Ransomware: Everything you need to know.

Ransomware. It’s a word you’ve probably heard a lot in recent years. Perhaps you remember hearing about it during your office cyber security training, or you’ve seen it on the news. Maybe a pop-up has appeared on your computer screen warning of a ransomware infection. But have you ever wondered why there's such a fuss?

Well, you’ve come to the right place if you want to learn all there is to know about ransomware. Indeed, anyone and everyone should be looking to understand such a prevalent type of attack; in 2021, ransomware attacks against businesses will occur every 11 seconds.


In this blog, we cover what ransomware is, how it starts, who can be a target, what some past examples of ransomware are and, most importantly, how you can keep your business protected.

What is ransomware?

The earliest variants of ransomware were produced in the late 1980s – and now, the type of attack has evolved into one of the biggest security problems on the internet today.

Ransomware is a form of malicious software – malware – that locks and encrypts files and documents on anything from a single PC all the way up to an entire network, including servers. Cyber criminals then demand some form of payment from the victim, usually in Bitcoin, in return for regaining control. Virtual currencies such as Bitcoin are generally used because they let the cyber criminals remain anonymous and make the payments difficult to trace.

Unlike other cyber-attacks, the victim is told that they are being attacked and given guidance on how they can recover through payment. This will often come with a deadline – and if it is not met as requested, the victim’s files are encrypted for good. Therefore, if you are targeted, you are often left with very few options: pay the ransom to the criminals behind the attack; restore from backups; or hope there is a free decryption key available.

How does a ransomware attack begin? 

There are multiple ways in which a ransomware attack begins. Infected software apps, infected external storage devices and compromised websites are all examples. One of the most common methods though is through phishing scams, whereby attackers will trick their victims into clicking on a malicious attachment or link. These will often be disguised as a legitimate file or a URL link, and the email will appear to come from a trusted source or well-known brand. If either the attachment or link is opened, the infected file will instantly encrypt the targeted files and documents.

Drive-by downloading, also known as malvertising, is another common infection process used by cyber criminals. This is when malware is spread by online ads with little or no user interaction required. “While browsing the web, even legitimate sites, users can be directed to criminal servers without ever clicking on an ad. These servers catalog details about victim computers and their locations, and then select the malware best suited to deliver. Often, that malware is ransomware,” Malwarebytes explains.

Then we have other, much larger ransomware campaigns where awareness of phishing and social engineering tactics is again not enough. Cyber criminals go one step further, secretly searching through networks for software exploits and flaws, cracked passwords and other vulnerabilities in order to gain complete access to organisations, for instance by using weak points such as internet-facing servers or remote-desktop logins.

If sensitive files and documents, networks, or servers are unexpectedly encrypted and inaccessible, it can be a headache for businesses of all sizes. Even worse, the financial loss due to legal costs, purchasing credit monitoring services for employees/customers, or ultimately deciding to pay the ransom can be enough to force a business to cease trading.

Who can be a target?

Anyone can be a target for a ransomware attack if they have both attractive and essential data. Indeed, some ransomware spreads automatically and indiscriminately across the internet.

It can also depend on how quickly you would need to respond to a ransom demand, how vulnerable your security is, and how well your employees are trained to recognise phishing emails, among other things. Most of the time it is a matter of opportunity. For example, attackers may target those in education because they tend to have smaller security teams and lower budgets for security tools, as well as a large user base that frequently shares files, making them easier to breach.

On the other hand, as we briefly touched on, some organisations are particularly tempting because they are more likely to pay the ransom. For instance, government and medical services would most likely need immediate access to their files and computers. Law firms and other organisations with lots of sensitive data may also be more willing to pay to keep the news of a compromise out of the public eye.

Examples of ransomware:

Now you know what ransomware is, how it occurs and who can be a target, let’s take a look at some well-known examples. The four chosen below show just how dangerous and different a ransomware attack can be.

WannaCry – Designed to exploit a vulnerability in the Microsoft Windows operating system, WannaCry was allegedly created by the United States National Security Agency and leaked by the Shadow Brokers group. It highlighted the problematic use of outdated systems, and in 2017 spread across 150 countries, infecting 230,000 computers globally. Perhaps most notably, it hit a third of hospital trusts in the UK and cost the NHS millions.

BadRabbit – Again in 2017, BadRabbit was deployed using a method called a ‘drive-by’ attack. This is where an insecure website is compromised by a hacker and users then visit it, not knowing it has been tampered with. BadRabbit used a bogus request to install Adobe Flash as a malware dropper to spread the infection. Victims clicked on this without realising it was malware in disguise.

CryptoLocker – CryptoLocker was first seen in 2007 and spread through infected email attachments. Once on a computer, it would search through and encrypt valuable files, then hold them to ransom. Cryptocurrency (Bitcoin) was the required method of payment. The attack is thought to have infected 500,000 computers, until law enforcement and security companies managed to seize the worldwide network of hijacked home computers that was being used to spread CryptoLocker.

Troldesh – The Troldesh ransomware attack occurred in 2015 and was spread via spam emails with infected URLs or attachments. Interestingly, the Troldesh attackers communicated directly with victims to demand ransoms. Some even negotiated discounts for those with whom they had built a rapport!

How can you protect your business?

Defending against ransomware may feel intimidating at first glance. But the truth is, some of the most simple, easy-to-implement steps can help protect your business from an attack. These include:

  • Back up your data
    • Regular backups of your data can make all the difference in the event of a ransomware attack. If one does lock up your IT systems, a recent backup can be restored on a clean, secure device and get your business up and running again.
  • Updates and patches
    • Patching, updating, and maintaining your IT systems and network on a regular basis can help protect against or eliminate known cyber security vulnerabilities. It can also prevent attackers from accessing your systems via the internet.
  • Protect internet connected devices
    • Firewalls and effective endpoint security allow you to limit access to known malicious sites, block malicious code, and secure access to cloud apps and corporate websites. VPNs and RDSs can also help, providing a secure way for remote workers to access company data and networks.
  • Develop a culture of cyber security
    • Employees should be trained so they know and understand the tricks attackers use. That way, they can spot and avoid potential phishing links, and flag requests for personal information or credentials. Strict password policies, password managers and multi-factor authentication can also help keep devices and company data secure.
  • Monitor your network for threats
    • To stay ahead of ransomware attacks and prevent them happening, you need to know what is happening across your IT environment. Tools that allow you to monitor your network, end-user devices and cloud services for suspicious activity or traffic are key for identifying potential risks early.
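As an added example of the kind of monitoring the last item describes (not code from the original post): a small Python detector that flags a burst of high-entropy writes to files given unfamiliar extensions, the trace an encrypting ransomware leaves on a file share. The event shape, thresholds and sample events are constructed assumptions, not any real product's telemetry.

```python
import math
import os
from collections import Counter

# Encrypted data approaches 8 bits of entropy per byte; documents and text
# sit well below this threshold (assumed value, tune to your environment).
HIGH_ENTROPY = 7.0
KNOWN_EXTS = (".txt", ".docx", ".xlsx", ".pdf")  # extensions users normally write

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def suspicious_write(path: str, data: bytes) -> bool:
    """A write looks ransomware-like when the content is high-entropy AND the
    file carries an unfamiliar extension (e.g. report.docx.locked)."""
    ext = os.path.splitext(path)[1].lower()
    return shannon_entropy(data) >= HIGH_ENTROPY and ext not in KNOWN_EXTS

def detect_encryption_burst(events, window_s=60, min_hits=5):
    """events: iterable of (timestamp_seconds, path, content_bytes), any order.
    Returns the timestamp at which a window of window_s seconds first held
    min_hits or more suspicious writes, or None if no burst was seen."""
    hits = sorted(ts for ts, path, data in events if suspicious_write(path, data))
    start = 0
    for end, ts in enumerate(hits):
        while ts - hits[start] > window_s:   # slide the window forward
            start += 1
        if end - start + 1 >= min_hits:
            return hits[start]
    return None

# Constructed file-write events: two ordinary document saves, then six files
# rewritten with encrypted-looking content and renamed with a ".locked" suffix.
BENIGN_EVENTS = [
    (0, "/share/finance/q1.docx", b"Quarterly revenue summary for the board."),
    (5, "/share/finance/notes.txt", b"meeting notes: follow up with vendor"),
]
ENCRYPTED_BLOB = bytes(range(256)) * 4          # uniform bytes, entropy 8.0
RANSOMWARE_EVENTS = [
    (10 + i, f"/share/finance/file{i}.docx.locked", ENCRYPTED_BLOB) for i in range(6)
]

if __name__ == "__main__":
    print(detect_encryption_burst(BENIGN_EVENTS))                       # None
    print(detect_encryption_burst(BENIGN_EVENTS + RANSOMWARE_EVENTS))   # 10
```

In practice the events would come from file-audit or EDR telemetry, and the burst timestamp is what you would feed into an alert to isolate the writing host.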

Take note – as ransomware continues to evolve and become more sophisticated, these measures will not completely eliminate the threat, but they can help to significantly mitigate it. Moreover, effective defence isn’t just down to your IT department. It requires an all-in approach that brings together the entire company, so education is key.

Ransomware is not going anywhere

To put it simply, ransomware is a growing, expensive problem – and no organisation is completely safe. An attack can have devastating consequences for business operations, your bottom line, your business' standing and consumer trust, among other things, for instance:

  • Temporary, and sometimes permanent, loss of company data
  • Possible complete shutdown of company operations
  • Financial loss as a result of revenue generating operations being shut down
  • Financial loss associated with remediation efforts
  • Damaged company reputation

Although cyber groups have most recently turned their attention to Covid-19 lures, post-pandemic there is evidence to suggest they will move towards more creative and even more aggressive ways of extorting ransoms. These include ‘double-extortion’ techniques, whereby cyber criminals steal proprietary data and threaten to publish it. As this happens, it will be key for businesses to revise their cyber security strategy and commit adequate funds for cyber security resources in their budgets. Moreover, by following some of the advice in this blog, you will have already taken a key step towards keeping your business protected.

The entrust IT Group have over 16 years of experience in dealing with some of the most sophisticated ransomware attacks. Indeed, we have helped many of our customers educate their staff, as well as implementing some of the best monitoring and endpoint security solutions that significantly mitigate the risk of an attack happening. Please get in touch with a member of the team on 0330 002 0045 or email enquiries@entrustit.co.uk if you think you too could benefit from our help.
