Ransomware Attacks Explained – What is it & Prevention Solutions

posted by: Paula Boyden date: May 01, 2020 category: All, Malware

Over the past 20 years, since the first attack in 1989, ransomware threats have increased significantly in both volume and complexity, to the point where they now threaten virtually every company with an online presence, worldwide.

What is Ransomware?

Ransomware (ransom malware) is a type of malware or malicious software, designed to gain profit for its creator by denying the victim access to their computer files until a ransom fee is paid.

To perform a successful ransomware attack, the cybercriminal must first get someone inside the target computer/network to download a malicious file or click a malicious link. This is usually done by a phishing attack, where they trick users into doing this or into divulging sensitive information. Even if one of your employees only took their eye off the ball for one second, it would be enough to give the attacker an initial foothold into your network. After the ransomware is deployed, the victim’s computer files become either partially or completely inaccessible, and every screen displays a ransom note with instructions explaining that, in most cases, only the attacker can override the file lockdown, and only after the victim delivers the ransom fee in the way described.

If it is a network of computers, e.g. in a business, the ransomware will spread to as many connected computers and servers as it can. Then the attacker will ask for a fee to return access to files, generally using digital currencies such as Bitcoin.

Not all ransomware attacks are the same, though. The two main types of ransomware are ‘crypto-ransomware’, which encrypts the files on infected computers with a key that only the attacker knows, and ‘locker ransomware’, which does not encrypt the files, but rather locks the user out of their computer and demands a fee to unlock it.

Nowadays, we hear of ransomware attacks almost on a daily basis. The publicity of attacks portrays the supposed easy profitability of ransomware, and this has led to a huge increase in criminals offering ransomware as a service on dark web forums, so that it can be used with no prior technological knowledge. This has created a huge market for ransomware campaigns, which can affect thousands of computers and be worth millions of dollars in ransom fees. The bulk of campaigns will most likely target Small to Medium Businesses (SMBs), as statistically, around 63% of ransomware victims are small businesses.

One of the most notable examples of the power of ransomware is the ‘WannaCry’ attack from May 2017. This attack, widely attributed to North Korea, encrypted hundreds of thousands of computers around the world, demanding that US$300 be paid within three days. Although a kill switch that stops the attack was revealed a few days after the attack began, the global financial damage it caused is estimated at billions of US dollars.

A second widespread ransomware campaign was ‘NotPetya’, which was distributed soon after, in June 2017. This campaign mostly affected businesses in Europe, specifically Ukraine. Affected businesses included the radiation monitoring system at Ukraine’s Chernobyl Nuclear Power Plant, and the world’s largest container ship and supply vessel operator, Maersk. Similar to the WannaCry campaign, estimates are that the total damage from NotPetya exceeded US$10 billion.

As for future attacks, the estimated cost of ransomware for 2021 is US$6 billion (assuming, of course, that there is not another attack on the scale of WannaCry or NotPetya).

Even though there has not been a large-scale attack in the past three years, criminals have not stopped targeting businesses. In recent months, new trends have emerged from notorious ransomware groups such as Maze, DoppelPaymer, Zeppelin, and Sodinokibi, where they not only encrypt the victim’s network but also threaten to publish the stolen data or even alert the NASDAQ of the breach, as an extra incentive for the victim to pay the ransom fee to prevent further damage to reputation or stock price. The Maze attack group has already released troves of data belonging to victims, even setting up a website with the names of victims, publicly shaming them and stating who has paid and who has not.

Another trend is cooperation between nation-state actors, e.g. North Korea, and cyber-criminal gangs. One example of this cooperation is between the notorious North Korean ‘Lazarus Group’ and the East European cyber-criminal group, ‘TrickBot’. Although the TrickBot group operates a banking trojan rather than ransomware, experts believe that this trend will soon emerge between nation-state actors and ransomware groups as well.

How to prevent ransomware attacks

If your business is one of the lucky ones that still hasn’t encountered a ransomware attack, give yourself a pat on the back. Not too hard, though; if you do get attacked, the evidence will be immediate and painful. A ransom note screen, usually with bright red colors, will start appearing on computers in your network at the rate of three seconds per computer, leaving you helplessly watching as it replicates, eventually spanning your entire IT network and making it unusable.

If the worst has happened to you too, and your business has suffered a ransomware attack, know that you are not alone. More than 850.97 million ransomware infections were detected around the world in 2018 alone, with the average cost of a ransomware attack for a business being US$133,000.

Paying the ransom fee does not always guarantee you will get your files back. In the most optimistic scenario, it can take days for all of your systems to be up and running again, and for you to have fixed the security gap that allowed the attacker access in the first place. In many cases, it might take even longer, because trying to build an IT environment from scratch is an extremely pricey and lengthy option. The average downtime of your network is also something to consider – it increased 2.6 times in 2019 alone, and currently stands at 16.2 days.

Therefore, you should remain vigilant and perform protection steps to safeguard your business. The most efficient ways are:

  • Make sure you have an anti-malware service on all computers.
  • Create and maintain a regular backup for your digital information.
  • Educate your employees on how to stay vigilant and spot cyber threats.
  • Make sure you know who to turn to – hire an Incident Response team and/or a Forensics team on retainer.

These steps, if performed regularly, can significantly improve your chances of preventing a possible attack and make the criminals look elsewhere for victims. Since cybercriminals, unlike nation-state actors, are in it for the profit, making their investment unsustainable is the desired result.

FraudWatch International provides various digital risk protection services, including malware protection and ransomware solutions. Should you wish to better protect your business from cyber threats, feel free to contact us.