What is ransomware and how should I defend against it?

October 6, 2020

Ransomware encrypts files on the infected system or network and then demands a ransom, usually in bitcoin, for the key needed to decrypt them. Paying is no guarantee of recovery: the attackers may withhold the key, or simply raise the demand once they know the victim is willing to pay.

What is ransomware?  

Ransomware is malicious software that infiltrates a system, finds the data on it and holds that data hostage, typically by encrypting it. It then threatens to destroy or withhold the data unless the victim pays a ransom.

In recent years ransomware has attracted a lot of attention through its use in a number of high-profile cyber attacks. The WannaCry outbreak in 2017 caused havoc in NHS systems that had not applied the Windows security update for the flaw it exploited. In the same year, Bad Rabbit spread across Eastern Europe as a “drive-by” attack disguised as an Adobe Flash update: when a victim ran the fake installer, it locked the computer and demanded payment in return for unlocking it.

Other families are even harder to recover from. CryptoLocker, for example, uses strong encryption correctly, so without the attacker's key it is generally impossible to decrypt the files.

The quarterly report from Talos for summer 2020 found that ransomware made up the majority of the threats it observed affecting IT systems. Responding to a ransomware incident can easily cost a company millions.

Some large organisations that have fallen prey to ransomware attacks:

  • A recent victim is the University of Utah. In 2020, following an attack on part of its network, the attackers forced the university to pay roughly $500,000 to stop them leaking private information about its students online.
  • In the same year, Brown-Forman, which owns well-known brands such as Jack Daniel's, was also hit. Attackers infiltrated the company's network, collected about one terabyte of data and demanded a ransom.
  • Also in 2020, an employee of the US car manufacturer Tesla was approached by a criminal group and asked to plant malware on the company's network that would exfiltrate sensitive data. The group intended to threaten to release the data unless Tesla paid a ransom. The employee reported the approach and the plan was foiled.

These examples show that organisations in very different industries can fall victim to ransomware, so every company should understand these attacks and how to defend against them.


Why should I be worried about ransomware?  
 

As these examples show, ransomware is an extremely dangerous type of malware. Victims risk losing files containing sensitive information, and losing money if they pay the ransom. On top of that come lost productivity and the cost of rebuilding and improving security systems afterwards.

Ransomware usually spreads through a user-initiated action, such as clicking a link in an email whose sender is unclear. That can lead to a drive-by attack: the victim lands on a website the attacker controls, which fingerprints the device and serves a malicious payload or fake update that installs the ransomware. Not every family needs a click, though: as WannaCry showed, some spread on their own across a network by exploiting unpatched services.

Attackers can also deploy ransomware through “malicious insiders”: an employee of the target company who runs the malware on its own systems for financial gain. The approach made to the Tesla employee above is an attempt at exactly this.


Five tips when dealing with ransomware.  

  1. The general advice on countering this type of malware starts with prevention: do not open links or attachments from unknown or suspicious senders, and keep operating systems and applications patched, since WannaCry spread through a flaw for which a fix was already available. This is a good first step, but to properly defend against ransomware your company needs to go further.
  2. Use a backup system so that a file stolen or encrypted by an attacker can still be recovered from a clean copy. Keep at least one copy offline or otherwise out of reach of the production network, because ransomware routinely seeks out and encrypts any backups it can reach, and test restores routinely rather than assuming the backups work. Even this is not enough on its own. Attacks are becoming more sophisticated, attackers' social engineering keeps improving, and once your network is infected, prevention no longer helps you.
  3. Have a robust incident response plan that covers a ransomware event. As soon as ransomware is discovered, put the plan into action: determine which parts of the network are affected and disconnect them immediately to stop the spread, and let the kind of data compromised guide the rest of the response. Check whether a free decryptor exists for the family involved, which can return your data without paying a ransom; bear in mind that for families that implement strong encryption correctly there may be none. We talk more about incident response here.
  4. If you can avoid it, don't pay the ransom. It almost goes without saying, but be very hesitant about paying money to a malicious actor who may still hold, or leak, more of your sensitive information. As we've already seen, paying does not necessarily release the files; it may just prompt a higher demand.
  5. Alert the authorities. Companies often try to hide that they have been the victim of a cyber attack, for the simple reason that it can hurt business. Depending on the lengths you go to keep an attack quiet, you may also face legal consequences for not reporting it promptly. If you report the attack, it is more likely to be resolved, and that can save money in the long term: IBM found that the average cost of a data breach in 2020 was between $3 million and $4 million, and the longer a breach lasts, the more it is likely to cost.
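To make steps 2 and 3 concrete, here is an added example in Python; it is not code from the original post or from C2. It walks a file share to work out which files an encryptor has touched (ransom notes, documents with an appended extension, and files whose contents now look like ciphertext), and it compares a SHA-256 manifest recorded at backup time against both the backup copy and the damaged share, to show what is intact and what must be restored. The note file names, the `.locked` extension, the extension lists and the 7.5 bits-per-byte entropy threshold are assumptions chosen for the illustration, and the file tree it scans is constructed inside the script.

```python
"""Ransomware triage helper (added example): scope what an encryptor touched
and check a backup against the hashes recorded when it was taken."""
from __future__ import annotations

import hashlib
import math
import random
import shutil
import tempfile
from collections import Counter
from pathlib import Path

# Assumed indicators for the illustration. Real families use many different
# note names and appended extensions; treat these as a starting list.
RANSOM_NOTE_NAMES = {"readme_decrypt.txt", "how_to_recover.txt"}
DOCUMENT_EXTENSIONS = {".txt", ".csv", ".log", ".docx", ".xlsx", ".pdf", ".jpg", ".png"}
# Compressed formats look random already, so entropy alone is not evidence for them.
NATURALLY_HIGH_ENTROPY = {".docx", ".xlsx", ".pdf", ".jpg", ".png", ".zip", ".gz"}
ENTROPY_THRESHOLD = 7.5  # bits per byte; ciphertext sits close to the maximum of 8


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data; 8.0 means uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: Path) -> str:
    """Label one file as 'note', 'encrypted' or 'clean'."""
    if path.name.lower() in RANSOM_NOTE_NAMES:
        return "note"
    suffixes = [s.lower() for s in path.suffixes]
    # report.docx.locked: a document extension with an unfamiliar one appended.
    if (len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXTENSIONS
            and suffixes[-1] not in DOCUMENT_EXTENSIONS):
        return "encrypted"
    # Encryptors that keep the filename still leave ciphertext behind: flag it by
    # entropy, but only for formats that should not look random to begin with.
    data = path.read_bytes()
    if (suffixes and suffixes[-1] not in NATURALLY_HIGH_ENTROPY
            and len(data) >= 256 and shannon_entropy(data) >= ENTROPY_THRESHOLD):
        return "encrypted"
    return "clean"


def triage(root: Path) -> dict[str, list[str]]:
    """Bucket every file under root; paths are reported relative to root."""
    buckets: dict[str, list[str]] = {"note": [], "encrypted": [], "clean": []}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            buckets[classify_file(p)].append(p.relative_to(root).as_posix())
    return buckets


def build_manifest(root: Path) -> dict[str, str]:
    """SHA-256 of every file; store it somewhere the attacker cannot rewrite it."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_to_manifest(manifest: dict[str, str], root: Path) -> dict[str, list[str]]:
    """Files in the manifest that root no longer holds exactly as recorded."""
    missing, altered = [], []
    for rel, digest in manifest.items():
        target = root / rel
        if not target.is_file():
            missing.append(rel)
        elif hashlib.sha256(target.read_bytes()).hexdigest() != digest:
            altered.append(rel)
    return {"missing": missing, "altered": altered}


def run_demo() -> dict:
    """Constructed scenario: back up a share, let an 'encryptor' hit it, then triage."""
    rng = random.Random(2020)  # fixed seed so the demo is repeatable

    def noise(n: int) -> bytes:
        return bytes(rng.getrandbits(8) for _ in range(n))

    base = Path(tempfile.mkdtemp())
    live, backup = base / "share", base / "backup"
    (live / "finance").mkdir(parents=True)
    (live / "finance" / "q3.csv").write_text("date,amount\n2020-09-30,1200\n" * 20)
    (live / "finance" / "report.docx").write_bytes(b"PK\x03\x04" + noise(2048))
    (live / "notes.txt").write_text("Patch the file servers this week.\n" * 10)
    (live / "logo.png").write_bytes(b"\x89PNG" + noise(1024))

    shutil.copytree(live, backup)      # the backup, taken before the incident
    manifest = build_manifest(backup)  # and its hashes, recorded at the same time

    # Simulated encryptor: one file renamed with an appended extension, one
    # overwritten in place, and a ransom note dropped in every directory.
    (live / "finance" / "q3.csv").unlink()
    (live / "finance" / "q3.csv.locked").write_bytes(noise(4096))
    (live / "notes.txt").write_bytes(noise(4096))
    for d in (live, live / "finance"):
        (d / "README_DECRYPT.txt").write_text("Your files are encrypted. Pay to recover them.\n")

    result = {
        "triage": triage(live),                                  # what was touched
        "backup_check": compare_to_manifest(manifest, backup),  # is the backup intact?
        "damage": compare_to_manifest(manifest, live),          # what must be restored
    }
    shutil.rmtree(base)
    return result


if __name__ == "__main__":
    import json
    print(json.dumps(run_demo(), indent=2))
```

Run it directly to print the three reports. Two practical points the code makes: compressed formats such as PNG, PDF and Office documents already look random, so entropy is only trusted for formats that should be low-entropy, and the triage shows the renamed and overwritten files but not the Office document or image; and the manifest has to live somewhere the attacker cannot reach, because a manifest rewritten along with a reachable backup proves nothing.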


Summary   
 

Ransomware is becoming more and more prevalent, and your company must ensure it has proper protection in place: both a preventive strategy and a response strategy. Keep systems patched, back up files regularly to a copy the attacker cannot reach, test that those backups restore, and put the incident response plan into action the moment an attack is discovered. Report the attack promptly and look for a decryptor before considering paying a ransom.

Patrick Osborne 
