Ransomware

Ransomware is a type of malicious software, or malware, designed to deny access to a computer system or data until a ransom is paid. It’s estimated the global Ransomware damage costs will exceed £10 billion during 2019!

What is ransomware?

Ransomware can be defined as a type of malware that, once activated, blocks access to certain vital components of the victims computer until a ransom is paid.

Like all malware there is a large variance in destructive capacity. Some variants simply lock the victim’s screen while others encrypt specific files. A small group of super-destructive data-wiping variants, such as the GermanWiper strain, systematically search out and destroy all vital files within the victims machine.

Ransomware attacks are an immense threat to organisations. They can cause data loss, theft of intellectual property, and disruption of normal business. The last point usually being the most costly.

Unlike many other forms of malware, ransomware usually makes its presence known immediately. Instead of subtly stealing data from an unknowing victims machine, it leverages fear and panic to demand payment in return for it’s swift deactivation.

The motives of ransomware attackers are almost invariably instant monetary gain. Payments are most commonly demanded in the form of cryptocurrencies like Bitcoin and Monero. Using cryptocurrency enables ransomware attackers to easily conceal their identity while receiving payment.

Though the majority of Ransomware strains are designed for attacking Windows PCs, there are a few variants which target Mac computers and handheld devices.

In a typical ransomware attack, the malware is installed on the victim’s computer via social engineering techniques which trick the victim into clicking a link or opening an attachment. Once installed, the malware begins to encrypt as many of the victims files as possible, often extending into network drives the victim has access to.

Once the victim has realised their files are locked, panicked, then asked IT to deal with it (we all know that’s how it happens), the system admin will find the encrypted files and the instructions to pay the ransom (which they hope will decrypt the files).

As this threat landscape evolves, so do the criminals acting within it, always looking for new ways to bypass security technologies.

The business model of ransomware is still incredibly successful. As mentioned above, the costs of ransomware attacks in 2019 are projected to surpass £10 billion.

How bad is it?

Ransomware can be devastating to an individual or an organisation.

Anyone with important data stored on their computer or network is at risk, including government or law enforcement agencies and healthcare systems or other critical infrastructure entities.

Recovery can be a difficult process that may require the services of a reputable data recovery specialist, and some victims pay to recover their files. However, there is no guarantee that individuals will recover their files if they pay the ransom.

Since 2016

Since the beginning of 2016, ransomware has been a growing global cyber security threat, and one which could affect any organisation that does not have appropriate defences.

Ransomware was profitable to criminal actors through an economy of scale; they were successful by indiscriminately targeting high volumes of users of vulnerable devices.

Even with only modest ransom demands the number of successful attacks was often enough to make the criminal actors a decent profit. 

More targeted attacks

Throughout 2018 and 2019, there appears to have been a trend for more targeted ransomware attacks, where criminal actors conduct a thorough analysis of the victim networks to understand the ‘value’ of the victim organisation and set a ransom demand based on that perceived value.

Through analysis of the victim network and lateral movement malicious actors look to ensure that their action has maximum impact on the victim organisation – potentially denying access to business critical files and systems, and preventing the operations of the victim organisation.

Windows, macOS​ & Linux

While ransomware against Windows operating systems has been commonplace for some years, attacks against Mac and Linux systems are also seen.

The methods for infecting systems with ransomware are similar to those used with other types of malicious software, as are the steps organisations can take to protect themselves.

Depending on your level of preparation, ransomware infection can cause wide-scale disruption.

This image is from the worldwide WannaCry ransomware attack, which targeted computers running the Microsoft Windows operating system by encrypting data and demanding ransom payments in the cryptocurrency Bitcoin.

It propagated through EternalBlue, an exploit developed by the United States National Security Agency (NSA) for older Windows systems. EternalBlue was stolen and leaked by a group called The Shadow Brokers a few months prior to the attack.

How does ransomware infect your system

Computers are infected with ransomware via a number of routes.

Sometimes users are tricked into running legitimate-looking software programs, which contain the ransomware. These may arrive via authentic-looking email attachments or links to apparently genuine websites (known as phishing).

More recently, ransomware infections have also been caused by unpatched vulnerabilities in software, and simply visiting a malicious website can be enough to cause a problem.

A range of attack vectors have been used, for example vulnerable web browsers, legacy protocols (such as SMBv1) or remote administration tools such as Remote Desktop Protocol (RDP).

Here, attackers have developed methods of identifying and exploiting vulnerable RDP sessions by stealing login credentials and other sensitive information so the use of an SSL VPN tunnel is recommended for all RDP connections.

Other attack vectors are propagated by the use of other malware such as trojans.

Although less common, data transfers between computers (such as via USB memory sticks) can also cause ransomware to spread.

5 ways to help prevent ransomware

Ransomware is one of many types of malware, and the methods for its delivery are common to most other types. With guidance included from the UK's National Cyber Security Centre, you can minimise the risk of being infected by ransomware by taking the same precautions necessary to guard against malware in general.

Defend Against Phishing

Defend against phishing attacks – phishing works by exploiting people’s natural instincts to be helpful and efficient.

A combination of technological, process and people-based defences will help organisations minimise their users exposure to phishing, recognise and report an attack, protect against attacks that slip through and respond to an incident.

Vulnerability Management & Patching

Some ransomware gains control by exploiting software vulnerabilities in operating systems, web browsers, browser plug-ins or applications.

Often these vulnerabilities have been publicly known about for some time and the software providers will have made patches available to mitigate them. Deploying these patches, or otherwise mitigating the vulnerabilities, is the most effective way of preventing systems being compromised.

However, as well as patching the devices used for web browsing and email, it’s important to patch the systems they are connected to, since some ransomware is known to move around systems, encrypting files as it goes. It is important to take steps to prevent an attacker from establishing a foothold in a network and gaining further access (lateral movement) as well as protecting system boundaries.

Controlling Code Execution

Consider preventing unauthorised code delivered to end user devices from running.

One common way that attackers gain code execution on target devices is to trick users into running macros. You can prevent these attacks from being successful in your organisation by preventing all macros from executing – unless you have explicitly trusted them.

It’s also good practice to ensure users do not have privileges to install software on their devices without the authorisation of an administrator. Remember that users may sometimes legitimately need to run code that you have not pre-authorised; consider how you will enable them to do this, so that they are not tempted to do it secretly, in ways you can’t see or risk-manage.

See our End User Device security guidance for recommended configuration of the platforms you are running.

Filter Web Browsing Traffic

It’s recommend to use a security appliance, such as a firewall, or service to proxy your outgoing web browsing traffic. Filter attempted connections based on categorisation or reputation of the sites which your users are attempting to visit.

Control Removable Media Access

To prevent ransomware from being brought in to an organisation via this channel.

What impact does ransomware have?

Ransomware will prevent access to systems or data until a solution is found. If systems are delivering critical services, this can have serious reputational, financial and safety impacts on affected organisations and their customers. Even if the victim has a recent backup of their system, it may still take considerable time to restore normal operations. During this time, organisations may have to invoke their Business Continuity processes. It is worth noting that if a criminal organisation has carried out a successful ransomware attack, questions should be raised about the possibility of more indirect and lasting impacts. For example, how many instances of the ransomware are still present in the system waiting to be activated? How should they be removed, and how should users be warned? Were other types of malware also deployed at the same time? What are they and what will they do? And when?

3 ways to limit the impact of a ransomware attack

The following measures can all help to limit the impact of a ransomware attack.

Good Access Control

The compartmentalisation of user privileges can limit the extent of the encryption to just the data owned by the affected user.  Understand the risks brought in by the system administration model that your IT architecture uses. Re-evaluate permissions on shared network drives regularly to prevent the spreading of ransomware to mapped and unmapped drives. System administrators with high levels of access should avoid using their admin accounts for email and web browsing.

Ransomware doesn’t have to go Viral in your Organisation

Limit access to your data and file systems to those with a business need to use them. This is good practice anyway and, like many of the recommendations made here, prevents against a range of cyber attacks.

Backup your data

Organisations should ensure that they have fully tested backup solutions in place. Backup files should not be accessible by machines which are at risk of ingesting ransomware.

It is important to remember backups should not be the only protection you have against ransomware – the adoption of good security practices will mean not getting ransomware in the first place. 

or contact us for more information

Start Phishing & Security
Awareness Training Today!

 (no credit card required)

You have Successfully Subscribed!