Security challenges grow every year, and businesses of all sizes are hit by the same threat: ransomware.
Cybercriminals have targeted every industry with extortion malware, better known as ransomware. Unless a strong protection measure such as Spinbackup ransomware protection is in place, companies end up paying huge ransoms as a result.
Here is a concise guide to ransomware covering attack types, common attack vectors, prevention methods and tools, and best practices for recovery.
Ransomware
Ransomware is malware that locks or encrypts data on the victim's computer. The attacker then informs the victim that the data will stay locked or encrypted until a payment is made.
To be clear, malware is an umbrella term for any malicious code or program; ransomware is the specific kind that blocks access to, or encrypts, data on the infected device and demands a ransom to restore access.
Ransomware is a form of cyber extortion, and it has evolved into double extortion: after demanding payment for the decryption key that unlocks the encrypted (hostage) files, the attackers demand a second payment under threat of leaking the data they stole before encrypting it.
Types of Ransomware
There are several types of ransomware that bad actors use to extort payment. The traditional types are crypto ransomware and lockers. Two newer models, double extortion and ransomware as a service (RaaS), have gained popularity among criminals.
- Lockers block access to the computer itself, and attackers demand payment to unlock it.
- Crypto ransomware encrypts some or all of the files on a computer, and attackers demand payment before handing over the decryption key.
- Double extortion occurs when cybercriminals demand one payment to decrypt the files and another to refrain from publishing them.
- Ransomware as a Service (RaaS) is a model in which cybercriminals rent ransomware from its developers for a fee and a share of the profits.
Ransomware strains are often known by codenames, starting with the AIDS Trojan, which first appeared more than 30 years ago. Since then, names like GPCode, Archiveus, Trojan.WinLock, Reveton and CryptoLocker have made headlines for the havoc they caused.
In the last decade, LockerPIN, Ransom32, WannaCry, GoldenEye and Petya have appeared. More recently, a cybercrime gang used the RaaS strain REvil to demand a $70 million ransom from the software company Kaseya.
Ransomware Vectors
Ransomware gets into organizations through four common vectors: phishing, malicious attachments, Remote Desktop Protocol (RDP) and credential abuse, and exploitable vulnerabilities.
Phishing
Phishing, which targets companies by embedding malicious links or malware in email, remains one of the most popular ways for cybercriminals to deliver their payload. Phishing emails have become far more sophisticated, including messages written in fluent Indonesian, so that even the most discerning user can be tricked into clicking a damaging link.
Attachment
Files sent by email are often the fastest way for malware to spread. If incoming email is not subjected to malware analysis, a malicious attachment can easily get through and is likely to be opened by the user. Some use disguised file names, such as myfilename.pdf.exe, which is an executable and not a PDF. Malicious attachments commonly carry extensions such as .rar, .zip, .exe, .bat, .scr, .vbs, .doc and .xls.
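The checks described above can be automated at the mail gateway. The following is an added example, not code from the original page or from any product it mentions: it triages an attachment by its extension chain (catching the myfilename.pdf.exe trick), by a right-to-left override character in the name, and by comparing the file's leading bytes with what the extension claims. The extension policy and the magic-byte table are constructed for illustration and should be tuned for your environment.

```python
"""Triage an email attachment by name and content.
Added example, not code from the original page: the extension policy and
magic-byte table are constructed for illustration."""
from typing import List, Optional

# Extensions the article lists as commonly abused, plus a few other
# Windows-executable types (constructed policy, tune for your environment).
RISKY_EXTENSIONS = {
    ".exe", ".bat", ".scr", ".vbs", ".cmd", ".js", ".jse", ".hta", ".ps1",
    ".rar", ".zip", ".7z", ".iso", ".doc", ".docm", ".xls", ".xlsm",
}
# Extensions that look like harmless documents; an executable extension
# stacked after one of these is the myfilename.pdf.exe trick.
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".bat", ".cmd", ".vbs", ".js", ".jse", ".hta", ".ps1"}

# First bytes of a few common container formats (constructed lookup).
MAGIC = [
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip"),            # also .docx/.xlsx (OOXML is a zip)
    (b"MZ", "exe"),                    # PE executable
    (b"\xd0\xcf\x11\xe0", "ole"),      # legacy .doc/.xls
    (b"Rar!", "rar"),
]
EXPECTED_KIND = {
    ".pdf": "pdf", ".zip": "zip", ".docx": "zip", ".xlsx": "zip",
    ".doc": "ole", ".xls": "ole", ".rar": "rar", ".exe": "exe",
}


def sniff(data: bytes) -> Optional[str]:
    """Infer the container type from the leading bytes, or None if unknown."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return None


def triage(filename: str, data: bytes) -> List[str]:
    """Return the reasons an attachment should be held for review.
    An empty list means nothing suspicious was found."""
    findings = []
    parts = filename.lower().split(".")
    exts = ["." + p for p in parts[1:]]       # every extension, in order
    final = exts[-1] if exts else ""

    if final in RISKY_EXTENSIONS:
        findings.append("risky extension " + final)
    if len(exts) >= 2 and exts[-2] in DECOY_EXTENSIONS and final in EXECUTABLE_EXTENSIONS:
        findings.append("double extension " + exts[-2] + final)
    if "\u202e" in filename:  # right-to-left override hides the real extension
        findings.append("RLO character in filename")

    kind = sniff(data)
    if kind == "exe" and final != ".exe":
        findings.append("PE executable disguised as " + (final or "no extension"))
    elif kind and EXPECTED_KIND.get(final) not in (None, kind):
        findings.append("content is %s but extension says %s" % (kind, final))
    return findings
```

The content check matters more than the name check: a file called report.pdf whose first two bytes are MZ is an executable no matter what the name says, and the name-based rules alone would pass it.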
RDP and Credential Abuse
Cybercriminals can deliver malware over RDP, Microsoft's proprietary protocol for remote access to servers and desktops. When an RDP service is exposed to the internet and left insecure, attackers gain access by brute force, with legitimate credentials bought on criminal marketplaces, or by credential stuffing.
Vulnerability From Bad Patching Practices
Attackers look for vulnerabilities they can exploit, and unpatched systems are an attractive entry point. Websites (including their plug-ins) and complex software environments linked to third parties let malware enter undetected.
Top Ransomware Targets
While no industry seems to have been spared, some are hit more than others. Educational institutions, for example, have suffered greatly. Here are the top 10 ransomware targets by industry:
- Education
- Retail
- Business, professional and legal services
- Central government (including federal and international)
- IT
- Manufacturing
- Energy and utility infrastructure
- Healthcare
- Local government
- Financial services
Company size is not always the determining factor; what matters is where the actors can extract the maximum financial impact.
Identifying Ransomware Attacks
Ransomware attacks are hard to detect because attackers hide their activity behind legitimate tools such as PowerShell, VBScript and PsExec, and post-exploitation tools such as Mimikatz. Companies should combine automated security tools with malware analysis to uncover suspicious activity that could precede a ransomware attack.
Here are three types of ransomware detection technique:
- Signature-based detection compares the hashes of samples collected from suspicious activity against known malware signatures.
- Behavior-based detection compares current activity against a historical baseline.
- Deception-based detection uses baits such as honeypots. A honeypot is a network-connected system set up as a decoy to lure attackers and to detect, deter and study attempts to gain unauthorized access to information systems. It presents itself on the network as a plausible target (typically a server or other high-value asset), gathers information, and notifies defenders of any attempt to access it, since no legitimate user has a reason to touch it.
Ransomware attacks unfold quickly, so it is important to be able to detect and respond just as quickly.
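The three techniques above, reduced to working code, as an added example that is not part of the original page: a signature check on a file hash, a behaviour rule that fires when several files are rewritten with random-looking (high-entropy) content and renamed to a new extension within a short window, and a canary file, the file-level form of a honeypot, that no legitimate process should ever touch. The known-bad hash, the decoy path and the file events are constructed; the entropy threshold and burst size are assumptions to tune.

```python
"""Signature, behaviour and deception detection in miniature. Added example,
not from the original page; hashes, paths and file events are constructed."""
import hashlib
import math
import os
from collections import deque
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# --- Signature-based: compare a sample's hash with known-bad hashes ---------
# Constructed "known bad" set; a real one comes from a threat-intel feed.
KNOWN_BAD_SHA256 = {hashlib.sha256(b"constructed-ransomware-sample").hexdigest()}


def signature_match(sample: bytes) -> bool:
    return hashlib.sha256(sample).hexdigest() in KNOWN_BAD_SHA256


# --- Behaviour-based: encrypted output looks random ------------------------
def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; text is roughly 4-5, ciphertext near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


# --- Deception-based: a decoy file placed where a ransomware sweep will hit it
CANARY_PATHS = {"/srv/share/finance/.~old_budget.xlsx"}

# A file event: (timestamp, original path, new path after rename or None, bytes written)
FileEvent = Tuple[datetime, str, Optional[str], bytes]


def behaviour_alerts(events: List[FileEvent], burst: int = 5,
                     window: timedelta = timedelta(seconds=10), min_entropy: float = 7.5) -> list:
    """Return alerts: ('canary_touched', path, ts) and ('encryption_burst', ts, count)."""
    alerts = []
    recent = deque()        # timestamps of suspicious writes inside the window
    burst_fired = False
    for ts, path, new_path, data in sorted(events, key=lambda e: e[0]):
        if path in CANARY_PATHS or new_path in CANARY_PATHS:
            alerts.append(("canary_touched", path, ts))
        renamed_ext = new_path is not None and os.path.splitext(new_path)[1] != os.path.splitext(path)[1]
        if renamed_ext and entropy(data) >= min_entropy:
            recent.append(ts)
            while recent and ts - recent[0] > window:
                recent.popleft()
            if len(recent) >= burst and not burst_fired:
                burst_fired = True
                alerts.append(("encryption_burst", ts, len(recent)))
    return alerts


# Constructed sample: one ordinary edit, then a sweep that rewrites files with
# random-looking content and appends a new extension, hitting the canary on the way.
T0 = datetime(2024, 3, 1, 3, 0, 0)
LOW = b"quarterly figures\n" * 200      # ordinary document content, low entropy
HIGH = bytes(range(256)) * 16           # every byte value equally often: 8.0 bits
D = "/srv/share/finance/"
SAMPLE_EVENTS: List[FileEvent] = [
    (T0, D + "report.docx", None, LOW),
    (T0 + timedelta(seconds=1), D + "a.docx", D + "a.docx.locked", HIGH),
    (T0 + timedelta(seconds=2), D + "b.xlsx", D + "b.xlsx.locked", HIGH),
    (T0 + timedelta(seconds=3), D + ".~old_budget.xlsx", D + ".~old_budget.xlsx.locked", HIGH),
    (T0 + timedelta(seconds=4), D + "c.pdf", D + "c.pdf.locked", HIGH),
    (T0 + timedelta(seconds=5), D + "d.pptx", D + "d.pptx.locked", HIGH),
    (T0 + timedelta(seconds=6), D + "e.txt", D + "e.txt.locked", HIGH),
]

if __name__ == "__main__":
    print(signature_match(b"constructed-ransomware-sample"))
    for alert in behaviour_alerts(SAMPLE_EVENTS):
        print(alert)
```

Note the order of the alerts on the sample: the canary fires at the third file, two files before the burst rule has enough evidence, which is the point of planting decoys among real data.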
Prevent Ransomware Attacks
Organizations can reduce their exposure to ransomware and limit the damage it causes by adopting a strong security posture. Steps to prevent ransomware attacks:
- Maintain a defense-in-depth security program.
- Consider advanced protection technologies such as zero trust and endpoint detection and response (EDR).
- Educate employees about social engineering risks.
- Patch regularly.
- Perform periodic backups of important data, and test that they restore.
- Don't rely on recommendations alone; verify that the controls are actually in place and working.
- Additionally, companies can implement business processes that limit or even eliminate transactions by email, so that links and attachments stand out as unusual and suspicious to security staff.
The cloud can help with ransomware protection because organizations can use it for backup and recovery. Enterprises can keep isolated backups of their core environment that are not reachable from the production network, without infrastructure changes or many administrative authentication/authorization adjustments.
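Wherever the backup lives, it is only worth what it restores. The following is an added example, not code from the original page or from any backup product: it archives a directory with a SHA-256 manifest, simulates a crypto locker rewriting and renaming the source files, and then proves that a restore into a fresh directory matches the manifest file for file. The sample files and paths are constructed and live in a temporary directory; in production the archive and manifest would go to the isolated location the paragraph above describes.

```python
"""Backup, simulated attack, restore and verification in one run.
Added example, not from the original page; all data is constructed."""
import hashlib
import json
import os
import shutil
import tarfile
import tempfile
from typing import Dict, List, Tuple


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src_dir: str, archive: str) -> Dict[str, str]:
    """Write a .tar.gz of src_dir plus a manifest of relative path -> sha256."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for root, _, files in os.walk(src_dir):
            for name in files:
                full = os.path.join(root, name)
                rel = os.path.relpath(full, src_dir)
                manifest[rel] = sha256_file(full)
                tar.add(full, arcname=rel)
    with open(archive + ".manifest.json", "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return manifest


def verify_tree(tree: str, manifest: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Compare every file in the manifest with what is on disk under tree."""
    bad = []
    for rel, digest in manifest.items():
        path = os.path.join(tree, rel)
        if not os.path.isfile(path) or sha256_file(path) != digest:
            bad.append(rel)
    return (not bad, bad)


def restore(archive: str, dest: str) -> Dict[str, str]:
    """Extract the archive into dest and return the manifest it was written with."""
    with open(archive + ".manifest.json") as f:
        manifest = json.load(f)
    with tarfile.open(archive, "r:gz") as tar:
        if hasattr(tarfile, "data_filter"):     # refuse path traversal where supported
            tar.extractall(dest, filter="data")
        else:
            tar.extractall(dest)
    return manifest


def simulate_ransomware(tree: str) -> None:
    """Overwrite every file with junk and append .locked, like a crypto locker."""
    for root, _, files in os.walk(tree):
        for name in files:
            full = os.path.join(root, name)
            with open(full, "wb") as f:
                f.write(b"\x00\xff" * 64)
            os.rename(full, full + ".locked")


def demo() -> Dict[str, bool]:
    work = tempfile.mkdtemp(prefix="backup-demo-")
    try:
        src = os.path.join(work, "share")
        os.makedirs(os.path.join(src, "finance"))
        with open(os.path.join(src, "finance", "q1.csv"), "w") as f:
            f.write("month,revenue\njan,100\n")          # constructed sample data
        with open(os.path.join(src, "readme.txt"), "w") as f:
            f.write("constructed sample data\n")

        archive = os.path.join(work, "share.tar.gz")   # in reality: isolated/off-site
        manifest = make_backup(src, archive)
        simulate_ransomware(src)
        source_ok, _ = verify_tree(src, manifest)       # False: the originals are gone

        restored = os.path.join(work, "restore")
        restore_ok, _ = verify_tree(restored, restore(archive, restored))
        return {"source_ok_after_attack": source_ok, "restore_ok": restore_ok}
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The manifest is what turns a restore from "it extracted" into "it is the data we had": store it with the archive, and run the verification as part of every backup cycle, not only after an incident.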
Recovering From A Ransomware Attack
After a ransomware attack, organizations should follow a ransomware incident response plan that, ideally, they created and tested well before the attack.
Organizations will want to remove the ransomware, but that can be very challenging. Security staff must first make sure the malware cannot spread further into the environment. The main steps:
- Isolate the infected device.
- Identify the ransomware strain to allow more targeted remediation.
- Remove the ransomware: check whether it has already been removed, quarantine it with anti-malware or anti-ransomware software, enlist an external security professional, and remove it manually if necessary.
- Recover the system by restoring from a clean backup or OS image taken before the attack.
Defense Scheme Against Ransomware
In addition to the protection measures above, Prosperity suggests the following layered defense scheme against ransomware:
- Cloud mail security as the first line of defense, screening all email before it reaches the mail server; this is available in Indonesia and can be used free of charge by small and medium enterprises (UMKM) and startups, for example Spinbackup.
- Email server security: server-side filtering that protects the mail server itself, alongside the email filters. ESET provides ESET Mail Security for Exchange for Microsoft Exchange users.
- Server-side defense using endpoint protection dedicated to servers. ESET provides ESET Server Security, which runs on Windows, macOS and Linux.
- Monitoring on the LAN/WAN side with a purpose-built Network Traffic Analysis product that can spot digital attack threats, such as Greycortex.
- Endpoint defense installed on every device without exception, including USB port control, ideally with cloud analysis and sandboxing. ESET provides the integrated ESET Protect products for this.
- Educate all personnel about the dangers of malware, especially ransomware, with periodic briefings.