How to protect your business from a growing threat
Ransomware attacks are on the rise, having increased by 500% over the last year, with estimated costs of over $10 billion per year according to a report from Malwarebytes Labs. Cybersecurity firm Coveware estimates that the average cost of a single attack now approaches $100,000.
Here, in question and answer form, we provide essential information on ransomware and what you can do to protect your organisation:
What is ransomware?
It’s software that restricts access to your computer or data until you pay a ransom.
Is all ransomware the same?
No, there are three main types of ransomware:
1. Screen Lockers – Locks your screen on startup
In this case, your normal startup process will be replaced with a message informing you that you must pay a ransom to move past the lock-screen.
2. Scareware – Slightly threatening
Here attackers steal your data and threaten to release it if the ransom is not paid.
3. Encrypted Ransomware – Encrypts your data
This is now the most common, and worst, form of ransomware. With encrypting ransomware, you’ll likely find yourself locked out of your computer and unable to view any of your data.
What is scareware?
In a nutshell, this is fake ransomware. In a scareware attack, you’ll be bombarded with messages through channels ranging from email to popup notifications directly from your home screen. In the messages or popups, you’ll typically be threatened with lockout or data encryption if you don’t pay a ransom by a specified deadline.
Ninety-nine per cent of the time, however, these are entirely idle threats. After all, why would the hacker bother to threaten you like this if he really had the capacity to lock you out of your computer and encrypt your data? Scareware can therefore be safely disregarded in most cases. However, if the scareware can’t be removed with anti-malware software, you’ll still want to restore your computer to a previous checkpoint to wipe the offending program from your device.
How is ransomware transmitted?
The most common method of transmission (accounting for nearly 60% of ransomware attacks in 2019, according to Coveware) is compromised Remote Desktop Protocol (RDP) access. Here an attacker gains access to an organisation’s entire network by learning a single weak password.
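The RDP vector above leaves a distinctive trail in the Windows Security log: a burst of failed logons from one source followed by a success. The detection below is an added example, not code from the article; it runs over a constructed list of simplified event records (event 4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive, i.e. RDP) and the threshold and window are assumptions to tune per environment.

```python
"""Spot RDP password guessing that ends in a successful logon.

Added example, not from the article. Input is a constructed list of simplified
Windows Security events: (timestamp, event_id, logon_type, user, source_ip),
where 4625 = failed logon, 4624 = successful logon and logon type 10 = RDP.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5              # failures from one source within WINDOW ...
WINDOW = timedelta(minutes=10)  # ... that we treat as password guessing

# Constructed sample log: one guessing burst that succeeds, one benign typo,
# and one local (non-RDP) failure that must be ignored.
SAMPLE_EVENTS = [
    ("2024-05-01T02:00:01", 4625, 10, "administrator", "203.0.113.7"),
    ("2024-05-01T02:00:09", 4625, 10, "admin", "203.0.113.7"),
    ("2024-05-01T02:00:17", 4625, 10, "admin", "203.0.113.7"),
    ("2024-05-01T02:00:25", 4625, 10, "admin", "203.0.113.7"),
    ("2024-05-01T02:00:33", 4625, 10, "admin", "203.0.113.7"),
    ("2024-05-01T02:00:41", 4625, 10, "admin", "203.0.113.7"),
    ("2024-05-01T02:01:10", 4624, 10, "admin", "203.0.113.7"),
    ("2024-05-01T08:30:00", 4625, 10, "jsmith", "198.51.100.4"),
    ("2024-05-01T08:30:20", 4624, 10, "jsmith", "198.51.100.4"),
    ("2024-05-01T09:00:00", 4625, 2, "jsmith", "-"),
]


def detect_rdp_guessing(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return (sources that exceeded the threshold, successful logons from them)."""
    recent = defaultdict(deque)  # source_ip -> timestamps of failures inside window
    flagged = set()
    compromised = []
    for ts_str, event_id, logon_type, user, src in sorted(events, key=lambda e: e[0]):
        if logon_type != 10:      # only RemoteInteractive (RDP) logons matter here
            continue
        ts = datetime.fromisoformat(ts_str)
        if event_id == 4625:
            q = recent[src]
            q.append(ts)
            while ts - q[0] > window:   # drop failures that fell out of the window
                q.popleft()
            if len(q) >= threshold:
                flagged.add(src)
        elif event_id == 4624 and src in flagged:
            # a success after a guessing burst: treat the account as compromised
            compromised.append((src, user, ts_str))
    return flagged, compromised
```

A hit on the second list is the moment to reset the account and review what that session did, which is far cheaper than the restore-from-image step described later in this article.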
The next most common transmission method is phishing, with a typical form of attack being the impersonation of a family member, colleague or acquaintance.
You might get an email that appears to come from someone you know but with the actual name or address slightly changed. In a more sophisticated attempt, the attacker may even have hacked your acquaintance’s email account, enabling him to send you a message from the legitimate account. In all cases, there will be an attachment, perhaps enticingly labelled, that, if opened, will secretly install the malware on your device.
Other ransomware attack vectors include infected software (pirated software being by far the riskiest), external hard drives that have been connected to an infected device, and websites that prompt you to install mislabelled software.
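The "slightly changed name or address" pattern in the phishing description above can be checked mechanically at the mail gateway or in a mailbox rule. The script below is an added example, not code from the article; the address book and inbound messages are constructed, and the edit-distance threshold is an assumption.

```python
"""Flag inbound senders that impersonate a known contact.

Added example, not from the article. A reused display name, or a mailbox/domain
one or two characters off a known one, is the 'slightly changed' pattern.
"""


def levenshtein(a, b):
    """Edit distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_address(addr):
    local, _, domain = addr.lower().rpartition("@")
    return local, domain


def classify_sender(display_name, address, contacts, max_distance=2):
    """Return 'known', 'lookalike' or 'unknown' for one inbound sender."""
    address = address.lower()
    if any(address == known.lower() for _, known in contacts):
        return "known"
    local, domain = split_address(address)
    for name, known in contacts:
        klocal, kdomain = split_address(known)
        if display_name.strip().lower() == name.lower():
            return "lookalike"  # a contact's name on an unrelated mailbox
        near_domain = 0 < levenshtein(domain, kdomain) <= max_distance
        near_local = 0 < levenshtein(local, klocal) <= max_distance
        if (near_domain and local == klocal) or (domain == kdomain and near_local):
            return "lookalike"  # e.g. examp1e.com, or payrol@ instead of payroll@
    return "unknown"


# Constructed address book and inbound mail (display name, address).
CONTACTS = [("Jane Doe", "jane.doe@example.com"), ("Acme Payroll", "payroll@acme-corp.example")]
SAMPLE_MAIL = [
    ("Doe, Jane", "jane.doe@example.com"),        # legitimate, address matches exactly
    ("J. Doe", "jane.doe@examp1e.com"),           # domain one character off
    ("Jane Doe", "janedoe1987@webmail.example"),  # contact's name, unrelated mailbox
    ("Accounts", "payrol@acme-corp.example"),     # mailbox one character off
    ("Newsletter", "news@unrelated.example"),     # nothing in common
]


def triage(mail=SAMPLE_MAIL, contacts=CONTACTS):
    """Label every message so lookalikes can be quarantined for manual review."""
    return [(addr, classify_sender(name, addr, contacts)) for name, addr in mail]
```

A 'lookalike' label is a prompt to verify the sender out of band, not proof of an attack, since a real contact writing from a personal mailbox will trigger it too.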
What can I do if my device is infected with ransomware?
1. Attempt to restore or reset your device.
If you can boot in safe mode, you may be able to restore to a saved checkpoint that reinstalls your OS to a state before your device was infected. Note, you’ll lose any data created after the restore point.
2. Reboot using a complete image backup.
If you’re lucky enough to have created a carbon copy of your system that can be restored to an empty hard drive, you’ll be able to go back in time, so to speak, to before your device became infected. This is the best way to wipe ransomware from your system, but again, you’ll lose any data created after the image was made.
3. Decrypt your data.
We’ve listed this here because technically it’s still an option, but it rarely works. Only a few of the oldest versions of ransomware have been reverse engineered to recover the key needed to decrypt affected data. As long as the attackers use modern encryption, it’s virtually impossible to decrypt without it.
4. Should you pay the ransom? – Proceed with caution
Coveware estimates that in 97% of cases where the ransom was paid, all data was successfully decrypted.
The Australian Government and CERT Australia recommend that you do not pay the ransom. Doing so can lead to further ransomware attacks, and there is no guarantee that files will be recovered. Paying a ransom also identifies an organisation as one that is willing to pay, which can increase the risk of further attacks.
If you do choose to pay a ransom, make sure the payment is legal. If you suspect the ransom is being paid to a terrorist organisation or as part of a money-laundering operation, you could be subject to criminal sanctions (see, for example, Part 5.3 of the Criminal Code Act 1995). If your organisation provides ‘designated services’ within the meaning of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006, it is required to report to AUSTRAC any ‘suspicious transactions’ it encounters in the course of providing a designated service.
If you proceed with paying the ransom, you should inform law enforcement. There’s a good chance the police will be able to track down the criminals via the ransom payment method. Thanks to the emergence of increasingly effective blockchain analysis firms, it’s often possible to trace even payments made with cryptocurrencies like Bitcoin.
What precautionary measures can I take against ransomware?
1. Back up your data and programs.
This is by far the most effective way to ensure you’ll always have access to your data and applications. The best strategy is to create complete backup images regularly. Next best is doing regular backups of your essential data. You should store backups both in the cloud and on physical hard drives.
2. Set up automated restore points.
This is less effective than complete backup images because some ransomware can compromise restore points. Still, it’s easy to set up and can’t hurt.
3. Install ransomware protection software.
An increasing number of anti-virus packages include protection against ransomware.
4. Employ a multi-layered approach to your remote desktop protocol.
At a minimum, you should use two-factor authentication and least-privilege principles for access to critical systems.
5. Reduce your reliance on VPNs
Many businesses rely on VPNs to provide remote access. VPNs are not only a gateway to corporate infrastructure but also a gateway for infections: if a remote user has an infected PC, the infection can quickly spread into the network via the VPN.
Newer zero-trust solutions and virtualisation technology are paving the way to remote access that is secure by design. Microsoft’s Windows Virtual Desktop (WVD) and Citrix remote access are leading the way in secure remote access. Talk to your local virtualisation specialist to see your options.
6. Stay updated.
Most malware takes advantage of security loopholes that only remain open in outdated software. Regularly installing updates is essential for reducing your risk of exposure.
7. Practice good computer hygiene.
It should go without saying that installing pirated software on your device is risky, but you should also think twice about anything you install on your computer. Take the time to look into the trustworthiness of the developer before installing even simple tools like screen dimmers and file converters.
Finally, don’t connect unknown devices via USB.
8. Beware of public WiFi.
When you’re on public WiFi, don’t type in or create new passwords, as attackers may be able to capture your keystrokes.
9. Think before you click.
Since an easy point of infection is people unwittingly clicking on files that install the malicious software, it’s up to each individual to be vigilant.
Security training is an excellent place to start; we recommend that you talk to your security advisor about establishing a cyber-aware culture with performance leaderboards, monthly security champion awards, and certificates on course completion.