Ransomware. It’s a word you’ve probably heard a lot of in recent years. Perhaps you remember hearing about it during your office cyber security training, or you’ve seen it on the news. Maybe a pop up has appeared on your computer screen warning of a ransomware infection. But have you ever wondered why there's such a fuss?
Well, you’ve come to the right place if you want to learn all there is to know about ransomware. Indeed, anyone and everyone should be looking to understand such a prevalent type of attack; in 2021, ransomware attacks against businesses will occur every 11 seconds.
In this blog, we cover what ransomware is, how it starts, who can be a target, what some past examples of ransomware are and, most importantly, how you can keep your business protected.
The earliest variants of ransomware were produced in the late 1980s – and now, the type of attack has evolved into one of the biggest security problems on the internet today.
Ransomware is a form of malicious software – malware – that locks and encrypts files and documents on anything from a single PC all the way up to an entire network, including servers. Cyber criminals will then demand some form of payment from the victim, usually in Bitcoin, before they will hand back control. Virtual currencies such as Bitcoin are generally used because they let the criminals remain anonymous and make the payments difficult to trace.
Unlike in other cyber-attacks, the victim is told that they are being attacked and given guidance on how they can recover by paying. This will often come with a deadline – and if it is not met as requested, the victim’s files remain encrypted for good. Therefore, if you are targeted, you are often left with very few options: pay the ransom to the criminals behind the attack; restore from backups; or hope there is a free decryption key available.
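The behaviour described above, many files being rewritten as ciphertext in a short burst and often renamed with a new extension, is also what a defender can look for. The script below is an added example, not code from the original post or from entrust IT Group: it runs a simple heuristic over a constructed list of file-write events (the event format, the hypothetical process name `update_helper.exe` and the thresholds are all assumptions chosen for illustration) and flags any process whose high-entropy, extension-changing writes exceed a threshold inside a short time window.

```python
"""Heuristic mass-encryption detector over constructed file-write events.

Added example; not part of the original blog post. The event tuple layout,
the process names and the thresholds are assumptions for illustration only.
"""
import math
from collections import defaultdict

# Constructed sample contents. bytes(range(256)) repeated gives every byte value
# an equal share, i.e. the 8.0 bits/byte that ciphertext exhibits; the report
# text has only a few dozen distinct characters and so sits far below that.
HIGH_ENTROPY = bytes(range(256)) * 4
LOW_ENTROPY = b"Quarterly sales report. Revenue grew 4% year on year. " * 8

# Constructed events: (timestamp_seconds, process, path_before, path_after, content_written).
# path_before == path_after is a plain overwrite; a differing path is a rename-and-write.
SAMPLE_EVENTS = [
    # Normal editing by a word processor: slow, same extension, readable content.
    (0.0, "winword.exe", r"C:\Users\amy\Documents\report.docx",
     r"C:\Users\amy\Documents\report.docx", LOW_ENTROPY),
    (95.0, "winword.exe", r"C:\Users\amy\Documents\budget.docx",
     r"C:\Users\amy\Documents\budget.docx", LOW_ENTROPY),
    # Burst from a hypothetical unknown process: six documents rewritten in about
    # two seconds, each renamed with an extra extension and filled with ciphertext-like bytes.
    (200.0, "update_helper.exe", r"C:\Users\amy\Documents\report.docx",
     r"C:\Users\amy\Documents\report.docx.locked", HIGH_ENTROPY),
    (200.4, "update_helper.exe", r"C:\Users\amy\Documents\budget.docx",
     r"C:\Users\amy\Documents\budget.docx.locked", HIGH_ENTROPY),
    (200.9, "update_helper.exe", r"C:\Users\amy\Documents\clients.xlsx",
     r"C:\Users\amy\Documents\clients.xlsx.locked", HIGH_ENTROPY),
    (201.3, "update_helper.exe", r"C:\Users\amy\Documents\contract.pdf",
     r"C:\Users\amy\Documents\contract.pdf.locked", HIGH_ENTROPY),
    (201.8, "update_helper.exe", r"C:\Users\amy\Pictures\team.jpg",
     r"C:\Users\amy\Pictures\team.jpg.locked", HIGH_ENTROPY),
    (202.2, "update_helper.exe", r"C:\Users\amy\Desktop\notes.txt",
     r"C:\Users\amy\Desktop\notes.txt.locked", HIGH_ENTROPY),
]

ENTROPY_THRESHOLD = 7.5   # bits per byte; office documents and text sit well below this
WINDOW_SECONDS = 10.0     # how tightly the suspicious writes must cluster in time
BURST_THRESHOLD = 5       # suspicious writes within one window needed to raise an alert


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def looks_encrypted(event) -> bool:
    """A write is suspicious when the file is renamed AND its new content is ciphertext-like."""
    _ts, _proc, before, after, content = event
    return before != after and shannon_entropy(content) >= ENTROPY_THRESHOLD


def detect_mass_encryption(events, window=WINDOW_SECONDS, threshold=BURST_THRESHOLD) -> dict:
    """Return {process: peak_burst} for every process whose suspicious writes
    reach `threshold` inside any `window`-second span (sliding window per process)."""
    stamps_by_proc = defaultdict(list)
    for ev in sorted(events, key=lambda e: e[0]):
        if looks_encrypted(ev):
            stamps_by_proc[ev[1]].append(ev[0])

    alerts = {}
    for proc, stamps in stamps_by_proc.items():
        start, peak = 0, 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[proc] = peak
    return alerts


if __name__ == "__main__":
    for proc, burst in detect_mass_encryption(SAMPLE_EVENTS).items():
        print(f"ALERT: {proc} rewrote {burst} files as ciphertext within {WINDOW_SECONDS:.0f}s")
```

The word processor never trips the rule because its writes keep the file name and remain readable text, while the burst of renamed, high-entropy writes does. In practice the event feed would come from an EDR or file-integrity agent, and the thresholds would be tuned against what backup and archiving software legitimately does on the estate, since those tools also rewrite many files quickly.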
There are multiple ways in which a ransomware attack can begin. Infected software apps, infected external storage devices and compromised websites are all examples. One of the most common methods, though, is phishing, whereby attackers trick their victims into clicking on a malicious attachment or link. These will often be disguised as a legitimate file or URL, and the email will appear to come from a trusted source or well-known brand. If the attachment or link is opened, the malware will immediately begin encrypting the targeted files and documents.
Drive-by downloading, also known as malvertising, is another common infection process used by cyber criminals. This is when malware is spread by online ads with little or no user interaction required. “While browsing the web, even legitimate sites, users can be directed to criminal servers without ever clicking on an ad. These servers catalog details about victim computers and their locations, and then select the malware best suited to deliver. Often, that malware is ransomware,” Malwarebytes explains.
Then we have other, much larger ransomware campaigns where awareness of phishing and social engineering tactics is again not enough. Cyber criminals go one step further, secretly searching through networks for software exploits and flaws, cracked passwords and other vulnerabilities in order to gain complete access to organisations, for instance through weak points such as internet-facing servers or remote-desktop logins.
If sensitive files and documents, networks, or servers are unexpectedly encrypted and inaccessible, it can be a headache for businesses of all sizes. Even worse, the financial loss due to legal costs, purchasing credit monitoring services for employees/customers, or ultimately deciding to pay the ransom can be enough to force a business to cease trading.
Anyone can be a target for a ransomware attack if they have both attractive and essential data. Indeed, some ransomware spreads automatically and indiscriminately across the internet.
It can also depend on how quickly you would need to respond to a ransom demand, how vulnerable your security is, and how well trained your employees are at spotting phishing emails, among other things. Most of the time it is a matter of opportunity. For example, attackers may target those in education because they tend to have smaller security teams and lower budgets for security tools, as well as a large user base that frequently shares files, making them easier to breach.
On the other hand, as we briefly touched on, some organisations are particularly tempting because they are more likely to pay the ransom. For instance, government and medical services would most likely need immediate access to their files and computers. Law firms and other organisations with lots of sensitive data may also be more willing to pay to keep the news of a compromise out of the public eye.
Now you know what ransomware is, how it occurs and who can be a target, let’s take a look at some well-known examples. The four chosen below show just how dangerous and different a ransomware attack can be.
WannaCry – Designed to exploit a vulnerability in the Microsoft Windows operating system, WannaCry was allegedly created by the United States National Security Agency and leaked by the Shadow Brokers group. It highlighted the problematic use of outdated systems, and in 2017 spread across 150 countries, infecting 230,000 computers globally. Perhaps most notably, it hit a third of hospital trusts in the UK and cost the NHS millions.
BadRabbit – Again in 2017, BadRabbit was deployed using a method called a ‘drive-by’ attack. This is where an insecure website is compromised by a hacker and users visit it without knowing. BadRabbit used a bogus request to install Adobe Flash as a malware dropper to spread the infection. Victims clicked on this without realising it was malware in disguise.
CryptoLocker – CryptoLocker was first seen in 2007 and spread through infected email attachments. Once on a computer, it would search for and encrypt valuable files, then hold them to ransom. Cryptocurrency (Bitcoin) was the required method of payment. The attack is thought to have infected 500,000 computers before law enforcement and security companies managed to seize the worldwide network of hijacked home computers that was being used to spread CryptoLocker.
Troldesh – The Troldesh ransomware attack occurred in 2015 and was spread via spam emails with infected URLs or attachments. Interestingly, the Troldesh attackers communicated directly with victims to demand ransoms. Some even negotiated discounts for those with whom they had built a rapport!
Defending against ransomware may feel intimidating at first glance. But the truth is, some of the simplest, easiest-to-implement steps can help protect your business from an attack. These include:
Take note – as ransomware continues to evolve and become more sophisticated, these measures will not completely eliminate the threat, but they can help to significantly mitigate it. Moreover, effective defence isn’t just down to your IT department. It requires an all-in approach that brings the entire company together, so education is key.
To put it simply, ransomware is a growing, expensive problem – and no organisation is completely safe. An attack can have devastating consequences, disrupting business operations and damaging your bottom line, your business's standing and consumer trust, among other things, for instance:
Although cyber groups have most recently turned their attention to Covid-19 lures, there is evidence to suggest that, post-pandemic, they will move towards more creative and even more aggressive ways of extorting ransoms. These include ‘double-extortion’ techniques, whereby cyber criminals steal proprietary data and threaten to publish it. As this happens, it will be key for businesses to revise their cyber security strategy and commit adequate funds for cyber security resources in their budgets. Moreover, by following some of the advice in this blog, you will have already taken a key step in helping to keep your business protected.
The entrust IT Group have over 16 years of experience in dealing with some of the most sophisticated ransomware attacks. Indeed, we have helped many of our customers educate their staff and have implemented some of the best monitoring and end-point security solutions, which significantly mitigate the risk of an attack happening. Please get in touch with a member of the team on 0330 002 0045 or email enquiries@entrustit.co.uk if you think you too could benefit from our help.