Ransomware: What is it and how to prevent it

Written February 2021

Ransomware by definition is “a type of malicious software designed to block access to a computer system until a sum of money is paid” – this includes anything from a single PC to an entire network.

The tools used to execute these attacks have come a long way since the first reported incident in 1989 when 20,000 infected floppy disks were physically posted to their targets. Lurking on them was a Trojan virus that hid directories and encrypted file names on the victim’s computer. To regain access they were instructed to send $189 to a Post Office box in Panama.

Since then, the perpetrators have swapped disks, envelopes, stamps, and cashier’s cheques for internet-enabled tools and techniques: malware, decryption keys, cryptocurrency payments to name just a few. The average ransom demand has altered slightly as well: reaching a whopping $233,817 by Q3 of 2020. This innovation has seen ransomware evolve into one of the biggest Cyber threats organisations face today.

These attacks were already on the rise before the Covid-19 pandemic reshaped the workplace landscape in 2020, when lockdown restrictions forced businesses to switch to homeworking at scale. Cybercriminals are exploiting the resulting uncertainty and weaker controls on home IT by executing more ransomware attacks than ever before: a mid-year threat landscape report released last year identified a 715% year-on-year increase in detected – and blocked – ransomware attacks in the wake of the pandemic.

How ransomware works

So, how do Cybercriminals infect computer systems with ransomware in the first place?

  • Social engineering: an unsolicited email that appears to come from a legitimate source is used to deliver malware through infected attachments or links to malicious websites. This technique is known as phishing, and around 65% of ransomware infections are executed using it.
  • Scareware: users receive what appears to be a legitimate warning from an antivirus software company, claiming that their computer’s files have been infected and that they need to download antivirus software. What they actually download, however, is fake software that delivers ransomware to their device.
  • Malvertising (malicious advertising): this uses online advertising to distribute malware with little or no user interaction. A victim can be innocently browsing the web when a malicious advert, without even being clicked, redirects their browser to criminal servers that then deliver ransomware to their device.

Once ransomware has been downloaded and opened, it aims to hold systems or data hostage. The next step for Cybercriminals is trying to force the victim into paying them a ransom. Here are some of the most common methods:

  • Encrypting: ransomware typically encrypts some or all of the user’s files, which cannot be decrypted without a decryption key known only to the attacker. The user is then presented with a message explaining that the files are now inaccessible and will only be decrypted if they send an untraceable cryptocurrency payment to the attacker.
  • Leakware: having infected the victim’s computer system and compromised their sensitive data, the attacker threatens to publish it online unless the organisation pays a ransom.
  • Screen lockers: this is a form of malware, typically deployed at the operating system level, that restricts login or file access so that the user cannot use the infected device. When the user attempts to log in, the screen locker displays a pop-up demanding payment to lift the restriction.

Who do Cybercriminals target with ransomware?

The short answer is ‘everyone’ – from SMEs to multinational corporations. However, your vulnerability to ransomware attacks depends on several factors:

  • How attractive your data is to Cybercriminals
  • How critical it is that you respond quickly to a ransom demand
  • How vulnerable your Cybersecurity is
  • How aware your employees are about Cybersecurity

Should organisations pay the ransom?

The proliferation of ransomware attacks and the potential damage they can cause poses an interesting question: should victims pay the attackers the ransom they demand? Paying a ransom does not guarantee an organisation will regain access or that they won’t be targeted again – although some do take the risk. Therefore, any decision to pay a ransomware demand must consider the inherent risks and be made in cooperation with relevant stakeholders: legal, law enforcement, IT and security.

The FBI reinforces this stance: “The FBI does not advocate paying a ransom, in part because it does not guarantee an organisation will regain access to its data. However, the FBI understands that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers.”

So, how do you prevent ransomware from happening?

The first thing to understand is that you cannot completely protect your organisation against malware – so prepare by assuming some malware will infiltrate your systems. Adopt a ‘defence-in-depth’ approach to Cybersecurity. This involves layering a series of defensive mechanisms to protect systems and data – if one mechanism fails, another is in place immediately to prevent an attack. These layers are:

  • Education: provide Cybersecurity awareness training to all your employees, so they know how to prevent, identify, and respond to ransomware attacks.
  • Make regular backups: restoration of your files from a backup is the fastest way to regain access to your data.
  • Prevent malware from being delivered and spreading to devices: reduce the chances of malicious emails, files and links reaching your devices through a combination of:
    • Filtering attachments so that only the file types you would expect to receive are allowed through
    • Blocking malicious websites
    • Actively inspecting content
    • Using signatures to block malicious code
  • Prevent malware from running on devices: having assumed that malware will infect your devices, take steps to prevent it from running. This should include centrally managing devices and keeping antivirus software up to date.
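
To make the delivery-layer controls above concrete, here is an added example (not from the original article) that screens constructed sample email attachments through three of those layers: an allowlist of expected file types, a content check against each type’s file signature, and a hash-based signature list. The allowlist, the magic-byte table and the known-bad hash are all assumptions constructed for the demonstration.

```python
import hashlib
import os

# Layer 1: allowlist of attachment types we expect to receive (assumed policy).
ALLOWED_EXTENSIONS = {".pdf", ".docx", ".png", ".jpg"}

# Layer 2: content inspection. Each allowed type must start with its real
# file signature, so a renamed executable cannot hide behind a safe extension.
MAGIC_BYTES = {
    ".pdf": (b"%PDF-",),
    ".docx": (b"PK\x03\x04",),   # Office Open XML files are ZIP containers
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
}

# Layer 3: signature matching. The "known-bad" entry is a constructed sample
# hashed here; a real deployment would load vendor or threat-intel hashes.
CONSTRUCTED_BAD_SAMPLE = b"%PDF-1.4 constructed known-bad sample for the demo"
KNOWN_BAD_SHA256 = {hashlib.sha256(CONSTRUCTED_BAD_SAMPLE).hexdigest()}


def classify(filename, content):
    """Run one attachment through the three layers; return (verdict, reason)."""
    ext = os.path.splitext(filename.lower())[1]
    # A double extension such as invoice.pdf.exe ends in .exe and fails here.
    if ext not in ALLOWED_EXTENSIONS:
        return "block", f"file type {ext or '(none)'} is not in the allowlist"
    if not content.startswith(MAGIC_BYTES[ext]):
        return "block", f"content does not match the {ext} file signature"
    if hashlib.sha256(content).hexdigest() in KNOWN_BAD_SHA256:
        return "block", "matches a known-malicious signature"
    return "allow", "passed all three layers"


def screen_attachments(attachments):
    """Map each attachment name to its verdict; attachments is {name: bytes}."""
    return {name: classify(name, data)[0] for name, data in attachments.items()}


# Constructed sample attachments (not real files), one per layer.
SAMPLE_ATTACHMENTS = {
    "invoice.pdf": b"%PDF-1.7 constructed harmless document",
    "invoice.pdf.exe": b"MZ\x90\x00 constructed executable",      # double extension
    "report.docx": b"MZ\x90\x00 constructed renamed executable",  # wrong content
    "quote.pdf": CONSTRUCTED_BAD_SAMPLE,                          # known-bad hash
    "photo.png": b"\x89PNG\r\n\x1a\n constructed image data",
}

if __name__ == "__main__":
    for name, data in SAMPLE_ATTACHMENTS.items():
        print(f"{name:18} -> {classify(name, data)}")
```

Each attachment must clear every layer, so a file that passes the allowlist and the content check can still be stopped by the signature list, which is the point of layering the controls.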

How to remove ransomware

If your organisation’s computer system is infected with ransomware, stay calm. Make a note of any information that looks important and log any files that your operating system or antivirus software flags as infected. Then disconnect the infected device from the internet to prevent the malware from sending your data to the attackers. Use another PC to search for details of the virus and potential cures.

Cyber-attacks happen hundreds of thousands of times a day, against organisations from small SMEs through to large enterprises, so no one is ‘immune’ to them. Don’t become a digital hostage. Be prepared and fight back against Cyber-attacks with our comprehensive Cybersecurity services:

Working together, we can provide your organisation with the proactive protection it needs from ransomware attacks and the Cybercriminals behind them.

Discover our Cyber Security services and how we could help protect your business.