Originally ransomware attackers would invade a system and encrypt the files, then display a ransom message when users next tried to access the systems. The message would instruct the victim to pay a ransom amount through a blockchain payment solution like Bitcoin. In exchange for payment, the attacker promised to provide a decryption key to recover the data.
The amount of ransom can vary from a few hundred dollars for a small business to many millions for a large company. Attacks can target individuals, specific groups, or global entities.
Often ransomware will be designed to exclude attacks within certain countries. Some attackers claim to exclude targets like hospitals and critical infrastructure, but these organizations have been hit anyway.
Blockchain payments are the favored payment method because they’re typically anonymous, difficult to track and hard to unwind. Monero seems to be the preferred digital currency for ransomware payments because it was designed to be more difficult to track. Attackers often include instructions on how to set up an account with the demand note. Some even provide help desks to make the payment process easier.
Once ransom is received, the attacker is supposed provide a decryption key, or other means of recovery. Unfortunately, this doesn’t always happen. That leaves the victim without a means of recovery and minus their ransom payment. To make matters worse, paying a ransom doesn’t prevent repeat attacks – sometimes even from the same attacker.
New Variants
Several new ransomware variants have appeared in the past year or so. Originally, attackers just encrypted data then offered a decryption key for its recovery. When contacted, the attacker might even offer proof that the data could be decrypted.
As companies became better at recovering on their own, attackers started to copy data and threaten to release it publicly. They wanted to make the world aware that the company had been compromised. The premise was that the victim might be willing to pay ransom to avoid embarrassment and other consequences like fines and restitution. As always, there was no guarantee that if the ransom was paid, the data would be destroyed or not released.
Another recent variant is for the attacker to create a large distributed denial of service (DDOS) against a company’s Internet infrastructure, promising to end the attack once the ransom is paid. This can be very effective if a large part of a company’s revenue is generated online. It also holds an advantage for the attacker — there’s no need to insert malware code into the victim’s systems.
A narrow, but effective method is target a single or small group of systems. One recent attack crippled a door entry system used by a number of hotels. The door locks became operational again once the ransom was paid. Experts say that in the future, hotels are likely to see targeted attacks against property management and point of sale systems.
The Means of Attack
Attacks typically start as a quiet malware invasion into the company’s network. Any number of vulnerabilities may be used to install the malware, but phishing attacks seem to be a very popular method. These email attacks send messages that appear to be from a trusted source. An apparently innocent attachment can carry the malware infection. However, any vulnerability that can inject malware into a system can be used. This includes drive web attacks, the recent spate of supply chain attacks, and vulnerabilities exposed in Microsoft Enterprise software.
Most ransomware attacks are designed to slowly work their way through a victim’s systems. Once in, the malware moves from system to system over a period of days, weeks or months. When finally activated, the malware begins encrypting and copying data. Often the malware works when the systems aren’t in use, so its actions go unnoticed.
How Do I Protect my Organization?
Ransomware prevention has a lot in common with general cybersecurity best practices. You need to defend your systems, detect when they’ve been infiltrated, respond to the attack and recover afterward.
Defense is all about protecting your company’s internet technology (IT) assets. This includes the data, applications and services your systems provide. A good starting point is making sure that all software, including operating systems, is updated and patched to the most current versions. This prevents attackers from using known vulnerabilities that have already been fixed.
Isolation is another defense technique. This method uses network segmentation and access control to prevent malware from jumping between systems. To enforce access control, you’ll need secure login credentials and multi-factor authentication for all privileged users, processes and systems.
Access control should follow the principle of least privilege: Limit information access to the minimum amount required to do a job. For on-premise systems, it’s important to know each component’s physical location. During an attack, you may need to physically disconnect from networks and other systems while keeping the main system working, but under observation.
Defend any data that needs protection with strong encryption before storing or transferring it. This prevents an attacker from capturing or revealing the data. Store encryption keys and access passwords in a secure data vault. They should never appear as plain text in configuration files or documentation. This should limit many common exploits and make it more difficult to move between systems.
Data defense also includes plans to routinely create secure data backups and restore them as needed. Once a plan is established, test the backup and recovery process periodically to make sure they work as expected.
To protect email against phishing, use malware scanning tools and train employees to detect and avoid the attacks. Run detection tools on each system to help find malware infections. This could include an off-the-shelf anti-malware solution, code signatures or other file system checks.
What to Do If You’re Attacked
Response and recovery plans help to ensure your IT team is ready to quickly and efficiently respond to an attack and recover from it as quickly as possible. Test the plans periodically after you put them in place.
It’s wise to consider cyber insurance when you’re thinking about recovery options. Even if you don’t pay a ransom, you may still encounter attack-related costs. These can grow quickly if company data is released and you face penalties, fines or remunerations.
Be aware that paying a ransom may encourage future attacks. Also, cyber insurance payments may encourage larger ransom demands. However, cyber-insurance companies may be more experienced negotiating with attackers to achieve a lower ransom payment.
Remember, paying an attacker doesn’t guarantee recovery and recovery by decryption may take longer than recovery based on good data backups.
