Ransomware attacks: All you need to know
Over the last few years, cybercrime has been increasing at an alarming rate. Unfortunately, the rise of technology comes hand in hand with the rise of cybercrime.
According to the Cyber Security Breaches Survey, 43% of businesses were a victim of some form of cyber-security breach in 2018. While in the previous year, the US state of California lost more than $214 million through cybercrime alone.
It was only last month that we were writing about the latest hack to hit the headlines, Collection #1. And, with it being estimated that last year alone, Cybercrime generated at least 1.5 trillion dollars, it’s no wonder this is becoming a big concern.
There are many forms of cybercrime, ranging from phishing scams, internet fraud to cyberstalking. In this blog, we are going to concentrate on ransomware.
What is ransomware?
Ransomware is a form of malicious software designed to either block access to a computer system or publishes a victim’s personal data online. The attacker demands a ransom from the victim, promising – not always truthfully – to restore access to the data upon payment.
Around since the 1980s, the last decade has seen various ransomware Trojans crop up, but the real opportunity for attackers has ramped up since the introduction of Bitcoin. This cryptocurrency allows attackers to easily collect money from their victims without going through traditional channels.
Where does ransomware come from?
Ransomware is created by highly knowledgeable scammers that are experts in computer programming. Ransomware can enter through your computer from an email attachment, via your network or through your browser if you visit a website that is infected with this type of malware.
How does ransomware work?
The most common delivery system for ransomware is via phishing spam – attachments that arrive in a victim’s email, masquerading as a file that they can trust. According to research from a security software firm, Trend Micro, 91% of cyber attacks and the resulting data breach begin with a spear phishing email.
Once the attachment has been downloaded and opened, the malware can take over the victim’s computer, encrypting some of the user’s files. When this happens, the only way the files can be decrypted is through a mathematical key only known to by the attacker.
There have also been cases where malware will display a message claiming that the user’s ‘Windows’ is locked. The user is then encouraged to call a “Microsoft” phone number and enter a six-digit code in order to reactivate the system. The message alleges that the phone call is free, but this isn’t true. While on the phone calling the fake ‘Microsoft’, the user racks up long-distance call charges.
Another malware is called leakware or doxware. This is where the attacker will threaten to release sensitive data on the victim’s hard drive unless a ransom is paid. Often targeting emails and word documents, there have also been cases of mobile variants where private messages, pictures and contact lists from users’ phones have been released.
Doxware is known to be more effective than ransomware – in terms of getting the money from the victim. With ransomware, you can maintain separate backups of data that is no longer accessible, but with doxware, once an attacker has information that the victim doesn’t want to be made public, there is little to be done apart from paying up.
It’s not just the ransom that is costly!
You would think that paying a ransom to gain access to your data was bad enough, but that can pale into comparison to the actual damage costs involved with an attack. This can include:
- Damage and destruction (or loss) of data
- Lost productivity
- Post-attack disruption to the normal course of business
- Forensic investigation
- Restoration and deletion of hostage data and systems
- Reputational harm
- Employee training in direct response to the attacks
When you take the above into account, it is no wonder that ransomware damages are predicted to climb to $11.5 billion this year, with an attack projected every 14 seconds by the end of this year, up from every 40 seconds last year.
To pay or not to pay
When you speak to cybercrime experts, most urge you not to pay the ransoms as funding ransomware attackers will only help create more ransomware.
Although, many organisations go against this advice weighing up the cost of the encrypted data against the ransom being asked. Last year, in the US, 45% of companies hit with ransomware paid their attackers. But why?!
While refusing to pay ransomware is suggested for the wider business community, refusing to pay may not be the best case of action for the business itself. Especially when there is a chance the business may permanently lose access to vital data, incur fines from regulators or go out of business altogether. The choice between paying a relatively modest ransom and staying in business or refusing to pay to help the wider business community is a no brainer for most.
In some ransomware cases, the ransom demanded is often set at a point that it’s worth the attacker’s while, but low enough that it is often cheaper than a victim paying to reconstruct their lost data. Discounts are also sometimes offered if the victim pays within a certain timeframe e.g. 3 days.
With that in mind, some companies are actually building up reserves of Bitcoin specifically for ransom payments. This is particularly being seen in the UK, where organisations seem more likely to pay ransoms. According to Gotham Sharma, managing director at Exeltek Consulting Group, “About a third of mid-sized British companies report having Bitcoin on hand to respond to ransomware emergencies when other options can’t be immediately exhausted.”
What to do if you’re infected by ransomware
If you find yourself infected by ransomware, first you need to find out what kind of ransomware it is. If you can’t get past a ransomware note on your screen, then you probably have been infected by screen-locking ransomware. If you can browse through your apps but can’t open your files, movies etc. you have been hit with encrypting ransomware – the worse of the two. If you can navigate your system and read all your files, then you have probably hit with a fake that is just trying to scare you into paying.
There is a great blog that goes into detail about what to do when you’re hit with both screen-locking and encrypting ransomware here.
How do you prevent ransomware?
-Ensure you have a good backup of all your files. This way, if anything does happen, restoration of your files from a backup is the fastest way to regain access to your data.
-When answering emails, unsolicited phone calls, text messages or instant messages do not provide any personal information. Phishers can try and trick employees into installing malware or gain intelligence by claiming they are someone from your IT department.
-Ensure you have a reputable antivirus software and a firewall. There are many fake software’s on the market, so it’s vital your antivirus and firewall are strong to ensure you’re safe from malware threats.
- Make sure you have content scanning and filtering on your mail servers. Every inbound e-mail should be scanned for known threats, and block any attachment types that could pose a threat.
-If you are travelling for work, ensure that you inform your IT department beforehand, especially if you think you may be using public wireless internet points. Make sure you have a trustworthy Virtual Private Network (VPN) when accessing any public Wi-Fi spots.
- Make sure all your computer software is up to date. This includes the operating system, browser and any toolbar plug-ins you use.
Ontrack and Ransomware
At Ontrack, we are constantly tracking 271 different types of Ransomware. Ransomware changes and develops all of the time, so we want to make sure we are watching and studying the latest changes and advancements. Studying ransomware and its ever-changing forms mean it’s more likely that we will be able to recover data that has been lost in result of an attack.
We currently have encryption abilities on 138 types of ransomware. Only a couple of years ago this figure was only 6, so we have come a long way!
When it comes to inaccessible data, it is always best to contact an expert. If you find yourself under attack from ransomware contact an expert like Ontrack who potentially has the capability to help you gain access to your data.