According to the latest McAfee threat report, in the first quarter of 2019, ransomware attacks grew by 118%. Not only was there a significant rise in the number of attacks, but the year also saw new ransomware families appearing, and cyber criminals using more innovative techniques to cause chaos. It is, therefore, more important than ever that organisations know how to avoid becoming a victim of ransomware.
New ransomware families
Cybercriminals continue to come up with new and innovative ways to target and infect enterprises. Spear phishing tactics continue to be a popular choice by many threat actors. Still, the researchers at McAfee said, “an increasing number of attacks are gaining access to a company that has open and exposed remote access points, such as remote desktop protocol (RDP) and virtual network computing (VNC).” Hackers are often able to access these credentials as enterprises often leave RDP client ports open to the internet – it easy to scan blocks of IP addresses for open RDP ports. Attackers will then attempt to brute-force the remote desktop login/password. Hackers can also obtain RDP credentials through underground markets and password leaks.
A discovery for 2019 was the ransomware Anatova. This new ransomware family disguises itself as the icon of a game or application to trick the user into downloading it. An extremely advanced form of malware, it adapts quickly and uses evasion and spreading techniques to prevent its discovery. Due to its modular design, it can embed additional functionalities allowing it to thwart anti-ransomware methods. Fortunately, the McAfee Advanced Threat Research team discovered this new ransomware family in early 2019 before it became a significant threat.
A variant of CrySiS, Dharma ransomware has been around since 2018, but cybercriminals continue to release new variants, which are impossible to decrypt.
A malicious ransomware that uses AES encryption and drops a file called ‘GandCrab.exe’ onto the system. GandCrab targets consumers and businesses with PCs running Microsoft Windows. On May 31st, 2019, the cybercriminals behind GandCrab sent an announcement saying they were stopping all further GandCrab ransomware attacks claiming they had made over $2 billion in ransom payments and they were taking a “well-earnt retirement.”
Emotet was originally a malware that targeted banks – it would sneak onto your computer and steal sensitive and private information. First, on the scene in 2014, Emotet has gone through a variety of versions, evolving into a ransomware that can evade detection even by some anti-malware products. Since its inception, Emotet has stolen banking logins, financial data, and Bitcoin wallets from individuals, companies and government entities across Europe and the USA.
Using worm-like capabilities to spread to other computers, hackers usually introduce Emotet by spam emails – made to look legitimate and with the use of tempting language to trick the victim into clicking on the link.
Emotet is one of the most costly and destructive malware – according to the Department of Homeland Security, the cost of the average Emotet attack is upwards of $1 million to clean up.
Ryuk specifically targets large organisations for a high-financial return. According to CrowdStrike, between August 2018 and January 2019, Ryuk netted over 705.80 bitcoins across 52 transactions totalling a value of $3,701,893.98. It first turned heads with its attack on Tribune Publishing’s operations over the Christmas period of 2018. At first, the company thought the attack was just a server outage, but it was soon clear it was the Ryuk ransomware.
Another term for ransomware such as Ryuk that targets large enterprises for high ROI is ‘big game hunting.’ These large-scale attacks involve detailed customisation of campaigns to best suit the individual targets, increasing the effectiveness of the attacks. ‘Big game hunting’ therefore requires much more work from the hacker; it is also a normally launched in phases. For example, phase one might be a phishing attack with an aim to infect an enterprises network with malware to map the system and identify crucial assets to target. Phases two and three will then be a series of extortion and ransom attacks/demands.
How to prevent ransomware
There are many things to consider when fighting ransomware. With so many different types of malware around these days, you should keep in mind the following three main tips and execute accordingly.
1. Email security is king
According to McAfee, spam email continues to be one of the main entries of ransomware viruses, especially in the case of targeted attacks. Therefore securing this main source of vulnerability is essential to everybody who runs a network or connects to the Internet.
Most individuals trigger a ransomware attack by opening, what looks like, a normal email that holds the virus in a document, photo, video or other type of file. Most hackers today don’t need much knowledge to insert a piece of malware into a file; there are numerous articles and YouTube tutorials with step-by-step instruction on how to do it.
With this in mind, you should always avoid opening an email from an unknown sender. If you receive an email from an unknown source, inform your company data security advisor or IT team immediately.
Remember: keeping your company’s IT systems and data secure is always the right decision.
2. Make your network and IT environment secure
Ransomware infecting a single computer is undoubtedly a serious problem. But, when it spreads all over the network, it can become not only a nightmare for the IT department but endanger the whole business.
Companies who have not already done so should consider implementing a data security software, which checks all incoming emails before the intended recipient receives them. Such a solution will dramatically reduce the risk that a virus spreads inside a company network. Additionally, IT administrators and management should consider implementing network security software, which automatically monitors the network and its files for threats. The solution will also alert administrators if a ransomware attack is trying to encrypt vast quantities of files over the network.
Last but not least: Always update your software and operating systems with the latest patches, as and when they are available. As pointed out so often, hackers are only successful with their attacks when the victim has gaps in their data security policies.
3. Make your employees smart
Even experienced computer users get into a panic when they realise they are facing a ransomware attack. It is therefore important that every employee in a company knows exactly what to do if a ransomware attack occurs, even high-level execs and IT Directors.
A ransomware attack should not only be part of a business continuity plan for higher management or IT experts but precise tips on what to do, when hit, should be visible and understood in every office. These can be simple, but effective, for example:
- Disconnect from the internet and internal network
- Try to shut down the device properly or immediately call IT security/IT administration
IT security and administration staff alike should continuously educate themselves on the latest developments in cybersecurity and hacking. Reading the most recent blog news, keeping up to date about new developments in this scene and loopholes in networks or software solutions should, therefore, be a necessity for these employees.
What should you do if you’re hit by ransomware?
If for one reason or another ransomware gets through your defence line, you should do the following:
- Never pay the ransom! Paying the criminals doesn’t guarantee that you will get your data back. In many cases (and most definitely, if it is a ‘ranscam’ or wiper malware) you will not get your data back, leaving you with no data and a lot less money!
- Do not try to decrypt the data by yourself. Some computer specialists may have the capabilities to recover lost data, but it is risky – if something goes wrong, you could destroy your data forever.
From the perspective of a data recovery specialist, every ransomware case is different. There is not only a big difference in how ransomware variants encrypt the data and spread through the network but also how they target different areas of data storage systems.
Some systems and data structures are more challenging and need more time to recover than others. As each case is different, it makes sense to contact a specialist and ask if they have seen your type of ransomware strain before. They will be able to advise you on whether it is worth sending in to attempt data recovery work and if they have been successful with similar cases already.
The attacks over the last few years show that ransomware continues to be a serious threat to both private individuals and companies. It, therefore, pays to revisit your data security, network policies, user training and backup procedures.
From a backup perspective, we recommend you store backups of your business-critical data on external storage devices that you do not connect to your network e.g. tapes. You should regularly test your backups for accuracy and functionality.
If your backups are not working or they are hit by ransomware, it is best to contact a professional data recovery service provider who can attempt to recover your information from the problematic backup media or work around the ransomware itself to get to the data.