What is Ransomware?
Ransomware is malware designed to encrypt data, thereby denying a user or organization access to the files on their computers or servers. Once the malware has encrypted the files, the cybercriminal demands a ransom, to be paid in bitcoin so that it cannot be traced, and the victim hopes that the decryption keys will be sent and will unlock the unusable files.
Ransomware is surprisingly simple; cybercriminals look for weaknesses in an organization’s infrastructure or within its Human Firewall – its employees. It takes just one individual clicking on a link for the damage to begin. Ransomware continues to be big business, and it is very costly to organizations. It has become such a huge and catastrophic problem that it is being compared to the 9/11 attacks. The problem with most organizations is that they think ransomware will only happen to other organizations. WRONG! Any one of us is vulnerable to this attack.
Ransomware by the Numbers
Cybercrime has exploded: 75% of organizations infected with ransomware claimed they were running up-to-date endpoint protection. According to the FBI’s 2020 Internet Crime Report, the Internet Crime Complaint Center (IC3) received 2,474 complaints identified as ransomware, representing adjusted losses of over $29.1 million.
Ransomware criminals carry out more than 4,000 attacks per day, and 1 in every 3,000 emails that pass through filters contains malware. It is almost impossible for organizations to stay one step ahead of cybercriminals. When they are hit with ransomware, there is an average of 19 days of downtime and an average payout of over $300,000. Globally, the cost of ransomware is expected to exceed $20 billion.
Ways Cyber Criminals Use Ransomware
Cybercriminals use numerous techniques to infect victims with ransomware. The most common means of infection include:
Email Phishing Campaigns
Cybercriminals will often send an email containing a malicious file or a link that deploys the malware when a recipient clicks. Historically, cybercriminals used generic, broad-based spamming strategies to deploy their malware, although over time these have matured into more targeted and sophisticated attacks. Criminals may also compromise a victim’s email account using precursor malware, which lets the cybercriminal use that account to spread the infection further.
Remote Desktop Protocol
Remote Desktop Protocol (RDP) is a proprietary network protocol that allows individuals to control the resources and data of a computer over the Internet. While most organizations have (hopefully) disabled this feature because of security concerns, plenty of organizations and individuals still have it enabled, since it is a default setting.
Cybercriminals have used both brute-force methods – a technique using trial-and-error to obtain user credentials – and credentials purchased on dark web marketplaces to gain unauthorized RDP access to victims’ systems. Once they have RDP access, criminals can deploy a range of malware – including ransomware – to the entire system.
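The brute-force pattern described above leaves a trail of failed logons on the target. As an added example (not from the original article), the following Python flags that pattern from Windows Security event 4625 records; the log lines are constructed, and the threshold and window are assumed values a defender would tune.

```python
# Added example (not from the original article): flag RDP brute-force attempts by
# counting failed RemoteInteractive logons (event 4625, LogonType 10) per source IP.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, one per line; field names follow the 4625 schema.
SAMPLE_LOG = """\
2021-06-01T02:00:01 EventID=4625 IpAddress=203.0.113.7 TargetUserName=administrator LogonType=10
2021-06-01T02:00:09 EventID=4625 IpAddress=203.0.113.7 TargetUserName=admin LogonType=10
2021-06-01T02:00:18 EventID=4625 IpAddress=203.0.113.7 TargetUserName=administrator LogonType=10
2021-06-01T02:00:40 EventID=4625 IpAddress=198.51.100.5 TargetUserName=jsmith LogonType=10
2021-06-01T02:00:55 EventID=4625 IpAddress=203.0.113.7 TargetUserName=backup LogonType=10
2021-06-01T02:01:03 EventID=4625 IpAddress=203.0.113.7 TargetUserName=admin LogonType=10
2021-06-01T02:01:30 EventID=4625 IpAddress=203.0.113.7 TargetUserName=administrator LogonType=10
2021-06-01T02:05:20 EventID=4625 IpAddress=203.0.113.9 TargetUserName=svc_sql LogonType=3
2021-06-01T02:05:21 EventID=4625 IpAddress=203.0.113.9 TargetUserName=svc_sql LogonType=3
2021-06-01T02:05:22 EventID=4625 IpAddress=203.0.113.9 TargetUserName=svc_sql LogonType=3
2021-06-01T02:05:23 EventID=4625 IpAddress=203.0.113.9 TargetUserName=svc_sql LogonType=3
2021-06-01T02:05:24 EventID=4625 IpAddress=203.0.113.9 TargetUserName=svc_sql LogonType=3
"""

LINE_RE = re.compile(r"(?P<ts>\S+) EventID=4625 IpAddress=(?P<ip>\S+) "
                     r"TargetUserName=(?P<user>\S+) LogonType=(?P<type>\d+)")

def parse_failed_logons(text):
    """Yield one dict per well-formed 4625 line; other lines are ignored."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield {"ts": datetime.fromisoformat(m["ts"]), "ip": m["ip"],
                   "user": m["user"], "type": int(m["type"])}

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Map source IP -> {attempts, accounts} for IPs with >= threshold failed RDP logons in any window."""
    recent = defaultdict(deque)   # per-IP sliding window of recent failures
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] != 10:      # type 3 (network) failures are a different signal
            continue
        q = recent[ev["ip"]]
        q.append(ev)
        while ev["ts"] - q[0]["ts"] > window:   # evict failures older than the window
            q.popleft()
        if len(q) >= threshold:
            hit = alerts.setdefault(ev["ip"], {"attempts": 0, "accounts": set()})
            hit["attempts"] = max(hit["attempts"], len(q))
            hit["accounts"].update(e["user"] for e in q)   # spraying shows as many accounts
    return alerts
```

On the constructed data only 203.0.113.7 trips the rule (six failures across three accounts in under two minutes); the single mistyped password from 198.51.100.5 and the network-logon failures from 203.0.113.9 do not.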
Cybercriminals have always taken advantage of security weaknesses in widely used software programs to gain control of victims’ systems and deploy ransomware. All successful ransomware has one thing in common: a delivery message that convinces the victim to pay the ransom.
Cyber-psychologist Dr. Lee Haddington suggests that these screens rely on common social engineering techniques such as urgency (“pay up before I raise the price of the key”), fear (“if you don’t pay, you’ll never see your data again”), authority (“pay because I said you have to”) and sometimes helpfulness (“let me know if you need help making the payment”).
Methods Are Evolving
Today, we see ransomware in the news almost daily. The Russians have made these types of attacks their favorite pastime. What are we to do to stop the innumerable attacks on our critical infrastructure that we deal with on a daily basis?
Some say the government should step in, but keep in mind these infrastructures are owned by the private sector. Look at the attack on the Colonial Pipeline; it caused chaos with fuel shortages and sent gas prices soaring. This company is privately owned, and it is tricky for the government to step in and tell them what to do when it comes to securing their organization.
Now, we are watching ransomware as a service (RaaS) explode. Keep in mind that, just like software as a service (SaaS) products, RaaS gives cheaper and easier access to these types of malicious programs, for a smaller fee than the cost of custom development.
Preventing a Ransomware Attack
Once you begin to understand “what is ransomware,” examining prevention methods is the next step. Best practices for preventing a ransomware attack address both humans and technology. One without the other will leave your IT infrastructure with undue risk.
Train All Staff
Training is the most effective way to combat the risks of downloading ransomware from phishing emails, social media, etc. Teach all employees how to spot suspicious messages, dangerous websites, and questionable links and attachments. If they know what to look for, they are more likely to ignore their sense of curiosity, as well as risky links and attachments, and to recognize false claims that should be reported.
Backup Everything and Protect Your Backups
The more barriers there are between your daily-use system and your backups, the better protected you will be. Having a reliable backup and tested restoration procedure is your best chance of restoring your data and getting your business up and running again.
Experts recommend maintaining multiple backup copies, with at least one kept off-site. Putting a backup copy in a bank vault every 6 to 12 months is a great strategy. In addition, set permissions so that your backup files have different authentication requirements and cannot be modified or deleted, and periodically test restoring data from them.
Create An Incident Response and Recovery Plan (IR)
An essential component of any IT security program is to document beforehand the measures the organization will take to reduce the impact of a cybersecurity attack. The plan should outline details like roles and responsibilities, lines of communication, terms of escalation and response procedures, noting any details specific to the type of situation. The U.S. National Institute of Standards and Technology (NIST) has a Computer Security Incident Handling Guide that is a good place to get ideas or a template if your organization has not yet drafted its own version.
What if You Get Attacked?
If you receive a ransomware demand message, the first step is to contact your IT department. They should have an incident response plan with directions for dealing with a malware or ransomware attack. Since there are multiple types of ransomware, they will be able to determine which type you have (actual encrypting ransomware, a screen locker or just a fake message) and the best way to deal with it. Recognizing and not responding to these tactics is one step toward protecting yourself and your organization.
Once the IT staff has evaluated the situation, if necessary, they will take you through disconnecting your machine and peripherals from both wired and wireless networks and then removing the ransomware.
The most destructive types of ransomware can infect a computer or network and lie in wait for days, weeks or even months before deploying. Hidden copies on other machines and timers or lateral expansion settings can complicate the removal process. Therefore, it is critical for someone with training to evaluate the problem before attempting decryption or removal.
If you do suffer an attack, security experts still advise NOT to pay the ransom. It may seem to be the quickest and easiest solution, but there are numerous instances of decryption keys that did not work, leaving the victim out of the cash and still without their data.