A type of malware that makes data or systems unusable until the victim makes a payment.
What is ransomware?
Ransomware can be defined as a type of malware that, once activated, blocks access to certain vital components of the victims computer until a ransom is paid.
Like all malware there is a large variance in destructive capacity. Some variants simply lock the victim’s screen while others encrypt specific files. A small group of super-destructive data-wiping variants, such as the GermanWiper strain, systematically search out and destroy all vital files within the victims machine.
Ransomware attacks are an immense threat to organisations. They can cause data loss, theft of intellectual property, and disruption of normal business. The last point usually being the most costly.
Unlike many other forms of malware, ransomware usually makes its presence known immediately. Instead of subtly stealing data from an unknowing victims machine, it leverages fear and panic to demand payment in return for it’s swift deactivation.
The motives of ransomware attackers are almost invariably instant monetary gain. Payments are most commonly demanded in the form of cryptocurrencies like Bitcoin and Monero. Using cryptocurrency enables ransomware attackers to easily conceal their identity while receiving payment.
Though the majority of Ransomware strains are designed for attacking Windows PCs, there are a few variants which target Mac computers and handheld devices.
In a typical ransomware attack, the malware is installed on the victim’s computer via social engineering techniques which trick the victim into clicking a link or opening an attachment. Once installed, the malware begins to encrypt as many of the victims files as possible, often extending into network drives the victim has access to.
Once the victim has realised their files are locked, panicked, then asked IT to deal with it (we all know that’s how it happens), the system admin will find the encrypted files and the instructions to pay the ransom (which they hope will decrypt the files).
As this threat landscape evolves, so do the criminals acting within it, always looking for new ways to bypass security technologies.
The business model of ransomware is still incredibly successful. As mentioned above, the costs of ransomware attacks in 2020 are projected to surpass £10 billion.
How bad is it?
Ransomware can be devastating to an individual or an organisation.
Anyone with important data stored on their computer or network is at risk, including government or law enforcement agencies and healthcare systems or other critical infrastructure entities.
Recovery can be a difficult process that may require the services of a reputable data recovery specialist, and some victims pay to recover their files. However, there is no guarantee that individuals will recover their files if they pay the ransom.
Since the beginning of 2016, ransomware has been a growing global cyber security threat, and one which could affect any organisation that does not have appropriate defences.
Ransomware was profitable to criminal actors through an economy of scale; they were successful by indiscriminately targeting high volumes of users of vulnerable devices.
Even with only modest ransom demands the number of successful attacks was often enough to make the criminal actors a decent profit.
More targeted attacks
Throughout 2018 and 2019, there appears to have been a trend for more targeted ransomware attacks, where criminal actors conduct a thorough analysis of the victim networks to understand the ‘value’ of the victim organisation and set a ransom demand based on that perceived value.
Through analysis of the victim network and lateral movement malicious actors look to ensure that their action has maximum impact on the victim organisation – potentially denying access to business critical files and systems, and preventing the operations of the victim organisation.
Windows, macOS & Linux
While ransomware against Windows operating systems has been commonplace for some years, attacks against Mac and Linux systems are also seen.
The methods for infecting systems with ransomware are similar to those used with other types of malicious software, as are the steps organisations can take to protect themselves.
Depending on your level of preparation, ransomware infection can cause wide-scale disruption.
This image is from the worldwide WannaCry ransomware attack, which targeted computers running the Microsoft Windows operating system by encrypting data and demanding ransom payments in the cryptocurrency Bitcoin.
It propagated through EternalBlue, an exploit developed by the United States National Security Agency (NSA) for older Windows systems. EternalBlue was stolen and leaked by a group called The Shadow Brokers a few months prior to the attack.
How does ransomware infect your system
Computers are infected with ransomware via a number of routes.
Sometimes users are tricked into running legitimate-looking software programs, which contain the ransomware. These may arrive via authentic-looking email attachments or links to apparently genuine websites (known as phishing).
More recently, ransomware infections have also been caused by unpatched vulnerabilities in software, and simply visiting a malicious website can be enough to cause a problem.
A range of attack vectors have been used, for example vulnerable web browsers, legacy protocols (such as SMBv1) or remote administration tools such as Remote Desktop Protocol (RDP).
Here, attackers have developed methods of identifying and exploiting vulnerable RDP sessions by stealing login credentials and other sensitive information so the use of an SSL VPN tunnel is recommended for all RDP connections.
Other attack vectors are propagated by the use of other malware such as trojans.
Although less common, data transfers between computers (such as via USB memory sticks) can also cause ransomware to spread.
Defend Against Phishing
Defend against phishing attacks – phishing works by exploiting people’s natural instincts to be helpful and efficient.
A combination of technological, process and people-based defences will help organisations minimise their users exposure to phishing, recognise and report an attack, protect against attacks that slip through and respond to an incident.
Vulnerability Management & Patching
Some ransomware gains control by exploiting software vulnerabilities in operating systems, web browsers, browser plug-ins or applications.
Often these vulnerabilities have been publicly known about for some time and the software providers will have made patches available to mitigate them. Deploying these patches, or otherwise mitigating the vulnerabilities, is the most effective way of preventing systems being compromised.
However, as well as patching the devices used for web browsing and email, it’s important to patch the systems they are connected to, since some ransomware is known to move around systems, encrypting files as it goes. It is important to take steps to prevent an attacker from establishing a foothold in a network and gaining further access (lateral movement) as well as protecting system boundaries.
Controlling Code Execution
Consider preventing unauthorised code delivered to end user devices from running.
One common way that attackers gain code execution on target devices is to trick users into running macros. You can prevent these attacks from being successful in your organisation by preventing all macros from executing – unless you have explicitly trusted them.
It’s also good practice to ensure users do not have privileges to install software on their devices without the authorisation of an administrator. Remember that users may sometimes legitimately need to run code that you have not pre-authorised; consider how you will enable them to do this, so that they are not tempted to do it secretly, in ways you can’t see or risk-manage.
See our End User Device security guidance for recommended configuration of the platforms you are running.
Filter Web Browsing Traffic
It’s recommend to use a security appliance, such as a firewall, or service to proxy your outgoing web browsing traffic. Filter attempted connections based on categorisation or reputation of the sites which your users are attempting to visit.
Control Removable Media Access
To prevent ransomware from being brought in to an organisation via this channel.
Good Access Control
The compartmentalisation of user privileges can limit the extent of the encryption to just the data owned by the affected user. Understand the risks brought in by the system administration model that your IT architecture uses. Re-evaluate permissions on shared network drives regularly to prevent the spreading of ransomware to mapped and unmapped drives. System administrators with high levels of access should avoid using their admin accounts for email and web browsing.
Ransomware doesn’t have to go Viral in your Organisation
Limit access to your data and file systems to those with a business need to use them. This is good practice anyway and, like many of the recommendations made here, prevents against a range of cyber attacks.
Backup your data
Organisations should ensure that they have fully tested backup solutions in place. Backup files should not be accessible by machines which are at risk of ingesting ransomware.
It is important to remember backups should not be the only protection you have against ransomware – the adoption of good security practices will mean not getting ransomware in the first place.
or contact us for more information