Ransomware: A Security Guide




When it comes to security challenges, businesses of all sizes are alarmed by the number and severity of ransomware attacks, but such attacks are now a fact of organisational life. Cyber criminals target every industry with specialised malware and collect untold sums in ransom. Worse, the threats they develop are growing ever more sophisticated. 

This results in organisations losing access to their data, potentially putting their entire business at risk. 

Ransomware is a type of malware which prevents you from accessing your device and the data stored on it, usually by encrypting your files. A criminal group will then demand a ransom in exchange for decryption. 

The probability that an organisation will experience a ransomware attack is rapidly increasing. In the first half of 2021, the FBI's Internet Crime Complaint Center experienced a 62 percent year-over-year surge in reports, with nearly 2100 complaints. 

More than a third of organisations worldwide suffered an attack in 2022, with ransomware attacks occurring roughly every 11 seconds.

Given the potential damage to corporate systems and workflows should a ransomware attack shut down access to data or applications, it is not surprising that many companies elect to pay ransoms. Typical ransom demands range from hundreds of dollars to well into the millions. The average ransom paid is approaching $250,000.

Increasing Ransomware Attacks

Ransomware is the fastest-growing category of cybercrime, with an estimated 4,000-plus attacks every day.
Given the sheer volume of these attacks and the extensive connections between organisations and their vendors that widen the attack surface, there is a high likelihood that some of your employee credentials have already been compromised in a ransomware attack. 

Leaked credentials mean the keys to your corporate network could be immediately published on a ransomware gang’s data leak site. Without a strategy for mitigating ransomware attack success and a process for rapidly detecting compromised employee credentials, your sensitive data is at critical risk of compromise. 

Ransomware is a type of malware that attempts to unlawfully encrypt files on a host computer system.
A ransomware attack occurs when an attacker gains access to an organisation’s computer systems and delivers malicious software into the network. This software, or ‘payload,’ then makes the data unavailable through encryption or deletion. 

Ransomware is often designed to spread from device to device to maximise the number of files it can encrypt.
The ‘ransom’ element comes from the ransom note left by the attacker requesting payment in return for restoring the data. This is usually done by a decryption key that only the attacker can access.

Where personal data is encrypted as the result of a ransomware attack, that constitutes a personal data breach because you have lost timely access to the data.

Different Types of Ransomware

There are many types of ransomware that malicious actors use to extort ransoms. The traditional types are crypto and locker; two newer types, double extortion and ransomware as a service, have been gaining popularity among malicious actors.

  • Locker blocks access to computers, and attackers require payment to unlock access.
  • Crypto encrypts all or some files on a computer, and attackers require payment before handing over a decryption key.
  • Double extortion occurs when cyber criminals demand one payment to decrypt the files and another not to make them public.
  • Ransomware as a service (RaaS) occurs when cybercriminals can access malicious code for a fee.
  • Scareware attempts to scare users into buying unnecessary software. In some cases, pop-ups will flood the screen, forcing the user to pay to remove them.

Ransomware is often known by its malware strain code names, such as AIDS Trojan, which first appeared 30 years ago. Since then, names such as GPcode, Achievus, Trojan WinLock, Reveton and CryptoLocker have made headlines for the havoc they caused. In the past decade, LockerPIN, Ransom32, WannaCry, Goldeneye and Petya emerged. 

Backup Your Data

Unless you have a backup of the data, you will not usually be able to recover it unless you decide to comply with the attacker’s demand for payment. Even if you pay the ransom, there is no guarantee that the attacker will supply the key needed to decrypt the files. The computer itself may become locked, or the data on it might be encrypted, stolen or deleted. The attackers may also threaten to leak the data they steal.

Hacking Access:   Attackers gain access to your network. They establish control and plant malicious encryption software.  They may also take copies of your data and threaten to leak it.

Activation:   The malware is activated, locking devices and causing the data across the network to be encrypted, meaning you can no longer access it. 

Ransom Demands:   Usually you will then receive an on-screen notification from the cyber criminal, explaining the ransom and how to make the payment to unlock your computer or regain access to your data. 

Payment is usually demanded via an anonymous web page and usually in a crypto currency, such as Bitcoin. It is important to try and establish how the attackers gained access to your network in the first place so you can prevent future ransomware attacks.

Ransomware Prevention Practices

Keep All Systems And Software Updated

Always keep your operating system, web browser, antivirus, and any other software you use updated to the latest available version. Malware, viruses, and ransomware are constantly evolving, with new variants that can bypass older security features, so make sure everything is patched and up to date. Many attackers prey on larger businesses that rely on outdated legacy systems that have not been updated for some time. 

Perhaps the most famous ransomware attack occurred in 2017, when the malicious software WannaCry crippled major corporations around the world. It even forced NHS hospitals in Great Britain, Spanish telecommunications company Telefónica, and Apple chip supplier Taiwan Semiconductor Manufacturing Co. (TSMC) to shut down operations for four days. In total, over 230,000 computers globally were affected. The attack targeted computers running outdated versions of Microsoft Windows. Despite a recently released patch that would have prevented the malware from spreading, many users and organisations were slow to update and, as a result, became victims of the attack. 

Since this incident, security experts worldwide have urged companies to update their systems as soon as possible.

Install Antivirus Software & Firewalls:   Comprehensive antivirus and anti-malware software are the most common ways to defend against ransomware. They can scan, detect, and respond to cyber threats. However, you'll also need to configure your firewall since antivirus software only works at the internal level and can only detect the attack once it is already in the system.

Firewalls are often the first line of defence against incoming external attacks. They can protect against both software- and hardware-based attacks. Firewalls are essential for any business or private network because they can filter out and block suspicious data packets before they enter the system. Be careful of fake virus detection alerts: many fake alerts pretend to come from your antivirus software, especially via emails or website pop-ups. Do not click on any links until you have verified the alert directly in the antivirus software.

Network Segmentation:   Because ransomware can spread quickly throughout a network, it's important to limit the spread as much as possible in the event of an attack. Implementing network segmentation divides the network into multiple smaller networks so the organisation can isolate the ransomware and prevent it from spreading to other systems. Each individual subsystem should have its own security controls, firewalls, and unique access to prevent ransomware from reaching the target data. 

Not only will segmented access prevent the spread to the main network, but it will also give the security team more time to identify, isolate, and remove the threat.

Email Protection:   Historically, email phishing attacks have been the leading cause of malware infections. In 2020, 54% of managed service providers (MSPs) reported phishing as the top ransomware delivery method. 
A report released by the Federal Bureau of Investigation (FBI) listed phishing scams as the top cybercrime in 2020, resulting in over $4.2 billion in loss or theft. There are several ways that ransomware can infect a user through email:

  • Downloading suspicious email attachments
  • Clicking on links that lead to infected websites
  • Social engineering, which is aimed at tricking users into exposing sensitive information

In addition to antivirus software, you can take additional precautions by using practices or technologies, including:

  • Don't open emails from unknown senders - Avoid clicking on attachments, files, or links from unknown addresses or unauthorised sources.
  • Keep email client apps updated - Don't allow cybercriminals to take advantage of security vulnerabilities from out-of-date technology.
  • Sender Policy Framework (SPF) - Email authentication technique that lets a domain publish which mail servers are authorised to send messages on its behalf.
  • DomainKeys Identified Mail (DKIM) - Adds a digital signature, verified against a public key published in DNS, to show the email was not spoofed, forged or altered in transit.
  • Domain-based Message Authentication, Reporting and Conformance (DMARC) - Builds on SPF and DKIM by checking that the domain they authenticated aligns with the visible From: address, and tells receivers what to do with mail that fails.
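The three mechanisms fit together through DMARC "identifier alignment": a message passes only if SPF or DKIM passed for a domain that aligns with the visible From: domain, after which the published policy applies. This added example (not code from the article or any of its sources) walks through that logic with an in-memory stand-in for DNS and constructed SPF/DKIM verdicts; the domains and records are assumptions.

```python
"""Added example (not from the original article): how DMARC ties an SPF or
DKIM result to the visible From: domain through "identifier alignment".
Assumptions, all constructed for this example: DNS lookups are replaced by
an in-memory table, and the SPF/DKIM verdicts are given as inputs rather
than computed from real DNS records or signatures."""

# Constructed stand-in for the DNS TXT records a receiving server would fetch.
DNS_TXT = {
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com",
    "_dmarc.weak.example": "v=DMARC1; p=none",   # monitoring only: failures are not rejected
}


def org_domain(domain: str) -> str:
    """Crude organisational-domain reduction (last two labels). Real DMARC
    uses the Public Suffix List; this is sufficient for the example."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=reject; adkim=s' into {'v': 'DMARC1', 'p': 'reject', ...}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') accepts any subdomain
    of the same organisational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(from_domain, spf_pass, spf_domain, dkim_pass, dkim_domain, dns=DNS_TXT):
    """Return (result, policy). DMARC passes only if at least one of SPF or DKIM
    passed AND the domain it authenticated aligns with the From: domain; the
    policy tells the receiver what to do with failures (none/quarantine/reject)."""
    record = dns.get(f"_dmarc.{from_domain}") or dns.get(f"_dmarc.{org_domain(from_domain)}")
    if record is None:
        return ("none", "none")          # no DMARC record: nothing to enforce
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    return ("pass" if (spf_ok or dkim_ok) else "fail", tags.get("p", "none"))


if __name__ == "__main__":
    # A spoof: SPF passes for the sender's own bounce domain, but that domain does
    # not align with the From: the user sees, so DMARC fails and p=reject applies.
    print(dmarc_disposition("example.com", True, "bulk.attacker.example", False, ""))
    # Legitimate mail signed with d=mail.example.com: adkim=s demands an exact match.
    print(dmarc_disposition("example.com", False, "", True, "mail.example.com"))
```

The second call shows why alignment mode matters: with adkim=s, mail signed by a subdomain of your own organisation fails DMARC, so strict alignment must be rolled out together with the signing domains actually in use.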

Application Whitelisting:   Whitelisting determines which applications can be downloaded and executed on a network. Any unauthorised programme or website that is not whitelisted will be restricted or blocked, in case an employee or user accidentally downloads an infected program or visits a compromised site. Using whitelisting software such as Windows AppLocker, you can also "blacklist" or block specific programmes and websites.

Endpoint Security:   Endpoint security should be a priority for growing businesses. As businesses begin to expand and the number of end-users increases, this creates more endpoints (laptops, smartphones, servers, etc.) that need to be secured. Each remote endpoint creates a potential opportunity for criminals to access private information or, worse, the main network.

Whether you're running your business from home or working as part of a larger company, look to install endpoint protection platforms (EPP) or endpoint detection and response (EDR) for all network users. These technologies allow system administrators to monitor and manage security for each remote device. EDR is slightly more advanced than EPP, focusing on responding to and countering threats that have already infiltrated the network.

EPPs and EDRs typically include a suite of protection tools, including:

  • Antivirus & anti-malware
  • Data encryption
  • Data loss prevention
  • Intrusion detection
  • Web browser security
  • Mobile & desktop security
  • Network assessments for security teams
  • Real-time security alerts and notifications
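The real-time alerts in the list above come from rules such as the following mass file modification heuristic, which watches for one process renaming many files across several folders within seconds, the signature of the encryption stage described earlier. This is an added example, not code from the article or any EDR product; the log format, sample events and thresholds are constructed assumptions.

```python
"""Added example (not part of the original article): a minimal 'mass file
modification' rule of the kind an EDR engine runs to flag the encryption stage
of a ransomware attack. Assumptions, all constructed: events arrive as CSV lines
'timestamp,host,pid,process,op,path[,new_path]' (op is write/rename); thresholds are illustrative."""
import csv
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

WINDOW = timedelta(seconds=60)   # sliding window kept per process
MAX_FILES = 5                    # distinct files touched inside the window before alerting
MIN_DIRS = 2                     # spread across at least this many directories

# Constructed sample log: a user saving documents in Word, then an unknown
# process renaming files in two folders within seconds and dropping a note.
SAMPLE_LOG = r"""
2024-03-01T09:00:01,ws01,4412,WINWORD.EXE,write,C:\Users\ann\Docs\report.docx
2024-03-01T09:01:10,ws01,4412,WINWORD.EXE,write,C:\Users\ann\Docs\notes.docx
2024-03-01T09:05:00,ws01,9920,updater.exe,rename,C:\Users\ann\Docs\report.docx,C:\Users\ann\Docs\report.docx.locked
2024-03-01T09:05:01,ws01,9920,updater.exe,rename,C:\Users\ann\Docs\notes.docx,C:\Users\ann\Docs\notes.docx.locked
2024-03-01T09:05:02,ws01,9920,updater.exe,rename,C:\Users\ann\Pictures\a.jpg,C:\Users\ann\Pictures\a.jpg.locked
2024-03-01T09:05:03,ws01,9920,updater.exe,rename,C:\Users\ann\Pictures\b.jpg,C:\Users\ann\Pictures\b.jpg.locked
2024-03-01T09:05:04,ws01,9920,updater.exe,rename,C:\Users\ann\Pictures\c.jpg,C:\Users\ann\Pictures\c.jpg.locked
2024-03-01T09:05:05,ws01,9920,updater.exe,write,C:\Users\ann\Pictures\README_RESTORE.txt
"""

def parse_event(line):
    ts, host, pid, proc, op, path, *rest = next(csv.reader([line]))
    return {"ts": datetime.fromisoformat(ts), "key": (host, pid, proc),
            "op": op, "path": path, "new_path": rest[0] if rest else None}

def extension_changed(ev):
    """A rename that swaps the suffix (report.docx -> report.docx.locked) is the classic tell."""
    if ev["op"] != "rename" or not ev["new_path"]:
        return False
    return PureWindowsPath(ev["path"]).suffix != PureWindowsPath(ev["new_path"]).suffix

def detect(lines):
    """Return [(process_key, alert_time, files_in_window)], one alert per process,
    raised the first time its window crosses all three thresholds."""
    windows = defaultdict(deque)     # key -> deque of (ts, path, ext_changed)
    alerted, alerts = set(), []
    for line in lines:
        ev = parse_event(line)
        q = windows[ev["key"]]
        q.append((ev["ts"], ev["path"], extension_changed(ev)))
        while ev["ts"] - q[0][0] > WINDOW:   # drop events older than the window
            q.popleft()
        files = {p for _, p, _ in q}
        dirs = {str(PureWindowsPath(p).parent) for p in files}
        swaps = sum(1 for _, _, changed in q if changed)
        if (ev["key"] not in alerted and len(files) >= MAX_FILES
                and len(dirs) >= MIN_DIRS and swaps > 0):
            alerted.add(ev["key"])
            alerts.append((ev["key"], ev["ts"].isoformat(), len(files)))
    return alerts

def run_sample():
    return detect(SAMPLE_LOG.strip().splitlines())

if __name__ == "__main__":
    for key, when, n in run_sample():
        print(f"ALERT {when}: {key[2]} (pid {key[1]}) on {key[0]} touched {n} files")
```

Word's two saves never cross the thresholds, while the renaming process trips the rule on its fifth file; a production rule would also key on the extension being appended and on the ransom note being written.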

Limit User Access Privileges:   Another way to protect your network and systems is limiting user access and permissions to only the data they need to work. This idea of least privilege limits who can access essential data. By doing so, you can prevent ransomware from spreading between systems within a company. Even with access, users may encounter limited functions or resources. 

Least privilege typically involves a zero trust model that assumes no internal or external user can be trusted by default, so identity is verified at every level of access. Verification usually requires at least two-factor or multi-factor authentication, so that a compromised credential alone does not give access to target data should a breach occur.

Run Regular Security Testing:   Implementing new security measures should be a never-ending task. As ransomware tactics continue to evolve, companies need to run regular cyber security tests and assessments to adapt to changing environments. Companies should continually: 

  • Re-evaluate user privileges and access points
  • Identify new system vulnerabilities
  • Create new security protocols

Sandbox testing is a common strategy to test malicious code against current software in an isolated environment to determine if security protocols are sufficient.

Security Awareness Training:   Because end-users and employees are the most common gateway for cyber attacks, one of the most important trainings a company can provide is security awareness training. Phishing and social engineering tactics can easily take advantage of unsuspecting, ill-equipped users.

Even basic cybersecurity knowledge can greatly reduce, and in many cases prevent, attacks at the source. Some basic security training practices to provide are: 

  • Safe web surfing
  • Creating strong, secure passwords
  • Using secure VPNs (no public Wi-Fi)
  • Recognising suspicious emails or attachments
  • Maintaining updated systems and software
  • Confidentiality training
  • Providing an emergency reporting channel for suspicious activity

Should You Pay The Ransom?

Law enforcement does not encourage, endorse or condone the payment of ransom demands. If you do pay the ransom:

  • There is no guarantee that you will get access to your data or computer
  • Your computer will still be infected
  • You will be paying criminal groups
  • You're more likely to be targeted in future

For this reason, it is important that you always have a recent offline backup of your most important files and data.

Prevent & Protect Against Ransomware

Attackers will likely threaten to publish data if payment is not made. To counter this, you should take measures to minimise the impact of data theft. Employees are the primary attack vector for ransomware: poor password hygiene, overly permissive access policies, and susceptibility to phishing scams remain the primary source of most attacks. 

These scams expand an organisation's attack surface, making it easy for cyber criminals to insert ransomware files. Unfortunately, many organisations enable these bad practices because they fear employee complaints if they institute stricter policies.

Organisations must properly train their employees to be vigilant for the signs of an attack and to defend against attacks proactively. 

For example, keeping employees from clicking on links in suspicious emails (e.g., ones with odd capitalisation or misspellings) can go a long way towards a better security posture. Just as importantly, organisations must make their employees understand the need for strict security policies. While employees may find it inconvenient to use strong passwords that they must change frequently, it would be far more inconvenient if they suddenly cannot do their work due to a successful attack. 

You should also consider the rights and freedoms of individuals in totality. For example:  

  • Does the lack of availability impact on any individual rights, such as right of access to the personal data?
  • Have individuals lost control of their personal data?
  • Can you restore the personal data in a timely manner? If not, what does this mean for individuals?
  • To what degree was the personal data exposed to unauthorised actors and what are their likely motivations?
  • How confident are you in your detection and monitoring controls? Could you have detected personal data being uploaded if it had occurred? 

If you do not have appropriate logs to make an informed decision, it may be helpful to determine if the attacker had the means, motivation and opportunity to exfiltrate the data. You can then use this assessment to make a risk-based decision.

Cyber Insurance

In a world where cyber threats are varied and constantly changing, cyber insurance can help your organisation get back on its feet should something cyber-related go wrong. Managing cyber incidents, such as ransomware or data breaches, may require in-depth technical knowledge. 

As well as minimising business disruption and providing financial protection during an incident, cyber insurance may help with any legal and regulatory actions after an incident.

However, before considering any cyber insurance, you can help protect your organisation by ensuring you have fundamental cyber security safeguards in place, such as those certified by Cyber Essentials.

References: NCSC, CommVault, CISA, TechTarget, NI Cyber Security Centre, UpGuard, FBI, IC3, ICO, BlackBerry

Cyber Security Intelligence: Captured Organised & Accessible


 
