A survey in August 2021 by market intelligence firm International Data Corporation found that more than one-third of organisations worldwide have experienced a ransomware attack or breach that blocked access to systems or data in the previous 12 months, and for those that fell victim to ransomware, it is not uncommon to have experienced multiple ransomware events.
As part of our Cyber Security Simplified series of articles, we explore what ransomware is, why it could be a threat to your organisation, and how to defend against the threat of a cyber-attack.
What is Ransomware?
Ransomware is malicious software that cybercriminals use to hold your data hostage, demanding a payment in exchange for its return.
Encryption is normally used to protect your data and files so that they can only be accessed using a key such as a password, but ransomware turns the power of encryption against you, locking you out of your documents, spreadsheets, and other important files.
The cybercriminals behind the ransomware attack are relying on the fact that you or your company are willing to pay money, often in the form of Bitcoins, in exchange for the decryption key to unlock your files. The problem for the attackers is that some victims may choose not to pay the ransom, so they will often steal copies of files that may contain sensitive information and threaten that, if the ransom is not paid, they will either release the data to the public or sell that information to other criminals.
To pile on the pressure, the cybercriminals behind the ransomware attack will often set a time limit for the ransom to be paid, after which they will either permanently delete the files or make the files publicly available on the internet.
A common concern victims have is that they pay the ransom, but the cyber criminals don’t provide the key to unlock the files or go ahead and release the files on the internet anyway. It’s important to remember that the criminals are primarily interested in making money, so if word spreads that victims aren’t getting their files back after paying the ransom then criminals may find victims in the future are unwilling to pay. Ultimately the decision on whether to pay the ransom will depend on several factors and anyone falling victim should carefully consider their options first.
Although most ransomware attacks use encryption to prevent the victim from accessing their files, some strains of ransomware just copy files to a remote server on the internet controlled by the criminals, leaving the original files untouched. In these cases, the attacker will usually target specific businesses, hoping to obtain either personal information or proprietary information such as trade secrets.
Who is the target of a ransomware attack?
As the people behind the ransomware attack want to extort as much money as possible, they will often focus their attention on businesses rather than home users, because in a business they can infect multiple systems and demand larger payments to maximise their profits.
Research conducted for the 2022 Veeam Ransomware Trends Report shows that companies of all sizes are impacted by ransomware, from small-to-medium-sized businesses (SMBs) to large enterprises, and that just like any other disaster such as a fire or flood, ransomware attacks are universally pervasive.
Smaller businesses can be especially at risk as they do not have the resources to defend against a ransomware attack that larger enterprises have at their disposal.
What are the consequences of a Ransomware attack?
The consequences for a business that is hit with a ransomware attack can be disastrous.
Initially, the company will be faced with an immediate loss in productivity due to their IT systems and other important files being unavailable. Added to this is the cost of recovering the systems impacted by the attack which might include paying the ransom demand or restoring the IT systems and data from backups. Veeam’s Ransomware Trends Report highlights that recovering from a ransomware attack is a slow process with the average organisation taking 18 days to recover their data.
The company may also suffer reputational damage due to a lack of trust from employees, customers, and suppliers which could take months or even years to rebuild. This will be even more problematic if sensitive data has been leaked on the internet.
Other consequences can include fines from regulators if the company has been negligent and increased insurance premiums.
How does Ransomware infect computers?
Although Hollywood would like us to believe that hackers are breaking through firewalls to launch their attacks, the reality is far more mundane and the cybercriminals often rely on an unwitting accomplice – an employee. This unsuspecting employee might open an attachment in an email from an untrusted source, download a file from the internet, or connect an infected USB memory stick to their computer.
The effects of ransomware may not be immediately obvious, and the unsuspecting employee may not realise they did anything wrong. The cybercriminals behind the ransomware attack want to maximise their profits and demand the largest pay-out possible. Encrypting files on the first computer straight away would alert staff to the ransomware's presence and give them the chance to take countermeasures to prevent it spreading, so the ransomware will instead try to silently infect other computers and servers on the network. Only once the ransomware has infected as many systems as possible will it start encrypting files. This allows the cybercriminals to avoid getting caught early and ask for a larger ransom fee.
Quite often the ransomware will communicate with a server on the internet controlled by the cybercriminals, allowing them to monitor progress and decide when to trigger the software to start encrypting files.
Once the ransomware starts encrypting files, the employees in the company will no longer be able to open their documents, spreadsheets, and other important files. Instead, users and IT staff will be left with a ransom note on the infected computers.
How to defend against ransomware?
There is a long-standing belief that if we build enough walls, it is possible to either prevent attackers from being successful or make it so difficult that they move onto an easier target. This approach is often referred to as defence-in-depth, but this isn’t enough to prevent a cyber-attack.
Former FBI director Robert Mueller, delivering a speech at a cyber security conference, said “I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.”
It is impossible to protect against every cyber-attack and eventually attackers will be able to find their way into your systems and network, so instead, we need to consider the threat from multiple perspectives – identify, protect, detect, respond, and recover. Focusing too much on protecting against a cyber-attack means you might be unprepared to detect and respond to an attack.
Many ransomware attacks use social engineering to trick an employee in the organisation into doing something. As mentioned earlier, an unsuspecting employee might open an attachment in an email from an untrusted source, download a file from the internet, or connect an infected USB memory stick to their computer. Companies that provide their staff with cyber security training and awareness are likely to be better equipped than those that rely solely on technology.
When disaster strikes
Responding to a ransomware attack requires effective planning – after all, you don’t want to make it up as you go once an attacker has infected your company’s computers and servers with ransomware and you can no longer access important files and documents.
When creating a plan to respond to and recover from a ransomware attack, here are some things to consider:
- How will you restore data and IT systems that have been compromised by the ransomware?
- How will you contain and isolate the infected systems so that other IT systems don’t also become infected?
- Are there any regulatory and legal requirements that must be followed?
- Does your company have cyber insurance?
- If your company is going to pay the ransom fee to the cybercriminals, will you use a specialist third party to negotiate with them, and how will your company make the ransom payment, given that many cybercriminals will only accept bitcoin?
- How will you manage communications with your employees, customers, and suppliers?
Finally, it is important to ensure that the ransomware attack is thoroughly investigated. The first reason for conducting the investigation is to establish how the attack happened so you can fix the point of entry. After all, you don’t want the attackers to come back in a few months using the same weaknesses as before. The second reason is to ensure the attack was limited to ransomware. Did the cybercriminals also install software that would allow them to remotely access your systems in the future? These are important questions that shouldn’t be overlooked; otherwise, your business might fall victim again.
What Next?
We hope this article helped you understand what ransomware is, why it could be a threat to your organisation, and how to defend against cyber attacks. If you would like to learn more about cyber security, be sure to check out the other articles in our Cyber Security Simplified series.
If you need extra help with ransomware protection, or want to improve cyber security in your business, speak to IT security consultant Ripley Solutions today.