Ransomware attacks threaten businesses worldwide. But don’t panic! Learn some ways to reduce the threat to your agency’s network.
A ransomware attack works by secretly deploying its encryption right on your computer before you’re even aware of it. The malicious process runs in the background as you continue your everyday activities, suspecting nothing.
Out of the blue, a message appears, usually something like:
“Your files are encrypted. Don’t worry! You can get them back. If you want your data decrypted, send 1 BTC to the following Bitcoin address: [Wallet address].
After you pay, send the payment details to [email].”
How should you respond to the attack? To pay or not to pay? That is the question.
You may end up negotiating a paid decryption with the ransomware operators or running a data recovery campaign. The latter is preferable, but it requires some IT security skills. Many companies have resorted to the former.
Industry professionals have been fighting ransomware for years. Their key suggestion is that panic never helps, but knowledge can. By learning some basics about the threat, business owners can formulate strategies for securing their data and responding if an attack does occur.
Encryption for ransom isn’t going away anytime soon.
Ransomware evolved into a major threat back in 2013, when hackers realized they could apply sophisticated (yet quite accessible) encryption and collect a lot of money for the decryption key. According to CNBC, in 2020, cybercrooks operating ransomware campaigns collected $350 million from their victims.
Ransomware deploys two basic strategies. One targets the files likely to be the most critical for their holder. This saves time and helps the attacker evade early detection. The other approach does not bother with any selection — it simply encrypts all the files it can reach. This takes longer but means that all your critical data gets locked and most likely grinds your business operations to a halt. And removing the ransomware doesn’t necessarily recover your data.
Common Ransomware Infection Vectors
The extorters are constantly refining their methods for spreading the malware that encrypts computer data for ransom. Many cyber attackers lure users into infecting their own systems with ransomware, often by using social engineering email scams. Other techniques exploit OS and software vulnerabilities and require no human intervention at all.
Sometimes, ransomware authors may hack you through poorly protected Remote Desktop Protocol (RDP) services. RDP is a standard set of rules your computer follows when communicating with other computers over the Internet. If there were no RDP, computers would not understand each other; it would be like Chinese to a person who speaks only English.
Phishing Messages
Email attachments are common sources of ransomware infections. A spoofed email looks like a routine message. A user does not suspect any fraud and either downloads the attached content or follows the included link — thus initiating a ransomware installation that begins to execute its encryption payload. Demands quickly follow.
Highly targeted phishing campaigns are becoming more and more popular among these scams. Also known as spear phishing, such fraudulent practices avoid spamming and mass-mailing. They target specific people by impersonating somebody they know and trust. To increase the credibility of their messages, the phishers use data available through open-source intelligence (OSINT). LinkedIn, Facebook, and other social accounts tell a lot about their owners, and the hackers take advantage of that.
Attackers design their email to look exactly like something your friend or client would send you.
Ransomware Coming from the Pages you Visit
Certain pages host a malicious script that exploits vulnerabilities in your browser and other software. Hackers may use a variety of drive-by download tactics, enticing users to enable the ransomware installation themselves.
Misleading letters circulated by fraudsters may contain links to such websites. Your browser gets redirected to the corrupted web pages as you click hyperlinks, banner ads, or pop-ups.
Vulnerabilities in data sharing and networking
No single operating system is flawless. Network bugs and security issues with protocols provide various pathways for viruses and trojans to penetrate and propagate, without any user participation whatsoever. A recent example is Qlocker ransomware exploiting vulnerabilities in QNAP apps to compromise Network Attached Storage (NAS) devices.
An attack on a vulnerable network can scale up quickly and catastrophically. A malicious executable can spread across computer systems and networks, infecting many devices in a very short time.
Best Practices for Preventing Ransomware Attacks:
1. Help your employees acquire cybersecurity skills.
Phishing and other prevailing methods of ransomware propagation exploit the “human factor.” A rule of thumb is to provide security awareness training to your staff that would include insights into ransomware and other cyber threats.
Teach every person in your company to examine contents and links in emails and websites before opening them. Pay special attention to training your staff how to deal with messages that look like spam or anything sent by unknown people. This will help mitigate the risks of ransomware attacks originating from contaminated email attachments and spear phishing.
2. Stay current with apps and OS updates.
Did you know that some of the most successful ransomware attacks exploited already patched security flaws? Ransomware campaigns called NotPetya and WannaCry wreaked havoc on computers and networks worldwide, beginning in 2017. But even after Microsoft created a patch for the vulnerability, businesses still fell victim to attacks. A simple Windows update could have prevented losses in the billions.
So the best practice here is not to reinvent the wheel. Just enable automatic updates for your apps and OS. Yes, I also hate those update alerts and forced relaunching. But this is a minor annoyance compared to the damage a cyberattack can cause.
3. Back up all your data — OFTEN.
Maintaining backups is an excellent way to avoid transferring funds to ransomware owners, even if they encrypt every bit of data on your computer. If there’s no truly critical data to encrypt (because everything you need is backed up), there is no truly critical encryption.
Of course, backing up all your data is not always feasible. And even if you have your data available in backup copies, restoring all the files might take a very long time and still result in significant outages and losses.
Still, backing up is always better than not backing up. Make sure you at least secure your critical files, the ones your business can’t operate without.
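A backup only helps if you can tell a good copy from one that was altered or deleted after it was taken. The following is an added example, not code from the article: it records a SHA-256 manifest of a backup tree and later checks the tree against it, flagging modified, missing and unexpected files. The directory layout and file contents are constructed for the demonstration.

```python
# Added example (not from the article): verify a backup set against a stored
# SHA-256 manifest so that a file altered or removed after the backup was taken
# is noticed before a bad copy is restored. Paths and sample data are constructed.
import hashlib
import os
import tempfile


def sha256_of(path: str) -> str:
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def build_manifest(root: str) -> dict:
    """Map every file under root (relative path) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_of(full)
    return manifest


def verify_backup(root: str, manifest: dict) -> dict:
    """Compare a backup tree to its manifest; any hit means do not trust the copy blindly."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def demo() -> dict:
    """Constructed scenario: after the manifest is taken, one file is overwritten, one deleted, one added."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "finance"))
        for rel, data in {"finance/ledger.csv": b"id,amount\n1,100\n",
                          "finance/notes.txt": b"quarterly review\n",
                          "readme.txt": b"backup set, constructed sample\n"}.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        manifest = build_manifest(root)
        with open(os.path.join(root, "finance/ledger.csv"), "wb") as f:
            f.write(b"\x8b\x00\xff not the original content")  # overwritten after backup
        os.remove(os.path.join(root, "readme.txt"))
        open(os.path.join(root, "finance/new.txt"), "wb").close()  # never backed up
        return verify_backup(root, manifest)
```

Keep the manifest on separate, offline or immutable storage: an intruder who can rewrite the backup can just as easily rewrite a manifest stored beside it.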
4. Consider restricting staff data access.
Many companies are hesitant to do this, but it can dramatically reduce your company’s exposure to data breaches. Ask yourself: Does this particular employee need all the data available for the account?
Perhaps you can limit the amount of data available to everyone without your staff really even noticing, so they’re still able to do their jobs without any inconvenience — and without getting the sense that you don’t trust them.
5. Employ encryption yourself.
Lately, some cyber gangs specializing in ransomware operations have moved away from the encryption model. Instead, after penetrating your network, they just copy all data and send it to their servers. They then demand money for not disclosing that information.
To avoid your important data being stolen and made public, keep it encrypted. That includes both static files and data in transit. Malefactors won’t be able to extort you if all files they get are already encrypted.
6. Prepare an incident response plan.
Just like a pilot’s emergency checklist, written instructions help your staff react strategically when a breach occurs — instead of panicking, which can do even more harm.
Outline all steps that employees should take in case of a ransomware attack. These should include immediate actions once something strange is detected, such as collecting all pieces of evidence, reporting to tech support, preventing malware propagation, recovering data, investigating, etc.
Dealing with Ransomware: Takeaways
If you have your data backed up and response measures implemented, you can quickly recover from a ransomware attack.
In the aftermath, it’s time to learn your lessons: Why and how did the malware infect your system and encrypt your data? Did employees handle an infected message without due caution? Did a staff member visit a website that contained a malicious redirect? Have you checked your software for bugs and vulnerabilities?
This checklist is not exhaustive. But applying the best practices laid down above can help you minimize the threat of successful ransomware attacks on your firm’s computers.
Malware exploits human error — a user’s oversight or lack of awareness opens a portal into your system. That’s why cybersecurity training is a must-do. But if an attack does occur, don’t blame the person who clicked. As a business owner, the buck stops with you if your staff lacks the IT skills and cybersecurity awareness required to keep your systems safe.
About the author:
David Balaban is a computer security researcher with over 17 years of experience in malware analysis and antivirus software evaluation. David runs MacSecurity.net and Privacy-PC.com projects that present expert opinions on contemporary information security matters, including social engineering, malware, penetration testing, threat intelligence, online privacy, and white hat hacking. David has a strong malware troubleshooting background, with a recent focus on ransomware countermeasures.