20 Steps to Prevent a Ransomware Nightmare
Ransomware attacks can shut down network access, block internal operations, and seriously damage a company’s reputation. Mindful businesses would be wise to take the critical steps needed to effectively evade ransomware and its aftermath.
Read this white paper for proactive steps to protect your enterprise today.
The phrase “ransomware” conjures all sorts of terrifying associations—from networks being locked down by a shadowy organization to hackers breaking encryption protocols to infiltrate your computer.
The threat looms even larger for big networks or organizational IT systems. Ransomware attacks can shut down network access, block internal operations, and seriously damage a company’s reputation. Attacks like those launched last year against Colonial Pipeline and Kaseya have shown that no company is safe. The Colonial Pipeline attack cost the company $4.4 million (some of which was recovered), while the Kaseya attackers initially demanded $70 million.
Organizations must invest time and effort in training employees on the safe use of corporate software, implement reliable security and data storage systems, and maintain flexible network configuration tools.
What is Ransomware
Ransomware is malware created to lock down a system and extract a ransom from the person or company in exchange for regaining access to it. Once inside the network, the malware encrypts and locks the most important files so that further system operation is paralyzed.
Unfortunately for end users, as computing power has increased, so too has the power of the tools used by these malicious actors. When ransomware first appeared, it used symmetric encryption, and decryption tools worked quite well against it. Modern malicious programs use asymmetric encryption, so the key needed to decrypt never has to leave the attackers and decryption becomes very difficult.
The success of individual ransomware has led to this attack technology being adopted by hacker groups around the world. Ransomware is offered as a service (RaaS) available for ordering on the dark web. Ransomware has also found its way into the arsenal of groups employing the “advanced persistent threat” (APT) attack, which targets the network infrastructure of companies. The APT technique involves a variety of covert attacks, most of which are not easy to detect right away. The minimum period for their detection is usually one to two weeks, and during this time cybercriminals can cause serious damage.
The situation is complicated by the fact that modern ransomware increasingly accesses and exfiltrates sensitive network data before encrypting it. Attackers can therefore also threaten an organization with the disclosure of that data. As a result, the organization is exposed to the risk of a double extortion attack: hackers may return with further demands, threatening to release what they have already stolen.
How Ransomware Works
Ransomware, like any other malware, breaks into networks using traditional types of infiltration:
- Emails and instant messages containing suspicious links, social engineering methods (baiting, honey traps, scareware), phishing, and malicious sites.
- Software and remote desktop protocol vulnerabilities. With the transition to remote work and the reliance on remote desktop software, the number of malicious emails jumped by 600% in the first few months of the pandemic alone.[1] Similarly, as organizations move to hybrid setups or cloud storage systems, vulnerabilities associated with the cloud are being exposed.
Without the use of a network segmentation policy (more on this below), attackers are free to roam the network, infecting endpoints and servers, and demanding a ransom for regaining access to data.
Email attacks, which allow ransomware to enter a network, are difficult to stop. Attackers can trick even experienced users into clicking on an expected link (such as a financial report) or on a photo purporting to come from someone the employees know. It may even be a document that appears to have been forwarded by the boss. These may be emails sent to millions of potential victims or targeted messages to a specific person in a specific organization. The latter are usually combined with social engineering, through which cybercriminals collect the necessary information about the victim in advance. These attacks depend on the weakest link in the security chain: the fallible human element. Therefore, organizations must take all necessary training measures to minimize potential attacks.
After a successful attack, the attackers inform their victims that their data is encrypted. To access the decryption key, the victim must make an immediate payment, often in cryptocurrency, which obscures the attacker’s identity. You will know that you are a victim of ransomware if a pop-up window appears on your desktop, or a readme.txt file appears, that reads something like this: “Your files have been encrypted and are now inaccessible. You will lose all your information on X date if you do not pay X amount in bitcoins.” There may also be a postscript such as: “IMPORTANT! All your files are encrypted with RSA-2048 and AES-256 algorithms.”
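A defender-side triage check built from the two indicators this paragraph describes (an added example, not code from the white paper): it flags files whose text matches the ransom-note wording quoted above and measures how many of the remaining files consist of near-random bytes, which is what bulk encryption leaves behind. The file names, note patterns and sample contents are constructed for the example.

```python
import math
import re
from collections import Counter

# Phrases matching the ransom-note wording quoted above (constructed, not a vendor signature set).
NOTE_PATTERNS = [
    re.compile(r"your files have been encrypted", re.I),
    re.compile(r"pay .{0,40}bitcoin", re.I),
    re.compile(r"encrypted with rsa-\d+", re.I),
]
NOTE_FILENAME = re.compile(r"^(readme|how_to_(decrypt|restore)|decrypt).*\.txt$", re.I)
HIGH_ENTROPY = 7.5  # bits per byte: plain documents sit around 4-5, ciphertext close to 8

def looks_like_ransom_note(name: str, text: str) -> bool:
    """Two note phrases, or a typical note filename plus one phrase, flags the file."""
    hits = sum(1 for p in NOTE_PATTERNS if p.search(text))
    return hits >= 2 or (hits == 1 and NOTE_FILENAME.match(name) is not None)

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means every byte value occurs equally often."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage(files: dict) -> dict:
    """files maps path -> raw bytes; reports notes found and the share of other files that look encrypted."""
    notes, encrypted, others = [], [], 0
    for path, data in files.items():
        text = data.decode("utf-8", errors="replace")
        if looks_like_ransom_note(path.rsplit("/", 1)[-1], text):
            notes.append(path)
            continue
        others += 1
        if shannon_entropy(data) > HIGH_ENTROPY:
            encrypted.append(path)
    ratio = len(encrypted) / others if others else 0.0
    return {"notes": notes, "high_entropy": encrypted, "encrypted_ratio": ratio,
            "likely_ransomware": bool(notes) and ratio >= 0.5}

# Constructed sample share: one note, two files of near-random bytes, one untouched document.
SAMPLE_FILES = {
    "share/readme.txt": (b"Your files have been encrypted and are now inaccessible. You will "
                         b"lose all your information on X date if you do not pay X amount in "
                         b"bitcoins. IMPORTANT! All your files are encrypted with RSA-2048."),
    "share/q3-report.xlsx.locked": bytes(range(256)) * 16,
    "share/contract.docx.locked": bytes(range(255, -1, -1)) * 16,
    "share/notes.txt": b"Quarterly planning meeting notes, action items and owners. " * 40,
}
```

Run `triage(SAMPLE_FILES)` to see both signals; on a real share, feed it the first few kilobytes of each file rather than whole files.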
Thankfully, since cryptocurrency transactions do not hide the wallet address, attackers can sometimes be traced. For example, in the United States, authorities were able to recover part of the ransom after the ransomware attack on the Colonial Pipeline company in May last year, committed by the DarkSide hacker group.[2] This is not the norm, however, and companies should not expect to get their ransom payment back.
If a company does not pay within the initial period (usually 48 to 72 hours), attackers are not shy about increasing the ransom and often threaten to delete or compromise data. Of course, in such cases, you can turn to cybersecurity specialists in the hope that they will find a way to recover data. Such options are possible but unlikely.
Modern ransomware also often contains data extraction tools, so sensitive information such as usernames and passwords can simply be stolen.
For all these reasons, the best practice is to proactively prevent ransomware from intruding into the network. And because the breaches in the network mostly happen through unsuspecting users, one of the main tasks in preventing these attacks is training personnel.
Equally important is email and network security, and the network must include a reliable backup program. Fresh copies of the data, which can always be returned in the event of a destructive cyberattack, must be created at least daily.
Here are some critical steps organizations must take to effectively evade ransomware and its aftermath:
Ransomware in Recent Years
Researchers from the Beazley Group note that until four years ago, reports from customers about ransomware attacks were infrequent. At the time, these cases usually involved data encryption, but not access or exfiltration. Today, however, the frequency of ransomware attacks has increased significantly, and the additional threat of data leakage makes such attacks much more destructive. As early as 2019, ransomware variants like Ryuk and Sodinokibi were increasingly being launched in tandem with banking trojans like Trickbot and Emotet. And cybercriminals are getting smarter every day; in some cases, the attacks resulted in the suspension of hundreds of clients’ operations.
At the same time, the targets of these attacks were not random. The criminals calculate the probability of receiving a ransom from the attacked company and the damage the company would suffer if its entire client base and business were to disappear because of the attack. Consequently, ransomware attacks on healthcare businesses are on the rise, due to the sensitive nature of patient data and the critical impact on patient care. According to Beazley research, companies in the healthcare sector were the most affected (35% of the total) by ransomware attacks, followed by financial institutions (16%), educational institutions (12%), professional services (9%), and retailers (7%). The total number of attacks increased by 130% in 2020 compared to 2019.
Ransomware has become one of the biggest cybersecurity threats in the world.[5] As early as 2016, the total amount of ransom demanded by ransomware creators approached the annual criminal turnover of $1 billion—and that’s just in the U.S. As with the Beazley research, Malwarebytes also considers healthcare and financial services to be the most vulnerable to ransomware.
IBM research has determined that:
- Only 38% of government employees are trained to prevent ransomware attacks.
- Only 29% of small businesses have experience with ransomware.[6]
- Additionally, 81% of all ransomware attacks occur in corporate infrastructure.
- 62% of attacks occur in small and medium-sized businesses.[7]
These statistics demonstrate the existence of a widespread, equal opportunity threat that continues to grow.
What to Do if You Become a Victim of Ransomware
No one is immune from these attacks, and even the best-laid plans can have security gaps. If your organization is a victim of such an attack, here are some things to remember.
First, focus on getting your organization back to normal by restoring systems from backups. This may take several days, and it’s important to remember that any changes made since the last backup before the attack will be lost. Find out when your data was corrupted to make sure you are restoring from a malware-free backup copy.
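An added example (not from the white paper) that turns two of the paper's requirements into a checkable routine: that backups are taken at least daily, and that you restore only from a copy taken before the malware could have been present. The snapshot catalogue, labels and times are constructed; the dwell-time margin is an assumption that accounts for the detection lag the paper notes for APT-style intrusions.

```python
from datetime import datetime, timedelta

# Constructed backup catalogue as (snapshot time, label); a real one comes from the backup tool.
BACKUPS = [
    (datetime(2022, 3, 1, 1, 0), "nightly-0301"),
    (datetime(2022, 3, 2, 1, 0), "nightly-0302"),
    (datetime(2022, 3, 4, 1, 0), "nightly-0304"),  # the 3 March run was missed
    (datetime(2022, 3, 5, 1, 0), "nightly-0305"),
    (datetime(2022, 3, 6, 1, 0), "nightly-0306"),
]
REQUIRED_CADENCE = timedelta(hours=24)  # "at least daily", as the paper requires

def cadence_gaps(backups, max_gap=REQUIRED_CADENCE):
    """Pairs of consecutive snapshot labels whose spacing breaks the daily cadence."""
    ordered = sorted(backups)
    return [(a[1], b[1]) for a, b in zip(ordered, ordered[1:]) if b[0] - a[0] > max_gap]

def choose_restore_point(backups, first_bad_iso, dwell_days=0):
    """Newest snapshot taken before the attacker could have been present.

    first_bad_iso is when malicious activity was first observed; dwell_days is the
    assumed undetected presence before that (the paper cites one to two weeks for
    APT-style intrusions). Returns (label, hours of work lost) or (None, None)."""
    first_bad = datetime.fromisoformat(first_bad_iso)
    cutoff = first_bad - timedelta(days=dwell_days)
    clean = [b for b in backups if b[0] < cutoff]
    if not clean:
        return None, None  # every snapshot may already carry the malware
    taken, label = max(clean)
    return label, (first_bad - taken).total_seconds() / 3600

if __name__ == "__main__":
    print("cadence gaps:", cadence_gaps(BACKUPS))
    print("restore from:", choose_restore_point(BACKUPS, "2022-03-05T14:30", dwell_days=1))
```

The hours-lost figure is the window of changes the paragraph warns will be lost; widening the dwell margin trades a larger window for more confidence that the restored copy is clean.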
It may be possible to restore files on individual systems using the built-in file versioning service, which essentially lets you “go back in time” and restore them to an unencrypted state. Some ransomware variants block this possibility, so this method may not work. If the ransomware variant that attacked you was implemented with ad hoc encryption, it may be possible to recover data: security vendors release decryption tools that generate the keys and decrypt files for ransomware families whose encryption has been broken. Check to see what may be available for your particular instance.
Unfortunately, these “free” solutions do not always solve the problem, and it may be necessary to have a conversation about whether your organization is willing or able to pay the ransom. While this is obviously not ideal, it is good to know that, in the end, 99% of all payments to intruders lead to obtaining the necessary decryption key and restoring all data. Do keep in mind, however, that paying criminals encourages their actions and makes future attacks more likely. Decryption is also slow and in many cases only partially successful; part of the damaged data often cannot be restored. As you consider your organization’s situation, vulnerabilities, and security protocols, take the time to consider these points. Ultimately, network security is only as good as the weakest link, and prevention is much easier than dealing with the consequences. Give us a call or visit our website to learn more about how we can help you brave this internet-driven business world. To learn more about how SDG can help your organization secure its cyber assets, visit www.sdgc.com.
1. Get your organization back to normal by restoring systems from backups
2. Check to see what decryption tools may be available for your particular instance
3. If the “free” solutions aren’t solving the problem, have the conversation about whether your organization is willing or able to pay the ransom