
Explaining Ransomware Without All The Jargon


As an IT and cybersecurity vendor, we often use jargon and acronyms to discuss technology. 

While we use these words to be precise, it doesn’t help explain the concepts to a non-technical audience. 

CEOs and other executives often must use everyday English to explain technology to non-technical board members. To help, we created this guide to ransomware.

It covers the following topics:

  • What is ransomware?
  • How do we get it?
  • How do we recover from it?
  • How do we mitigate it?

So, next time you walk into a meeting, and you need to talk about your cybersecurity plan around ransomware, you’ll be able to do so in a way that appeals to a much broader audience.


What is Ransomware?


Ransomware combines two malicious cyber attacks.

First, it uses malicious software, called malware, to lock user files with encryption. Second, the attackers attempt to extort a ransom from the victim in exchange for restoring the files.

Within this category, there are both simple and sophisticated versions of a ransomware attack.

Ransomware runs on a local device, usually a PC, a Mac, or a server. The most basic attack targets a single computer. However, sophisticated attackers deliver the malware throughout entire networks prior to triggering the ransomware.

Once the computer files are encrypted, a ransom message appears. Simple ransomware triggers immediately, and encrypts files on the local machine. More complex programs involve a series of steps.

For example, the ransomware might execute a reboot into safe mode to bypass endpoint security.


How Do We Get Ransomware?


Basic ransomware often begins with phishing emails that trick users into opening malicious files.  

Sometimes the file will appear to be a Microsoft Office file or a PDF, but instead it’s an executable file – one that runs a program on the computer rather than opening as a document. Other times, the file truly is an Office file or PDF, and the malware is triggered by a macro embedded in it.

Fortunately, most simple ransomware is detected by antivirus, endpoint protection software, email security, and trained employees. However, as defenses improve, so too do ransomware attacks.

Related Article: Ransomware off to Aggressive Start in 2020


More complex ransomware combines the encrypting malware with a computer worm, a program that spreads itself from machine to machine. These attacks, such as WannaCry, rapidly seek out and infect other vulnerable computers on the network automatically.

The most sophisticated attacks don’t rely upon software at all.  Instead, ransomware gangs, such as Maze, Ryuk, and Sodinokibi, actively hack each victim.

These gangs usually select targets capable of paying large ransoms. They’re responsible for many prominent attacks, including a ransomware attack on the city of Atlanta which cost taxpayers over $2.2 million in recovery costs.

While phishing remains a common attack point, these attackers have used fake websites, VPN vulnerabilities, remote desktop exploits, password stuffing, and many other methods.

The most recent examples have been using the TrickBot trojan, preying upon people looking for a mobile coronavirus tracking app, and using IQY files.

Once a sophisticated team of cyber criminals gains entry into the network, the attackers carefully escalate their permissions and access.

They then explore the environment to locate and delete backup data, both on premises and in the cloud. Once those attackers gain enough access, they trigger the ransomware on a large scale.

Recently, attackers began stealing the data before triggering the ransomware. That sort of attack puts additional pressure on victims to pay the ransom, due to the threat of publicly releasing the stolen data. These attacks continue to increase in both sophistication and quantity, and they’re highly effective.

In March, the Sodinokibi ransomware team threatened to release a company’s financial data. While that’s not unusual, the attackers also claimed that the documents showed evidence of illegal financing. If true, that’d certainly motivate the victims to pay quickly.

The number of ransomware attackers threatening data leaks continues to increase.  Nefilim, CLOP, and Sekhmet each created data leak sites in order to publish stolen data when victims don’t pay.


How to Recover


As we noted in the past, those who pay ransoms might recover up to 98% of their data.

However, some groups don’t provide effective decryption keys. For that reason, and the recent spike in ransom cost ($41k to $84k in Q4 2019), some companies hesitate to pay. 

The FBI discourages ransom payment, but organizations often don’t have much choice. They can try to recover from backups, but that’s a painfully slow process. And, wiping and rebuilding computers takes a lot of both time and money.

Atlanta’s recovery started with a $52,000 ransom. By the time it recovered, the city ended up paying nearly 43 times that amount. 

But, the ransom cost is not the only factor. Hospitals in Indiana, Alabama, and New Jersey all paid ransoms to recover faster and thus minimize the disruption to patient services.

Related Article: Ransomware Attacks on Government Organizations


Many cyber criminals actively search for and delete backup files to make recovery more difficult. And sometimes, automated systems do that job for them. 

Typically, disaster recovery protocols use automated data backups.  Many of them back up the “delta,” or changed files, periodically during the day and overwrite previous backups. 

Unfortunately, for those who rely on only a single backup, if the automatic backups aren’t shut down immediately during an attack, the critical recovery files will be overwritten with the encrypted copies the ransomware produced.
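The backup problem described above is easy to see in a small simulation. The following is an added example, not code from the article or from any backup product: it models a backup job that keeps only a fixed number of snapshots (retention of 1 is the "overwrite the previous backup" case), runs it hourly across a constructed incident in which the share is encrypted at 02:00, and then tries to restore from the newest snapshot taken before the incident. The timestamps, file names and contents are constructed for the demo.

```python
"""Simulated backup retention: an overwriting "delta" backup versus retained
snapshots. Added example with constructed data; not the article's own code."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class Snapshot:
    taken_at: datetime
    files: Dict[str, str]  # path -> contents at backup time


class BackupStore:
    """Keeps at most `retention` snapshots.  retention=1 models a job that
    overwrites the previous backup on every run."""

    def __init__(self, retention: int):
        self.retention = retention
        self.snapshots: List[Snapshot] = []

    def run_backup(self, now: datetime, live_files: Dict[str, str]) -> None:
        self.snapshots.append(Snapshot(now, dict(live_files)))
        # drop the oldest snapshots beyond the retention limit
        self.snapshots = self.snapshots[-self.retention:]

    def restore_before(self, incident_time: datetime) -> Optional[Snapshot]:
        """Newest snapshot taken strictly before the incident, or None."""
        candidates = [s for s in self.snapshots if s.taken_at < incident_time]
        return max(candidates, key=lambda s: s.taken_at) if candidates else None


def simulate(retention: int) -> Optional[Dict[str, str]]:
    """Hourly backups from 22:00; ransomware encrypts the share at 02:00 and the
    backup job keeps running for one more hour before anyone notices.
    Returns the restorable clean file set, or None if no clean copy survived."""
    live = {"finance/ledger.xlsx": "Q4 figures", "hr/roster.docx": "staff list"}
    store = BackupStore(retention)
    start = datetime(2020, 3, 2, 22, 0)       # constructed timestamps
    incident = datetime(2020, 3, 3, 2, 0)
    for hour in range(6):                     # 22:00 .. 03:00
        now = start + timedelta(hours=hour)
        if now == incident:
            # the ransomware replaces contents and appends its own extension
            live = {path + ".locked": "<ciphertext>" for path in live}
        store.run_backup(now, live)           # the job does not know anything is wrong
    snap = store.restore_before(incident)
    return snap.files if snap else None


if __name__ == "__main__":
    for keep in (1, 2, 3):
        print(f"retention={keep}: restorable = {simulate(keep)}")
```

With a retention of one or two hourly snapshots, every surviving backup was taken after the encryption started and restore yields nothing usable; with a retention of three the 01:00 snapshot is still there. The design point is that retention has to exceed the time between the encryption and the moment someone stops the backup job, which is why backup copies that cannot be overwritten (versioned, offline or immutable) are what make recovery possible.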


How to Mitigate Ransomware?


Fortunately, to reduce the risk of ransomware, you don’t need any special software or tools.

In fact, you’ll use the fundamental security principles that apply to many malware scenarios, including:

  • User training;
  • multi-factor authentication (MFA);
  • network segmentation;
  • defense in depth; and
  • active monitoring.

Let’s break those down a bit.

User training for phishing attacks and other types of malware isn’t perfect.

A user might still click the malware link and cause an issue. However, training typically reduces the number of incidents, while also helping in other ways. For example, users will recognize that they’ve triggered an attack and promptly contact IT.

Some attackers don’t send malicious files. Instead, they use phishing emails or fake websites to steal employee credentials. Once stolen, those credentials are used to gain network system access.

Multifactor authentication often limits the effectiveness of stolen credentials.

While MFA isn’t foolproof, the friction caused by several authentication factors often deters many attackers.

For the attacks that do obtain machine access, network segmentation adds another degree of difficulty. By segregating the network, each segment presents a new hacking challenge.

Think of your corporate network as a castle – segmentation creates castles within that castle, so that a single breach doesn’t mean there’s been a total breach.

Defense in depth deploys multiple layers of defense for the IT environment.

For example, firewalls and email security are backed by network security, which, in turn, is backed by endpoint security. This defense assumes that a breach will happen. So, the corporate network castle uses multiple walls…each of which provides an additional layer of defense.

Zero Trust takes the same concept and extends it: instead of a castle, think of a modern city where every door checks who you are, much like facial recognition. Zero Trust grants rigidly defined permissions to each user and application in order to narrowly restrict their access.

While limited resources might not allow for every layer of defense, it’s still essential to add as many as possible. With each layer of defense, you add more friction, which provides cybersecurity teams more time to detect and counter attackers.

This leads us to our last suggestion: monitoring for attacks. While ransomware is software, many modern ransomware teams actively hack corporate networks instead of relying on software alone.

Research into incident investigations between 2017 and 2019 found that in 75% of all ransomware incidents, the attackers were in the network for as many as three days before the ransomware executed.

Additionally, 78% of malware was deployed after hours on weekdays or during the weekends when activity was less noticeable. That timing and infection speed provide very little time for internal teams to catch the attackers.

Many tools, such as anti-virus, focus on malware detection. Between 2017 and 2018, 60% of all attacks used malware.

But, in 2019, malware-free attacks occurred 51% of the time. Active cybersecurity monitoring is the most effective way to fill the gaps between the various internal defenses.
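The monitoring discussed in this section is, in practice, a matter of looking for the right signals in logs. The following is an added example, not code from the article or from any monitoring product, showing two simple indicators a defender can check: a burst of file renames to a new extension on one host (the footprint of files being encrypted), and interactive logons outside business hours (the after-hours timing noted above). The log format and every line in it are constructed for the demo; real file-server and logon events would need their own parser.

```python
"""Two simple ransomware indicators run over a constructed event log.
Added example; not the article's code.  The log format is invented."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample lines: "<iso time> <host> <event> <detail>".
# 2020-03-03 is a Tuesday, so only the hour decides the off-hours check.
SAMPLE_LOG = """\
2020-03-03T01:52:10 FS01 LOGON user=svc_backup type=interactive
2020-03-03T01:55:02 FS01 RENAME finance/ledger.xlsx -> finance/ledger.xlsx.locked
2020-03-03T01:55:03 FS01 RENAME hr/roster.docx -> hr/roster.docx.locked
2020-03-03T01:55:03 FS01 RENAME hr/benefits.pdf -> hr/benefits.pdf.locked
2020-03-03T01:55:04 FS01 RENAME ops/runbook.docx -> ops/runbook.docx.locked
2020-03-03T01:55:05 FS01 RENAME ops/inventory.csv -> ops/inventory.csv.locked
2020-03-03T01:55:06 FS01 RENAME legal/contract.pdf -> legal/contract.pdf.locked
2020-03-03T09:15:44 WS07 LOGON user=jsmith type=interactive
2020-03-03T09:20:01 WS07 RENAME drafts/report.docx -> drafts/report_v2.docx
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (LOGON|RENAME) (.*)$")
Event = Tuple[datetime, str, str, str]  # (time, host, kind, detail)


def parse(log: str) -> List[Event]:
    """Parse the constructed format; lines that do not match are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, host, kind, detail = m.groups()
            events.append((datetime.fromisoformat(ts), host, kind, detail))
    return events


def extension(path: str) -> str:
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1] if "." in name else ""


def burst_renames(events: List[Event], window: timedelta = timedelta(seconds=60),
                  threshold: int = 5) -> Dict[str, int]:
    """Hosts on which at least `threshold` renames changed the file extension
    within one `window`.  Returns {host: count in the first such window}."""
    per_host = defaultdict(list)
    for ts, host, kind, detail in events:
        if kind != "RENAME":
            continue
        src, dst = [p.strip() for p in detail.split("->")]
        if extension(src) != extension(dst):
            per_host[host].append(ts)
    flagged = {}
    for host, times in per_host.items():
        times.sort()
        for i, t in enumerate(times):          # sliding window over sorted times
            j = i
            while j < len(times) and times[j] - t <= window:
                j += 1
            if j - i >= threshold:
                flagged[host] = j - i
                break
    return flagged


def off_hours_logons(events: List[Event], start_hour: int = 8,
                     end_hour: int = 18) -> List[Tuple[str, str, str]]:
    """Interactive logons on weekends or outside [start_hour, end_hour)."""
    hits = []
    for ts, host, kind, detail in events:
        if kind == "LOGON" and "type=interactive" in detail:
            if ts.weekday() >= 5 or not (start_hour <= ts.hour < end_hour):
                user = detail.split("user=")[1].split()[0]
                hits.append((host, user, ts.isoformat()))
    return hits


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    print("rename bursts:", burst_renames(evts))
    print("off-hours logons:", off_hours_logons(evts))
```

The ordinary rename on WS07 keeps its `.docx` extension and is not counted, while the six renames on FS01 within a few seconds trip the threshold, and the 01:52 interactive logon on the same host is the kind of event that, correlated with the burst, justifies isolating that server and stopping the backup job. Thresholds and business hours are assumptions to tune per environment.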


Final Thoughts


Ransomware attacks cost organizations a lot of time, and a great deal of money. 

Despite that, all too many organizations remain vulnerable.

Some believe that they don’t have sufficient resources for cybersecurity, while others just don’t think that their companies are at risk for cyber attacks.

However, neither of those opinions is true – all organizations with an internet connection are at risk, and there are cost-efficient ways to secure your data.

With your budget and needs in mind, at Ideal Integrations, we maximize your return on IT by providing solutions unique to your organization with 24/7/365 support.

We work with the industry’s top vendors to give you a comprehensive cybersecurity defense that’s designed completely to fit your specific needs.

Ready to get started and create your solution? Complete the form below, or call us at 412-349-6680.

Building networks and partnerships, we are by your side!
