What is Ransomware?
There are many types of malware floating around, one of them being ransomware. Ransomware is malware that encrypts the files on your workstations and servers. Without access to your files, your business is dead in the water.
How Ransomware Infects Your Systems
Ransomware can gain access to your computer using one of a number of common techniques.
- Illegally downloading music and films. Often the downloads are seeded with malware.
- Phishing emails. Scam emails that try to lure the victim into visiting a fraudulent website or to open a malicious, infected attachment.
- Exploiting perimeter weaknesses. For example, Remote Desktop Protocol (RDP) is a technology that allows staff to access the IT facilities at the office when they’re either at home or on the road. Vulnerabilities in RDP implementations have been discovered in the past, and these vulnerabilities have been duly exploited and used to spread ransomware.
The Size of the Problem
Exploiting RDP vulnerabilities is one of the techniques that the NotPetya ransomware uses. NotPetya is probably the most globally harmful example of ransomware yet seen. In 2017 it crippled companies across the globe, from SMEs to giant corporations.
A. P. Moeller-Maersk is the world’s largest container ship and supply vessel operator. They have other interests, such as supply chain management, operating ports, and drilling for oil. But on 27 June 2017, over the space of about four hours, they lost operational capability in 130 countries. Maersk didn’t pay the ransom. They had the reserves to be able to roll out new laptops, computers, servers, and IP-based telephony systems and to rebuild their systems.
The final price tag was in excess of £300 million.
Norsk Hydro lost practically all ability to manufacture aluminum because of an infection of the LockerGoga ransomware. They, too, refused to pay the ransom and ended up footing a bill in excess of $40 million. Spanish food giant Mondelez was also hit by NotPetya in 2017 and suffered losses and damages of $100 million.
It’s worth mentioning that cyber insurance is designed to cover the costs of dealing with a security incident, such as bringing in specialist incident handling teams, replacing hardware, cleansing compromised systems, handling the media, and running hotlines for affected data subjects. Such policies don’t usually cover damages from loss of trading.
And as Mondelez has found out, if the incident is classed as “cyber warfare,” the insurers can trot out the “act of war” exemption and not pay anything at all. The UK, the US, Australia, and Canada have all examined the source code of NotPetya and attributed it to the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (the GU), the military intelligence service of the Russian Federation.
These are the big headline-worthy victims. There were untold numbers of small to medium enterprises, small organizations, and corporate entities that were affected by NotPetya. And this is just one strain of ransomware.
The KeRanger ransomware, released in 2016, was the first seen that was specifically designed to attack Macs. Mobile devices and cell phones are at risk too. The ransomware completely locks you out of the device and won’t let you back in until the ransom has been paid.
Most cell phone infections are the result of installing malicious apps.
What Does Ransomware Do?
All ransomware causes (or mimics) a problem and demands payment to remove the problem. As with all malware, there are different levels of sophistication displayed by this class of malware.
What are the Types of Ransomware?
With scareware, a message pops up declaring you have something wrong with your computer, or it is infected, or hackers have hacked into your computer. You are told that to correct the issue, you must pay the ransom and that if you do so, the computer will be disinfected, and the hackers will leave you alone. Sometimes these messages masquerade as IT or tech support packages, or even Microsoft support.
Your files are not affected by this type of attack. If the computer can be disinfected to remove the pop-up message, it will return to normal operation.
Screen lockers, the next type, put up a full-screen window that you can’t bypass and can’t close. The message it displays is a variation of some common themes.
- You have been hit by ransomware, pay the ransom. Plain and simple.
- The FBI or another law enforcement agency has detected illegal downloads, pirated software, criminal pornography, etc., on your computer. Pay the fine to restore your machine to a working condition. Of course, if any of these were true, due process would be followed, and you’d get a knock on the door, not a message on your laptop.
Encrypting ransomware is the real deal. These really do encrypt your files. Often they sit in your network for weeks before triggering to ensure they have infected as many computers as possible. They wait until mobile staff are likely to have visited the head office so that their laptops can be infected too. By waiting like this, the ransomware will have been included in your backups.
If you decide to rebuild your systems instead of paying the ransom, you’ll restore the infection along with your data. It will trigger again in a few weeks.
A common control technique is for the ransomware to gather information and send it back to command and control servers. It is in these servers that the intelligence lies. The ransomware itself is pretty dumb. It reports back to base, receives new instructions from the automated software on the server, and acts on those instructions. This cycle repeats.
However, there have been a few cases where the remote intelligence wasn’t a command and control server, it was a human being. Steering the malware like a remote drone, the threat actor made sure over a period of weeks that they had infected all of the IT infrastructure, local backups, and off-site backups before they triggered the encryption.
Who are the Common Ransomware Targets?
Some attacks are targeted, and others are random infections from phishing emails sent out to millions of email addresses to infect as many victims as possible.
- The 2019 attacks on the essential services of cities such as Baltimore, MD, Riviera Beach, FL, Wilmer, TX, and New Bedford, MA, were targeted, researched, and designed to be as impactful as possible.
- Hospitals are frequently targeted because, with lives in the balance, systems must be restored as fast as possible. Hospitals often pay the ransom.
- Another sector commonly targeted is the financial sector, simply because they have the funds to afford tremendous ransoms.
However, most attacks hit victims that the threat actors don’t even know exist – until the ransomware triggers.
How to Protect Yourself Against Ransomware
These steps are cyber security best practices and should be adopted and followed as the norm.
- Keep all of your workstation, laptop, and server operating systems patched and up-to-date. This reduces the number of vulnerabilities your systems harbor. The fewer vulnerabilities, the fewer possible exploits.
- Don’t use administrative privileges for anything other than administration. Don’t give programs and processes administrative privileges either.
- Install centrally managed end-point protection software, which includes antivirus and antimalware functionality, and keep it up-to-date. Make sure users are unable to refuse or defer signature updates.
- Make frequent backups to different media, including off-site backups. This won’t prevent infection, but it will aid in recovery. Regularly test your backups.
- Create a disaster recovery plan, get senior buy-in, and implement everything you can to increase the ability of your business to function if you are stricken by an attack.
- Create a cyber incident handling policy, and rehearse it.
- Provide cyber awareness training for your staff. If they find an unidentified memory stick in the car park at lunchtime, are they going to plug it into one of your computers straight after lunch? Will they know not to open unsolicited email attachments? Are they working in a diligent and cautious way, and do you foster a security-minded culture?
Should You Pay the Ransom?
Most law enforcement and government agencies involved in cyber security advise you not to pay the ransom and urge you to report the attack. Paying the ransom means the threat actors are encouraged to continue their attacks. If no one pays them, the theory goes, ransomware will be pointless and will die out.
In the heat of the moment, when you’re trying to weigh up the cost of the ransom versus the costs associated with not paying the ransom, it’s a tough call. You have to consider the overall price of cleansing or replacing equipment, rebuilding and restoring your line-of-business systems, and the loss of revenue while you do so.
Few organizations have the financial clout to weather an attack the way Maersk did.
Sometimes it is the fear – and cost – of the reputational damage that drives companies to pay the ransom. They wish to protect their standing in the eyes of clients and the wider marketplace by putting the short hiatus down to some technical issues.
It’s worth pointing out that there are cases where the ransom was paid, but it still took over a month for the key to be delivered to the victim. There’s no feasible way to keep that quiet.
It’s difficult to put a figure on it, but estimates suggest that 65 percent of ransomware attacks are not reported, and the ransoms are paid. Ransoms of over $5 million have been seen, but in nearly all cases, the ransoms are pitched much lower. This makes them affordable to the average SME and cheaper than the costs associated with not paying the ransom.
Some ransomware is even geographically-aware and adjusts its price according to the economy of the country of the victim.
And the big question is, do you get your data back?
Estimates say that in 65 to 70 percent of cases, the data is decrypted successfully. Sometimes the decryption routines haven’t even been written – the threat actors take the money and run. You’re dealing with criminals, after all. But that sort of ransomware has a short shelf life.
Once word gets around that you’re not going to get your data back, no one is going to pay the ransom. So it makes economic sense for the threat actors to decrypt the victim’s files whenever they can.
Sometimes the decryption routines simply don’t work. All software is prone to bugs. The threat actors devote more development time and effort to the infection, replication, and encryption routines than to the decryption routines. They may have intended them to work, but they sometimes don’t.
It’s easy to take the moral high ground and say don’t pay; it’s something else to be in the middle of an incident that could bring your business down and not be tempted by the “easy” way out.
As the saying goes, I’m not a doctor, but I do know prevention is better than a cure.