Previous
Endpoint Security: An Important Key to Corporate Business Continuity
What is Ransomware
Ransomware is a type of malicious software (malware) that is used to encrypt files, drives or entire computer systems. This includes mobile devices, laptops, desktops, servers, etc.
In addition to blocking the user from accessing their now encrypted data, there is also a demand to pay a ransom using untraceable cryptocurrency. Attackers promise that once payment is made, they will provide the affected user with a decryption key that will restore their files to an unencrypted state.
Do not take the threat of ransomware lightly. While historically not as prevalent as other forms of cyber-attacks, global numbers are on the rise. The impact of a successful attack on a business or individual goes beyond the cost of the ransom itself. For example, individuals and companies may experience loss of productivity due to system downtime, the cost of replacing compromised devices, permanent loss of critical customer/personal data as well as classified or proprietary data, and data privacy fines associated with regulations such as the GDPR and others.
The very first recorded ransomware attack was known as the AIDS Trojan which demanded payment of US$189 to US$378. This attack occurred in 1989 and was executed using 20,000 infected floppy disks. This attack was spearheaded by Dr Joseph L. Popp, PhD, as an attack on the healthcare industry which today ranks amongst the top targets for ransomware attacks.
Ransomware attacks have evolved since that time and are far more sophisticated and mainly rely on remote attacks which typically combine exploitations of one or more platform-specific vulnerabilities. What this means is that present-day ransomware is capable of spreading faster through the ever-connected Internet of Things (IoT), enable obfuscations to combat reverse-engineering, evade detection, change system configurations and permanently delete encrypted data.
Cryptolocker - affected up to 500,000 devices through an email attachment which demanded a payment of US$400 be made within 72 hours or have their encrypted files be permanently destroyed. Attackers are estimated to have received upwards of US$3 million from victims before they were finally brought down by law enforcement efforts.
Wannacry – this was one of the largest attacks which spread to over 100 countries in less than 24 hours. The ransomware attack was said to be spread through an SMB exploit which affected various Microsoft Windows operating systems including Windows Server 2003 & 2008. Although attackers were only able to collect an estimated US$140,000 in bitcoin the estimated global damage reached upwards of US$4 billion.
NotPetya - while not as widespread in the public domain, this attack affected organizations such as shipping giant Maersk among others. Reports are that Maersk was on the brink of a complete global outage due to the compromise of their domain controller system. This total failure was fortunately prevented by an unscheduled power outage in Ghana that prevented a regional server from connecting with the affected data centre. Maersk has reported an estimated $10 billion in losses because of the attack.
One of the most common methods today is through malicious emails (Phishing). These emails might include malicious attachments, such as PDFs, Word documents or links to malicious websites and will come off as legitimate messages from friends or other trusted sources to trick you into clicking the attachments or links. Other methods include physical hardware breaches and website spoofing.
While there exists no fail-safe way of preventing ransomware attacks, it is important that we stay prepared for all eventualities. The recommended strategy involves two overarching principles:
Prevention
Security Awareness Training - Educating colleagues and employees about the risks and threats in the cyberspace from qualified cybersecurity professionals.
Vulnerability Assessment - The process of defining, identifying, classifying and prioritizing vulnerabilities in computer systems, applications and network infrastructures.
Antivirus Review - Ensuring that the antivirus is up-to-date and fully functioning.
Response
Backup Review - The process of analysing risk tolerance of different data sets and establishing redundancies.
Continuity Review - In the event of a breach continuity policies should be in place. This ensures there is no loss of usefulness of critical infrastructure or data.
Never click on links or attachments in email from unknown senders. Even if it's from someone you know. When feasible, verify the contents of the email with the sender before clicking any attachments or links.
Backup your data frequently in multiple locations. In addition to this disconnect, all backups from your main system where possible and test backups frequently to maintain integrity.
Always keep your operating system (e.g. Windows/Linux, Unix, OSX) and software up to date.
Use reputable antivirus and firewall software and keep them up-to-date.
Show hidden file-extensions to expose the actual extensions of files on your machine. Remember ".pdf" is different from ".pdf.exe" which might very well be a malicious file like ransomware.
When at all possible disable Remote Desktop Protocol (RDP) as this is an access point targeted by many attackers.
When travelling always use a reputable Virtual Private Network (VPN) when connecting to any public Wi-Fi.
BONUS: If infected with ransomware, DO NOT PAY the ransom. It only encourages attackers to continue and helps to fund their efforts. Even if the ransom is paid, there is no guarantee they will give you a decryption key to regain access to your data.
