It’s no secret that ransomware attacks continue to grow each year and can be devastating for small and mid-sized businesses. One simple security mistake can quickly result in ransomware spreading throughout your organization’s network.
Ransomware is particularly appealing to hackers of all skill levels due to its ease of use coupled with the fact that ransomware strains are readily available on the dark web for purchase.
One of the first steps to better protect your organization and your data is to understand the ransomware threat.
In this blog, we will break down the most common questions we receive when discussing ransomware:
What is Ransomware?
Ransomware is an ever-evolving form of malicious software that encrypts a victim’s information, rendering files and devices unusable. The cybercriminal holds data hostage, while demanding a ransom in exchange for decryption. Ransomware is often designed to spread across a network and target database and file servers, quickly paralyzing operations and bringing businesses to a sudden halt. It is a growing threat, generating billions of dollars in payments to cybercriminals and inflicting significant damage and expenses for businesses.
Ransomware is different than your typical cyberattack in that the hackers are not primarily interested in stealing data from your business. Instead, they want to hold it hostage. For example, imagine a burglar for an analogy. A burglar will break into your home and take your TV. But in the case of ransomware, they’re going to break into your home, change your locks, put bars over the doors and windows, and tell you that you have to pay them in order to get back into your house again.
There are two main types of ransomware. The first type has the ability to lock a user out of the computer, making it inaccessible. The second type, and most common form, will encrypt files stored on the computer. In each instance, a ransom note will appear providing instructions on the cost associated with retrieving the data or unlocking the computer and a time frame for which to pay it. The ransom amount and consequences will vary depending on the type of ransomware that has infected the computer and the hacker deploying the script.
Who is Behind a Ransomware Attack?
State Sponsored/Criminal Enterprise
When most people think about who is behind ransomware attacks, they imagine a bored teenager behind a keyboard. The most brutal and far-reaching ransomware attacks, however, are really run like a business by cohorts of hackers working in tandem.
Much like a business, ransomware perpetrators work in a coordinated organizational hierarchy and are often backed by state-sponsored foreign adversaries. These groups delegate labor by skillsets and operate with the express intent of generating “revenue.”
Just like a business, they reinvest the “revenue” to further grow their criminal enterprise, enabling them to develop even more sophisticated ransomware. Cybercriminals continue to adjust and evolve their ransomware tactics over time.
Bad Actors
There’s an entire growing and evolving world of bad actors, lingering just below the surface of the internet. Bad actors of all levels and skillsets hang out in dark web forums. These forums are home to shady chat rooms where these bad actors exchange information, tips, and tricks from their latest conquests, oftentimes even bragging about their trophies.
But these forums also serve as malware bazaars where hackers are often hawking different forms of malware. Ransomware and the popularity surrounding Ransomware-as-a-Service (RaaS) makes it simple for hackers of all skill levels to gain access to and deploy attacks. The chilling fact is that just about anyone with $150 in a bitcoin purse can get their hands on RaaS, and with very little skill they too can launch attacks.
Who Are They Targeting?
Anyone with a computer connected to the internet is a target. Advancements in technology, including migration to the cloud, and an increased usage of phishing campaigns have drastically leveled the playing field between large corporations and SMBs in terms of their cybersecurity attack surface.
For bad actors that have invested time and money into ransomware, the enterprise is simply a numbers game. By purchasing lists on the dark web, they know that the more businesses they target, the higher chance hackers have of turning a profit. This means that everyone is a target.
Where is Ransomware Located?
Ransomware threats are lurking in almost every corner of the internet, including but not limited to: email links and attachments, online advertisements, smart phone and tablet apps, in the cloud, and through injection via system vulnerabilities.
- Phishing emails generally contain links that, once clicked, will reroute the user to an infected website. Unless the email is from a trusted source, or if there is any doubt, never click on the link or the attachment.
- Online advertisements connected to a ransomware attack are known as malvertising. By clicking on an advertisement, the user can unknowingly begin installing the malware. Or, the ads contain a script that checks the computer for vulnerabilities which will allow the download and installation of the ransomware.
- Smart phone and tablet applications are common targets, especially when downloading from a third-party. Unless the app is from a trusted source such as Google Play or the App Store, don’t download it. Once infected, if the phone or tablet is connected to a cloud-based file sharing platform, the ransomware can potentially spread from the infected device to the user’s other devices.
- Lastly, ransomware can enter a system the old fashioned way – through vulnerabilities. Externally facing systems that are unpatched can be easy targets. Without a patch management program, your computers and other systems are more vulnerable to attack.
How Can a Business Prevent Ransomware?
Ransomware is notoriously challenging to prevent entirely. Currently, there is no silver bullet to protect your business from ransomware, which means no business is immune.
Some of the most cautious and diligent companies still fall victim to these attacks. By implementing the following security best practices, the likelihood of being infected with ransomware drops precipitously. Safeguarding your business from ransomware with security best practices could save your business millions of dollars in losses due to interrupted operations, data loss, and other consequences.
It’s important to understand how ransomware infects computers before delving into prevention. One attack vector hackers use are malicious websites to lure unsuspecting victims to click infectious links. The preferred means hackers use to prey on you and your employees are phishing emails. Therefore, the most important security practice organizations can launch to avoid ransomware is training and education.
Security Awareness Training
Establish security awareness training for your employees to educate them on how to spot a phishing email. Then, regularly test their skills on detecting and avoiding infections. Bad actors often send phishing emails and text messages repeatedly, waiting for someone to be distracted and accidentally click a malicious link. They know that persistence pays off when they only have to find one weak link in the human firewall.
Backup Data Regularly
Backing up your data regularly is an extremely important safeguard in preparing to recover from a ransomware attack. “Do you have backups?” is one of the first questions that come up in the early stages of the incident response process. Furthermore, it is important to secure your backups, ensuring that your backup systems do not allow direct access to backup files.
Ransomware will look for data backups and encrypt or delete them so that they cannot be used to recover. We also highly suggest backing up your files with triple redundancy, meaning having three copies of your backups using two different formats, with one backup off-site.
Patch Your Systems
Ensure all operating systems, browsers, and programs are up-to-date. Technology manufacturers and software providers release patches on a regular basis to ensure their systems are secure from the latest security threats. Thus, it is essential to keep up with these system patches, as well as maintain updates for your browsers and other programs like Flash and Java.
For businesses, one of the best ways to identify unpatched systems and other vulnerabilities in their network is through penetration testing.
Use Security Software
Use security software such as end point protection, web filtering, and anti-phishing email software in order to greatly reduce the chances of a malware infection.
Limit Administrative Privileges
Once hackers are inside your network, they typically seek to gain control of an administrative account. The more users you have granted administrative privileges to, the more accounts bad actors have a chance to hack into and compromise. Once they gain administrative control, bad actors are able to move more easily throughout your company’s infrastructure.
Engage a Trusted Security Advisor
Ransomware threats are constantly changing so it is important to have a trusted security advisor help guide your organization on best practices. They can identify the security controls for mitigating the threat of an attack and assist in the event a breach does occur.
How Can an Incident Response Plan Help?
Organizations that create regular backups, train employees how to identify threats, patch, limit administrative privileges, and run anti-malware software will make it much harder for the attacker to succeed. Even with all these safeguards, no company is 100% protected from ransomware, which is why it is important to have an Incident Response Plan (IRP) in place, and to practice it with table top exercises.
Our best advice is to be prepared for the worst. Because it’s not if, it’s when. As Bogdan Salamakha, Senior Cybersecurity Analyst, stated in The Importance of an Incident Response Plan, “You can’t see the punches coming if you’ve never trained.”
Without an IRP, the response is often chaotic, emotional, and disorganized. This is why putting together an incident response plan is critical to mitigating cyber-risk for your business.
What Should Be Included in an IRP?
Developing an IRP is not an easy task that can be accomplished in a day. Some of the things you might include in your plan might be:
- Outline your main primary contacts.
- What an incident will look like?
- Does it require legal counsel?
- Who requires notification?
Responding to Ransomware
What is it Like After a Company Gets Infected with Ransomware?
“How could I have let this happen? … Why me?“
Bogdan Salamakha, Senior Cybersecurity Engineer with TCDI, said it’s common for businesses to panic in the early stages of an incident. As a first responder, his job is to help bring back calm and order amidst the chaos.
Business owners and IT personnel understand the severity of the situation and what’s at stake when a ransomware attack hits. Unless they have a clear and practiced Incident Response (IR) plan, decisions are often made from a panicked state of mind.
In this section’s video, Bogdan explains how he loves going on-site in these situations because he is able to help those organizations regain that control. Once they regain their composure, they can hit the ground running and get back to normal operations as soon as possible.
Nobody knows how they will react in a stressful situation until are they put in the middle of one. That is why practicing the Incident Response plan through table-top exercises is a crucial part of any cybersecurity program.
Can Ransomware Infect Backups?
Unfortunately, backups can become infected with ransomware. Ransomware will look for data backups and encrypt or delete them so that they cannot be used to restore data in lieu of paying the ransom. This is why we recommend making sure your backup systems are air-gapped from your backup files.
Unfortunately, many companies try to restore from backups without calling an Incident Response (IR) Investigation Service first. Without an IR Expert validating the backups before restoring them, many companies end up reintroducing the malware back into the environment each time they restore. Thus, it’s important to reach out to a third-party Incident Response (IR) Specialist as soon as an incident is identified. We will put fresh eyes on the environment to help ensure your backups are safe.
What Should I Do If I Get Hit With Ransomware?
If you suspect you’ve been hit with a ransomware attack, it’s important to act quickly. It is essential that you disconnect the affected device from the network, internet, and from other devices as quickly as possible. Then, reach out to a third-party Incident Response (IR) Investigation Team as soon as the device is disconnected.
Ransomware that affects one device is tolerable for most businesses. On the other hand, unchecked ransomware that is allowed to infect your company’s entire network is a major catastrophe. The difference between dealing with the inconvenience of one infected device versus a company-wide outbreak usually boils down to response time during the incident. For this reason, it is important to have an IR Team on hand and on speed dial.
Incident response plans vary based on the organization’s regulatory and compliance requirements, as well as the type of information the organization works with. An IR Team will be able to help you answer tough strategic questions when mapping out an incident response plan.
Moreover, the last thing you want to do is have IT staff accidently delete evidence. Depending on the severity, breaches are often evaluated by regulators, lawyers, management, customers, and other stakeholders. They will not only want to know how and why the breach occurred, but also the steps taken to gather evidence, determine the scope, secure compromised systems, and notify those who were affected. A seasoned IR Investigator will be able to forensically preserve evidence and perform an analysis in a secure sandbox environment to uncover important facts regarding the incident.
Is your business prepared for the future of ransomware?
Suspect you’ve been hit with ransomware?
TCDI’s team of experienced digital forensics and incident response investigators will contain and remediate a data breach.
Ready at a moment’s notice, our experts will forensically preserve evidence and perform an analysis in our secure sandbox environment to uncover important facts regarding the incident.
