Ransomware attacks have exploded in recent years. From the first quarter to the second quarter of 2021, attacks jumped 250%. No matter the size, location, or industry of your organization, ransomware attacks are growing in number and severity. This alarming increase has pushed ransomware defense into the forefront of every security professional’s initiatives.
Ransomware definition
Ransomware is a type of malware that encrypts the files on a device. The attackers then withhold the data, or threaten to release it, until a ransom is paid. For enterprises that rely on that data to function, or that are trusted to protect consumer information, a ransomware attack is disastrous.
How does ransomware work?
Ransomware attacks begin when a bad actor gains access to the data through an employee or a network vulnerability. Once the data has been compromised, the attacker uses asymmetric encryption to prevent the owner from accessing it. At this point, the attacker typically leaves a message on the computer’s screen demanding a payment, usually in cryptocurrency, within a particular time frame. If the attacker keeps their word to decrypt the information once they have been paid, they share the private key with the victim, restoring access to the data.
Why is ransomware spreading?
Ransomware attacks are increasing rapidly. Two thirds of organizations with 500 employees or more dealt with ransomware attacks in the span of a year. This percentage grows to 80% with organizations that have 3,000-4,999 employees.
The rise of remote work means that employees are using more unsecured endpoints. This opens the door for phishing emails and malicious downloads.
Ransomware as a service
The rise of Ransomware-as-a-Service (RaaS) means that ransomware is available to more people than ever. It is possible to purchase ready-made ransomware and pay the developer a percentage of the earnings. Since you no longer need to be a coder to launch a ransomware attack, this widens the pool of people with the capability to become bad actors.
Ransomware examples
Ransomware often follows the same approaches and tactics. This makes it important to learn from past ransomware attacks.
WannaCry
WannaCry is a type of ransomware that spreads on its own. In 2017, a group of hackers used an exploit called EternalBlue to attack Microsoft Windows operating systems. This ransomware worm infected over 250,000 systems before it was stopped.
NotPetya
NotPetya is considered to be the most devastating attack yet. In 2017, NotPetya leveraged EternalBlue, the same vulnerability used by WannaCry, to spread quickly through Ukrainian government offices, businesses, and banks. While NotPetya posed as ransomware, it is technically a wiper rather than ransomware, because no way to decrypt the data was built into it.
CryptoLocker
CryptoLocker was the first type of ransomware that required cryptocurrency for payment. In 2013, the CryptoLocker trojan horse searched for files and locked them using asymmetric encryption. The most common infection method was email with unknown attachments.
Ryuk
Ryuk was first discovered in 2018 and was one of the first types of ransomware with the ability to encrypt network drives as well as shadow copies on the endpoint. This means that it is impossible to recover from the attack without external backups. Ryuk is often deployed using spear phishing, a tactic that targets specific individuals while posing as a trusted contact.
Double extortion
Many ransomware attacks now feature double or even triple extortion. In double extortion, a bad actor exports the sensitive data in addition to encrypting it. Then they threaten to release that information. In triple extortion, attackers take this information and contact the individual customers or third parties for ransomware payments in exchange for keeping their personal information secret. Venafi has found that 83% of successful ransomware attacks feature double or triple extortion.
The business impact of ransomware
Ransomware has a devastating impact on the productivity and reputation of a business. Your business may need to partially shut down while attempts are made to recover business-crucial data. In the case of the Colonial Pipeline attack, the company shut down its operations leading to gas shortages.
If confidential customer information is leaked as part of the attack, your reputation could plummet. You also may be subject to regulatory fines in the case of a data breach.
How to prevent ransomware
Prevention is absolutely the best strategy when it comes to dealing with ransomware. There are a few strategies that should be in place at your organization to minimize the attack surface.
- Patch systems regularly and make sure software is up to date
- Segment your network to ensure that ransomware can’t spread beyond the infected system
- Train employees to look for attacks and report suspicious emails
- Back up systems frequently and store these backups somewhere that cannot be accessed from the network
- Secure your digital certificates and ensure the private key is not compromised
- Require all macros to be code signed
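The backup advice above only pays off if you can prove, after an incident, that the offline copy is still the one you made. The following Python example, added here and not part of the original article, builds a SHA-256 manifest of a directory tree and later verifies a copy against it, reporting files that were modified in place (for example encrypted), removed, or added. The file names and contents are constructed for the demo; the manifest should be stored with the offline copy, not on the share it describes.

```python
"""Added example: SHA-256 manifest for verifying an offline backup.

Build the manifest when the backup is taken; verify it before restoring.
Sample data below is constructed for the demo.
"""
import hashlib
import json
import os
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large backup sets need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root) -> dict:
    """Map each file path (relative to root, POSIX style) to its SHA-256 digest."""
    root_path = Path(root)
    manifest = {}
    for path in sorted(root_path.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root_path).as_posix()] = sha256_file(path)
    return manifest


def save_manifest(manifest: dict, dest) -> None:
    """Write the manifest as JSON; keep it alongside the offline copy."""
    Path(dest).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def verify_manifest(root, manifest: dict) -> dict:
    """Compare a directory tree with a manifest.

    Returns four lists:
      ok       - files present with matching hashes
      modified - files present but with a different hash (e.g. encrypted in place)
      missing  - files listed in the manifest that no longer exist
      extra    - files on disk that the manifest never listed
    """
    current = build_manifest(root)
    result = {"ok": [], "modified": [], "missing": [], "extra": []}
    for rel, digest in manifest.items():
        if rel not in current:
            result["missing"].append(rel)
        elif current[rel] != digest:
            result["modified"].append(rel)
        else:
            result["ok"].append(rel)
    result["extra"] = sorted(set(current) - set(manifest))
    return result


def backup_is_trustworthy(report: dict) -> bool:
    """A backup is only usable if nothing was modified, removed or added."""
    return not (report["modified"] or report["missing"] or report["extra"])


if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as tmp:
        # Constructed sample data standing in for a file share.
        share = Path(tmp) / "share"
        (share / "finance").mkdir(parents=True)
        (share / "finance" / "q1.csv").write_text("invoice,amount\n1,100\n")
        (share / "readme.txt").write_text("hello\n")

        manifest = build_manifest(share)
        save_manifest(manifest, Path(tmp) / "manifest.json")

        # Simulate one file overwritten in place and one unexpected file added.
        (share / "finance" / "q1.csv").write_bytes(os.urandom(64))
        (share / "unexpected.txt").write_text("...")

        report = verify_manifest(share, manifest)
        print(json.dumps(report, indent=2))
        print("trustworthy:", backup_is_trustworthy(report))
```

Run the check from a clean machine against the mounted offline copy; a report with anything other than empty `modified`, `missing` and `extra` lists means the copy has been touched since it was taken and should not be trusted as the restore source.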
Responding to ransomware
Swift action is key when a ransomware attack is discovered. Make sure your organization has a ransomware response policy in place before an attack occurs. If your organization is the victim of a ransomware attack, be sure to involve the authorities and report the incident.
Slow the spread
If you suspect a device has been infected with malware, disconnect it from the network and other devices as quickly as possible. This will stop the ransomware from spreading further throughout your network. Since ransomware moves so quickly, it is likely that other devices will have already been infected. Disconnect all suspicious devices from the network and shut down wireless connectivity.
Identify the source
Check for alerts in your antivirus or Endpoint Detection & Response (EDR) software, and ask your employees whether they have received any suspicious emails. Try to identify which type of ransomware you are dealing with. Then alert all unaffected employees as soon as possible, telling them the signs to look for to determine whether they have been infected.
Assess your backups
See if the information that has been encrypted is backed up and if you still have access to that backup. Then deploy an antivirus solution to wipe the devices clean of malware. If you don’t have backups, No More Ransom is a great source to find free decryptors and applications that could possibly help. While there is no guarantee, it is possible that you will find a decryption key that will work to restore your files.
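Before comparing encrypted data with backups, responders need a fast way to scope which directories the ransomware actually reached. The Python example below, added here and not part of the original article, is a triage scan that flags files whose sampled contents have near-maximal Shannon entropy, which is what encrypted data looks like, and reports the fraction of files affected per tree. The threshold (7.5 bits per byte) and sample size (64 KiB) are assumptions for the demo, and the sample files are constructed.

```python
"""Added example: entropy-based triage scan for suspected-encrypted files.

Heuristic: encrypted (and compressed) data has entropy close to 8 bits/byte,
while documents, spreadsheets and source code sit well below that.
Threshold and sample size are assumed values; tune them on your own data.
"""
import math
import os
from collections import Counter
from pathlib import Path

ENTROPY_THRESHOLD = 7.5   # bits/byte; assumed cut-off for "looks encrypted"
SAMPLE_BYTES = 64 * 1024  # only the first 64 KiB of each file is read


def shannon_entropy(data: bytes) -> float:
    """Entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path) -> bool:
    """True when the sampled prefix of the file has high entropy."""
    with Path(path).open("rb") as f:
        sample = f.read(SAMPLE_BYTES)
    return shannon_entropy(sample) >= ENTROPY_THRESHOLD


def scan_tree(root) -> dict:
    """Walk a tree and split files into suspected-encrypted vs. plain.

    Returns {"suspect": [...], "plain": [...], "ratio": float}, where ratio is
    the fraction of files flagged; it rises sharply on a share hit in bulk.
    """
    root_path = Path(root)
    suspect, plain = [], []
    for path in sorted(root_path.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root_path).as_posix()
            (suspect if looks_encrypted(path) else plain).append(rel)
    total = len(suspect) + len(plain)
    return {"suspect": suspect, "plain": plain,
            "ratio": (len(suspect) / total) if total else 0.0}


if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as tmp:
        # Constructed sample share: two text files and one "encrypted" file
        # simulated with random bytes.
        share = Path(tmp)
        (share / "hr").mkdir()
        (share / "hr" / "policy.txt").write_text("Leave requests go to HR.\n" * 40)
        (share / "notes.md").write_text("# meeting notes\n- follow up\n" * 20)
        (share / "hr" / "payroll.xlsx").write_bytes(os.urandom(4096))

        report = scan_tree(share)
        for rel in report["suspect"]:
            print("SUSPECT", rel)
        print(f"{report['ratio']:.0%} of files look encrypted")
```

Treat hits as leads rather than proof: legitimately compressed formats (archives, images, many PDFs) also score high, so compare the flagged list against the backup manifest or file types before deciding what to restore, and point the scan at each share in turn to see where the ratio jumps.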
Should I pay the ransom?
Never pay the ransom to get your files back. A 2020 ruling by the U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) and the Financial Crimes Enforcement Network (FinCEN) declares that most cases of paying a ransom are illegal.
There is no guarantee that the attackers will actually share the decryption key, and you will be funding criminal activities. Paying also makes you a recurring target: now that the ransomware criminals know they can get money from you, they are likely to attack you again in the future.