FACT: Ransomware is the number-one cyber threat to businesses today. – Barracuda.
The highly respected online blogging and security services organization ‘Tech Republic’ commented not so long ago that “Nigerian princes are no longer the only menaces lurking in an employee’s inbox.”
We remember the days when the Nigerian prince’s phishing email or a virus link were the only things you would run into in your inbox. They were naive, transparent and so absurd that almost no one fell for them (almost!).
Sadly that is no longer the case. Avoiding the Nigerian princes and your “million dollar inheritance” phishing email is the least of your worries today. There are so many other ways that individuals, companies great and small, institutions and even governments are being damaged that those phishing emails of yesteryear seem almost like a fond memory.
What are the most common cyber threats right now?
Really what you want to know is how to avoid ransomware attacks. We will get to that in a minute. First though, you need to be able to recognize your enemy.
As basic background knowledge, it is important to know the general terms for the most prevalent types of threat. Here they are in an easy to reference list with the briefest of descriptions:
- Phishing – a general term for malware (malicious code such as viruses designed to do damage), personal data grabbing and ransomware deployment through email
- Spear Phishing – the same as Phishing with the added threat of it being targeted & personalized making it more successful.
- Hacking – criminals gain access to systems through security weaknesses, usually with the intention of exploiting the resources in those systems in some way.
- Denial of Service attacks (DoS) – websites are flooded with requests to the point where they become overloaded and can no longer function.
- Credential Reuse – hackers steal multiple login credentials from a website (or buy them in bulk through the Dark Web), then use automation to try the same credentials across hundreds of popular sites and services. This is effective because many people use the same passwords for multiple sites.
- Password attacks – criminals use software to try to crack your passwords. This is why common, obvious passwords are considered insecure. These are termed ‘brute force’ attacks.
- Man in the Middle – if for example you are contacting your bank, the criminal will appear to you to be your bank, and to the bank they will impersonate being you.
- Drive By Downloads & Malvertising – malicious code that downloads itself and compromises your computer when you click on an advert or simply visit a certain website.
- Rogue Software – You may see these as popups in the bottom right hand corner of your screen occasionally. It is malware that appears to be legitimate security software saying that it is required to keep your computer system safe.
In broad terms, these are the main types of threat that you are most likely to face, although each comes in many guises and they are evolving all of the time.
Currently the most common one of these threats, the one which is seeing the greatest growth is Ransomware. Criminals are devilish in the ways they deploy it, and through increasing involvement of criminal networks, cyber gangs and low skilled rogue individuals with ‘Ransomware Kits’ purchased on the Dark Web, the growth in attacks is accelerating. Thousands of victims are being caught out every day.
8 Ransomware Facts
Check out these alarming 2017 ransomware facts:
- 47% of business have been affected by ransomware
- Approximately 4,000 computers are infected with ransomware every hour worldwide. Ransomware attacks are not only escalating, they’re becoming more sophisticated
- Criminal gangs have often turned to spear phishing e-mails targeting specific individuals
- 59% of ransomware infections are delivered via email attachments or clickable links & buttons
- $209 million was paid to ransomware criminals in the first quarter of 2016 –Barracuda
- There is no guarantee that paying a ransom will recover your files, typically 30% do not
- Cyber criminals mostly demand that their payment be made in Bitcoin
- Typical ransomware demands are between $300 & $600. Recovery costs can be much higher and are often necessary in addition to the ransom payment.
Who is Being Hit by Ransomware?
Whether you are a service business, a hospital, a school, local government or a manufacturer, whatever size your organization, you’re subject to the same kind of threats. From police departments to hospitals to big corporations, ransomware is targeting them all equally and the attacks are costing millions. Local and central governments, law enforcement agencies and some of the largest healthcare providers in the world have been hit with ransomware.
Small businesses with anything from one to one hundred employees in particular are easy pickings for these criminals. Without the benefit of an in-house cyber security professional, all too often these organizations don’t have anything much more than standard anti-virus software (AV) and their fingers crossed!
Ransomware attacks are on the increase and are prevalent globally in every sector. They are becoming more sophisticated and far more complex. What’s more, they are often much tougher to identify in advance of an attack, meaning that even many of the organizations guarding you against the attacks can’t root out these malicious infestations. Cyber criminals are getting away scot-free with the cash more frequently than ever before. They know that their chances of being caught are infinitesimally small and so are emboldened with every success.
There is an additional problem with many smaller companies and individuals who are targeted. The ransom payment may not be financially crippling to them, perhaps anywhere from $300-$600. That ransom amount in itself wouldn’t normally put them out of business.
However the denial of the data which they rely on and use every day within their systems might – especially if you have people dependent on that data for manufacturing, delivering services, making payroll, providing medical services or even legal services.
This will stress any enterprise, and drive some out of business completely. It can be devastating.
Larger organizations such as hospitals, colleges, large companies and government agencies are often hit with demands for significantly larger ransoms. But once again, it is the loss of access to their data, whether temporarily or permanently, that can be so crippling.
In cases such as these, forewarned is forearmed and education, plus a good defense, is going to be the best offense for any organization or enterprise.
High Tech Bridge’s CEO Ilia Kolochenko commented that “The Dark Web and Bitcoin allow almost anyone to sell stolen data without identification—cyber criminals understand they can make easy cash without the risk of being jailed.”
Attackers are demanding ransoms that simply aren’t acceptable, yet in some cases the ransom has been, and had to be, paid.
In reality, just about everyone is vulnerable to a certain extent. Healthcare systems are the most often targeted because traditionally they have the worst security, the most people working on the network, and the least up to date, high tech systems of nearly any kind of business. That doesn’t mean they are the only businesses being hit. Far from it.
Hackers are actually going into systems, gathering and moving data into servers and then encrypting all of it. That has been the case with several very large financial institutions.
A ransomware attack that was aimed at Hollywood Presbyterian Medical Center in California locked systems and left staff unable to electronically communicate in the hospital for more than a week. They paid a $17,000 ransom in bitcoin according to CEO Alan Stefanek.
South Carolina’s Horry County School District found out how devastating a network attack by these cybercriminals could be. The hackers froze networks that housed information imperative to 42,000 students and thousands of staff. Their technology director, Charles Hucks, tried to shut down the system, but momentarily, the attackers immobilized 60 percent of the schools computers. The district paid $8,500 in Bitcoin to unlock the computers.
These are just two examples. Daily there are hundreds.
What is Ransomware?
Ransomware is a very sinister type of malware that can be sent through an email into an unsuspecting business owner’s, director’s or employee’s inbox. It requires that the person actually opens the email and clicks the link, but when they do, the malware that is deployed causes real damage within that computer and very often spreads quickly to anything connected to it, such as USB drives, external drives and servers, as well as to other computers.
The malware is delivered by means of the phishing methodology, or by spear phishing.
Phishing emails are sent to general email lists and often feature themselves as having come from a well known and trusted third party, such as Amazon, a bank, a UPS parcel delivery or perhaps a government tax authority. Typically the emails look authentic at first glance and are designed to catch you unawares. They will ask you in believable terms to take an action, this will be to update account details, confirm receipt of a delivery, query a delivery, cancel an unwanted order or to claim a refund. All you have to do is click the link provided!
Spear phishing operates on a different level. These are very targeted attacks and have a higher level of success. Generally aimed at key people in an organization, research is carried out by the criminal about the person they wish to target and facts garnered about the organization. All this information is freely available if you know what to look for and where to look.
Depending on who is being targeted, a totally relevant and authentic looking email is sent to the intended victim. A request is made for them to click on a link, perhaps to download an invoice, some images, a product brochure or for details of an upcoming event.
The perpetrator may take information from a person’s social media and then send them an email purportedly from an actual friend. That email carries a nasty payload disguised as something nice, but because the person is known to them the victim may go ahead and click it.
Once the link is clicked, the ransomware process starts, files will be encrypted and locked up until a ransom is paid within a prescribed time period. These types of malware are a grave threat that has grown exponentially in the past two years alone.
Rick McElroy, a security strategist for the cyber security company Carbon Black Enterprise Response, states:
“We’re currently seeing a massive explosion in innovation in the types of ransomware and the ways it’s getting into organizations. It’s a big business, and the return on investment to attackers is there—it’s going to get worse.”
Ransomware is not a new thing. It has been in existence for about 15 years, but not until 2015 did we see such a massive number of attacks take place.
During 2015 the FBI got more than 2400 complaints and companies saw a loss of about 1.5 million, according to the Internet Crime Complaint Center. In 2014, the number of complaints had only been about 1400, so in that single year they rose by more than 1000 complaints.
Is The Threat a Real One?
According to the US FBI article, the amount of complaints rose dramatically in 2016 and will continue to rise in 2017. According to Secure Works researchers, “Though most ransomware attacks are not targeted, it is likely there will be an uptick in targeted attacks in 2017 as well.” Alexander Hanel, a security researcher at SecureWorks also noted, “Compromising corporate environments through targeted attacks allows the attackers to request more money than they would receive from a typical user. That makes enterprise targets more attractive.”
Moreover according to Secure Works, while most ransomware activity “has focused on Europe and North America, many threat actors are localizing ransomware threats to infect systems in other regions.” That means the threat isn’t confined to just the US, UK and EU any longer. You can expect to find it anywhere.
In just the first two months of 2017, more than “37 new ransomware variants appeared, updates were released for 22 old samples, and security analysts created eight free decryptors,” according to Tripwire’s estimates.
The vast proliferation of Ransomware is probably due, at least in part, to the Ransomware as a Service model being used by many purveyors of this cybercrime methodology.
One example is criminal gangs that are believed to use recruiters who target and recruit students to do the research and launch the attacks for spear phishing campaigns. The gangs collect the money, paid in Bitcoin into their accounts, and in turn split the profits with the students who did the work. It makes for a great system if you are a criminal: both lucrative and untraceable, with almost zero risk of prison.
There are other organized systems of distribution, but in all cases the creators of the malware are opting to use a vast network of distributors to infect the targeted systems. The person who helps them makes money and the creator can also take a portion of any profit that is made by their malware scheme.
There are even rumors of a “ransomware 2.0“, a bigger and more devastating threat to enterprise.
According to most cyber security experts, it is possible that even with the best efforts of counter technologies, you will almost certainly not be left untouched by ransomware because of the human factor involved.
Tripwire and other security firms like them recommend that “With the abundance of different strains floating around the Internet, the precautions are timeless and invariable. End users and organizations should maintain backups, use effective security software, and treat spam as a potential means for contamination rather than simply a nuisance.”
With so much going on in the ransomware arena, how can companies protect themselves? What are the best steps to take to avoid ransomware?
Are there steps to take or countermeasures to avoid ransomware?
Fortunately the answer is yes. There are ways that you can work to prevent ransomware attacks and help your employees or the company staff to do the same. It takes a little time, but that time spent will net you an amazing ROI in that you may well save your company from a massive attack from which you cannot recover.
What You Should Do to Prevent Ransomware Attacks
It is not possible to guarantee that you won’t get hit by ransomware. Every person who has access to your network raises the odds of it just a little bit, but it’s also inarguable that there are steps that can be taken to prevent it.
Stopping the proliferation of ransomware and preventing you and your company from being attacked or rendered helpless by the ransomware can be done with a combination of good sense, education, and proactive effort.
The first line of defense for the smaller companies as well as the larger ones is also the most cost effective one. The most essential step is building awareness. This is and should always be the first line of defense.
Knowing what’s out there and how it could affect you is of paramount importance and, in terms of ROI, it certainly beats the expensive solutions of local server back up systems and in house security professionals that many small companies can’t afford.
Phase 1: Implement Ransomware Education
Education is the most valuable tool that you have in the fight against ransomware. Nearly every incidence of ransomware is perpetrated using employees who are unaware of the problem and the way to fight it.
The Nigerian prince and his retinue are no longer used in the emails that are targeting you. Gone are the days that phishing emails are created using poorly written and grammatically incorrect notes that mean very little.
The new phishing emails can be almost identical to the real thing and can fool you easily. The new spear phishing emails are targeted directly at you and are much harder to spot. They are designed to sneak in under your psychological defences.
These spear phishing emails genuinely appear to be written by someone who knows something about you and your life and they offer you something that seems–looks–feels–and sounds legitimate.
They may tell you that your package can’t be delivered. Nearly everyone has a package on the way today, so it sounds legitimate enough, right? They may alert you to a refund from somewhere that you would deal with. It may even be a message from a friend. Whatever it is, click the link or open the attachment and it offers you nothing but serious problems, which then proliferate through your entire network of data storage and networked systems, immobilizing your business for the entire time it takes you to resolve the issue.
Remember, while you and any other senior personnel in your organization may be subject to these personalized attacks, your end user staff, in any department that uses computers with an internet link, will also receive similar attacks that can be just as devastating – they will just be less targeted but will infect your systems just as readily.
Your employee’s ignorance and lack of mindfulness when accessing emails, could be your greatest security weakness.
Start to counter these threats by instigating a significant employee awareness and education programme; this is particularly imperative in small companies. Make sure that you have all of the preventive measures that you can in play and make them aware of the most recent malware threats.
Offer your team good information about the inherent risks involved in clicking the links–even those that seem legitimate enough. Have weekly or biweekly meetings that keep them apprised of new scenarios, new attachment names and new methods of phishing so that they know what to look for.
This sounds like a lot to do and time consuming to research and implement, but the effort is essential – you wouldn’t leave your building unlocked and unsupervised overnight would you?
This is a new level of threat that requires new types of measures and procedures.
Back Up–Back Up–Back Up Your Data.
This one simply cannot be emphasized enough, but we will qualify it. From the largest corporation to the smallest company, your data is everything. Did you know that most companies who lose access to all of their data, whether through a virus attack, a ransomware attack or a natural disaster never fully recover? Back up your data at least weekly.
ANY software or programs that are specific to your company, and anything without which you cannot do business, should be backed up to locally connected, network accessible areas, but that is not enough. They should also be backed up to offline media, and that media should be tested monthly for integrity.
Cloud based storage alone is not sufficient by any stretch of the imagination. Every backup that you make should be copied to your network, but also to offline storage or personal server storage that is not connected, in order to prevent that copy from being found and damaged or encrypted along with the network data.
Make sure that you have a clear inventory of every digital asset that your company has and the location of that information. Have backup of everything but know what you have and where it is located. Monitor those systems to ensure that you don’t have a breach that you are not aware of. Many large companies have had breaches that took place weeks or even months before they were aware of it. That is not acceptable and gives your adversary a clear field to attack your company.
In general terms there are several types of backup systems:
- Self-implemented local storage – this is where your end users have access to a separate hard drive, and typically at the end of each day will hit a backup button in a dedicated utility program. Very easy and manageable. The greatest weaknesses are twofold: first, any ransomware that is lurking on your PC will also be backed up. Secondly, if the hard drive is not disconnected during the day, then this backup storage could also become encrypted during an attack.
- Cloud based backup services – very low cost and easy to set up, these services allow you to continually drip feed all your data to a protected online storage facility. Any data changes on your pc are mirrored in the remote storage. The greatest weakness is the slow backup and data recovery process. A PC could take days to back up initially, and will be painfully slow to restore any lost data.
- Internal servers with protected back up environments – There are different levels of server back up services with many options to consider. Specialist advice is recommended for the set up process. However it is considered the best and safest environment for critical systems back up. The best systems can give you very fast system restores in the event of a successful encryption attack.
An important point to note is that, normally, you will only be able to restore your systems with data that was backed up prior to the infection. Hence, the more regularly data is backed up and stored safely, the more will be recovered.
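The monthly integrity test of offline media mentioned above, and the point that only data backed up before the infection can be restored, can both be made mechanical. The following is an added example, not code from the original article: it records a SHA-256 manifest (with a timestamp) when a backup set is written, and later verifies an offline copy against that manifest, reporting files that were modified, removed or added. The directory layout, file names and the simulated tampering in `demo()` are constructed for the demonstration.

```python
"""Added example (not from the original article): build a SHA-256 manifest
for a backup set and verify an offline copy against it later. The directory
layout, file names and contents used in demo() are constructed."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def sha256_of(path):
    """Stream a file through SHA-256 so large backup files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Walk a backup set and record relative path -> digest, plus a creation
    timestamp so a restore can be matched to a point in time before an infection."""
    entries = {}
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            entries[os.path.relpath(full, root)] = sha256_of(full)
    return {"created": datetime.now(timezone.utc).isoformat(), "files": entries}


def verify_backup(root, manifest):
    """Compare a backup copy against its manifest.
    Returns a dict with 'ok', 'modified', 'missing' and 'unexpected' path lists."""
    expected = manifest["files"]
    report = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    seen = set()
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            seen.add(rel)
            if rel not in expected:
                report["unexpected"].append(rel)      # e.g. a dropped ransom note
            elif sha256_of(full) == expected[rel]:
                report["ok"].append(rel)
            else:
                report["modified"].append(rel)        # e.g. overwritten with ciphertext
    report["missing"] = sorted(set(expected) - seen)  # e.g. renamed to *.locked
    for key in report:
        report[key].sort()
    return report


def demo():
    """Constructed scenario: a clean backup is verified, then the copy is
    tampered with the way an encryption attack on a still-connected drive would do it."""
    with tempfile.TemporaryDirectory() as d:
        os.makedirs(os.path.join(d, "payroll"))
        with open(os.path.join(d, "payroll", "march.csv"), "w") as f:
            f.write("id,amount\n1,100\n")
        with open(os.path.join(d, "contracts.docx"), "wb") as f:
            f.write(b"PK\x03\x04 constructed placeholder")
        manifest = build_manifest(d)
        clean = verify_backup(d, manifest)
        # Simulated attack: one file overwritten, one renamed, a ransom note added.
        with open(os.path.join(d, "payroll", "march.csv"), "wb") as f:
            f.write(b"\x8a\x11 constructed garbage")
        os.rename(os.path.join(d, "contracts.docx"), os.path.join(d, "contracts.docx.locked"))
        with open(os.path.join(d, "README_RESTORE.txt"), "w") as f:
            f.write("constructed ransom note")
        tampered = verify_backup(d, manifest)
    return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("clean copy:", before)
    print("tampered copy:", after)
```

In practice the manifest is written to the same offline media as the backup and also kept separately; a copy whose verification report shows anything other than an empty `modified`, `missing` and `unexpected` list should not be used as a restore source without investigation, and the `created` timestamp tells you whether the set predates the infection.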
This ‘loss of data’ issue alone highlights the importance of awareness training and not instigating an attack in the first place.
A recent ransomware attack on a government department in Idaho resulted in a $3500 ransom being paid. The initial demand was for $28,000. The department was able to recover most of the data from backups, but they unexpectedly found three servers that were not backed up. For those they had to pay a smaller ransom in Bitcoin. However, recovery is a slow and painful operation requiring many stages of work, and the recovery costs were nearly $100,000!
Is There Ransomware Detection Software Available?
Yes. There are a number of global operators that provide quite effective software systems that you can install. They do work, but only as well as their latest update. This still leaves your systems vulnerable.
The fact is, there are so many new variants of ever more sophisticated ransomware emerging the whole time, that even the most well funded and responsive of these organizations cannot ever be ahead of the game.
They can only protect your systems after attacks have happened elsewhere, after they have found the solutions to identify and block the malware. They are then able to deploy these solutions through updates. It is an ongoing game of hide & seek where the criminals always have the lead and the motivation.
Once again this highlights the importance of awareness training and support.
Remove Unnecessary Users, Check User Privileges, Ensure Strong Passwords
Consider this section to be a part of best practices – take time to look monthly at everyone who is attached to the network in any way. Those who are using your systems should be reviewed to determine whether they need all of the permissions that they have and if so, why. Those who are using shared network drives should be limited to ‘viewing’ files rather than modifying them unless there is a real need for them to do so.
Current technology demands the use of passwords for security and privacy.
Cyber criminals will run ‘brute force’ attacks on any point that requires password access. They use ‘bots’ to carry out these attacks, which can crack passwords in minutes and, in the case of simple or generic passwords, in seconds.
It is essential that you set minimum requirements for complexity and novelty in password construction, so as to make it far less likely that a brute force attack would succeed.
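The minimum requirements for complexity and novelty described above can be enforced at the point where a user chooses a password. The following is an added example, not code from the original article: it checks length, character classes, a common-password list, the presence of the user name, and reuse against a salted hash history. The `COMMON_PASSWORDS` list and the 12-character / 3-class thresholds are constructed assumptions that an organization would set for itself.

```python
"""Added example (not from the original article): a minimum password policy
check covering complexity and novelty. The common-password list, thresholds
and the password-history records are constructed for the demonstration."""
import hashlib
import hmac
import os

# Tiny constructed list; a real deployment would use a large breached-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "admin123"}
MIN_LENGTH = 12          # assumed policy value
MIN_CLASSES = 3          # of: lower, upper, digit, symbol (assumed policy value)
PBKDF2_ROUNDS = 100_000  # slows down offline guessing of the stored history


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256. The salt is stored next to the digest so that
    a new candidate can later be compared against the password history."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def check_password_policy(candidate, username, previous):
    """Return a list of policy violations; an empty list means the password is accepted.
    'previous' is a list of (salt, digest) tuples for the user's earlier passwords."""
    violations = []
    if len(candidate) < MIN_LENGTH:
        violations.append("shorter than 12 characters")
    classes = [
        any(c.islower() for c in candidate),
        any(c.isupper() for c in candidate),
        any(c.isdigit() for c in candidate),
        any(not c.isalnum() for c in candidate),
    ]
    if sum(classes) < MIN_CLASSES:
        violations.append("fewer than 3 of: lower, upper, digit, symbol")
    if candidate.lower() in COMMON_PASSWORDS:
        violations.append("appears in common-password list")
    if username and username.lower() in candidate.lower():
        violations.append("contains the user name")
    for salt, digest in previous:
        _, cand_digest = hash_password(candidate, salt)
        if hmac.compare_digest(cand_digest, digest):   # constant-time comparison
            violations.append("reused from password history")
            break
    return violations


if __name__ == "__main__":
    # Constructed history: the user previously used "Spring-Flowers-42".
    history = [hash_password("Spring-Flowers-42")]
    for pw in ["password", "Spring-Flowers-42", "alice-Summer-2017", "Correct-Horse-Battery-9"]:
        print(pw, "->", check_password_policy(pw, "alice", history) or "accepted")
```

The history check never stores plaintext: the candidate is re-hashed with each stored salt and compared with `hmac.compare_digest`. Rate limiting and lockout on the login endpoint still matter, because a policy check only raises the cost of guessing; it does not stop an attacker who is allowed unlimited attempts.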
A recent ransomware attack on a government department in Idaho came about as a consequence of a brute force password attack, followed by a ransomware demand.
This cost the department dearly. As described in the backup section above, the initial demand was a whopping $28,000; the department recovered most of its data from backups, but unexpectedly found three servers that were not backed up, and for those a smaller ransom of $3500 was paid in Bitcoin.
In spite of this, recovery was a slow and painful operation requiring many stages of work, and the recovery costs were nearly $100,000!
Monitor Your Software and Firmware and Update regularly
Ensure that you review your software regularly. Don’t apply scripts or themes that prevent you from updating your software as needed. An example of this is a theme that requires a specific version of WordPress or Joomla and stops functioning if any other update is applied. This type of software is an accident waiting to happen. Remind yourself or your development team of the need for regular updates and make sure that they happen.
Monitor your software and note if any security vulnerabilities are reported for it. If so, apply the patches as soon as they are released and verify regularly that the firmware and software on your system is up to date.
Protect your PC, your Servers and Employees from Bad Emails
Educate the workers in your employ about the dangers of opening emails from those they are not expecting, do not know or haven’t heard of. Regardless of how legitimate something looks, it probably is not so these days.
Speak to your employees regularly and let them know the names of attachments being used, so that they know what to look for in email. Work diligently to ensure that personal email or joke emails aren’t on the work servers, as these are an easy vessel for malware.
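Telling staff which attachment names to watch for works better when the mail gateway applies the same rule automatically. The following is an added example, not code from the original article: it parses a constructed ‘parcel delivery’ lure with Python’s standard `email` module and flags attachments whose names end in an executable or script extension, a macro-enabled Office extension, an archive, or a double extension such as `.pdf.js`. The extension sets are assumptions a mail administrator would tune for their own organization.

```python
"""Added example (not from the original article): screen the attachments of an
incoming message and flag file-name patterns that malware droppers commonly use.
The sample message and the extension sets are constructed assumptions."""
import email
from email import policy

# Extensions that run code or a script when opened (assumed list).
EXECUTABLE_EXT = {"exe", "scr", "js", "jse", "vbs", "wsf", "hta", "bat", "cmd", "ps1", "jar", "lnk"}
# Office formats that can carry macros (assumed list).
MACRO_EXT = {"docm", "xlsm", "pptm"}
# Archives that can hide any of the above from a simple filter (assumed list).
ARCHIVE_EXT = {"zip", "rar", "7z", "iso"}
# Harmless-looking inner extensions used in 'invoice.pdf.exe' style names (assumed list).
DECOY_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "txt"}


def classify_filename(name):
    """Return the list of reasons a file name deserves a second look (empty = nothing found)."""
    reasons = []
    parts = name.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXT:
        reasons.append("executable or script")
    if ext in MACRO_EXT:
        reasons.append("macro-enabled document")
    if ext in ARCHIVE_EXT:
        reasons.append("archive (contents not inspected)")
    if len(parts) > 2 and parts[-2] in DECOY_EXT:
        reasons.append("double extension")
    return reasons


def screen_message(raw_bytes):
    """Parse a raw RFC 5322 message and return {attachment_name: [reasons]}."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():          # skips the first text body part
        name = part.get_filename() or "(unnamed)"
        findings[name] = classify_filename(name)
    return findings


# Constructed sample: a 'parcel delivery' lure carrying three attachments.
SAMPLE_MESSAGE = b"""From: "Parcel Service" <noreply@example.invalid>
To: staff@example.invalid
Subject: Your package could not be delivered
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached delivery notice.
--b1
Content-Type: application/octet-stream; name="Delivery_Notice.pdf.js"
Content-Disposition: attachment; filename="Delivery_Notice.pdf.js"
Content-Transfer-Encoding: base64

dmFyIHggPSAxOw==
--b1
Content-Type: application/vnd.ms-word.document.macroEnabled.12; name="invoice.docm"
Content-Disposition: attachment; filename="invoice.docm"
Content-Transfer-Encoding: base64

UEsDBA==
--b1
Content-Type: application/pdf; name="terms.pdf"
Content-Disposition: attachment; filename="terms.pdf"
Content-Transfer-Encoding: base64

JVBERi0=
--b1--
"""

if __name__ == "__main__":
    for filename, reasons in screen_message(SAMPLE_MESSAGE).items():
        print(filename, "->", reasons or "no findings")
```

A name-based check is only the first, cheapest layer: it catches the lure patterns staff are being warned about, but a flagged archive still needs its contents inspected, and a clean-looking `.pdf` can still carry an exploit, so the result should feed quarantine and logging rather than be the only control.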
Plan and Plan and Continue to Plan
Educate not just your employees, educate yourself. Stay apprised of the latest information on malware. Know what the typical attachment names are. Know when something new has come out and how it is being implemented.
Stay on top of all of the latest threat information and methods of protecting yourself against it.
Implement an incident response plan that everyone knows and understands and one that includes malware and ransomware scenarios. Rehearse it frequently and make sure that everyone knows their response to it.
If You Are Attacked, Can You Mitigate the Loss?
In many cases the answer to that question is yes. There are some ways to mitigate the losses that are incurred in an attack. Consider these tactics to help you to accomplish that:
There is a ransomware rescue kit that was lauded by ZDnet. Try it and see if it offers you and your company any measure of support or help.
If your company is hacked and hit with ransomware, there are one or two things that you can do to mitigate your losses:
- Immediately take all infected machines off the network so that the ransomware can’t use your own network against you by proliferating across it.
- Get a team to work immediately to find out if this malware has been investigated by other teams or companies and whether it can be decrypted. About a third of malware can be decrypted by other means, avoiding the ransom, says Kolochenko from High Tech Bridge.
What You Should NOT Do.
You shouldn’t depend on the fact that paying the ransom will end all of your woes.
It’s easy to pay the ransom and hope that everything turns out okay. Realistically it may not.
Although it is in the interests of the professionally minded attackers to provide you with the decryption keys to unlock your system, the fact is you don’t know who you are dealing with, and 30% of the time the data is never unlocked.
Multiple individuals, companies and government entities have paid the ransoms. In some cases it worked out well and in others it did not. When you pay to regain access to the data that you own, keep in mind that it carries massive risks.
In many cases the attacker will refuse to remove the encryption and could keep your money. In other cases, their receiving a fee for giving you back your own data encourages them to attack you again and again, eventually costing you more than you can pay.
Some experts have ranked giving in to the ransomware creators as tantamount to paying terrorists not to attack. It presents unacceptable risks and eventually, no matter how diligently you do as you are told, the ransomware creators will not always keep up their end of the bargain.
Consider every avenue available before you pay a ransom and if you do pay it, spend the next month or two implementing every type of educational program that you can to prevent a recurrence. Once you’ve paid, many cyber criminals see you as an easy mark. If you have to pay the ransom, do so, but consider it a lesson learned and get busy on correcting the way they attained access to your network.