Understanding Ransomware and How to Prevent It
Ransomware is one of the fastest-growing and most dangerous threats to organisational and individual data security, and it’s essential that all businesses have barriers in place to prevent these attacks. Here’s a useful guide to what ransomware is and how your organisation can prevent it.
What is Ransomware?
This is a malicious software attack that blocks you out of your computer system or network until an amount of money is paid to the attackers to unblock the system. It essentially holds you and your organisation to ransom. These types of attacks started by targeting individuals, but has moved on to higher-value targets like businesses and even branches of government.
Some examples of ransomware attacks include:
- The NHS – In May 2017, hospitals in the United Kingdom’s NHS were hit with WanaCrypt0r 2.0, which spread using EternalBlue (an exploit developed by the US National Security Agency that targets a vulnerability in older Windows systems). In the end, the attack affected around 200,000 computers in 150 countries, causing damages estimated at up to billions of dollars, compromising healthcare and patient safety, and leaving sensitive information open to misuse. It is so far the biggest ransomware attack in history.
- City of Atlanta, USA – In March 2018, City of Atlanta officials reported that ransomware had taken down several public portals, including bill payment applications, with attackers demanding US$51,000 to release the system. The mayor refused, and estimates for recovering the system were reported to be at least US$17 million.
- Ryuk – Currently one of the biggest ransomware threats, Ryuk is spread through malicious emails and phishing attacks, with ransom demands for some systems exceeding US$300,000. It has hit newspaper operations, engineering companies and legal firms, and according to the FBI has caused more than US$60 million in damage worldwide across combined attacks.
While these numbers and events are frightening, the real cost of ransomware is not usually the ransom that attackers demand. Instead, the real cost for organisations lies in:
- Loss and damage to data
- Operational downtime and lost productivity
- Lasting disruption post-attack
- Damage to their reputation
- Increased insurance as a result of attacks
- Expensive forensic investigations
- Restoration of lost or damaged data
- Compliance and regulatory fines resulting from the findings of the forensic investigation
How is Ransomware Spread?
Ransomware is spread through well-known attack vectors such as phishing emails, compromised remote desktop protocols and vulnerabilities in software. Once a victim is deceived into running the ransomware file on their computer, the entire system becomes vulnerable. The malware searches the infected computer for files and starts identifying which ones are important. It may even lie dormant for a long time while it studies internal communications and files. These files are then encrypted – and only the attackers have the key.
Only once the system is encrypted is the victim informed – usually with demands and instructions on how to pay the attackers in Bitcoin. The attackers promise to deliver instructions for restoring the system once payment is made, but this doesn’t always happen.
As our organisations and cities become more digitised, and as we move onto cloud-based systems, our risk of contracting ransomware increases. There are countless variants, including:
- WannaCry – This attack wasn’t only the biggest, it was also the most unnecessary. Microsoft had already released a patch for the vulnerability it exploited – all users had to do was install the patch when it came out.
- CryptoLocker – Using a domain generation algorithm, this ransomware produces thousands of domain names in order to locate and connect to its command-and-control servers.
- Bad Rabbit – This is known as a drive-by attack, in which insecure but legitimate websites are compromised. All the victim has to do is visit and browse that website, downloading a file that looks legitimate but contains the malware.
- KillDisk – This ransomware encrypts local hard drives and network-mapped folders, including Linux workstations and servers.
Prevention is Better Than a Cure
As you will have picked up from this article, once a system or computer is infected with ransomware there really isn’t much you can do. It is almost impossible to decrypt locked files without the key, and the best you can hope for is to limit the damage and accept the losses, or to pay the ransom and hope the attackers provide the key. Prevention and disaster recovery solutions are therefore essential, including:
- Active monitoring – Your IT partner should be actively monitoring your systems for ransomware and other types of malware, scanning for unusual behaviour and picking up on attacks before computers become infected. These anti-malware solutions must be kept up to date.
- Creating awareness – The majority of ransomware attacks rely on human error, so it’s critical to teach your staff, across the board, how to recognise potential attacks, spot threats, and report suspicious communications. Have a policy in place that tells them exactly who to contact and what to do in the event of suspicious activity or an attack.
- Update systems – System updates often contain the latest security patches and protections as the nature of these threats evolves. Attackers are always looking for new ways in, and your software providers are looking for new ways to counter them. This is no guarantee, but it is effective against most attacks.
- Backup and recovery – With a properly configured backup and recovery solution, you can restore your system without paying the ransom. This system should be regularly tested, and backups should happen on a regular basis.
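As an added illustration of the kind of behavioural monitoring described under "Active monitoring" above (this is example code written for this page, not Otto IT's tooling or anything from the original article): a small Python heuristic run over constructed file-system audit events that flags a process which renames many files to a new extension within a short window, or which drops a ransom-note-like file. The event format, thresholds, process names and note-name pattern are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit events (tab-separated: time, process, op, path[, new_path]).
# They are made up for this example, not taken from any real incident.
SAMPLE_EVENTS = """\
2024-01-01T09:00:00\twinword.exe\tWRITE\tC:\\Docs\\report.docx
2024-01-01T09:00:05\texplorer.exe\tRENAME\tC:\\Docs\\old.txt\tC:\\Docs\\notes.txt
2024-01-01T09:01:00\tupdater.exe\tRENAME\tC:\\Docs\\q1.xlsx\tC:\\Docs\\q1.xlsx.locked
2024-01-01T09:01:01\tupdater.exe\tRENAME\tC:\\Docs\\q2.xlsx\tC:\\Docs\\q2.xlsx.locked
2024-01-01T09:01:01\tupdater.exe\tRENAME\tC:\\Docs\\plan.docx\tC:\\Docs\\plan.docx.locked
2024-01-01T09:01:02\tupdater.exe\tRENAME\tC:\\Docs\\budget.pdf\tC:\\Docs\\budget.pdf.locked
2024-01-01T09:01:03\tupdater.exe\tCREATE\tC:\\Docs\\HOW_TO_RECOVER_FILES.txt
2024-01-01T09:30:00\tbackup.exe\tRENAME\tC:\\Backups\\db.bak\tC:\\Backups\\db.bak.old
"""

WINDOW = timedelta(seconds=60)   # sliding window for the rename burst (assumed)
RENAME_THRESHOLD = 4             # extension-changing renames per process per window (assumed)
# Assumed pattern for ransom-note file names; real detections use curated lists.
NOTE_PATTERN = re.compile(r"(decrypt|recover|restore|ransom).*\.(txt|html?)$", re.I)

def parse(text):
    """Turn the tab-separated audit lines into (time, process, op, path, new_path) tuples."""
    events = []
    for line in text.splitlines():
        fields = line.split("\t")
        ts = datetime.fromisoformat(fields[0])
        new_path = fields[4] if len(fields) > 4 else None
        events.append((ts, fields[1], fields[2], fields[3], new_path))
    return events

def detect(events):
    """Return a sorted list of (process, reason) alerts for ransomware-like behaviour."""
    alerts = set()
    renames = defaultdict(list)  # process -> times of extension-changing renames in window
    for ts, proc, op, path, new_path in sorted(events, key=lambda e: e[0]):
        if op == "RENAME" and new_path:
            old_ext = path.rsplit(".", 1)[-1].lower()
            new_ext = new_path.rsplit(".", 1)[-1].lower()
            if old_ext != new_ext:          # normal renames keep the extension
                times = renames[proc]
                times.append(ts)
                while times and ts - times[0] > WINDOW:   # drop renames outside window
                    times.pop(0)
                if len(times) >= RENAME_THRESHOLD:
                    alerts.add((proc, "mass extension change"))
        elif op == "CREATE" and NOTE_PATTERN.search(path.rsplit("\\", 1)[-1]):
            alerts.add((proc, "ransom-note-like file created"))
    return sorted(alerts)

if __name__ == "__main__":
    for proc, reason in detect(parse(SAMPLE_EVENTS)):
        print(f"ALERT {proc}: {reason}")
```

In the constructed sample only the fictitious updater.exe trips both rules; the single backup.exe rename and the extension-preserving explorer.exe rename stay below the threshold.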
An experienced IT security provider like Otto IT has the experience, expertise and solutions in place to provide clients with comprehensive security against malware and ransomware attacks. For more information, please contact us today.