By Eleanor Barlow
Think of ransomware and the first thing that often comes to mind is the extortion of multimillion-dollar corporations. The association of ransomware with high-profile organizations, such as the National Health Service in the UK, FedEx and Nissan, is largely a product of news coverage.
But ransomware comes in all shapes and sizes. And the malware that accompanies a ransomware attack is the cause of constant concern for many IT departments of varying sizes.
What is ransomware?
So, what is ransomware, exactly? Ransomware is any type of malicious software designed to block access to a computer system until a sum of money is paid.
Ransomware has become a scary fact of life, particularly for marketers and customer operations departments that are often charged with the responsibility of the flow of data between the company and its clients. Data and its channel of flow between marketing and IT can be a particularly vulnerable pipeline that, if attacked, can lead to measurable damage to both clients and customers.
The term ransomware is relatively new. Added to the Oxford English Dictionary only three years ago, it signifies the branch of malware that demands payment after infecting a computer.
But since then ransomware has grown dramatically, both in the number of attacks and in the range of methods used to conduct them. And because the methods of attack are now so varied, we know, and can guarantee, that it is not just large organizations that are being targeted.
“Ransomware maintains its reign as the most widespread and financially damaging form of cyber-attack,” Europol director Catherine De Bolle recently declared.
Ransomware began to emerge in the early 2010s. This was mainly due to rapid improvements in the performance of PCs. Computers are now so powerful that they can encrypt their own files in a matter of hours.
Cryptocurrency has developed alongside it. That progress makes it relatively easy for threat actors to blackmail victims and receive payments without getting caught. Because a public security breach would cause mass panic and potential lawsuits, organizations will often pay off cybercriminals into anonymous cryptocurrency accounts rather than suffer the loss of client data.
How an attack works
First of all, for a ransomware attack to be possible, a breach needs to be made. To create a breach, bad actors need to target an organization or individual, and send out phishing emails.
Once a phishing email attack is successful, a malicious payload is dropped through this breach without the victim knowing. A malicious payload is the element of the attack which causes the actual harm to the victim and contains the malicious code.
Once the attacker has access to the victim’s network, the next step is data exfiltration, which is what the victim is then held to ransom over. Following this the payload is deployed. The payload is activated over time, sometimes staying inactive for months. A threat is meaningless without proof that the data has actually been stolen and is accessible to the attacker.
So, the bad actor needs to exfiltrate the victim’s data, and threatens to make this data public. By shutting down systems, or reducing access, the victim then knows that the threat is not a bluff. This usually is the catastrophic moment when the target recognizes the gravity of the situation.
Who’s experiencing attacks?
In a word…everyone. The end goal of the majority of cyberattacks is to gain access to personal and private data and, using this information, to extort money or assets of value from the victims.
Every business, no matter the size, holds something valuable that an attacker could use to their advantage, which makes every business sector a target, from finance to charities, and from education to healthcare services.
In a recent ransomware attack on London’s Hackney Borough Council, the BBC reported how ransomware attacks “are a growing problem for public services, from councils to hospitals. In such attacks, hackers take control of computer systems and data and demand payments in order to unlock them.”
The concerning issue is that, when it comes to ransomware attacks, no one knows the true number of attacks, as many victims do not report them for fear of losing money, their business, or personal or private data. This means that the number of attacks is actually far greater than the figures provided by Statista, which recorded 187.9 million cases worldwide in 2019 alone.
New York Times journalist Nathaniel Popper recently noted that “The frequency of ransomware attacks – among the scariest and most costly online assaults – has been hard to pinpoint because many victims quietly pay off their attackers without notifying authorities.”
What makes an organization vulnerable?
The statistics provided by Statista, sourced from leading managed service providers around the world, give some indication. They show the percentage of respondents who reported that:
• 67 percent of infiltrations happened via spam/phishing emails;
• 36 percent due to a lack of cybersecurity training;
• 30 percent because of weak passwords and access management;
• 25 percent due to poor user practices;
• 16 percent because of malicious websites and ads; and
• 16 percent because of clickbait.
What is evident from these statistics is that more training is required, across all organizations, in cybersecurity procedures and policies, especially when it comes to insider threats.
Many employees are completely unaware that they are a threat in the first place. Take, for instance, an employee working remotely. This employee may be sitting at a local café where they decide to work on a company-owned device. If that device was compromised without their knowledge while connected to a different Wi-Fi network, the user may be completely unaware that they are spreading malware throughout the company via their device.
To pay or not to pay?
This is purely a business decision. But it is crucial to remember, whatever the business decision is, that there is no honour amongst thieves.
Attackers are extremely sophisticated. Once they have your data, there is no guarantee that if you pay them off that your data will be given back or decrypted. There is also no guarantee that you will not be a target a second time around.
Often, once an attack has been made, the bad actor will sell the details on to associates, who come after the victim again after the initial deployment, because the payload can still be present and can be activated and deactivated.
The ironic thing is, there are state-of-the-art helplines, run by the criminals behind attacks, offering help 24/7 with the logistics of an attack.
Traditionally, bitcoin is used to pay these ransoms. But lots of people don’t know how to procure bitcoin, so they need the criminal helpline services to guide them through the payment process.
Money or time?
Monetary loss is the number one concern for the majority of businesses affected by ransomware. But it all comes down to business priorities and financial calculations. For many, the greatest cost in the event of a successful ransomware attack is downtime. The cost of retrieving the encrypted data and making it accessible again can add up quickly and, for a large business, downtime can prove to be more costly than the initial ransomware payment itself.
Sometimes victims speak out, but this does not always end well. Take Travelex, the currency exchange company, for instance. Following an attack by the Sodinokibi ransomware, $6 million was demanded in exchange for 5GB of personal data. Since the attack, Travelex has fallen into bankruptcy, with PwC saying that the “foreign exchange firm was acutely impacted by COVID and the recent cyber-attack.”
We can debate the merits and drawbacks of paying a ransom, based upon the cost of the attack, at length. But at the end of the day, the chief concern of the organization will be either the cost of restoration or the ransom amount demanded, which is why the methods used to react to a ransomware attack will differ between organizations.
In the end, the best way to respond to a ransomware attack is to avoid having one in the first place. Back up data regularly. Scan the network infrastructure for vulnerabilities and apply the latest security patches to avoid ransomware infection. That way, if attacked, you can ensure that your downtime and data loss will be minimal.
Here your employees are key. Educate them on the latest email phishing scams and social engineering. Give your staff the right training, so that they are aware of their security, the security of the devices and data they process and the procedures and policies they need to maintain.
Eleanor Barlow is the content manager at SecurityHQ, an advanced managed security service provider delivering engineering-led solutions to clients around the world.
How to Avoid Being a Ransomware Target
• Back up your computers and servers regularly;
• Secure mapped network drives with a password and access control restrictions;
• Avoid handling files or URL links in emails, chats or shared folders from untrusted sources;
• Update your anti-virus solutions with the latest virus definitions;
• Keep your operating systems, networks and security devices at the current release patch update;
• Run software with the least privileges;
• Monitor your endpoints 24/7 by deploying endpoint detection and response (EDR) technology to detect advanced cyberattacks;
• Have a business continuity plan in place to endure user downtime;
• Align with better IT security practices and tools; and
• Take out insurance policies that cover costs in case of an attack.
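The EDR item above names the detection goal but not a method. As an added example (not from the article or from SecurityHQ), here is one simple heuristic a defender could run over endpoint file-write telemetry: a process that renames many files to a new extension and fills them with high-entropy content within a short window looks like it is encrypting them. The event format, thresholds, process names and sample events are all constructed for this example.

```python
import math
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Thresholds are assumptions chosen for this example, not figures from the article.
WINDOW = timedelta(seconds=60)  # look-back span per process
BURST_THRESHOLD = 5             # suspicious writes within WINDOW before alerting
ENTROPY_THRESHOLD = 7.0         # bits per byte; well-encrypted data approaches 8.0

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input); ciphertext scores near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def is_suspicious_write(old_name: str, new_name: str, content: bytes) -> bool:
    """A write looks like encryption when the file gains a new extension
    and the content written has no structure left (high entropy)."""
    old_ext = old_name.rsplit(".", 1)[-1] if "." in old_name else ""
    new_ext = new_name.rsplit(".", 1)[-1] if "." in new_name else ""
    return old_ext != new_ext and shannon_entropy(content) >= ENTROPY_THRESHOLD

def detect_encryption_bursts(events):
    """events: iterable of (timestamp, process, old_name, new_name, content).
    Returns the processes with BURST_THRESHOLD or more suspicious writes
    inside any WINDOW-long span; a single archive job stays below it."""
    recent = defaultdict(list)  # process -> timestamps of its suspicious writes
    flagged = set()
    for ts, proc, old_name, new_name, content in sorted(events, key=lambda e: e[0]):
        if not is_suspicious_write(old_name, new_name, content):
            continue
        recent[proc] = [t for t in recent[proc] if ts - t <= WINDOW] + [ts]
        if len(recent[proc]) >= BURST_THRESHOLD:
            flagged.add(proc)
    return flagged

# Constructed sample events (not real telemetry): an unknown process renames six
# documents to .locked with ciphertext-like content within six seconds, Word saves
# six documents normally, and a backup job writes one compressed copy.
T0 = datetime(2021, 1, 1, 9, 0, 0)
CIPHER_LIKE = bytes(range(256)) * 4           # every byte value equally common
PLAIN_LIKE = b"Quarterly sales report, draft 3. " * 32
SAMPLE_EVENTS = (
    [(T0 + timedelta(seconds=i), "unknown_proc.exe", f"docs/report{i}.docx",
      f"docs/report{i}.docx.locked", CIPHER_LIKE) for i in range(6)]
    + [(T0 + timedelta(seconds=i), "winword.exe", f"docs/memo{i}.docx",
        f"docs/memo{i}.docx", PLAIN_LIKE) for i in range(6)]
    + [(T0, "backup.exe", "docs/archive.tar", "docs/archive.tar.gz", CIPHER_LIKE)]
)
```

Calling `detect_encryption_bursts(SAMPLE_EVENTS)` flags only the unknown process; the backup job's single compressed write and Word's in-place saves stay below the threshold.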