. Take Travelex, the currency exchange company, for instance. Following an attack by Sodinokibi ransomware in January, $6 million (€5.07 million) was demanded in exchange for 5GB of personal data. Since the attack, Travelex has fallen into administration, with PwC saying that the 'foreign exchange firm was acutely impacted by COVID and the recent cyber-attack.'
We can debate the merits and drawbacks of paying a ransom, based upon the cost of the attack, at length. But at the end of the day, the chief concern of the organisation will be either the cost of restoration or the ransom amount demanded, which is why the methods used to react to a ransomware attack will differ between organisations.
Best practices to avoid being a ransomware target
• Back up your computers and servers regularly.
• Secure mapped network drives with a password and access control restrictions.
• Educate your employees on the latest email phishing scams and social engineering.
• Avoid handling files or URL links in emails, chats, or shared folders from untrusted sources.
• Update your anti-virus solutions with the latest virus definitions.
• Keep your operating system, network, and security devices at the current release patch update.
• Run software with the least privileges.
• Monitor your endpoints 24×7 by deploying EDR technology to detect advanced cyber-attacks.
• Have a business continuity plan in place to endure user downtime.
• Align with better IT security practices and tools.
• Take out insurance policies that cover costs in case of an attack.
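The monitoring point in the list above is easiest to understand with a concrete detection. The following script is an added example, not SecurityHQ's code or any vendor's EDR logic: it reads constructed file-event log lines (timestamp, user, action, path, optional new path) and applies two behavioural rules that EDR products commonly use in some form, a burst of renames by one user to a single unfamiliar extension within a short window, and the creation of a file whose name looks like a ransom note. The log format, thresholds and the `HOW_TO_DECRYPT.txt` filename are all assumptions made for the example.

```python
"""Flag ransomware-like file activity in a simple file-event log (added example)."""
import os
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional

# Tuning knobs (assumed values): this many renames to one new extension by one
# user inside the window is treated as mass encryption rather than normal work.
RENAME_THRESHOLD = 5
WINDOW_SECONDS = 60
# Filenames that look like a ransom note being dropped next to encrypted data.
NOTE_PATTERN = re.compile(r"(decrypt|restore|recover|how_to)", re.IGNORECASE)

# Constructed sample log: "<ts> <user> <action> <path> [<new_path>]".
# alice does ordinary work; carol makes one backup rename; bob behaves like
# ransomware (five .docx -> .locked renames in 4 seconds, then a note).
SAMPLE_EVENTS = """\
1000 alice write  /home/alice/docs/report.docx
1001 alice write  /home/alice/docs/budget.xlsx
1002 alice rename /home/alice/docs/draft.docx /home/alice/docs/final.docx
1100 carol rename /srv/share/old.csv /srv/share/old.csv.bak
1200 bob   rename /srv/share/q1.docx /srv/share/q1.docx.locked
1201 bob   rename /srv/share/q2.docx /srv/share/q2.docx.locked
1202 bob   rename /srv/share/q3.docx /srv/share/q3.docx.locked
1203 bob   rename /srv/share/q4.docx /srv/share/q4.docx.locked
1204 bob   rename /srv/share/q5.docx /srv/share/q5.docx.locked
1205 bob   write  /srv/share/HOW_TO_DECRYPT.txt
"""


@dataclass
class Event:
    ts: int
    user: str
    action: str
    path: str
    new_path: Optional[str] = None


def parse_line(line: str) -> Optional[Event]:
    """Parse one whitespace-separated log line; return None for malformed lines."""
    parts = line.split()
    if len(parts) < 4:
        return None
    ts, user, action, path = parts[:4]
    new_path = parts[4] if len(parts) > 4 else None
    return Event(int(ts), user, action, path, new_path)


def parse_log(text: str) -> List[Event]:
    return [ev for ev in (parse_line(ln) for ln in text.splitlines()) if ev]


def extension(path: str) -> str:
    return os.path.splitext(path)[1].lower()


def detect(events: List[Event]) -> List[dict]:
    """Return one alert per (user, extension) rename burst and per ransom-note write."""
    alerts = []
    rename_times = defaultdict(list)   # (user, new_ext) -> timestamps in window
    fired = set()                      # keys that already raised an alert
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action == "rename" and ev.new_path:
            new_ext = extension(ev.new_path)
            if not new_ext or new_ext == extension(ev.path):
                continue               # same extension: ordinary file rename
            key = (ev.user, new_ext)
            window = rename_times[key]
            window.append(ev.ts)
            while window and ev.ts - window[0] > WINDOW_SECONDS:
                window.pop(0)          # slide the window forward
            if len(window) >= RENAME_THRESHOLD and key not in fired:
                fired.add(key)
                alerts.append({"rule": "mass_rename", "user": ev.user,
                               "ext": new_ext, "ts": ev.ts})
        elif ev.action == "write" and NOTE_PATTERN.search(os.path.basename(ev.path)):
            alerts.append({"rule": "ransom_note", "user": ev.user,
                           "path": ev.path, "ts": ev.ts})
    return alerts


def alerts_for_sample() -> List[dict]:
    return detect(parse_log(SAMPLE_EVENTS))


if __name__ == "__main__":
    for alert in alerts_for_sample():
        print(alert)
```

Run on the sample, the script raises two alerts, both for `bob`: the mass-rename rule fires on the fifth `.locked` rename, and the note rule fires on the `HOW_TO_DECRYPT.txt` write. alice's rename keeps the `.docx` extension and carol's single `.bak` rename stays under the threshold, so neither produces noise. In a real deployment the thresholds would be tuned against a baseline of the organisation's normal file activity, and the alert would trigger the continuity plan (isolate the host, verify backups) rather than just print.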
In the end, the best way to respond to a ransomware attack is to avoid having one in the first place. Back up data regularly. Scan the network infrastructure for vulnerabilities and apply the latest security patches to avoid ransomware infection. That way, if attacked, you can ensure that your downtime and data loss will be minimal.
SecurityHQ is a Managed Security Service Provider, delivering engineering-led solutions to clients around the world. By combining dedicated security experts, cutting-edge technology and processes, clients receive an enterprise grade experience that ensures that all IT virtual assets, cloud, and traditional infrastructures are protected. For advice, contact our experts.