Ransomware

What is Ransomware and How to Avoid it – The Complete Guide

Introduction to this Guide

With this guide we hope to provide you with useful information to protect your business against Ransomware. It is today one of the most dangerous methods of cybercrime for businesses that rely on technology. Luckily, with a robust cyber security strategy it can be avoided and its damage reduced to a minimum.

Our Guide covers all that a business owner or director must know about Ransomware. We hope you enjoy your reading.

Attitudes to Ransomware

A successful ransomware attack can be devastating to a business. Organisations caught unprepared could be left with the choice between paying a ransom demand and writing off the stolen data entirely.

In our day-to-day cyber security practice, we perform a lot of assessments with new and potential clients. Among this wide variety of professional companies, we find widely differing understandings of the threat Ransomware poses to their businesses.

There are the unknowledgeable optimists who believe it will never happen to them. Clearly this is not a recommended stance.

There are also the informed optimists who believe they have all angles of protection covered. That may or may not be the case. Assumptions can be dangerous.

Finally there are the affected pessimists – those who have suffered from a Ransomware attack and for whom it may be too late. We receive calls from complete strangers asking how they should deal with a Ransomware hit. We always ask the same two questions – do you have a backup, and do you carry Cyber Liability Insurance? The silence at the end of the phone can be deafening.

Whichever camp you belong to, it is important to become informed, engage with preventative measures and plan for the worst outcomes so your business can continue to thrive after such an attack.

The purpose of this guide is to provide that information and to provide some of the measures required to both prepare and recover if your business is impacted by a ransomware attack.

What is Ransomware and How does it work?

Ransomware is a multibillion-euro criminal enterprise executed by Cyber Criminals to disrupt access to your systems, business, and personal information. It is a form of malware that encrypts a victim’s files. The attacker then demands a ransom from the victim to restore access to the data upon payment.

Once your systems are infected, the attacker demands a ransom (normally in Bitcoin) to liberate access to your data and critical business systems. Worryingly, this activity is on the rise at an exponential rate. Research suggests that in 2020 a new organisation will be hit by a ransomware attack every 14 seconds and that Ransomware incidence increased 50% in Q3 in 2020 alone. Adding insult to injury, the Cyber Criminals are leveraging the current Covid crisis to target vulnerable remote workers and infect vulnerable organisations.

Once systems are compromised, cryptocurrency, credit card, or untraceable gift cards will be required as a ransom. However, payment doesn’t ensure that you regain access. Even worse, victims who do pay are frequently targeted again. Just one infection can spread ransomware throughout an entire organisation, crippling operations. As a result, the solution is often costly, as you require a complete rebuild of your core infected systems.

Ransoms range from hundreds of euro to the millions Garmin had to pay after their systems were compromised in 2019. Consequently, billions have been extracted by cyber-criminals in recent years. Cybersecurity Ventures predicts that ransomware damage will exceed €20 billion by 2021. It is so effective because it takes many guises. You must be aware of all of them to effectively protect your data and your entire network.

How Bad Can it Get – The NHS Example

A famous example of ransomware is the WannaCry attack of May 2017. This was a piece of malware that infected over 230,000 computers across 150 companies within a single day. It encrypted all files it found on a device. Users then had to pay €300 worth of bitcoin to restore them.

WannaCry mainly affected large organisations, with the National Health Service in the UK being one of the highest-profile targets affected. Surprisingly, the attack’s impact was lower than it could have been, because it was stopped quickly and it did not target extremely critical infrastructure, like railways or nuclear power plants. However, economic losses from the attack were still in the millions of pounds.

Recently, 22 cities in Texas were hit with ransomware in September 2019. The attackers demanded €2.5 million to restore encrypted files, leading to a federal investigation. Moreover, ransomware is especially prevalent in financial and healthcare organisations, with cyber-criminals targeting 90% of these businesses last year.

The threat posed by Ransomware has never been greater. Microsoft also revealed in their 2020 Digital Defence Report that the time it takes to gain command and control of an organisation’s network has dropped significantly. As a result, cyber criminals can now go from initial entry to ransoming the entire network in just 45 minutes.

How Does Ransomware Work?

Ransomware begins with malicious software being downloaded by an unwary person through an infected email or link onto their computer or smart device.

One common method of distributing malware is through phishing attacks, where an attacker attaches an infected document or URL to an email, disguising it as being legitimate (e.g., a well-crafted but fake Amazon Delivery or banking notification). When the recipient opens the infected link or attachment, the first phase of the attack is complete: malware is now installed on their device.

How to identify a Phishing email? Find out in this article.

Another popular method of spreading ransomware is using a ‘trojan horse’ virus. This involves disguising ransomware as legitimate software online, which then infects the device once installed.

Encrypting Files at Light Speed

Once Ransomware infects an endpoint it will run freely wherever it has access. In seconds, the malicious software will take over critical processes on the device. It then searches for files and encrypts them, meaning all the data within them becomes inaccessible.

The ransomware will then infect any other hard-drives, network attached devices etc., taking out everything in its path – including backups.

This entire process happens extremely quickly. In just a few minutes the device will display a message that looks like this:

[Image: the WannaCry ransom note]

This is the message that was displayed to users who were infected in the WannaCry ransomware attack. As you can see, it’s a ‘cyber blackmail’ note. Users are informed that they have been locked out of their files, and they must pay to regain access.
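As a defender-side illustration of the rapid encryption described in this section, the following added example (not part of the original guide) flags a burst of high-entropy writes to many different files within a short window. The thresholds, the event format and the sample events are assumptions constructed for this example.

```python
import hashlib
import math
from collections import Counter, deque

# Assumed tuning values for this example; real deployments need calibration.
ENTROPY_THRESHOLD = 7.5   # bits per byte; encrypted data sits close to 8.0
WINDOW_SECONDS = 10       # sliding window length
BURST_COUNT = 5           # distinct files rewritten with high-entropy data


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: roughly 4-5 for text, near 8 for ciphertext."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((n / total) * math.log2(n / total) for n in Counter(data).values())


def detect_encryption_burst(events):
    """events: time-ordered (timestamp_seconds, path, bytes_written) tuples.

    Returns the timestamp at which BURST_COUNT distinct files had received
    high-entropy writes within WINDOW_SECONDS, or None if that never happens.
    """
    recent = deque()  # (timestamp, path) of high-entropy writes in the window
    for ts, path, data in events:
        if shannon_entropy(data) < ENTROPY_THRESHOLD:
            continue
        recent.append((ts, path))
        while recent and ts - recent[0][0] > WINDOW_SECONDS:
            recent.popleft()
        if len({p for _, p in recent}) >= BURST_COUNT:
            return ts
    return None


def pseudo_ciphertext(seed: bytes, size: int = 4096) -> bytes:
    """Deterministic stand-in for encrypted content (SHA-256 in counter mode)."""
    out = b""
    counter = 0
    while len(out) < size:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:size]


# Constructed sample events: ordinary office activity, including one
# compressed archive (high entropy on its own, but isolated in time).
TEXT = b"Quarterly sales report, constructed sample text for this example.\n" * 60
NORMAL_EVENTS = [
    (0, "docs/report.docx", TEXT),
    (30, "docs/notes.txt", TEXT),
    (60, "archive/photos.zip", pseudo_ciphertext(b"zip")),
    (90, "docs/budget.xlsx", TEXT),
]
# Constructed sample events: five documents rewritten within five seconds.
ATTACK_EVENTS = [
    (200 + i, f"docs/file{i}.docx", pseudo_ciphertext(b"doc%d" % i))
    for i in range(5)
]

if __name__ == "__main__":
    print("normal activity:", detect_encryption_burst(NORMAL_EVENTS))
    print("burst detected at t =", detect_encryption_burst(NORMAL_EVENTS + ATTACK_EVENTS))
```

Counting distinct files inside a window, rather than alerting on any single high-entropy write, is what keeps ordinary compressed or media files from triggering the alert.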

Should you pay the Ransom?

Backups are the last port of call during a ransomware attack. Backups are also targeted by the attacker. If your backups are infected, you may have no other choice but to pay the ransom. It is estimated that the Sportswear manufacturer Garmin paid out a multimillion-euro ransom to get their system back online in 2019.

Payments are requested through bitcoin, a cryptocurrency that cannot be traced, followed by a countdown threatening to permanently delete the encrypted files should time run out. For smaller businesses, performing a Disaster Recovery may be viable; however, for larger companies with thousands of core systems, the cost of recovery may simply exceed the ransom.

The Origins of Ransomware

As mentioned, Ransomware is the most prevalent form of cyber-crime as of 2020. However, it has been with us for over a decade. First sightings of this attack date back to around 2005, although conditions for it to be devastatingly effective have only been met with the rise of Bitcoin.

In the 2000s, ransomware was not very sophisticated. The early methods used by attackers to encrypt or block data were easy to remediate. Services that allowed untraceable payments were lacking also. As a result, few victims ended up willing to pay the ransom due to these blockers.

The more successful enterprise for cyber-criminals was in supplying phony anti-virus and computer cleaning software (scareware). By operating under a thin veil of legitimacy, cyber criminals were able to avoid detection. As the internet became a larger part of society around 2008, legislation caught up to this method of attack, which significantly increased the risk and cost of operation.

The risk gap between scareware and ransomware was closing, while ransomware remained a less costly venture. In the early 2010s, ransomware scams became more prevalent, utilising different avenues of payment such as prepaid cash cards or gift vouchers. Then something happened that would significantly change the trajectory of ransomware as a cyber-crime: the rise of cryptocurrency.

Cryptocurrency – The Enabler of Ransomware

In 2012, the Bitcoin Foundation was formed and Bitcoin Central was recognised as a European Bank. Cyber-criminals had been waiting for this exact form of currency since 2005: a simple, untraceable method of extracting ransoms from their victims. The risk gap between scareware and ransomware began growing again; however, this time ransomware was the less risky and less costly option for cyber-criminals.

Then came Crypto Locker in 2013, a revolutionary new form of ransomware combining Bitcoin integration and much more advanced methods of data encryption. Victims of this attack would be unable to decrypt their files, which required a special encryption key, unless they paid out roughly €300 worth of bitcoin. The Gameover Zeus banking trojan became a delivery method for Crypto Locker. It was shut down in an operation led by the FBI. Within months researchers discovered numerous Crypto Locker clones across the globe from criminals looking to hitch a ride on the new wave of modern ransomware.

Eventually, cyber-criminals realised that, profits being as they were from attacking individuals, they could aim bigger by targeting businesses, which possess more sensitive and valuable data and would pay accordingly. This was the advent of ‘Big Game Hunting’, where cyber-criminals specifically target larger organisations through their users. This is the state of ransomware today: the biggest cyber-security risk, and one which is only growing.

Why is Ransomware so effective?

Ransomware causes massive damage to businesses, impacting both their finances and their productivity.

Most apparent is the loss of files and data, which represents years’ worth of work and intellectual property, or customer data that is critical to the smooth running of their organisation. Loss of productivity comes as machines will be unusable. According to Kaspersky it takes even smaller organisations a minimum of a week to recover their data in most cases.

Once a victim of a successful ransomware attack, downtime is only the beginning of the problem. The loss of data and productivity can have tremendous impact on a business financially. After that, professionals need to be hired to remediate the damage caused and put protections in place to stop such an attack from happening again. Many businesses do not survive.

Ransomware Exploits your Greatest Weakness – People

Attackers’ most successful vector of attack is email phishing, which can bypass traditional security technologies. Email is a weak point in many businesses’ security infrastructure. Hackers exploit this by using phishing emails to trick users into opening malicious files and attachments.

Another approach is to use trojan horse viruses, where hackers also target human error by causing users to inadvertently download malicious files. These files can remain dormant in your systems for a long time before they become active. Once active they implement Command and Control tools, giving the hacker free rein to run ransomware throughout your organisation.

The major issue here is a lack of awareness and staff education about security threats. Many people are unaware of what threats look like and what they should avoid downloading, leaving you open to risk.

This lack of security awareness helps ransomware to spread with great efficiency.

Reasons Why Ransomware is so Successful

Ransomware attacks grew by as much as 715% in 2020, with attackers making off with increasingly high average payouts that have tripled from circa €80k to €239 (source: Sophos 2021 Threat Report). Many businesses do not have the strong defences needed in place to block and detect these attacks, because they can be expensive as well as complicated to deploy and use. It’s often hard for IT teams to convince company executives that they need strong security defences until it’s too late and systems have already been compromised.

Out of Date Hardware and Software

Organisational security policies often overlook hardware and software that is out of date. This can be down to legacy systems support needed to drive the business.

Over time, attackers discover the security vulnerabilities that are widely released by larger corporations. Technology companies often push out security updates, but many organisations have no way to verify that users are installing these updates. Many organisations rely heavily on older computers that are no longer supported, meaning they are open to vulnerabilities.

This is one of the main reasons the WannaCry virus was so successful. It targeted many large organisations such as the NHS, which used decades-old machines on operating systems that no longer received regular updates.

The exploit WannaCry used to infect systems was discovered two months before the attack took place and was patched by Microsoft. However, the attack rapidly spread due to these devices running old software.

As discussed, the rate of growth in Ransomware attacks on businesses large and small is out of control. The risk is high, which is why you must be proactive. Ransomware thrives in a climate where businesses are unaware of where their risks lie. In the next section we will cover ransomware avoidance and the need for a layered approach to cyber security that allows your business to protect against, detect, and recover from a Ransomware attack.

Addressing the Ransomware Risk

Reducing the risk and damage of a Ransomware attack requires a mix of frameworks, policies, training, and technology. The best companies perform a detailed GAP analysis using a Cyber Security framework such as the NIST CSF in conjunction with security controls such as the CIS 20 controls. This approach leads to better outcomes, period. Below we list some of the key components in your Ransomware protection arsenal.

Learn more about the NIST CSF in this practical Guide.

Here are some tips for the best protections to put in place to stop ransomware attacks:

Strong, Reputable Malware and Ransomware Protection

One of the most important ways to stop ransomware is to have a strong endpoint security solution: one that blocks malware from infecting your systems when installed on your endpoint devices (phones, computers, etc.). Industry leaders include Sophos, Trend Micro and Bitdefender. Just be sure that Ransomware protection is included, as many traditional Anti-Virus products are not equipped to defend against modern Ransomware attacks.

The best solutions will also provide real time alerting if unusual behaviour is noted on your networks and help lock down that behaviour if it looks suspicious. Better still, many modern providers can also supply real time alerting and remediation services.

These solutions help protect against malicious downloads, and alert users when they are visiting risky websites. However, they are not guaranteed to be 100% effective as cybercriminals are always trying to create new pieces of malware that can get around the security tools. Still, endpoint security is a crucial step in strong protection against malware.

Email Security, Inside and Outside the Gateway

As ransomware is commonly delivered through email, email security is key in preventing ransomware. Secure Email Gateway technologies, such as Mimecast and Barracuda, filter email communications with URL defences and attachment sandboxing to identify threats and block them from being delivered to users. This stops ransomware from arriving on endpoint devices and keeps users from inadvertently installing malicious programs onto their machines.

Ransomware is also commonly delivered through phishing. Secure email gateways can block phishing attacks using Advanced Threat Protection (ATP) capabilities. There are also Post-Delivery Protection technologies, which use machine learning and AI algorithms to detect phishing attacks. They then display warning banners within emails to alert users that the content may be suspicious. This helps users to avoid phishing emails which contain a ransomware attack.

Web Filtering & Isolation Technologies

DNS Web filtering solutions stop users from visiting dangerous websites and downloading malicious files, blocking ransomware that is spread through viruses downloaded from the internet, including trojan horse software. DNS filters also block malicious third-party adverts. Additionally, web filters should be configured to aggressively block threats, to stop users from visiting dangerous or unknown domains.

Isolation technologies are a valuable tool to stop ransomware downloads. They keep threats away from users by isolating browsing activity in secure servers and displaying a safe render to users. This prevents ransomware infections, as any malicious software is executed in the secure container. Moreover, Isolation does not affect the user experience, delivering high security efficacy and seamless browsing.

Security Awareness Training

The people within your organisation are often your biggest security risk. There has been a huge growth in Security Awareness Training platforms such as KnowBe4, which train users about the risks they face online, at work, and at home. Awareness Training teaches users what a suspicious email looks like, and the best security practices to follow to stop ransomware, such as ensuring their endpoints are updated with the latest security software.

Security Awareness Training solutions typically also provide phishing simulation technologies, meaning admins create customized simulated phishing emails and send them out to employees to test how effectively they detect attacks. Phishing simulation is an ideal way to help view your security efficacy across the organisation. It is also a useful tool to identify users that need more security training to stop the spread of ransomware.

Multifactor Authentication

It may not seem obvious, but identity theft lies at the core of a lot of backdoor Ransomware attacks. Hackers use administrative and other accounts to gain a foothold in your core systems. Adding MFA reduces the possibility of an attacker elevating privileges and obtaining the keys to run ransomware without barriers. MFA comes free with most Microsoft 365 packages, and more in-depth solutions also exist with companies like DUO that extend more granular protection to all devices in the organisation.

Software Patching

Keep your operating system and 3rd party applications patched and up to date to ensure you have fewer vulnerabilities for attackers to exploit.

Data Backup and Recovery

Once a ransomware attack succeeds and your data is compromised, the best protection for your organisation is to restore your data quickly and minimize the downtime. The most effective way to protect data is to ensure that it is backed up in multiple places, including in your main storage area, on local disks, and in a cloud continuity service. In the event of a ransomware attack, having backed up your data means you will be able to mitigate the loss of any encrypted files and regain functionality of systems.

The best Cloud Data Backup and Recovery platforms:

  • Allow businesses to recover data in the case of a disaster.
  • Are available anytime.
  • Are easily integrated with existing cloud applications and endpoint devices.
  • Have a secure and stable global cloud infrastructure.

Cloud data backup and recovery is a crucial tool in remediating against Ransomware.
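Because backups are themselves a target, it helps to check regularly that at least one copy of every file is still intact. The following added example (not part of the original guide) compares each backup location against a hash manifest recorded at backup time; the location names, directory layout and sample files are assumptions constructed for this example, with plain directories standing in for the local disk and the offsite or cloud copy.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(source: Path) -> dict:
    """Record relative path -> SHA-256 for every file at backup time.

    Assumption: the manifest is stored somewhere the ransomware cannot rewrite.
    """
    return {str(p.relative_to(source)): sha256_file(p)
            for p in sorted(source.rglob("*")) if p.is_file()}


def verify_backups(manifest: dict, locations: dict) -> dict:
    """Return {relative_path: [names of locations still holding an intact copy]}."""
    report = {}
    for rel, expected in manifest.items():
        intact = []
        for name, root in locations.items():
            copy = root / rel
            if copy.is_file() and sha256_file(copy) == expected:
                intact.append(name)
        report[rel] = intact
    return report


def unrecoverable(report: dict) -> list:
    """Files for which no backup location holds a matching copy."""
    return sorted(rel for rel, intact in report.items() if not intact)


def constructed_demo() -> dict:
    """Build constructed sample data in a temp directory and verify it."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        source = base / "source"
        (source / "finance").mkdir(parents=True)
        (source / "finance" / "ledger.csv").write_text("id,amount\n1,100\n")
        (source / "contracts.txt").write_text("constructed sample contract\n")
        manifest = build_manifest(source)

        # Hypothetical location names; both are ordinary directories here.
        locations = {"local_disk": base / "local_disk", "offsite": base / "offsite"}
        for root in locations.values():
            shutil.copytree(source, root)

        # Constructed damage: every file on the local disk copy is overwritten,
        # and one file is missing from the offsite copy.
        for rel in manifest:
            (locations["local_disk"] / rel).write_bytes(b"\x8f\x02 constructed garbage")
        (locations["offsite"] / "contracts.txt").unlink()

        return verify_backups(manifest, locations)


if __name__ == "__main__":
    result = constructed_demo()
    print(result)
    print("unrecoverable:", unrecoverable(result))
```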

Learn more about Business Continuity and Disaster Recovery.

Cyber Liability Insurance and Extortion Coverage

If the worst comes to pass, it can be very costly to rebuild your business or to pay off the cyber criminals. If it comes to this, Cyber Liability Insurance can assist.

Cyber extortion is a coverage option under many cyber liability policies. It protects your business against losses caused by ransomware and other types of cyber extortion.

What’s Covered

Many cyber liability policies cover three types of costs:

  • Ransom Money. This is money you pay to a cybercriminal in response to a threat. Some policies also cover property (other than money) you relinquish to an extortionist.
  • Extortion-Related Expenses. These are expenses you incur because of the extortion threat. Examples are travel expenses you incur to make a ransom payment and the cost of hiring a security expert to advise you on how to respond to a threat.
  • Repair Costs. Payment of a ransom does not guarantee your computers and data will be undamaged after their release, or that they will be released at all. Most cyber liability forms cover losses you sustain as a result of damage, disruption, theft, or misuse of your data. Policies cover the cost to restore, replace or reconstruct programs, software, or data.

Most cyber policies require you to secure permission from your insurer before you pay a ransom. If you make a ransom payment and then tell your insurer about it later, the payment may not be covered. The same rule applies to extortion-related expenses. If you want to hire a consultant to help you negotiate with the extortionist, you’ll need to notify your insurer in advance. Otherwise, the consultant’s fee may not be covered.

Most cyber liability policies provide reimbursement for a ransom payment and related expenses. They do not pay these costs upfront.

Cyber Risk Management

Some cyber liability insurers provide risk management services through a web portal such as eRiskHub. Policyholders can use these websites to learn about cyber exposures and how they can protect themselves from losses.

Covered Threats

Cyber extortion insurance covers ransom payments you make and extortion-related expenses you incur in response to a threat. The meaning of the term “threat” is important because it determines what types of acts are covered. The definition varies, but often includes threats to do some or all of the following:

  • Alter, damage or destroy your software, programs, or data
  • Infect your computer system with a virus or other malicious code
  • Release your data or sell it to someone else
  • Make your website or computer system inaccessible by initiating a cyber-attack, such as a denial-of-service attack
  • Transfer funds using your computer system

Ransomware is experiencing a boom as the perfect conditions for its rise to prominence have been met in recent years, and dedicated cyber-criminals are actively working on methods to ensure it is more effective. This game of cat-and-mouse will continue to evolve as the gains are large and the payouts continue.

Preventing Ransomware – Get in Touch

If you feel uncertain or do not have the skills to determine your current cyber security risk, contact us to discuss our Cyber Security GAP analysis service. This will help expose any current issues and build a risk-based roadmap to address any gaps in your approach. We are always here and happy to help any company looking to improve their cyber security maturity profile.

If you are looking for a new IT partner to provide faster response times, enhanced security and better business outcomes – get in touch today.

Contact Spector IT