How to Prevent or Recover From an Attack
It’s already late at night. Perhaps you checked your email on your laptop “one last time.” But, there is something wrong.
It is slow. Files won’t open.
The phone rings. It’s your IT team. You hear the words you prayed to the IT gods not to hear: “We’ve been compromised.”
Your laptop is there in black and red, as you look down at it.
Ransomware has infected you. You have lots of company.
This article was first published in April 2019 and then updated in October 2020. Ransomware has become increasingly common since then. This post has been updated to reflect current ransomware trends and help businesses and individuals protect their data.
In 2020, the FBI’s Internet Crime Complaint Center received 2,474 ransomware complaints, and those are just the ones that got reported. Cybersecurity Ventures expects that businesses will fall victim to a ransomware attack every 11 seconds in 2021, up from every 14 seconds in 2019, and every 40 seconds in 2016.
Ransomware attacks have become more common and more dangerous over the years. Ransomware attacks on corporate networks can cost companies thousands to even millions of dollars. In 2020, the total number of global ransomware reports increased by 485% year-over-year, according to Bitdefender’s latest Threat Landscape Report 2020.
The trend is compounded by the fact that more people work remotely due to the ongoing global pandemic. Cybercriminals take advantage of this opportunity to attack those working outside the corporate firewall. Scams and phishing attempts on all platforms increased, indicating that attackers used COVID-19 issues to exploit fear and misinformation. Bitdefender observed that attacks were focused on COVID-19-related messaging in the first half of 2020, before moving to impersonate banking, delivery, and travel services in the second half.
Ransom payments are reaching new heights. Attempts have gone as high as $50 million, the largest attempted ransom ever. Many companies refused to pay the ransom due to the astronomical demands. Cover’s Q4 2020 Quarterly Ransomware Report noted that average payments decreased 34% to $154,108 from $233,817 in Q3 of 2020. The decrease is due to decreasing trust that hackers will not delete sensitive data. Many reports have been released after payments have been made.
Ransomware can affect all industries: tech, healthcare, oil and gas, higher education, and more. Cover found that ransomware was most prevalent in the healthcare sector, followed closely by public and private sectors, even during a global pandemic. If there is an expectation that a business’ mission and/or service to the globe might deter malicious actors then that assumption should be left in the past.
Ransomware is still a serious threat to all businesses, but it has been particularly damaging to those in education and healthcare. In 2020, 1,681 schools were affected by ransomware as well as 560 healthcare facilities according to a report from Emsisoft, a security solutions provider.
In March of 2021, attackers demanded an astronomical $40 million from Broward County Public Schools, the nation’s sixth-largest school district. In August and September of 2020, 57% of ransomware attacks reported to the federal Multi-State Information Sharing and Analysis Center involved schools, compared to 28% of all reported ransomware incidents from January through July.
Hackers have an easy target in the education sector, particularly since schools with tight budgets and old IT equipment experienced unprecedented levels of IT-reliant remote learning. Schools store sensitive student data that they are vested in protecting. This makes them more likely than others to pay ransoms and have their data made public.
In healthcare, since 2016, 270 ransomware attacks have targeted 2,100 clinics, hospitals, and other health-related businesses, with an estimated overall cost of $31 million.
Attacks on the healthcare system and the public sector can cause serious problems. Fabian Wosar, Emsisoft’s CTO, stated that “ransomware-related deaths were not reported in the United States last year.” Before that luck runs out, and lives are lost, security must be strengthened across the public sector.
Understanding ransomware and how to protect your company or organization from it is the first step to bolstering security. Learn how to protect yourself against ransomware.
What is Ransomware?
Ransomware is typically spread via spam, phishing email, and social engineering. To infect an endpoint or penetrate the network, it can also be spread via drive-by downloads and websites. There are many ways that technology can be infected. Infection methods change constantly. See section 6, “How to Prevent Ransomware Attacks”. Ransomware locks files that it can access with strong encryption once it is in place. The malware then demands payment in Bitcoin to unlock the files and restore normal operations to affected IT systems.
Cryptoware, or encryption ransomware, is the most popular type of ransomware. You might also encounter the following types:
- Non-encrypting ransomware (or lock screens), which restricts access to files but does not encrypt them.
- Ransomware that encrypts the Master Boot Record (MBR) of a drive (or Microsoft’s NTFS) to prevent victims’ computers from being booted in a live OS environment.
- Extortionware, also known as leakware, is a program that steals sensitive or harmful data and threatens to release it if the ransom is not paid.
- Ransomware for mobile devices (infects cell phones through drive-by downloading or fake applications).
The Latest Trends in Malware
Social distancing has allowed people to shop online, work from home, and learn in new ways over the past year. This increase in online activity has created more security threats, with the targets being government and healthcare institutions. Cybercriminals don’t seem to be deterred, even though these institutions are vital during a pandemic. They are constantly evolving their attack strategy, focusing on the areas that offer the best payback with the least effort.
Cybercriminals are no longer required to be extremely savvy to launch an attack, thanks to ransomware as a service (RaaS). Cybercriminals can find affiliate software through the dark web, where they get a cut of the profits. Oleg Skulkin, the Lead Digital Forensics Specialist at Group-IB, a cybersecurity firm, shared with ZDNet that, “Affiliate programs make this kind of attack more attractive for cybercriminals. These attacks have become so popular that almost all companies, no matter their size or industry, are potential victims.”
It’s not a question of “When will the next ransomware strike occur?”, but “Has there been a breach already today?” There is no evidence that ransomware attacks are slowing down, so companies should be prepared. Organizations large and small should understand the importance of having backups and being secure.
Steps in a Ransomware Attack
These are the typical steps in a ransomware attack:
- 1. Infection: Once it is delivered to the system via email attachments, phishing emails, infected applications, or any other method, ransomware takes over the endpoint and all network devices it can access.
- 2. Secure Key Exchange: The ransomware contacts the command-and-control server operated by the cybercriminals behind the attack to generate the cryptographic keys that will be used on the local system.
- 3. Encryption: The ransomware begins to encrypt any files it finds on local computers and the network.
- 4. Extortion: After encryption is complete, the ransomware displays instructions for extortion and ransom payment, threatening that data will be destroyed if payment is not made.
- 5. Unlocking: Organizations have two options. They can pay the ransom to the cybercriminals and hope they decrypt the files. Or, they can try to recover the files by deleting infected files from the network and restoring data using clean backups. Unfortunately, negotiating with cybercriminals is often a lost cause, as a recent report found that 42% of organizations who paid a ransom did not get their files decrypted.
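For defenders, the encryption stage (step 3) is the loudest point in the sequence above: one process rewrites many files with high-entropy output in a short time. The following Python is an added example, not part of the original article; the event tuple format, PIDs, paths and thresholds are assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter, defaultdict

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, about 4-5 for English text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def detect_encryption_burst(events, window=10.0, min_files=3, threshold=7.5):
    """Return PIDs that wrote high-entropy content to >= min_files distinct
    files inside any `window`-second span. Compressed formats (zip, jpg) are
    high-entropy too, so the burst, not entropy alone, is the signal."""
    hits = defaultdict(list)  # pid -> [(time, path)] of high-entropy writes
    for ts, pid, path, sample in sorted(events, key=lambda e: e[0]):
        if shannon_entropy(sample) >= threshold:
            hits[pid].append((ts, path))
    flagged = set()
    for pid, writes in hits.items():
        start = 0
        for end in range(len(writes)):
            # Shrink the window from the left until it spans <= `window` s.
            while writes[end][0] - writes[start][0] > window:
                start += 1
            if len({p for _, p in writes[start:end + 1]}) >= min_files:
                flagged.add(pid)
                break
    return flagged

def pseudo_ciphertext(seed: int, size: int = 4096) -> bytes:
    """Constructed stand-in for encrypted output: concatenated SHA-256 digests."""
    digests = (hashlib.sha256(f"{seed}:{i}".encode()).digest()
               for i in range(size // 32 + 1))
    return b"".join(digests)[:size]

# Constructed sample events: (unix_time, pid, path, first bytes written).
TEXT = b"Quarterly budget notes for the finance team. " * 90
SAMPLE_EVENTS = [
    (100.0, 4321, "/home/a/report.docx", pseudo_ciphertext(1)),
    (101.2, 4321, "/home/a/budget.xlsx", pseudo_ciphertext(2)),
    (102.5, 4321, "/home/a/photo.png", pseudo_ciphertext(3)),
    (103.0, 977, "/home/a/notes.txt", TEXT),             # plain-text write
    (400.0, 977, "/home/a/backup.zip", pseudo_ciphertext(4)),  # lone archive
]

if __name__ == "__main__":
    print(sorted(detect_encryption_burst(SAMPLE_EVENTS)))
```

PID 977 writes one high-entropy archive and is not flagged, which is why the rule keys on a burst across distinct files rather than on entropy by itself.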
Who gets attacked?
Ransomware attacks can affect all businesses, regardless of size. Approximately 5% of the top 10 industries have been targeted. Attacks on all sizes of businesses and every sector are increasing.
Also, the phishing attempt that targeted the World Health Organization (WHO), though unsuccessful, proves that attackers show no sense of “out of bounds” targets when it comes to choosing their victims. These attacks show that weaker controls and undeveloped IT systems can lead to data breaches.
The United States ranks highest in ransomware attacks. France and Germany are close behind. Windows computers are the most common targets. However, ransomware strains for Macintosh or Linux are also available.
Ransomware is so common that most companies will be affected by it at some point. The best they can do is to be prepared and understand the best ways to minimize the impact of ransomware.
Phishing emails, malicious email attachments, and visiting compromised websites have been common vehicles of infection (we wrote about phishing in “Top 10 Ways to Protect Yourself Against Phishing Attacks”), but other methods have become more common recently. Cryptoworms have been spreading because of weaknesses in Microsoft’s Server Message Block (SMB) and Remote Desktop Protocol (RDP). Infected desktop applications, including an accounting package, and even Microsoft Office (via Microsoft’s Dynamic Data Exchange, DDE) have been used as agents.
Ransomware strains like WannaCry, CryptoLocker, and Petya have recently included worms that spread themselves across networks. This earned them the nickname “cryptoworms.”