In this article Arcturus provides the answer to the question, ‘What is Ransomware?’
Types of ransomware
Ransomware is a type of malicious software – malware – designed to block access to a computer or device until a sum of money – ransom – is paid. This is usually achieved in one of two ways:
Locker ransomware works by locking users out of the device preventing the device from being used e.g. Reveton.
Crypto Ransomware works by preventing users’ access to their data and therefore their system by encrypting their personal files and preventing decryption unless the ransom is paid.
How do users get infected with ransomware?
Users usually get infected with ransomware by phishing attacks which disguise a malicious payload as a legitimate file; businesses also fall prey to this. Poor patching strategies can also leave parts of software with known vulnerabilities ready to be hacked.
Once one device on a network has been infected with ransomware, the ransomware will then spread across the network. It will attempt to find vulnerabilities across the network and infect as many devices as possible. The ransomware will often stay dormant on the network for a period of time and get as many footholds on the network as possible. There will then be a coordinated attack where all the devices will be encrypted or locked at once. Not only do these ransomware attacks remove access to your device, but they can, and often do, steal data and passwords found on the devices.
I’ve got ransomware, what do I do?
Well, it depends. If you’re lucky, you’ve been hit with a bit of Ransomware that hasn’t been put together very well and there are tutorials to remove it online. This, however, is very often not the case with the most recent generation of ransomware. So, you’ve got 2 options: restore from backups (you do keep offline backups don’t you?) and hope you haven’t lost too much data, or pay the ransom. However, this is a very risky option to take. There are a multitude of instances where paying the ransom results in the attackers just disappearing, leaving you in the lurch with your data, and with your money gone. The official recommendations are to never pay the ransomware, but it all depends on how much value the data holds to you. We recommend you avoid contact with criminals, delete the malware infection, focus on other data recovery options, and fix any damage the virus has done either using a repair tool or by rebuilding.
How at risk am I?
In short, very. Ransomware as a business model is growing significantly and rapidly. It is getting easier by the day for non-technically literate people to set up and run their own phishing campaigns. There have also been “ransomware as a service” business models set up, where everything is managed for the attacker by a third party; for each ransom that gets paid, the business and the attacker get a cut.
I have had lots of customers say, “We’re too small, no one will target us”. I have also had these customers come back months later asking us for help since they’ve been infected with ransomware. Everyone is at risk now. There have been ransomware attacks on both large estates (like the NHS and Travelex) and small businesses alike. If you have an email address, you are at risk of getting ransomware and it’s as simple as that.
How do I protect myself?
There are several steps you and your organisation can take to minimise risk:
- Training (spotting and escalation/support).
- First do not open any email attachments unless they are from a known and verified source.
- Have all users throughout the business on a low privileged account.
- Follow a principle of least privilege approach; don’t give anyone access to anything unless there is a business case to do so.
- Don’t let users install anything.
- Ensure that you have a solid patching strategy. Make sure you have a means of updating everything on ~14-day cycle with the option to apply emergency fixes within the space of at least 24 but ideally 12 hours or less.
- All security hygiene practices should be enforced eg running up-to-date antivirus software, automatic workstation updates, strong password policies and of course backing up your files. I can’t emphasise file backups enough. If you don’t backup your files offline, you’re leaving yourself incredibly vulnerable to ransomware or hard drive failures.
It is predicted that the global cost of ransomware will reach ~$20,000,000,000 by 2021. 51% of organizations were hit by ransomware in the last year, and criminals succeeded in encrypting data in 73% of these attacks.
26% of ransomware victims whose data was encrypted got their data back by paying the ransom. A further 1% paid the ransom but didn’t get their data back. With all these stats in mind it’s obvious that a ransomware attack is a significant threat to all businesses great and small and actions should be taken to prevent the attack from happening, prevent the attack from spreading, and recover from the attack.