Ransomware is a specific type of malware that locks the files on your computers unless a ransom is paid. Typically, ransomware is downloaded via email attachments and can even be embedded in common Office documents. When the unsuspecting user opens the file, malware encrypts the user's files and replaces them with ransom notes.
Another very common method of infecting systems and networks with ransomware is through remote exploitation. In this case, an attacker uses either a system flaw (usually due to not applying updates) or by logging in with remote desktop protocols using stolen passwords. Once inside, the attacker will simply launch the ransomware and let it spread.
These ransoms can range from a couple hundred dollars to millions. In some older ransomware variants, the encryption was reversible without buying the decryption keys. Unfortunately, that isn't usually the case anymore. Your options are generally (1) pay the ransom and decrypt your files, (2) restore the computers from backup, or (3) lose your data forever.
Lifecycle of a Ransomware Attack
Over the past six months we’ve observed that Ransomware attacks are becoming more varied, and much more damaging. In the vast majority of ransomware claims we see, there is no technical means by which the victim can recover their data absent paying a ransom. Simultaneously, ransom demands have skyrocketed from 10’s of thousands of dollars to 100’s of thousands, and even $1M+ in some instances.
Criminal techniques are also changing, with criminals now gathering targeting information in pre-attacks against targets, multiplying the impact of the ransomware activation. Here's an example of a modern ransomware lifecycle:
- Employee receives an email containing a malicious attachment
- Employee downloads and accesses the attachment
- Malware infects the employee’s computer via the malicious attachment
- The threat actor moves throughout the employee’s computer and into the corporate network where ransomware software is deployed
- All files on the company network are encrypted and trigger ransom notes
Gaining popularity in 2018, many ransomware infections are also installing a “banking trojan” onto the system prior to the ransomware payload. A banking trojan is a type of malicious computer program that grants the malicious actor with access to information on a system. The typical capabilities of banking trojan’s can include harvesting all network passwords from a system, capturing passwords stored by web browsers, intercepting network traffic, stealing banking credentials entered by an end user, capturing credentials and data from email clients, and spreading through a client environment similar to a worm. Many of these trojans are polymorphic in nature, which means constantly changing and very hard to detect and eradicate via typical antivirus methods. Prevention is the best method when dealing with these trojans.
It's difficult to prevent all types of malware. However, there are several best practices we can follow to help avoid and recover from these kinds of attacks:
- Educate Employees - There are a few, simple best practices that employees can follow that will greatly reduce the chances of malware infecting your network.
- Run Anti-malware Software - This may sound obvious, but running up-to-date anti-malware products is critical. While not a 100% solution, these products are designed specifically to help you avoid malware infections.
- Apply Your Updates - System software vulnerabilities are one of the ways attackers can install and spread ransomware. When security updates are available for your operating system or software, you should apply them as soon as possible (or in accordance with your IT security policy). This applies to workstations, laptops, and servers alike.
- Keep and Test Backups - Use a reputable backup service to backup all your important files. Many cloud service providers offer services to detect and revert your files after a ransomware attack, but you should always test this capability before you need it.
- Keep Offline Backups - If your primary means of backup is another computer (e.g., a backup server) or a removable hard drive, it's possible that those devices could be remotely accessed and either deleted or encrypted as well. If this is your chosen backup method, always keep periodic offline backups (i.e., Removing the drive after backup, backup to DVD/Thumb drive, etc.). The backup media should be securely stored, as well.
- Adhere to "least privilege" - Least privilege means only allowing the minimum required access to a system. Do you need administrator access to your computer all the time? Do your employees? The likely answer is "no." Create specific administrator accounts when required, and only use them when you need them. This will help contain the spread and impact of any malware on your networks.
- Block Macros in Office Documents - Do you require macros in Word or Excel? Likely not. If that's the case, disable the execution of macros to prevent document-based attacks like we discussed earlier. If you do require macros, look in to macro signing and only allow trusted/signed macros.
Ransomware has emerged as one of the greatest cybersecurity risks for businesses of all sizes. While there is no reasonable 100% solution, the above recommendations will reduce the likelihood of infection while helping to ensure a quick recovery in the event of a successful attack.
For more technical information on this topic, please read Securing your business against ransomware or reach out to us; We’re here to help!