The internet is fraught with peril these days, but nothing strikes more fear into users and IT security pros than the threat of ransomware.
A ransomware attack is about as bad as a cyber attack can get. It can shut down your business – in the case of healthcare organizations that can be life-threatening for patients – damage your reputation with customers and employees, and invite further attacks as cybercriminals view your organization as an easy mark.
Here, then, is a comprehensive look at ransomware, what it is, how to prevent it, and what to do if you become one of its unfortunate victims.
- What is ransomware?
- How ransomware works
- Preventing ransomware
- Ransomware attacks and costs
- Ransomware types
- Anti-ransomware products
- Ransomware response
What is ransomware?
You know you’re the victim of ransomware if your desktop has a message that reads something like:
“!!! IMPORTANT INFORMATION !!! All of your files are encrypted with RSA-2048 and AES-128 ciphers.”
Or you might see a readme.txt stating, “Your files have been replaced by these encrypted containers and aren’t accessible; you will lose your files on [enter date] unless you pay $2500 in Bitcoin.”
Ransomware is pretty simple: malware is installed covertly on a system and executes a cryptovirology attack that locks or encrypts valuable files on the network. Without a comprehensive network segmentation or microsegmentation policy, malicious actors can also move laterally within your organization’s network, infect endpoints and servers, and demand a ransom for access to your data.
How ransomware works
The most common way for criminals to infect an organization is by sending an email with a malicious link or attachment that an employee clicks on unwittingly to initiate an attack. These may be emails sent to millions of potential victims or targeted emails sent to a specific person in a particular organization.
Attackers inform the victim that their data is encrypted. To obtain the decryption key, the victim must pay promptly, often in a cryptocurrency that shields the attacker’s identity. If the ransom is not paid within an initial period, usually 72 hours, attackers have no shame in raising it, and they often threaten to delete your data as well. And since you cannot expect good-faith negotiations, there is no guarantee the attacker will supply the key after payment.
Ransomware frequently includes data exfiltration capabilities that can steal critical information such as usernames and passwords, so stopping ransomware is serious business. Because these attacks exploit unsuspecting users, preventing them requires both staff training and robust email and network security, including a strong backup program so you always have a recent copy of your data to roll back to.
Here’s an example of a ransom note you might find in encrypted folders if you’ve been a victim of a Ryuk ransomware attack (source: Symantec):
The email attack vector can make ransomware a difficult problem to stop. If the attacker is determined, it is almost impossible to prevent them from finding a way to entice an employee. Attackers can fool even sophisticated users into clicking on an invoice they are expecting, or a photograph that is ostensibly from someone they know, or a document that appears to have come from their boss. Organizations should prepare for the worst and take all necessary steps to minimize the potential impact.
Preventing ransomware
There are many steps organizations can take to prevent ransomware, with varying degrees of effectiveness. Below we outline 18 industry tips for actions you can take to reduce your risk of a ransomware attack:
1. Staff Awareness. Raising awareness about ransomware is a baseline security measure, but it only takes one employee lowering their guard for an organization to be compromised. Because training alone cannot cover every potential attack, additional technical controls are imperative.
2. Spam Filter. Cybercriminals send millions of malicious emails to organizations and users at random, but an effective spam filter that continually adapts alongside a cloud-based threat intelligence center can prevent more than 99% of them from ever reaching employees’ desktops.
3. Configure Desktop File Extensions. Employees should be trained not to double-click executable files with a .exe extension. However, Windows hides file extensions by default, allowing a malicious executable such as “evil.doc.exe” to appear to be a Word document called “evil.doc”. Ensuring that extensions are always displayed goes a long way toward countering that kind of threat.
4. Restrict Use of Elevated Privilege. Ransomware can only encrypt files that are accessible to the user account it runs under, unless it includes code that elevates that user’s privileges as part of the attack; that is where patching and zero trust come into play.
5. Promptly Patch Software. It’s a basic security precaution to keep all software updated with the latest security patches, but it bears repeating because breaches continue to result from delayed updates. Just in 2020, the SolarWinds hack could have been prevented for organizations that promptly patch software.
6. Zero Trust. Moving toward zero trust offers visibility and control over your network, including stopping ransomware. The next three actions (prioritize assets and evaluate traffic, microsegmentation, and adaptive monitoring) are central steps of a zero trust architecture and greatly reduce your risk of an attack.
7. Prioritize Assets and Evaluate Traffic. Using inventory tools and IOC lists, an organization can identify its most valuable assets or segments. This full picture shows staff how an attacker could infiltrate the network, gives needed visibility into traffic flows, and gives your team clear guidelines on which segments need added protection or restrictions.
8. Microsegmentation. Microsegmentation is the ultimate solution to stopping lateral movement. By implementing strict policies at the application level, segmentation gateways and NGFWs can prevent ransomware from reaching what’s most important.
9. Adaptive Monitoring and Tagging. Once micro-perimeters surround your most sensitive segments, ongoing monitoring and adaptive technology are needed. This includes active tagging of workloads, threat hunting, virus assessments, and consistent evaluation of traffic for mission-critical applications, data, or services.
10. Utilize a CASB. A cloud access security broker (CASB) can help manage policy enforcement for your organization’s cloud infrastructure. CASBs add visibility, compliance, data security, and threat protection for your data.
11. Rapid Response Testing. In the event of a successful breach, your team must be ready to restore systems and recover data. This means pre-assigning roles and ensuring a plan is in place.
12. Sandbox Testing. A common way for security analysts to test new or unrecognized files is in a sandbox. Sandboxes provide a safe environment, disconnected from the wider network, for testing the file.
13. Update Anti-Ransomware Software. As noted, consistently updating network software is critical. This is especially true for your existing intrusion detection and prevention system (IDPS), antivirus, and anti-malware.
14. Offline Backups. Virtual backups are great, but if you’re not also storing backups offline, you risk losing that data. This means regular backups, multiple copies saved, and monitoring to ensure backups hold true to the original. Restoring data after an attack is often your best approach.
15. Update Email Gateway. All email for your network typically travels through a secure email gateway. Keeping this server updated lets you monitor email attachments, websites, and files for malware, and the resulting visibility into the attacks trending against your organization helps inform staff of what to expect.
16. Block Ads. All devices and browsers should have extensions that automatically block pop-up ads. Given how extensively the internet is used, malicious ads pose a long-lasting threat if not blocked.
17. Bring-Your-Own-Device (BYOD) Restrictions. If you have remote staff or just a loose policy on which devices may access the network, it might be time to crack down. Unregulated use of new or unique devices poses an unnecessary risk to your network. Enterprise mobility management (EMM) is one solution.
18. Forensic Analysis. After any detection of ransomware, investigate its entry point and time in the environment, and confirm that it has been fully removed from all network devices. From there, the task of ensuring it never returns begins.
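To make the file-extension tip above concrete, here is an added Python example (not code from the original article) that models how Explorer shortens a name when “Hide extensions for known file types” is on, and flags attachments whose displayed name looks like a document while the real, final extension is executable. The extension lists are the example’s own assumptions and go beyond the single .exe case the text mentions.

```python
import os

# Assumed lists for the example; a real gateway or endpoint policy would maintain its own.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".ps1", ".msi", ".pif"}
DOCUMENT_EXTENSIONS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".jpg", ".png", ".txt"}


def explorer_display_name(filename: str, hide_extensions: bool = True) -> str:
    """Name Explorer shows: with extension hiding on, only the final extension is dropped,
    so 'evil.doc.exe' is displayed as 'evil.doc' while 'invoice.pdf' becomes 'invoice'."""
    if not hide_extensions:
        return filename
    stem, ext = os.path.splitext(filename)
    return stem if ext else filename


def is_disguised_executable(filename: str) -> bool:
    """True when the real extension is executable but the displayed name ends in a document-like extension."""
    _, real_ext = os.path.splitext(filename)
    _, shown_ext = os.path.splitext(explorer_display_name(filename))
    return real_ext.lower() in EXECUTABLE_EXTENSIONS and shown_ext.lower() in DOCUMENT_EXTENSIONS


def audit(filenames) -> list:
    """(real name, displayed name) for every file that would masquerade as a document on a default desktop."""
    return [(f, explorer_display_name(f)) for f in filenames if is_disguised_executable(f)]


if __name__ == "__main__":
    # Constructed attachment names for the demonstration.
    for real, shown in audit(["evil.doc.exe", "holiday.jpg.scr", "evil.doc", "setup.exe", "Q3.xlsx"]):
        print(f"{real!r} would be shown as {shown!r}")
```

Run against a mail attachment listing, the audit reports only the names whose displayed form is misleading; a plain `setup.exe` is still an executable but is not disguised, which is why extension display rather than name filtering is the underlying fix.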
Ransomware attacks and costs
In the last decade, we’ve seen ransomware attacks increase exponentially. As organizations move toward cloud environments, vulnerabilities rooted in vast internet communications are coming to light.
Toward the end of 2020, Comparitech collected and shared dozens of insights into ransomware figures and trends over the last few years. To understand the extent of ransomware, we encourage you to review the following stats, facts, and recent attacks. We also look into the most dangerous strains today and predictions for 2021.
- Ransomware attacks increased by 130% in 2020 (Beazley Group)
- Almost 40% of victims pay the ransom (Malwarebytes)
- Only 38% of state and local government employees are trained for ransomware prevention, and only 29% of small businesses have experience with ransomware (IBM)
- Criminals fail to decrypt data after payment only 1% of the time (Sophos)
- Enterprise ransomware accounts for 81% of total infections, and by market segment, 62% are small to medium-sized businesses (Symantec)
- Healthcare and financial services are the most attacked industries
- Losses for business averaged $2,500 per incident, and ransom demands average $13,000 (Comparitech)
- The FBI estimates ransom payments per year exceed $1 billion (Datto)
- Others go further in estimating ransomware will cost as much as $6 trillion per year starting in 2021 (Cybersecurity Ventures)
- Ransomware is particularly threatening to MSPs as any downtime often leads to a loss in clients (NinjaRMM)
- In 2019, Danish company Demant paid $85 million after losing access to 22,000 computers in 40 countries.
- In 2019, the municipal government of New Orleans was forced to declare a state of emergency and paid over $7 million.
- In 2020, Travelex, the world’s largest money-exchange franchise, paid $2.3 million after its internal network, website, and app were taken offline by attackers.
- In 2020, the Baltimore city government lost over $18 million in value, and the Baltimore school system continues to struggle from the lockout.
- In 2020, California-based entertainment and media law firm Grubman Shire Meiselas & Sacks saw 756GB of private documents threatened and a $42 million demand.
Ransomware types
Through the years, we’ve seen several strains of ransomware make headlines: CryptoLocker in 2013, Locky in 2016, WannaCry and Hermes in 2017, GandCrab in 2018, and now, Ryuk joins the pack of notable names in criminal malware. In this new decade, the Ryuk ransomware remains the most dangerous strain.
The Ryuk ransomware family spawned in 2018 from a sophisticated Russia-based cybercrime group. Like Samas and BitPaymer ransomware, Ryuk targets large organizations with high ransom demands. But what distinguishes Ryuk’s deadliness is its military-grade levels of encryption, ability to delete shadow copies on the endpoint, and encrypt network drives and resources. Without external backups or rollback technology, recovery is impossible.
Ransomware attacks will only increase because of their success. Some predictions:
- Increased attacks on remote workers and personal devices
- Increased attacks on high-net-worth individuals and Internet of Things (IoT) devices (McAfee)
- Streamlined ransomware-for-hire services (Booz Allen Hamilton), also referred to as RaaS (Ransomware as a Service)
- More two-step ransomware attacks (Check Point)
- More attempts to lock down networks and accounts, not just integral files and folders (RSA Security)
Anti-ransomware products
In the battle against ransom-based malware, there is an industry of vendor solutions for anti-ransomware. Available software can play a critical role in supplementing your existing security infrastructure, but it is only one piece of the puzzle. Below we dive into the features to look for in solutions and note some of the current industry vendors.
Today, anti-ransomware tools play a vital role in any network. These solutions include next-generation firewalls (NGFWs), email gateway security software, data loss prevention (DLP), and endpoint security and antivirus software. When considering vendors, here are some critical capabilities and features that your anti-ransomware software should provide:
- Block malicious web pages. Before users visit websites, your software needs to be able to unmask URLs, note risk/reputation ratings, and preview the target page. Known malicious sites can then be blocked.
- Block ransomware files. Cloud-based threat intelligence software can now block known malicious files. Unknown files can be intercepted and uploaded to the cloud to be sandboxed and analyzed, then given a threat rating or blocked.
- Prevent suspicious activity. Antivirus endpoint software blocks identifiable malicious files, but products increasingly also offer adaptive analysis to identify and stop unrecognized files. Because most ransomware uses a system’s own encryption DLLs, this capability can block or pause calls to those DLLs by untrusted applications.
- Monitor for mass modifications. File integrity monitoring capabilities can detect changes to system files and the registry. This can be used to block applications that attempt to create or modify large numbers of files or change their names.
- Detect anomalous behavior. DLP systems can create dummy files that should never be accessed or backed up. If these files are accessed, they can trigger an alarm that a possible ransomware attack is taking place.
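The last three capabilities above (stopping suspicious encryption activity, spotting mass modifications, and decoy files) can be approximated in a few dozen lines. The following Python is an added example, not code from the article or from any vendor’s product: it replays a constructed file-activity log and raises one alert per process for each of three behaviours: a high-entropy write over a document file, a burst of many distinct files written or renamed inside a short window, and any access to a planted decoy path. The event format, thresholds, decoy path and the `.locked` suffix are all assumptions made for the example.

```python
import math
from collections import defaultdict, deque

# Assumed tuning for the example; production tooling would derive these from its own baselines.
CANARY_PATHS = {"C:/Shares/Finance/~never_open_me.xlsx"}   # decoy planted by DLP/FIM (constructed path)
BURST_WINDOW_SECONDS = 10.0
BURST_THRESHOLD = 20          # distinct files written/renamed by one process inside the window
HIGH_ENTROPY_BITS = 7.0       # bits per byte; text sits around 4-5, encrypted data approaches 8
DOC_EXTENSIONS = (".docx", ".xlsx", ".pdf", ".txt")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty or single-valued input, 8.0 for a uniform byte mix)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def detect(events) -> list:
    """Return (kind, pid, detail) alerts, at most one per kind per process.

    Each event is a dict with ts (seconds), pid, proc, op ('read' | 'write' | 'rename'),
    path and, for writes, data (the bytes written).
    """
    alerts, seen = [], set()
    recent = defaultdict(deque)   # pid -> deque of (ts, path) for write/rename events

    def alert(kind, ev, detail):
        if (kind, ev["pid"]) not in seen:
            seen.add((kind, ev["pid"]))
            alerts.append((kind, ev["pid"], detail))

    for ev in sorted(events, key=lambda e: e["ts"]):
        # Decoy files are never touched by legitimate work, so any access is an alarm.
        if ev["path"] in CANARY_PATHS:
            alert("canary", ev, f'{ev["proc"]} touched decoy {ev["path"]}')
        # Mass modification: many distinct files changed by one process in a short window.
        if ev["op"] in ("write", "rename"):
            window = recent[ev["pid"]]
            window.append((ev["ts"], ev["path"]))
            while window and ev["ts"] - window[0][0] > BURST_WINDOW_SECONDS:
                window.popleft()
            distinct = {p for _, p in window}
            if len(distinct) >= BURST_THRESHOLD:
                alert("burst", ev, f'{ev["proc"]} changed {len(distinct)} files in {BURST_WINDOW_SECONDS:.0f}s')
        # Document files rewritten with near-random content look like encryption output.
        if ev["op"] == "write" and ev["path"].lower().endswith(DOC_EXTENSIONS):
            h = shannon_entropy(ev.get("data") or b"")
            if h >= HIGH_ENTROPY_BITS:
                alert("high_entropy", ev, f'{ev["proc"]} wrote {h:.2f} bits/byte to {ev["path"]}')
    return alerts


def sample_events() -> list:
    """Constructed file-activity log: a benign editor plus a process behaving like an encryptor."""
    evs = [
        {"ts": 0.0, "pid": 1000, "proc": "WINWORD.EXE", "op": "write",
         "path": "C:/Users/alice/Documents/q3-report.docx", "data": b"Quarterly report draft. " * 40},
        {"ts": 1.0, "pid": 1000, "proc": "WINWORD.EXE", "op": "write",
         "path": "C:/Users/alice/Documents/q3-report.docx", "data": b"Quarterly report, revised. " * 40},
    ]
    uniform = bytes(range(256)) * 8   # every byte value equally frequent: exactly 8.0 bits/byte
    for i in range(25):
        p = f"C:/Shares/Finance/invoice-{i:03d}.xlsx"
        evs.append({"ts": 5.0 + i * 0.1, "pid": 4242, "proc": "svch0st.exe", "op": "write", "path": p, "data": uniform})
        evs.append({"ts": 5.05 + i * 0.1, "pid": 4242, "proc": "svch0st.exe", "op": "rename", "path": p + ".locked"})
    evs.append({"ts": 8.0, "pid": 4242, "proc": "svch0st.exe", "op": "read", "path": "C:/Shares/Finance/~never_open_me.xlsx"})
    return evs


if __name__ == "__main__":
    for kind, pid, detail in detect(sample_events()):
        print(f"[{kind}] pid {pid}: {detail}")
```

The three checks are deliberately independent: a compression utility trips the entropy test but not the decoy, a bulk rename script trips the burst test alone, and only an indiscriminate encryptor tends to trip all three, which is why products correlate signals rather than block on any single one.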
Many security vendors offer products covering everything from email and network security to intrusion detection and prevention systems (IDPS) and threat intelligence tools. While several anti-ransomware vendors are consumer-facing, here is a partial list of vendors and products for IT buyers to evaluate:
- Acronis: Acronis Ransomware Protection
- Bitdefender: Bitdefender Antivirus Plus
- Broadcom (Symantec): Symantec Endpoint Protection
- Check Point: Check Point ZoneAlarm Anti-Ransomware
- Cisco: Cisco Ransomware Defense
- Heilig: Heilig Defense RansomOff
- Malwarebytes: Malwarebytes Anti-Ransomware Beta
- NeuShield: NeuShield Data Sentinel
- Trend Micro: Trend Micro RansomBuster
While the above vendors present mostly pre-attack protection tools, additional vendors are starting to offer rapid response to ransomware. For example, Connecticut-based Coveware offers free remediation options, threat actor negotiations, ransom settlement, and promises to restore data and end downtime sooner.
Ransomware response
If you’re already a victim of ransomware, you probably came to this section first, but once you’ve solved your immediate problem, you need to consider the steps and tools you will need to prevent a recurrence. Fool me once, as they say. Here are some steps that might help if you are a ransomware victim:
Backups. The primary way that organizations recover after being hit by ransomware is by restoring systems from backups. However, restoring all systems can take days, and changes since the last backup before the attack will be lost. Investigate to know when your data was tampered with so you can make sure you restore from an unaffected backup instance.
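An added Python example (not from the article) that ties the backup advice together, both the offline-backup tip’s “monitoring to ensure backups hold true to the original” and the point above about restoring from an unaffected instance: every snapshot carries a SHA-256 manifest recorded at backup time, a restore candidate is verified against its manifest before use, and the onset of tampering is estimated as the earliest modification time among files carrying the encrypted-file suffix, so the newest snapshot taken before that moment is the one restored. Snapshot contents, dates and the `.locked` suffix are constructed for the example.

```python
import hashlib
from datetime import datetime, timezone

ENCRYPTED_SUFFIX = ".locked"   # constructed marker; a real strain uses its own suffix or ransom note


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> dict:
    """Record {path: sha256} for a snapshot at the moment it is taken."""
    return {path: sha256_hex(data) for path, data in files.items()}


def verify_snapshot(snapshot: dict) -> list:
    """Paths whose stored bytes no longer match the manifest (an empty list means the copy is intact)."""
    mismatched = []
    for path, digest in snapshot["manifest"].items():
        stored = snapshot["data"].get(path)
        if stored is None or sha256_hex(stored) != digest:
            mismatched.append(path)
    return mismatched


def tamper_onset(current: dict):
    """Earliest mtime among live files carrying the encrypted suffix, or None if there are none.
    `current` maps path -> (bytes, mtime as an aware datetime)."""
    times = [mtime for path, (_, mtime) in current.items() if path.endswith(ENCRYPTED_SUFFIX)]
    return min(times) if times else None


def choose_restore_point(snapshots: list, onset):
    """Newest snapshot taken before `onset` that passes verification, plus why each newer one was skipped."""
    rejected = {}
    for snap in sorted(snapshots, key=lambda s: s["taken_at"], reverse=True):
        if onset is not None and snap["taken_at"] >= onset:
            rejected[snap["name"]] = "taken after tampering began"
            continue
        bad = verify_snapshot(snap)
        if bad:
            rejected[snap["name"]] = "manifest mismatch: " + ", ".join(bad)
            continue
        return snap, rejected
    return None, rejected


def at_utc(*args) -> datetime:
    return datetime(*args, tzinfo=timezone.utc)


def sample_snapshots() -> list:
    """Constructed history: Monday intact, Wednesday with a damaged stored copy, Friday taken mid-attack."""
    v1 = {"ledger.xlsx": b"ledger v1", "memo.docx": b"memo v1"}
    v2 = {"ledger.xlsx": b"ledger v2", "memo.docx": b"memo v1"}
    encrypted = {"ledger.xlsx.locked": b"\x8f\x1a\x7c\x03", "memo.docx.locked": b"\x41\xe2\x90\x5d"}
    mon = {"name": "mon", "taken_at": at_utc(2021, 3, 1, 2), "manifest": build_manifest(v1), "data": dict(v1)}
    wed = {"name": "wed", "taken_at": at_utc(2021, 3, 3, 2), "manifest": build_manifest(v2), "data": dict(v2)}
    wed["data"]["ledger.xlsx"] = b"ledger v2 (damaged copy)"   # stored copy drifted from its manifest
    fri = {"name": "fri", "taken_at": at_utc(2021, 3, 5, 2), "manifest": build_manifest(encrypted), "data": dict(encrypted)}
    return [mon, wed, fri]


def sample_current() -> dict:
    """Constructed view of the live share after the attack."""
    return {
        "ledger.xlsx.locked": (b"\x8f\x1a\x7c\x03", at_utc(2021, 3, 4, 22)),
        "memo.docx.locked": (b"\x41\xe2\x90\x5d", at_utc(2021, 3, 4, 23)),
        "readme.txt": (b"(constructed ransom note)", at_utc(2021, 3, 4, 23)),
    }


if __name__ == "__main__":
    onset = tamper_onset(sample_current())
    chosen, rejected = choose_restore_point(sample_snapshots(), onset)
    print("tampering began:", onset)
    for name, why in rejected.items():
        print(f"skip {name}: {why}")
    print("restore from:", chosen["name"] if chosen else "no clean snapshot")
```

Note that the Friday snapshot verifies perfectly against its own manifest and is still rejected: an intact backup of encrypted files is worthless, which is why the onset estimate matters as much as the integrity check.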
Version restores. In some cases it may be possible to restore files on individual systems using a built-in file versioning service. This approach keeps the version history of all files on a drive and makes it possible to “go back in time” to restore them to their unencrypted state. Because newer ransomware variants are able to disable this capability, it has lost some of its luster.
Decryption tools. In some ransomware variants, the encryption process isn’t competently implemented, providing an opportunity for recovering data. If there is a flaw in how the encryption key is generated, you could potentially derive the decryption key from a file’s timestamp. Security vendors and government agencies actively release decryption tools that automatically generate the keys and decrypt files for breakable ransomware.
Pay the ransom. The elephant in the room in any discussion of ransomware is whether an organization might face the least disruption and financial loss by giving in to the criminals’ demands and paying the ransom. In some cases, it may seem like the only option to keep a company from going out of business. And after all, 99% of ransomware payments result in the needed decryption key and recovery of all data.
It’s a decision that can only be made by each organization on a case-by-case basis, but keep in mind: 1) paying criminals emboldens them, making future attacks more likely, and 2) there is no guarantee that paying the ransom will result in all (or indeed any) files being decrypted and a return to normalcy.
If you’re the victim of ransomware, you’ve hopefully taken steps to end your nightmare and prevent future attacks. For those who’ve yet to have their data kidnapped for ransom, there’s undoubtedly more you or your business can be doing to manage the threat. We strongly encourage you to note any preventative steps mentioned that your organization isn’t currently doing. Make a plan to beef up your defenses against ransomware.
As ransomware keeps at its current pace, we see a boom in cyber insurance sales (see Ransomware Insurance: Cyber Insurance May Be the Best Protection). So while high-integrity data backups and a healthy security posture may be your first line of defense, having an insurance policy to help minimize the damage is excellent secondary protection.