What is ransomware and how do you prevent it?

Thursday, March 26, 2020 by Michael Nuncic


Ransomware attacks are on the rise, but what is it? And what can you put in place to prevent your company from being a victim of this growing malware?

Over the last few years, ransomware has been increasing at an alarming rate. Unfortunately, the rise of technology comes hand in hand with an increase in cybercrime. But how much do you know about the ever-evolving ransomware threat? And do you know what steps to take to prevent an attack?

An increasing risk

Cybersecurity needs to be a top priority for businesses of any size to protect themselves from the ever-evolving threat landscape. According to ISACA, CMMI, and Infosecurity Group's "State of Enterprise Risk Management 2020" study, 53% of respondents stated that they had seen increased risk to their organization over the last 12 months. Additionally, 29% of respondents found that cybersecurity is the most critical risk category facing enterprises today, and 33% believe that information/cybersecurity risk will be the most crucial category of risk facing their organization in the next 18-24 months.

Figure: Increasing risk of cybercrime

Source - ISACA, CMMI and Infosecurity Group's "State of Enterprise Risk Management 2020"

Ransomware definition

Ransomware is a form of malicious software designed to either block access to a computer system or publish a victim's data online. The attacker demands a ransom from the victim, promising – not always truthfully – to restore access to the data upon payment.

Ransomware has been around since the 1980s, and the last decade has seen various ransomware Trojans crop up, but the real opportunity for attackers has ramped up since the introduction of Bitcoin. This cryptocurrency allows attackers to easily collect money from their victims without going through traditional channels.

Who is behind ransomware?

Those behind ransomware attacks are usually highly knowledgeable scammers with expertise in computer programming. Typically, ransomware will infect your computer via an email attachment, network, or infected browser.

How does ransomware work?

Phishing

The most common delivery system for ransomware is phishing spam – attachments that arrive in a victim's email, masquerading as a file that they can trust. According to research from the security software firm Trend Micro, 91% of cyber attacks and the resulting data breaches begin with a spear-phishing email.

Once you download and open the attachment, the malware will take over the computer, encrypting some or all of the files. When this happens, the only way to decrypt the data is with a mathematical key known only to the attacker.

There have also been cases where malware will display a message claiming that the user's 'Windows' is locked. The user is then encouraged to call a "Microsoft" phone number and enter a six-digit code to reactivate the system. The message alleges that the phone call is free, but this isn't true. While on the phone calling the fake 'Microsoft', the user racks up long-distance call charges.

Doxware

Another form of malware is called leakware or doxware; this is where the attacker threatens to release sensitive data about the victim unless they pay a ransom. It often targets emails and Word documents, and there have also been cases of mobile variants where private messages, pictures, and contact lists from users' phones have been released.

Doxware is known to be more effective than ransomware – in terms of getting the money from the victim. With ransomware, you can maintain separate backups of data that is no longer accessible. Still, with doxware, once an attacker has information that the victim doesn't want to be made public, there is little to be done apart from paying up.

What damage can ransomware do?

You would think that paying a ransom to regain access to your data was bad enough, but that can pale in comparison to the actual damage costs involved with an attack. Ransomware attacks can cause:

  • The damage and destruction (or loss) of data
  • Lost productivity
  • Post-attack disruption to the normal course of business
  • A forensic investigation
  • The restoration and deletion of hostage data and systems
  • Reputational harm
  • The need for employee training in direct response to the attacks

When you take the above into account, it is no wonder that ransomware attacks cost organizations an average of $36k!

Should I pay the ransom?

When you speak to cybercrime experts, most urge you not to pay the ransoms as funding ransomware attackers will only help create more ransomware.

However, many organizations go against this advice, weighing the cost of the encrypted data against the ransom. In 2018, 45% of US companies hit with ransomware paid their attackers. But why?!

The general advice is not to pay ransomware attackers. However, refusing to pay may not be the best course of action for many businesses, especially when there is a chance the company may permanently lose access to vital data, incur fines from regulators, or go out of business altogether. For many companies, the choice between paying a relatively modest ransom and staying in business is a no-brainer.

In some ransomware cases, the attacker will set the ransom demand at a point that it's worth their while but will ensure that it is low enough that it is often cheaper for the victim to pay rather than to reconstruct their lost data. Attackers will sometimes offer discounts if their victim pays within a specific timeframe, e.g., three days.

With that in mind, some companies are building up reserves of Bitcoin specifically for ransom payments; this is mainly being seen in the UK, where organizations seem more likely to pay ransoms. According to Gotham Sharma, managing director at Exeltek Consulting Group, "About a third of mid-sized British companies report having Bitcoin on hand to respond to ransomware emergencies when other options can't be immediately exhausted."

How to stop ransomware

If you find yourself infected by ransomware, first you need to find out what kind of ransomware it is. For example, if you can't get past a ransom note on your screen, then you have probably been infected by screen-locking ransomware. If you can browse through your apps but can't open your files, movies, etc., it's likely that encrypting ransomware has affected your system – the worse of the two. If you can navigate your network and read all your files, then it's probably a fake that is just trying to scare you into paying.

How to prevent ransomware

- Ensure you have a good backup of all your files; this way, if anything does happen, restoring your files from a backup is the fastest way to regain access to your data.

- When answering emails, unsolicited phone calls, text messages, or instant messages, do not provide any personal information. Phishers can try to trick employees into installing malware or into giving up information by claiming they are someone from your IT department.

- Ensure you have reputable antivirus software and a firewall. There is a lot of fake software on the market, so your antivirus and firewall must be good enough to ensure you're safe from malware threats.

- Make sure you have content scanning and filtering on your mail servers. Scan every inbound email for known threats and block any attachment types that could pose a threat.

- If you are traveling for work, ensure that you inform your IT department beforehand, especially if you think you may be using public wireless internet points. Make sure you have a trustworthy Virtual Private Network (VPN) when accessing any public Wi-Fi spots.

- Make sure all your computer software is up to date; this includes the operating system, browser, and any toolbar plug-ins you use.
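As an added illustration of the mail-server filtering advice above (this is example code, not Ontrack's tooling), the following Python script parses an inbound message with the standard library, classifies each attachment by its final file extension, and catches the "masquerading" trick the phishing section describes, where a file such as a disguised invoice carries a hidden executable extension. The blocklist, the review list, and the sample message are assumptions constructed for the example.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed gateway policy (not from the post): extensions that are rejected
# outright, and macro-enabled Office formats that are held for review.
BLOCKED_EXTENSIONS = {
    ".exe", ".scr", ".js", ".jse", ".vbs", ".wsf", ".hta",
    ".bat", ".cmd", ".ps1", ".lnk", ".iso",
}
REVIEW_EXTENSIONS = {".docm", ".xlsm", ".pptm"}


def classify_attachment(filename):
    """Return 'block', 'review' or 'allow' for one attachment name."""
    # Windows drops trailing dots and spaces, so strip them before judging
    # the extension; "setup.exe." is really "setup.exe".
    name = filename.lower().strip(" .")
    parts = name.split(".")
    # Only the last extension counts: "Invoice_2020.pdf.exe" is an executable
    # wearing a PDF disguise, so the earlier ".pdf" is ignored.
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in BLOCKED_EXTENSIONS:
        return "block"
    if ext in REVIEW_EXTENSIONS:
        return "review"
    return "allow"


def scan_message(raw_bytes):
    """Parse a raw RFC 5322 message and return (filename, verdict) pairs."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    return [(part.get_filename() or "", classify_attachment(part.get_filename() or ""))
            for part in msg.iter_attachments()]


def message_verdict(raw_bytes):
    """Whole-message verdict: one blocked attachment blocks the message."""
    verdicts = [v for _, v in scan_message(raw_bytes)]
    if "block" in verdicts:
        return "block"
    return "review" if "review" in verdicts else "allow"


def build_sample():
    """Constructed sample message (not a real phishing email) for testing."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "staff@example.invalid"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"not really a pdf", maintype="application",
                       subtype="octet-stream", filename="Invoice_2020.pdf.exe")
    msg.add_attachment(b"%PDF-1.4 sample", maintype="application",
                       subtype="pdf", filename="terms.pdf")
    return msg.as_bytes()
```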

Read our previous blog about how to protect your company from cybercrime.


Ontrack and ransomware

At Ontrack, we are continually tracking 271 different types of ransomware. Ransomware changes and develops all of the time, so we want to make sure we are watching and studying the latest changes and advancements.

When it comes to inaccessible data, it is always best to contact a data recovery expert like Ontrack, who can help you gain access to your data after a ransomware attack.