To quote character Tom Mullen in the 1996 film Ransom, “You got no idea what suffering is.” When it comes to a breach, ransomware tops the list of the most damaging cyberattacks. According to IBM’s 2021 Cost of a Data Breach Report, last year, the total average cost to an organization of a ransomware attack was $4.62 million. Knowing how to prevent a ransomware attack is critical to the overall safety of your data and your organization as a whole.
The term ransomware is a scary buzzword these days, but what exactly is a ransomware attack, how do you prevent them, and what do you do if you are the victim of one?
What are Ransomware Attacks?
Simply put, ransomware is a form of malicious software, or malware, that encrypts files on a device, rendering the files and the systems they rely on inoperable. The hacker then demands a ransom in exchange for the decryption of the files. In other words, the files are kidnapped until a monetary demand is paid.
The two most popular types of ransomware are Locker and Crypto:
- Locker ransomware blocks basic computer functions. For example, you may be prevented access to your desktop with only a partially functioning mouse and keyboard. Because your system is not entirely disabled, the hacker can share the ransom demand and payment method with you while keeping the computer otherwise inoperable. The good news with locker ransomware is that it doesn’t usually target critical files. Therefore, it is unlikely that there will be a complete destruction of your files.
- Crypto ransomware encrypts your important data, such as documents containing personally identifiable information (PII) or proprietary data, while otherwise leaving the basic operations of your computer functional. Crypto developers often include a countdown to their demand, threatening to delete all the ransomed files if the payment is not made by the deadline.
Unsurprisingly, industrious cybercriminals also develop Ransomware-as-a-Service to sell to hackers with limited technical skills. This provides a revenue stream with lower risk and higher gain for the malware programmer.
Ransomware is ever-evolving, and new variants crop up frequently. Here is a handful of the most well-known:
Locky Ransomware was first developed in 2016. The malware can encrypt more than 160 file types. Through the use of social engineering techniques, Locky is distributed through phishing emails that install malicious code. Typically the infection mechanism is a Microsoft Word attachment containing the code. When the attachment is opened, it shows only gibberish with a prompt for the user to enable macros to view the document; enabling them deploys the virus, which is loaded into the system’s memory. Locky is different from most ransomware: it uses macros and attachments to spread instead of being installed by a Trojan or using a previous exploit.
Ryuk is a highly targeted ransomware commonly delivered through spear-phishing emails or by using compromised credentials to log into enterprise systems. Ryuk is a form of locker ransomware. It is known as one of the most expensive types in existence, with ransom demands that average over $1 million.
Maze is famous for being the first ransomware to combine file encryption and data theft. If the ransom demand was refused, the variant collected sensitive data from the victim’s computers before encrypting it. The potential cost of the data breach, which would be publicly exposed or sold to the highest bidder, was an additional incentive to pay up. Maze is no longer in use, but the Egregor and Sekhmet variants, which are believed to have a common source, are still in use.
Lockbit is a Ransomware-as-a-Service data encryption malware that has been in operation since 2019. Developed to encrypt large organizations quickly, it prevents rapid detection by security appliances and IT/SOC teams. It encrypts certain types of files and then shows a ransom message instructing users to send an email to the ransomware operators to learn how to decrypt the files.
DearCry exploits four recently disclosed vulnerabilities within Microsoft Exchange servers. The variant targets systems that have not installed the Microsoft patches resolving the vulnerabilities and encrypts certain types of files. It then shows a ransom message instructing users to send an email to the ransomware operators to learn how to decrypt the files.
How to Prevent Ransomware Attacks
There are two critical factors to avoiding ransomware infection. The first factor is training the user, and the second factor is properly managing the organization’s technology.
Security Awareness Training
Most ransomware can be prevented when your staff is armed with a sound understanding of cybersecurity threats and how to identify and avoid attacks. Here are some of the elements to include in training:
- Phishing emails:
  - Do not open suspicious emails.
  - Never click on links or attachments in emails sent from a dubious source.
- Do not download software or media files from unknown sites.
  - Check the site’s trust seals.
  - Ensure the browser address shows “https” instead of “http.”
  - Check for a shield or lock symbol in the address bar. Like “https,” it indicates that the connection to the site is encrypted.
- Never connect a USB stick from an unknown source.
  - Cybercriminals are known to infect a stick and leave it in a public place, hoping someone will plug it in.
- Use VPN services whenever on a public Wi-Fi network.
  - Public networks leave your computer more vulnerable to attacks.
IT Technology Management
Managing your technology is a function for either your in-house IT department or an outsourced Managed IT Services Provider like FUSE3. Protocols to put in place to protect your systems include:
- Keep your operating systems, software, and applications current.
  - Automate updates and patches across the board.
  - Neglecting updates or patches leaves you vulnerable to malware infections.
- Set up antivirus and anti-malware solutions and run regularly scheduled, automated scans.
- Back up data frequently.
  - Confirm that backups are completed.
  - Secure backups so that they are not connected to the computers and networks they are backing up.
  - Send backups to a secure location in the Cloud, to a separate in-house server, or to an off-site server.
Detecting ransomware before a demand is made gives you an advantage. The ransomware virus can be stopped and the malware deleted. The encrypted data will be lost, but with regular backups, you will be able to recover the files and prevent the malware from spreading to other devices and files.
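Two of the earliest observable signs of crypto ransomware are a burst of files being renamed to a new extension and the same ransom-note file appearing in folder after folder. The script below is an added example, not FUSE3’s code or any product’s detection logic; it scores those two signals per user over a constructed sample of file-activity events (format `<ISO timestamp> <user> <action> <details>`, an assumption standing in for real file-audit or EDR logs) and returns an alert the moment either threshold is crossed, which is the point at which a responder would isolate the machine.

```python
"""Heuristic ransomware early-warning check over file-activity events.

Added example (not FUSE3's tooling). Event lines are assumed to look like
'<ISO timestamp> <user> <action> <details>', where RENAME details are
'<old path> -> <new path>' and CREATE details are the new file's path.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import os

WINDOW = timedelta(seconds=60)   # sliding window for the rename burst
RENAME_BURST = 20                # extension-changing renames per user per window
NOTE_DIRS = 5                    # same note filename written into this many folders
NOTE_NAME_HINTS = ("readme", "decrypt", "restore", "how_to", "recover")
NOTE_EXTS = (".txt", ".html", ".hta")


def parse_event(line):
    """Split one constructed event line into (timestamp, user, action, details)."""
    ts, user, action, details = line.split(" ", 3)
    return datetime.fromisoformat(ts), user, action, details


def analyze(lines):
    """Return sorted (user, signal, first_seen) tuples for every signal that fired."""
    renames = defaultdict(list)      # user -> timestamps of extension-changing renames
    note_dirs = defaultdict(set)     # (user, note filename) -> folders it was written to
    alerts = {}                      # (user, signal) -> timestamp it first fired
    for line in lines:
        ts, user, action, details = parse_event(line)
        if action == "RENAME":
            old, new = details.split(" -> ", 1)
            # Mass encryption usually shows up as a new extension on every file.
            if os.path.splitext(old)[1].lower() != os.path.splitext(new)[1].lower():
                recent = [t for t in renames[user] if ts - t <= WINDOW]
                recent.append(ts)
                renames[user] = recent
                if len(recent) >= RENAME_BURST:
                    alerts.setdefault((user, "mass_extension_change"), ts)
        elif action == "CREATE":
            name = os.path.basename(details).lower()
            # Ransom notes are small text/HTML files with tell-tale names dropped everywhere.
            if name.endswith(NOTE_EXTS) and any(h in name for h in NOTE_NAME_HINTS):
                note_dirs[(user, name)].add(os.path.dirname(details))
                if len(note_dirs[(user, name)]) >= NOTE_DIRS:
                    alerts.setdefault((user, "ransom_note_spray"), ts)
    return sorted((u, s, t.isoformat()) for (u, s), t in alerts.items())


def sample_events():
    """Constructed sample log: one normal user and one account showing both signals."""
    base = datetime(2022, 3, 1, 9, 0, 0)
    lines = []
    # asmith renames three documents over half an hour: ordinary work, no alert.
    for i in range(3):
        t = base + timedelta(minutes=10 * i)
        lines.append(f"{t.isoformat()} asmith RENAME /home/asmith/draft{i}.doc -> /home/asmith/draft{i}.docx")
    # jdoe's session renames 25 spreadsheets to .locked within 25 seconds ...
    for i in range(25):
        t = base + timedelta(minutes=30, seconds=i)
        lines.append(f"{t.isoformat()} jdoe RENAME /srv/share/finance/q{i}.xlsx -> /srv/share/finance/q{i}.xlsx.locked")
    # ... then drops the same note into six department folders.
    for i in range(6):
        t = base + timedelta(minutes=31, seconds=i)
        lines.append(f"{t.isoformat()} jdoe CREATE /srv/share/dept{i}/README_DECRYPT.txt")
    return lines


if __name__ == "__main__":
    for user, signal, first_seen in analyze(sample_events()):
        print(f"{first_seen} ALERT {signal} user={user}")
```

The thresholds are deliberately conservative so that a user converting a few files does not trip them; tune `RENAME_BURST` and `WINDOW` against a week of your own file-audit data before relying on the rule, and feed an alert straight into the isolation step described below rather than waiting for a ransom message.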
In the case of Locker ransomware, starting the computer in Safe Mode may stop the screen-locking action from working. You can then use your antivirus program to combat the malware.
The immediate steps to take if you identify a ransomware attack are:
- Immediately isolate affected systems by disconnecting any machines that show signs of infection from wired networks or Wi-Fi. This will prevent the malware from spreading to the network or communicating with command and control systems.
- Identify the type of malware infection using a malware removal program.
- Provide law enforcement agencies with information about the attack. You can file a report via the FBI Internet Crime Complaint Center.
FUSE3 Ransomware Remediation
Whatever the circumstance of your attack, DO NOT PAY THE RANSOM. There is no guarantee that the hacker will decrypt your data even if you do. Plus, frequently, they will have installed another virus that they can exploit later. Paying the ransom only opens the door to future attacks against your organization.
We understand the urgency and frustration of being hit by ransomware, and we have the knowledge and experience to handle the problem quickly. We know a thing or three about ransomware because we have thwarted our share of attacks over the years.
Talk to us about our proactive and preventative approach to cyberattacks. We will develop a plan of defense specifically tailored to your business.