Ransomware is a hot topic in both information security and mainstream news these days. It has affected a large number of individuals and enterprises over the past few years with the average cost of a ransomware attack, not including the actual cost of the ransom itself, being recorded at USD 4.62 million in 2021 alone according to IBMs Cost of a Data Breach report. Additionally, in 2021, the European Union Agency for Cybersecurity (ENISA) noted ransomware as being the prime cybersecurity threat across the EU. They also projected that the ransomware business model is projected to cost more than USD10 trillion by 2025. These facts and figures show that ransomware is rising as a threat vector and should be on the radar of all information security professionals and board of directors now and in the foreseeable future. Taking a spotlight on the financial services industry as an example, there was a 62% rise in financial services organisations that were hit by ransomware in 2021 when compared to 2020 according to Sophos’ report on The State of Ransomware in Financial Services 2022.
I could quote sources on why ransomware is something to take seriously until I’m blue in the face, but I would prefer to use this article to help people understand what ransomware is, how it works (in a nutshell) and what we can do to protect ourselves from it.
What is Ransomware?
Without going into too much detail, ransomware is essentially the act of a malicious actor taking an individual or organisation’s data hostage and only returning access to that data once a ransom has been paid, hence the name.
This is done by:
- First gaining a foothold into the target network, usually achieved via phishing and/or social engineering attacks (see my previous article on Phishing for more details);
- Once access to the network is obtained, further work is done to elevate privileges within the environment, usually making use of built-in vulnerabilities;
- When privileges are elevated and access is granted to enough of the data in the environment and/or the right kind of data, the attack begins;
- All relevant data is encrypted using a proprietary algorithm for which decryption requires a key that only the attacker has;
- The attacker may also exfiltrate some of the sensitive data to ask for additional funds (or a second ransom) in order for them not to disclose or sell said sensitive data;
- Once the encryption and exfiltration are complete, the attacker will send or push a notification to the affected party stating that their data has been encrypted and if they would like to regain access to the data, they should pay a pre-defined amount, usually in some form of cryptocurrency such as Bitcoin, to a specified wallet address.
The above is a very simplified explanation but I hope it paints a helpful picture of what a ransomware attack would look like. The good people at Harvard University have created a useful infographic to explain how ransomware works, so I thought to include it below for reference.
How can you protect yourself?
They say that prevention is better than cure, and there are a number of things everyone can do to protect themselves from a ransomware attack itself, as well as from the effects of a possible ransomware attack.
The first level of protection is Information Security Awareness Education. Articles such as this, as well as internal security awareness campaigns using widely available tools are essential in equipping your employees and users to be knowledgeable about what the threats are and how to look out for them. As stated in my previous article on Phishing, most attacks and breaches start with phishing attacks, and ransomware attacks are no different. Therefore, teaching and training your employees to watch out for these attacks is the first great step to take.
Next step is to ensure regular and secure Backups are taken of all sensitive and critical data. It is important that these backups are logged and stored separately to the rest of your infrastructure. When working with backups, many are fans of the 3-2-1 rule whereby we take 3 copies of data, on 2 different types of media, with at least 1 backup stored off-site. This isn’t always relevant in our cloud infrastructure era, but elements of it can be retrofitted to fully cloud-based enterprises.
Malware Protection and Vulnerability Management are two others factors to consider as protection against all attacks, including ransomware. This involves installing and monitoring anti-malware solutions on all devices as well as running and reviewing regular vulnerability scans. Once scans are run, regular Patching should be performed to eliminate or mitigate as many vulnerabilities as possible. Malware protection technologies might also include File Integrity Monitoring features, which are key to detecting typical ransomware attacks and stopping them in their tracks. This technology monitors changes to data and alerts if any abnormalities are detected, such as mass encryption.
The use of Strong Passwords and Multi-Factor Authentication are also great protections to put in place in order to make it harder for malicious actors to gain access to your environment.
It’s also important to keep “common sense” approaches in mind for protection, such as never clicking on unknown links or opening suspicious attachments in emails, and never using unknown USB sticks or, even better, if you are a sysadmin at an organisation, outright blocking USB storage access on all endpoint devices.
What if I have been hit with a Ransomware Attack?
In the unfortunate event that you have become the victim of a ransomware attack, there are a number of things to consider. Firstly, although the reality is scary it is important not to panic as that is what the attackers expect.
There are a number of resources available to assist in the event of a ransomware attack, and if the aforementioned protections had been implemented prior to the attack, then there is less cause for concern. The first course of action (after not panicking) is to ensure that all backups are unaffected by the encryption caused by the attack, thereby making sure that you can recover most, if not all, of your data.
If you have cybersecurity insurance, it would be a good idea to get in touch with your insurance broker. Additionally, if you are a regulated entity, you will need to gather all the necessary information and report this to the relevant regulator in your jurisdiction.
Most importantly, it is recommended practice to NOT PAY THE RANSOM. There are various reasons for not paying, the main one being to not fund these ransomware groups, enabling them to grow their operations and better their tools, resulting in additional and more complex attacks. The payment of ransoms may also be illegal in some jurisdictions, especially where sanctions are in place, so this is important to keep in mind.
A useful initiative to note is the No More Ransom project. Set up by a public-private partnership of law enforcement and security service providers, this project provides guidance and advice, as well as decryption tools for a host of ransomware strains. ENISA and the European Commission also provide guidance via the Cyber First Aid map, which provides a list of contacts and resources based on your location which will come in handy in the event of an attack or security incident.
In conclusion, Ransomware is high on the agenda of information security professionals, corporations and even governments across the world. So much so, that in November 2022, after a successful first meeting, the White House organised the Second International Counter Ransomware Initiative Summit, bringing together 36 countries and the EU, as well as a host of private sector partners to discuss actions that can be taken to tackle the issues associated with ransomware as a whole. This and other projects and initiatives, as well as safeguards implemented by individuals and organisations, will help to reduce the impact of ransomware on a global scale.