Ransomware: A Security Guide 

When it comes to security challenges, businesses of all sizes are alarmed by the abundance and gravity of ransomware attacks, but these attacks are now part of an organisation’s life. Cyber criminals are now targeting every industry with specialised malware, collecting untold amounts in ransom. Worse, they are developing more and more sophisticated threats. 

This results in organisations losing access to their data, potentially putting their entire business at risk. 

Ransomware is a type of malware which prevents you from accessing your device and the data stored on it, usually by encrypting your files. A criminal group will then demand a ransom in exchange for decryption. 

The probability that an organisation will experience a ransomware attack is rapidly increasing. In the first half of 2021, the FBI's Internet Crime Complaint Center experienced a 62 percent year-over-year surge in reports, with nearly 2100 complaints. 

More than a third of organisations worldwide suffered an attack in 2022, with ransomware attacks occurring roughly every 11 seconds.

Given the potential damage to corporate systems and workflows should a ransomware attack shut down access to data or applications, it is not surprising that many companies elect to pay ransoms. Typical ransom demands range from hundreds of dollars to well into the millions. The average ransom paid is approaching $250,000.

Increasing Ransomware Attacks

Ransomware is the fastest-growing category of cybercrime; it is estimated that there are over 4,000 ransomware attacks every day.
Given the sheer volume of these attacks and the extensive attack-surface connections between organisations and their vendors, there is a high likelihood that some of your employee credentials have already been compromised in a ransomware attack. 

Leaked credentials mean the keys to your corporate network could be immediately published on a ransomware gang’s data leak site. Without a strategy for mitigating ransomware attack success and a process for rapidly detecting compromised employee credentials, your sensitive data is at critical risk of compromise. 

Ransomware is a type of malware that attempts to unlawfully encrypt files on a host computer system.
A ransomware attack occurs when an attacker gains access to an organisation’s computer systems and delivers malicious software into the network. This software, or ‘payload,’ then makes the data unavailable through encryption or deletion. 

Ransomware is often designed to spread from device to device to maximise the number of files it can encrypt.
The ‘ransom’ element comes from the ransom note left by the attacker requesting payment in return for restoring the data. This is usually done by a decryption key that only the attacker can access.

Where personal data is encrypted as the result of a ransomware attack, that constitutes a personal data breach because you have lost timely access to the data.

Different Types of Ransomware

There are many different types of ransomware that malicious actors use to extort ransoms. The traditional types are crypto and locker; two newer types, double extortion and ransomware as a service, have been gaining popularity among malicious actors.

  • Locker blocks access to computers, and attackers require payment to unlock access.
  • Crypto encrypts all or some files on a computer, and attackers require payment before handing over a decryption key.
  • Double extortion occurs when cyber criminals demand one payment to decrypt the files and another not to make them public.
  • Ransomware as a service (RaaS) occurs when cybercriminals can access malicious code for a fee.
  • Scareware attempts to scare users into buying unnecessary software. In some cases, pop-ups will flood the screen, forcing the user to pay to remove them.

Ransomware is often known by its malware strain code names, such as AIDS Trojan, which first appeared 30 years ago. Since then, names such as GPcode, Achievus, Trojan WinLock, Reveton and CryptoLocker have made headlines for the havoc they caused. In the past decade, LockerPIN, Ransom32, WannaCry, Goldeneye and Petya emerged. 

Backup Your Data

Unless you have a backup of the data, you will not usually be able to recover it unless you decide to comply with the attacker’s demand for payment. Even if you decide to pay the ransom fee, there is no guarantee that the attacker will supply the key to allow you to decrypt the files. The computer itself may become locked, or the data on it might be encrypted, stolen or deleted. The attackers may also threaten to leak the data they steal.

Hacking Access:   Attackers gain access to your network. They establish control and plant malicious encryption software.  They may also take copies of your data and threaten to leak it.

Activation:   The malware is activated, locking devices and causing the data across the network to be encrypted, meaning you can no longer access it. 

Ransom Demands:   Usually you will then receive an on-screen notification from the cyber criminal, explaining the ransom and how to make the payment to unlock your computer or regain access to your data. 

Payment is usually demanded via an anonymous web page, usually in a cryptocurrency such as Bitcoin. It is important to establish how the attackers gained access to your network in the first place so that you can prevent future ransomware attacks.
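The activation stage described above leaves a recognisable trace in file-share audit logs: one account renaming or writing many files with an unfamiliar extension within seconds. The following added example (not code from the original guide) scans constructed audit lines for exactly that pattern; the log format, the set of known extensions and the thresholds are assumptions.

```python
"""Heuristic detector for the activation stage described above (added example,
not from the original guide). It scans constructed file-audit log lines
(assumed format: "<ISO timestamp> <user> <action> <path>") and flags any user
who, inside a short window, renames or writes an unusual number of files with an
extension outside the organisation's known set: the audit-log shape of bulk
encryption on a file share."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
import os

# Extensions the organisation expects on its file shares (assumption).
KNOWN_EXTENSIONS = {".xlsx", ".docx", ".pdf", ".txt", ".pptx", ".csv"}

# Constructed sample log: alice works normally, carol renames one file to a
# backup extension, bob's session renames six files to ".lockd" within seconds.
SAMPLE_LOG = """\
2023-03-01T09:00:01 alice WRITE  /srv/share/finance/q1.xlsx
2023-03-01T09:00:40 alice WRITE  /srv/share/finance/notes.docx
2023-03-01T09:10:00 carol RENAME /srv/share/it/old_config.bak
2023-03-01T09:15:00 bob   WRITE  /srv/share/hr/policy.docx
2023-03-01T09:15:01 bob   RENAME /srv/share/hr/policy.docx.lockd
2023-03-01T09:15:02 bob   RENAME /srv/share/hr/salaries.xlsx.lockd
2023-03-01T09:15:02 bob   RENAME /srv/share/hr/handbook.pdf.lockd
2023-03-01T09:15:03 bob   RENAME /srv/share/hr/org_chart.pptx.lockd
2023-03-01T09:15:04 bob   WRITE  /srv/share/hr/README_RESTORE.txt
2023-03-01T09:15:05 bob   RENAME /srv/share/hr/leavers.csv.lockd
2023-03-01T09:15:06 bob   RENAME /srv/share/hr/contracts.docx.lockd
"""


def parse_line(line):
    """Split one audit line into (timestamp, user, action, path)."""
    ts, user, action, path = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), user, action, path


def detect_encryption_bursts(log_text, window_seconds=60, threshold=5):
    """Return one alert per user whose unknown-extension RENAME/WRITE events
    reach `threshold` inside any sliding window of `window_seconds`."""
    window = timedelta(seconds=window_seconds)
    hits = defaultdict(list)  # user -> [(timestamp, extension), ...]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, action, path = parse_line(line)
        ext = os.path.splitext(path)[1].lower()
        if action in ("RENAME", "WRITE") and ext not in KNOWN_EXTENSIONS:
            hits[user].append((ts, ext))

    alerts = []
    for user, events in hits.items():
        events.sort()
        best_count, best_start, start = 0, 0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window start until it spans <= window_seconds
            if end - start + 1 > best_count:
                best_count, best_start = end - start + 1, start
        if best_count >= threshold:
            burst = events[best_start:best_start + best_count]
            top_ext = Counter(ext for _, ext in burst).most_common(1)[0][0]
            alerts.append({"user": user, "count": best_count, "extension": top_ext,
                           "first_seen": burst[0][0].isoformat()})
    return alerts
```

Running `detect_encryption_bursts(SAMPLE_LOG)` flags only bob (six files renamed to `.lockd` in five seconds); carol's single `.bak` rename stays below the threshold, which is the kind of tuning that keeps such a rule usable in a real SOC.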

Ransomware Prevention Practices

Keep All Systems And Software Updated

Always keep your operating system, web browser, antivirus, and any other software you use updated to the latest version available. Malware, viruses, and ransomware are constantly evolving with new variants that can bypass your old security features, so you'll want to make sure everything is patched and up-to-date. Many attackers prey on larger businesses that rely on outdated legacy systems that have not been updated for some time. 

Perhaps the most famous ransomware attack occurred in 2017 when the malicious software WannaCry crippled major corporations around the world. It even forced NHS hospitals in Great Britain, Spanish telecommunications company Telefónica, and Apple chip supplier Taiwan Semiconductor Manufacturing Co. (TSMC) to shut down operations for four days. In total, over 230,000 computers globally were affected. The attack targeted computers with outdated versions of Microsoft Windows. Despite a recently released patch that would have prevented the malware from spreading, many users and organisations were slow to update and, as a result, became victims of the attack. 

Since this incident, security experts worldwide have urged companies to update their systems as soon as possible.

Install Antivirus Software & Firewalls:   Comprehensive antivirus and anti-malware software are the most common ways to defend against ransomware. They can scan, detect, and respond to cyber threats. However, you'll also need to configure your firewall since antivirus software only works at the internal level and can only detect the attack once it is already in the system.

Firewalls are often the first line of defence against incoming external attacks and can protect against both software- and hardware-based attacks. They are essential for any business or private network because they can filter out and block suspicious data packets before they enter the system. Be careful of fake virus detection alerts: many fake alerts pretend to come from your antivirus software, especially via emails or website pop-ups. Do not click on any links until you have verified the alert directly in the antivirus software.

Network Segmentation:   Because ransomware can spread quickly throughout a network, it's important to limit the spread as much as possible in the event of an attack. Implementing network segmentation divides the network into multiple smaller networks so the organisation can isolate the ransomware and prevent it from spreading to other systems. Each individual subsystem should have its own security controls, firewalls, and unique access to prevent ransomware from reaching the target data. 

Not only will segmented access prevent the spread to the main network, but it will also give the security team more time to identify, isolate, and remove the threat.

Email Protection:   Historically, email phishing attacks have been the leading cause of malware infections. In 2020, 54% of managed service providers (MSPs) reported phishing as the top ransomware delivery method. Another report, released by the Federal Bureau of Investigation (FBI), listed phishing scams as the top cybercrime in 2020, resulting in over $4.2 billion in loss or theft. There are a couple of different ways that ransomware can infect a user through email:

  • Downloading suspicious email attachments
  • Clicking on links that lead to infected websites
  • Social engineering, which is aimed at tricking users into exposing sensitive information

In addition to antivirus software, you can take additional precautions by using practices or technologies, including:

  • Don't open emails from unknown senders - Avoid clicking on attachments, files, or links from unknown addresses or unauthorised sources.
  • Keep email client apps updated - Don't allow cybercriminals to take advantage of security vulnerabilities from out-of-date technology.
  • Sender Policy Framework (SPF) - An email authentication technique that designates the specific mail servers permitted to send outgoing messages for a domain.
  • DomainKeys Identified Mail (DKIM) - Adds a digital signature, checked against the domain's published public key, to verify the email was not spoofed, forged, or altered.
  • Domain-based Message Authentication, Reporting & Conformance (DMARC) - Further authenticates emails by requiring the SPF and DKIM results to match the sender's visible From domain, and tells receiving servers how to treat mail that fails.

Application Whitelisting:   Whitelisting determines which applications can be downloaded and executed on a network. Any unauthorised programme or website that is not whitelisted will be restricted or blocked in case an employee or user accidentally downloads an infected programme or visits a corrupted site. Using whitelisting software such as Windows AppLocker, you can also "blacklist" or block specific programmes and websites.

Endpoint Security:   Endpoint security should be a priority for growing businesses. As businesses begin to expand and the number of end-users increases, this creates more endpoints (laptops, smartphones, servers, etc.) that need to be secured. Each remote endpoint creates a potential opportunity for criminals to access private information or, worse, the main network.

Whether you're running your business from home or working as part of a larger company, look to install endpoint protection platforms (EPP) or endpoint detection and response (EDR) for all network users. These technologies allow system administrators to monitor and manage security for each remote device. EDR is slightly more advanced than EPP, focusing on responding to and countering immediate threats that have infiltrated the network.

EPPs and EDRs typically include a suite of protection tools, including:

  • Antivirus & anti-malware
  • Data encryption
  • Data loss prevention
  • Intrusion detection
  • Web browser security
  • Mobile & desktop security
  • Network assessments for security teams
  • Real-time security alerts and notifications

Limit User Access Privileges:   Another way to protect your network and systems is limiting user access and permissions to only the data they need to work. This idea of least privilege limits who can access essential data. By doing so, you can prevent ransomware from spreading between systems within a company. Even with access, users may encounter limited functions or resources. 

Least privilege typically involves a zero trust model that assumes no internal or external user can be trusted by default, which means that they will require identity verification at every level of access. Verification usually requires two-factor or multi-factor authentication to prevent access to target data should a breach occur.

Run Regular Security Testing:   Implementing new security measures should be a never-ending task. As ransomware tactics continue to evolve, companies need to run regular cyber security tests and assessments to adapt to changing environments. Companies should continually: 

  • Re-evaluate user privileges and access points
  • Identify new system vulnerabilities
  • Create new security protocols

Sandbox testing is a common strategy to test malicious code against current software in an isolated environment to determine if security protocols are sufficient.

Security Awareness Training:   Because end-users and employees are the most common gateway for cyber attacks, one of the most important forms of training a company can provide is security awareness training. Phishing and social engineering tactics can easily take advantage of unsuspecting, ill-equipped users.

Even basic cybersecurity knowledge can greatly reduce, and even prevent, attacks at the source. Some basic security training practices to provide are: 

  • Safe web surfing
  • Creating strong, secure passwords
  • Using secure VPNs (no public Wi-Fi)
  • Recognising suspicious emails or attachments
  • Maintaining updated systems and software
  • Confidentiality training
  • Providing an emergency reporting channel for suspicious activity

Should You Pay The Ransom?

Law enforcement does not encourage, endorse or condone the payment of ransom demands. If you do pay the ransom:   

  • There is no guarantee that you will get access to your data or computer
  • Your computer will still be infected
  • You will be paying criminal groups
  • You're more likely to be targeted in future

For this reason, it is important that you always have a recent offline backup of your most important files and data.

Prevent & Protect Against Ransomware

Attackers will likely threaten to publish data if payment is not made. To counter this, you should take measures to minimise the impact of data theft. Employees are the primary attack vector for ransomware: poor password hygiene, overly permissive access policies, and susceptibility to phishing scams remain the primary source of most attacks. 

These scams expand an organisation's attack surface, making it easy for cyber criminals to insert ransomware files. Unfortunately, many organisations enable these bad practices because they fear employee complaints if they institute stricter policies.

Organisations must properly train their employees to be vigilant for the signs of an attack and to defend against attacks proactively. 

For example, keeping employees from clicking on links in suspicious emails (e.g., ones with odd capitalisation or misspellings) can go a long way towards a better security posture. Just as importantly, organisations must make their employees understand the need for strict security policies. While employees may find it inconvenient to use strong passwords that they must change frequently, it would be far more inconvenient if they suddenly cannot do their work due to a successful attack. 

You should also consider the rights and freedoms of individuals in totality. For example:  

  • Does the lack of availability impact on any individual rights, such as right of access to the personal data?
  • Have individuals lost control of their personal data?
  • Can you restore the personal data in a timely manner? If not, what does this mean for individuals?
  • To what degree was the personal data exposed to unauthorised actors and what are their likely motivations?
  • How confident are you in your detection and monitoring controls? Could you have detected personal data being uploaded if it had occurred? 

If you do not have appropriate logs to make an informed decision, it may be helpful to determine if the attacker had the means, motivation and opportunity to exfiltrate the data. You can then use this assessment to make a risk-based decision.

Cyber Insurance

In a world where cyber threats are varied (and constantly changing), cyber insurance can help your organisation to get back on its feet, should something cyber-related go wrong. Managing cyber incidents, such as ransomware or data breaches, may require in-depth technical knowledge. 

As well as minimising business disruption and providing financial protection during an incident, cyber insurance may help with any legal and regulatory actions after an incident.

However, before considering any cyber insurance, you can help protect your organisation by ensuring you have fundamental cyber security safeguards in place, such as those certified by Cyber Essentials.
