CrowdStrike Ransomware Protection

What are Ransomware Attacks?

Ransomware is most often distributed today through targeted phishing emails and social engineering schemes. In the typical case, the victim clicks a malicious link or opens a malicious attachment, and that action installs the ransomware on their device.

Once on a device, ransomware immediately begins encrypting files on the infected system and any reachable shares. Encrypted files cannot be unlocked without the decryption key, which only the attacker holds. To obtain it, the victim must follow the instructions in the ransom note, which usually explain how to pay the attacker in Bitcoin.

Threat actors believe that individuals and enterprises will be so desperate to regain timely access to their data that they will pay a large ransom to obtain the decryption keys necessary to unlock it.

Ransom letter demanding payment in bitcoin

Different types of Ransomware

Encrypting Ransomware – This ransomware systematically encrypts files stored on the system’s hard disk. Without the attacker’s key, the files are practically impossible to decrypt, so the only route to the data is paying the ransom or restoring from backups. Bitcoin and MoneyPak have been used to collect the ransom.

Screen Lockers – Lockers completely lock the user out of the computer, so neither files nor applications can be accessed. The ransom demand is displayed on the lock screen, sometimes with a countdown clock that increases urgency and drives victims to act.

Fearware (also called scareware) – Fearware uses pop-ups to convince victims that their machine is infected, then directs them to download fake “fixes” that are themselves malicious.

Malvertising – Not a ransomware family but a delivery technique: malicious code is injected into legitimate digital ads so that viewing or clicking the ad leads to infection.

Ransomware: History

The First Attack: By the late 1980s criminals were already holding files hostage in exchange for cash sent through the post. The first documented ransomware, the AIDS Trojan (also known as the PC Cyborg virus), was distributed on floppy disks in 1989.

Monetization: Ransomware criminals came to see cryptocurrency as the way to collect the payments they were after. Bitcoin gave adversaries near-instant payment and a degree of anonymity.

CryptoLocker Appears: In 2013 this ransomware combined Bitcoin payments with strong encryption. It used a 2048-bit RSA key pair generated on a command-and-control server: the public key was delivered to the infected machine and used to encrypt the victim’s files, while the private key needed for decryption never left the attackers. Victims were asked to pay around $300 for the key.

The Advent of Big Game Hunting: Ransomware operators shifted away from the “spray-and-pray” attacks that had dominated ransomware and instead focused on “big game hunting” (BGH). BGH combines ransomware with the tactics, techniques, and procedures (TTPs) common in targeted attacks against larger organizations.

Who is Ransomware aimed at?

Ransomware can target organizations of any size. While big game hunting is increasing, ransomware is often directed at smaller and medium-sized organizations, as well as state and local governments, who are more susceptible to attacks.

Small businesses are targeted for several reasons: money, intellectual property (IP), customer data, and access. Access may be the primary driver, because a compromised SMB can be used as a stepping stone into a larger parent company or into the supply chain of a larger target.

Ransomware attacks against small businesses exploit both challenges unique to smaller organizations and the universal challenge shared with larger ones: the human component. While larger companies are expected to issue work computers, it is not uncommon for smaller ones to let employees use their own.

These devices are used both for work, such as accessing and storing confidential documents, and for personal activities like browsing and searching, so they accumulate a great deal of personal and business information: credit card details, personal photos, and data from social media accounts.

Universities, for example, often have smaller security teams and a great deal of file sharing, which makes their defenses easier to penetrate. Medical organizations may be targeted because they need immediate access to their data; with patients’ lives at risk, they may pay the ransom right away. Due to the sensitive nature of their data, law firms and financial institutions may be more likely to pay the ransom and to keep the incident quiet to avoid negative publicity.

Targeted Industries During COVID-19

Ransomware actors have taken advantage of certain industries during the global pandemic, with healthcare organizations among their main targets. The 2021 CrowdStrike Global Threat Report shows that more than 100 healthcare organizations were targeted by big game hunters during COVID-19.

This comes as a surprise after big game hunters such as TWISTED SPIDER claimed they would not attack medical institutions until the pandemic was over. In fact, TWISTED SPIDER was responsible for at least 26 successful healthcare ransomware infections with its Maze and Egregor families.

Another notable trend is the rise of data extortion, in which attackers steal data before encrypting it and threaten to publish it. CrowdStrike’s Ransomware in 2020 infographic summarizes this trend, and the 2021 CrowdStrike Global Threat Report records 1,430 data extortion attacks detected by CrowdStrike Intelligence. Broken down by industry:

In 2020, 229 data extortion incidents hit the engineering and industrial sectors. Manufacturing (228 incidents), retail (142 incidents), technology (135 incidents), and healthcare (97 incidents) followed.

Targeted countries during COVID-19

The 2020 CrowdStrike Global Security Attitude Survey found that the following countries were most affected by ransomware attacks in 2020.

India led, with 74% of respondents reporting at least one ransomware attack in 2020. Australia (67%), France (60%), Germany (59%), and the U.S. (58%) followed closely.

Data extortion is concentrated in North America. CrowdStrike Intelligence, as reported in the 2021 CrowdStrike Global Threat Report, identified 947 incidents in that region, about 177% more than second-place Europe (342 incidents).

Similar trends are expected for 2021: 72% of cybersecurity experts surveyed in the 2020 CrowdStrike Global Security Attitude Survey said they are more concerned about ransomware attacks because of COVID-19.

Do You Have to Pay the Ransom?

The FBI does not support paying a ransom in response to a ransomware attack. Paying not only rewards and sustains the attackers’ business model, it may also fund terrorist organizations, money launderers, and rogue nation-states. Few organizations that pay admit it openly, but adversaries can publish that information on the dark web, which marks the payer as an easy target for others.

Paying also does not guarantee recovery, let alone a fast one: the attacker may never deliver a working decryptor. Fewer than half of ransomware victims who paid were able to restore their systems successfully.

How to Protect against Ransomware Infection

Once an infection has run, the encryption makes it very difficult to retrieve data, so proactive prevention is the best defense against ransomware.

Ransomware is always evolving and can make it difficult for organizations to protect themselves. These best practices will help you keep your operations safe.

1. All employees should be trained on cybersecurity best practices.

Your employees are the first line of defense. Make sure they follow good hygiene habits such as strong, unique passwords, secure Wi-Fi connections, and not clicking links or opening attachments in unsolicited email.

2. Make sure your operating system is up-to-date.

Cybercriminals are always looking for unpatched holes to exploit. Updating your systems promptly minimizes your exposure to known vulnerabilities.

3. Implement and enhance email security

CrowdStrike recommends an email security system that performs URL filtering and attachment sandboxing. An automated response capability can also retroactively quarantine emails that were delivered before they were identified as malicious, removing them before users interact with them.

4. Monitor your environment for suspicious activity and IOAs.

CrowdStrike® Falcon Insight™ endpoint detection and response (EDR) acts like a surveillance camera across all devices. It records raw events so that malicious activity which slipped past prevention can still be detected automatically, and it gives visibility for proactive threat hunting. Indicators of attack (IOAs) focus on what a process does, such as deleting backups or rapidly rewriting files, rather than on a known file hash, so they catch new ransomware variants as well as old ones.

CrowdStrike also offers Falcon OverWatch™ managed threat hunting, a team of highly skilled hunters that proactively searches for threats on your behalf 24/7.
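The following is an added illustration of what behavioural (IOA-style) ransomware detection looks like when run over endpoint telemetry; it is not CrowdStrike’s Falcon logic and not code from this page. The event schema (dicts with ts, type, pid, cmdline, op, path, new_path) and the sample events are constructed for the demo, and the thresholds are assumptions to tune per environment. It flags two behaviours that precede or accompany bulk encryption: tampering with recovery (deleting shadow copies, disabling Windows recovery) and one process renaming many files to a single new extension across several directories within a short window.

```python
"""Behaviour-based (IOA-style) ransomware detection over endpoint events.

Illustrative example added to this page; it is not CrowdStrike Falcon logic.
The event schema (dicts with ts/type/pid/cmdline/op/path/new_path) and the
sample events are constructed for the demo; real EDR telemetry differs.
"""
import ntpath
import re
from collections import defaultdict, deque

# IOA 1: tampering with recovery so the victim cannot restore without the key.
RECOVERY_TAMPER = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
]

# IOA 2: one process renaming many files to a single new extension, fast,
# across several directories (the on-disk footprint of bulk encryption).
# Thresholds are assumptions for the demo; tune them per environment.
RENAME_THRESHOLD = 20   # renames with an extension change ...
RENAME_WINDOW_S = 10.0  # ... within this many seconds ...
MIN_DIRECTORIES = 3     # ... spread over at least this many directories


def detect_recovery_tampering(events):
    """Return (ts, pid, cmdline) for process events matching RECOVERY_TAMPER."""
    hits = []
    for ev in events:
        if ev["type"] != "process":
            continue
        if any(p.search(ev["cmdline"]) for p in RECOVERY_TAMPER):
            hits.append((ev["ts"], ev["pid"], ev["cmdline"]))
    return hits


def detect_mass_rename(events):
    """Sliding-window count of extension-changing renames per pid; one alert per pid."""
    windows = defaultdict(deque)  # pid -> deque of (ts, directory, new_ext)
    alerts, alerted = [], set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] != "file" or ev["op"] != "rename":
            continue
        old_ext = ntpath.splitext(ev["path"])[1].lower()
        new_ext = ntpath.splitext(ev["new_path"])[1].lower()
        if old_ext == new_ext:
            continue  # ordinary rename, extension unchanged
        win = windows[ev["pid"]]
        win.append((ev["ts"], ntpath.dirname(ev["new_path"]), new_ext))
        while win and ev["ts"] - win[0][0] > RENAME_WINDOW_S:
            win.popleft()  # drop events older than the window
        exts = {e for _, _, e in win}
        dirs = {d for _, d, _ in win}
        if (len(win) >= RENAME_THRESHOLD and len(dirs) >= MIN_DIRECTORIES
                and len(exts) == 1 and ev["pid"] not in alerted):
            alerted.add(ev["pid"])
            alerts.append({"pid": ev["pid"], "ts": ev["ts"], "ext": exts.pop(),
                           "count": len(win), "dirs": len(dirs)})
    return alerts


def ransomware_pids(events):
    """Pids that both tampered with recovery and mass-renamed files (high confidence)."""
    tamper = {pid for _, pid, _ in detect_recovery_tampering(events)}
    renamed = {a["pid"] for a in detect_mass_rename(events)}
    return sorted(tamper & renamed)


def sample_events():
    """Constructed telemetry: a benign explorer rename, then a pid that deletes
    shadow copies and renames 24 files to .locked across four directories."""
    events = [
        {"ts": 0.0, "type": "process", "pid": 1001, "cmdline": r"C:\Windows\explorer.exe"},
        {"ts": 1.0, "type": "file", "pid": 1001, "op": "rename",
         "path": r"C:\Users\alice\Documents\draft.docx",
         "new_path": r"C:\Users\alice\Documents\final.docx"},
        {"ts": 2.0, "type": "process", "pid": 4242,
         "cmdline": r'cmd.exe /c "vssadmin.exe Delete Shadows /All /Quiet"'},
        {"ts": 2.5, "type": "process", "pid": 4242,
         "cmdline": "bcdedit /set {default} recoveryenabled No"},
    ]
    dirs = [r"C:\Users\alice\Documents", r"C:\Users\alice\Pictures",
            r"D:\Shares\Finance", r"D:\Shares\HR"]
    for i in range(24):
        d = dirs[i % len(dirs)]
        events.append({"ts": 3.0 + i * 0.1, "type": "file", "pid": 4242, "op": "rename",
                       "path": d + rf"\report{i}.xlsx",
                       "new_path": d + rf"\report{i}.xlsx.locked"})
    return events


if __name__ == "__main__":
    evs = sample_events()
    for hit in detect_recovery_tampering(evs):
        print("recovery tampering:", hit)
    for alert in detect_mass_rename(evs):
        print("mass rename:", alert)
    print("ransomware pids:", ransomware_pids(evs))
```

Neither indicator depends on a file hash, which is the point of IOAs: a freshly repacked sample still has to delete shadow copies and rewrite files to do its job. The shadow-copy patterns are high-confidence on their own and are worth an immediate alert; the rename heuristic should be tuned (and exempted for backup or archiving tools) to avoid paging on legitimate bulk renames.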