Nothing fills an IT Manager's or Director's mind with more angst and trepidation than the utterance of the word ransomware.
It is like the digital incarnation of the bogeyman, the children's folktale that scared kids into fitful sleep. Merely mentioning the word in a security meeting will send the room into immediate silence. The crazy thing is that it has had this effect on IT professionals and business owners for well over a decade now. Ransomware was not an overnight occurrence. It is estimated that its earliest form, scareware, hit the scene somewhere in the vicinity of 2005.
So, what is ransomware?
As its name suggests, scareware merely played on the unassuming user's fears and emotions, blasting their screens and monitors with a threat to delete or release their information if they didn't pay a certain amount of money within a certain amount of time. Usually the ransoms would be small, no more than a couple of hundred pounds. The targets would be unsophisticated, everyday, run-of-the-mill users, whose technical acumen was not likely to be that high. The reality was that their information was safe, but they didn't know that. It wasn't until the advent of cryptographic ransomware that the threat became very real indeed.
Unlike scareware, cryptographic ransomware had some teeth. It had the ability to encrypt certain file extensions, thereby denying the user access. It was thought that the code was the brainchild of Russian hackers, but this has never been confirmed with a high degree of accuracy. Nonetheless, cybercriminals used the code to devastating effect, extorting millions of pounds from users all around the world at £80-£200 at a time. Spurred on by the success of these types of attacks, cybercriminals utilising ransomware started popping up one after another. And then things went from bad to worse for the general population. Cryptographic ransomware evolved, it got bigger, it got badder, as CryptoLocker rose to prominence.
These days almost every single ransomware attack is committed with CryptoLocker or one of its variants. Now cybercriminals can target businesses and corporations as easily as they can go after individual users. Once this became known, criminals shifted their focus and attacks on businesses skyrocketed. The attackers did not discriminate and would target small and medium businesses as much as large multinational corporations. Ransomware attacks became rampant, especially once the attackers figured out that they could actually ask businesses for more money. Gone were the £80-£200 asks, and in came the four and five figure ransoms. The payments were to be made in Bitcoin or some other cryptocurrency, which made tracing the flow of funds pretty much impossible. This leaves many business owners asking: How? How is this possible? How did things get to this point?
How does ransomware work?
Ransomware is not a virus. It cannot seek out and penetrate your system from the ether. It must be let in, set up shop and then do its dirty work. Cybercriminals rely on poor security measures, inadequate email handling policies and careless download practices to get their ransomware into their victims' systems. A wide-cast and relentless phishing campaign is usually employed to engage individuals within businesses. At the beginning it was merely an email blast, but more recently criminals and fraudsters have moved on to more customised and sophisticated means of achieving success. Nowadays, phishing emails are tailored to look like they came from a trusted source, all the way down to their wording and formatting. Attackers will go to great lengths to fool employees into opening their email and so increase the odds of the ransomware taking hold.
The emails usually include a call to action to entice the victim to download or open an attachment. This attachment can be a document, photo, video or another file type. It seems harmless enough, but embedded within it is another file that automatically executes and silently installs. Ransomware exploits come in the form of worms. Once downloaded onto a system, the worm will sit quietly, gathering information or watching until it is activated. The time and date of activation is either pre-programmed or, in some cases, can be initiated remotely. Once the switch is turned on, the worm will seek out and encrypt the target file, folder or drive. Some versions of the CryptoLocker virus go so far as to seek out copies and duplicates of the target file within the victim's network and delete them, thereby ensuring that the file being held for ransom is indeed the sole copy available. When the user tries to access the item being held for ransom, a popup window appears stating that should they fail to pay the amount stipulated by the criminal within a set amount of time, the file will be deleted, destroyed or released to the public (this latter option is usually given when the file contains confidential and/or damning evidence).
Whom does ransomware target?
The truth of the matter is that in the eyes of cybercriminals everyone is fair game. The high success rate of ransomware attacks has made criminals bolder over time, and it seems that these days their preferred targets are businesses, large and small. Ransomware attackers view businesses as a low risk, high reward endeavour. Businesses generally have more to lose than individual users and have the resources to pay. Due to the lackadaisical security practices of most businesses, attackers don't really have to try that hard to penetrate their systems. Small businesses have seen a sharp increase in breaches and ransomware incidents over the last couple of years. This may be due to the fact that the majority of small businesses simply don't have the same kind of manpower and technical expertise that larger corporations, with their legions of IT staff, have at their disposal. To criminals this is a weakness that is easy to exploit.
To make matters worse, businesses are far more likely to pay a ransom than individual users. Individuals don't mind losing the occasional file, or may even want to get law enforcement involved. Businesses, however, have several more factors to take into consideration when faced with a ransomware threat. CEOs, Directors and IT managers know that should they refuse to pay the ransom, they run the risk of losing sensitive documents, confidential files and even proprietary information. If they get the police involved, there is a high likelihood that word will get out to the public that their systems have been breached and that company information (and maybe even customer information) is currently being held for ransom. Imagine the impact that will have on investors, stockholders and trust with their customers. Small businesses often bite the bullet and pay the ransom, viewing the loss of money as having less impact on the business than the loss of customers should the news ever get out that they were breached.
How can you protect against ransomware?
While it may seem all doom and gloom, there are ways that a small business can protect itself from the tumour-like headache that only a ransomware attack can cause. And, unsurprisingly, what is required is not an investment in some fancy new security software or solution; it is simply to invest a bit more time in acquainting (some would say reacquainting) employees with the security policies and proper procedures.
Step one – backup everything!
The first step is to take away a ransomware attacker's leverage. Cybercriminals rely on the existence of a single copy of a file. They want the small business to be so desperate for that unique file that they are willing to do anything to get it back. Naturally, the solution is to create a duplicate and store it in a secure place, so that if a file does get encrypted you have taken away the fraudster's bargaining power. This boils down to employing rigorous backup practices. File and system backups are as exciting as watching water boil very slowly in the Arctic, but they are absolutely necessary.
Backups should be performed on a regular, preferably scheduled, basis. The backup should then be stored in an off-network site (this prevents seek-and-destroy actions implemented by CryptoLocker and the like).
Step two – keep systems up to date.
Ransomware attackers also rely on small businesses being reactive rather than proactive. That's why it is essential for businesses to take preventative measures so that they are as ready as possible should a ransomware attack ever strike. Cybercriminals love to exploit outdated or unpatched systems, as these give them multiple attack vectors. Therefore, keeping your systems, applications and devices updated with the latest patches is a key step in preventing breaches.
Step three – use cloud services.
Along with backing up files, folders and drives to an external storage facility, storing files in the Cloud may also be a viable way to ensure that a copy or duplicate exists. Yes, Cloud services and systems can be hacked, but the majority of Cloud service providers also back up their files and systems on a fairly regular basis, which means that there are even more copies of your file or document.
Step four – educate your employees.
Then there are the people: the employees, the managers and the C-suite executives. Training in the proper treatment and handling of emails and downloads should be mandatory. The policies and regulations that stem from the training should be enforced without exemption, not even for the C-level. With proper training, and by familiarising them with the realities of the ransomware threats in the industry, small businesses can let their employees know what red flags to look out for during their daily work. Disappearing files, hidden file extensions and, of course, encountering the dreaded ransom and countdown screen are all indicative of a ransomware attack.
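As an added example (not part of the original article), the "hidden file extension" red flag above spelled out as a check that a mail gateway or help desk could run over attachment names: it flags names where a document-looking extension hides an executable one. The extension lists and sample filenames are constructed for this illustration.

```python
import os
import re

# Constructed lists for this example: extensions that run code when opened,
# and extensions a user expects for "documents, photos and videos".
EXECUTABLE_EXTS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".hta", ".jar"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".mp4", ".txt"}
RLO = "\u202e"  # Unicode right-to-left override: reverses how the tail of a name is displayed


def attachment_red_flags(filename: str) -> list[str]:
    """Return the reasons an attachment name looks like a disguised executable.

    An empty list means none of the checks fired; it does not mean the file is safe.
    """
    flags = []
    if RLO in filename:
        flags.append("right-to-left override character disguises the real extension")
    if re.search(r"\s{5,}", filename):
        flags.append("long run of whitespace pushes the real extension out of view")
    # Normalise: drop the override character and all whitespace, then split off the
    # LAST extension, which is the one the operating system uses to open the file.
    compact = re.sub(r"\s+", "", filename.replace(RLO, "")).lower()
    stem, final_ext = os.path.splitext(compact)
    if final_ext in EXECUTABLE_EXTS:
        flags.append(f"final extension {final_ext} is executable")
        shown_ext = os.path.splitext(stem)[1]
        if shown_ext in DOCUMENT_EXTS:
            flags.append(f"double extension: shown as {shown_ext}, runs as {final_ext}")
    return flags


def triage(filenames):
    """Map each filename to its red flags, keeping only the names that fired a check."""
    return {f: attachment_red_flags(f) for f in filenames if attachment_red_flags(f)}


if __name__ == "__main__":
    # Constructed sample attachment names, not taken from any real campaign.
    samples = [
        "Q3_report.pdf",
        "invoice_2291.pdf.exe",
        "delivery_note.pdf                                   .scr",
        "photo_\u202egnp.js",
    ]
    for name, reasons in triage(samples).items():
        print(repr(name))
        for reason in reasons:
            print("  -", reason)
```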
Step five – trust no one.
Finally, it is with great sadness that we write: trust no one. Emails, it seems, can easily be manipulated to look as though they came from within the company or from a trusted source. Cybercriminals saw that as the perceived trust in an email increases, so too does the likelihood that the user will download the ransomware worm onto their system. Understandably, this last point may incite a sense of paranoia in the workplace. However, proper explanations, along with the implementation of strict guidelines, ensure that small businesses can prevent this kind of attack from ever taking root.
Step six – never pay up.
But what if the worst case scenario happens and a ransomware attack does strike? What should a small business do then? The answer is simple: don't pay and keep working. Remember that the number of ransomware attackers has increased exponentially within the last decade or so. This is directly correlated with the number of successful ransom tactics employed by criminals. Paying a ransom would only reinforce the message that ransomware attacks are profitable and easy.
Looking at the bigger picture, a paid ransom will only attract more and more fraudsters. And, there is no guarantee that a criminal will release all of the encrypted files even if they do receive the ransom money.
By keeping their noses to the grindstone, small businesses have the ability to send a message to the criminals that they are not beholden to the encrypted files. They are not desperate to recover them and are willing to move forward. From an optics perspective, continuing work tells stakeholders, investors and customers that you are working on making things better and are hard at work.
Step seven – consider a third party company.
Ransomware is truly a nightmare to deal with. It penetrates a small business's system by one of the most nefarious methods imaginable: sophisticated impersonation. However, there are ways to get ahead of the danger and set up a web of policies and procedures to ensure that ransomware can never gain a foothold in corporate systems.
Security in depth and strict enforcement are the only ways to practically guarantee that CryptoLocker worms and the like never enter the company's network. And should the worst come to pass and files become encrypted, don't pay. Don't play a part in the propagation of one of the biggest cybercrimes. Back up your data, get the police involved and be proactive in the protection and safeguarding of your business's data.