Today, if there is one thing that CISOs dread most about is a ransomware attack. The scare of a possible ransomware attack and its consequences are disastrous not only for the enterprise but can adversely affect the position of the CISO too. Even the board rooms start resembling a war-room soon after a ransomware attack is detected.
Let us look at what is so scary about ransomware, how they have been casing a havoc and more importantly what needs to be done to ward off the threat effectively and what should be done in the event of an attack.
What is Ransomware
Ransomware, is a malicious software or malware program that hunts and encrypts an enterprise’s files and storage. Falling into traps like phishing emails or social engineering, users inadvertently allow the attackers into their organization.
Cybercriminals make of use this malware to demand and extort large sums of money from their victim organizations, which usually have no option but to pay an unreasonably high ransom to decrypt the data.
Early variants of Ransomware were seen in the late 1980s, and ransom was to be sent via regular mail. But today, ransomware creators demand that the payment be made via cryptocurrency. The victims are provided instructions on how to pay a fee to receive the decryption key.
Ransomware attackers also pursue production systems, backup files and documents from all sorts of storages. Encrypting all the data, the attackers leave the organization no choice but to meet the cybercriminals’ demands. The ransom demands can range from a few hundred to several thousands to millions of dollars payable to cybercriminals in Cryptocurrency or Bitcoin.
There are two main types of ransomware –
This ransomware encrypts valuable files on computers so that users cannot access them. Cybercriminals execute Crypto ransomware attacks and demand that victims pay a ransom to get their files decrypted.
This ransomware does not encrypt the files. It locks the victim out of their device and then demand a ransom to unlock the device.
Its targets and geographic regions
When ransomware first appeared, its victims were individual systems or common computer users. Soon ransomware was spread out to business users and larger businesses, tapping its full potential. Ransomware turned out to be so successful against businesses, resulting in productivity losses and lost data and revenue. By the end of 2016, more than 12% of detections among global enterprises was ransomware, while less than 2% percent of detections among individual users. 35% of small and mid-sized businesses had experienced a ransomware attack by 2017.
Western markets account for the majority of the attacks with US, UK and Canada. Ransomware authors focus on where big money lies. As others markets like Asia catch up on economic growth, it will be no surprise that these regions too will see an unprecedented number of attacks
How you can identify a ransomware
We all have read about different instances of ransomware attacks that individuals and businesses have become victims to in recent months and years.
Most of the targets in the ransomware attacks fell prey because they readily followed links in phishing emails, or have opened malicious attachments. Easiest way to identify a ransomware email is to check the sender. If it is not from a person or business you do not know, always exercise restraint. Strictly avoid clicking on links in emails from untrusted sources, and never open email attachments in emails from senders you do not trust.
Be extremely cautious if the email attachment asks you to enable macros. This is a very common way ransomware is spread.
Some Ransomware examples
Let’s explore a few significant ransomware examples to help you realize how dangerous each type is.
Locky spreads via phishing email attachments, installs itself targeting a variety of file types that are used by designers, developers, engineers, and testers. It can encrypt over 160 file types. This type of ransomware that was first released in a 2016 attack by an organized group of hackers.
Engineered to exploit a vulnerability in Windows and affected 230,000 computers globally. WannaCry is ransomware attack that spread across 150 countries in 2017.
The attack hit one third of healthcare organizations in the UK, with the NHS losing an estimated £92 million. With users locked out of their system, a ransom was demanded in the form of Bitcoin. The attack brought to light the problematic use of outdated systems, leaving a vital health service defenseless to attack and an estimated $ 4 billion in financial losses globally.
Ryuk ransomware, which started spreading in Aug 2018, disabled the Window’s System Restore option, making it impossible to restore encrypted files without a backup. It also encrypted network drives. Leaving crippling effect, several organizations targeted in the US paid the demanded ransoms. August 2018 reports estimated funds raised from the attack were over $640,000.
There had been a huge rise in ransomware related payments. Ryuk reportedly demands in excess of $200,000 per incident, double the amounts demanded by other ransomware authors.
Ryuk resumed activity this year, and has been leaving a long trail of victims. A report from Check Point mentioned in October that the gang was attacking, on average, 20 companies every week in the third quarter of 2020.
As per some reports, the average payment received by this particular group is close to $750,000 and they are reported to have made at least $150 million since 2018. In another report, the largest confirmed payment they got was 2,200 bitcoins, which is close to $34 million.
When you are attacked!
Just in case you become the victim of a ransomware attack, do not pay the ransom.
There are no guarantees that your data will be returned or the decryption keys are made available to you after meeting the demands of the ransom seekers. These are hardened criminals. By paying the ransom, you end up encouraging the ransomware business, making future attacks more likely.
If your data is backed up outside of your networks or in a cloud environment, you will be able to restore the data that is being held from you. But in the case, you do not have a backup of your data, it is recommended contacting your internet security vendor <Cymune Microsite>, to see if they have a decryption tool for the ransomware that has attacked your network.
What lies in future
Unfortunately, the number of ransomware attacks is only going to keep climbing up with digital transformation accelerating, remote working being encouraged. It is important to note that despite expert advice against paying up, most victims of ransomware attacks – large percentage of victims in Australia, Singapore and India have paid the ransom. This will prove to the shot in the arm of ransomware authors. Did the attackers win this battle?
Protect your assets from ransomware
- Have layered protection technology deployed
- Have a robust backup mechanism in place
- 24/7 Security monitoring and leveraging with threat intel & advanced threat hunting supported by AI/ML capabilities is highly desirable
- Have a tested and proven breach response plan (CERT)
Finally, keep yourself well informed. Social engineering is one of the most common ways Ransomware will try to enter your networks. Educate yourself, your employees and partners on how to detect emails that carry malicious attachments, suspicious websites, and other scam methods. Most importantly, exercise common sense. Tell yourself, if something is suspect, it perhaps is.