Currently experiencing a ransomware attack?
The popularity of ransomware has been rising steeply since 2018. So far this year, 68.5% of all cyber-attacks worldwide have been ransomware related – representing an all-time high. It’s no surprise then, that many have dubbed this the golden age of ransomware.
With over 300 million ransomware attacks occurring annually, it’s not a question of if your organisation will face an attack, but when. Despite this, too many are still woefully underprepared when an attack happens. Want to avoid making this same mistake? Here’s what you should know about protecting against ransomware, and ransomware removal.
What is ransomware?
Ransomware is a type of malware that restricts access to a system. Once this happens, cyber criminals then demand money for either the system or specific data to be released. The threat is typically spread via phishing emails, spam campaigns, drive-bys or programs downloaded to a computer by an unwitting user visiting an infected website.
You might be surprised to learn that ransomware is not new. The technique has been around since 1989, with the first ever documented case being the AIDS Trojan. This was created by Joseph Popp, who distributed 20,000 infected floppy disk drives to the participants of the World Health Organisation’s AIDS Conference.
There’s currently a growing trend for ransomware attacks to be combined with data theft, particularly the theft of personal identity information. This data provides additional leverage for cyber criminals, as they can threaten to release the information – or sell it to a third party – if a ransom isn’t paid.
Paradoxically, new data protection regulations in many countries can increase the time constraints and financial pressure on organisations that fall victim to a ransomware attack. This stipulates that organisations must disclose the loss of personal data within 72 hours, with large fines imposed for data loss.
How do ransomware attacks happen?
Most ransomware requires some sort of employee interaction, such as clicking on an infected link or attachment in a phishing email. In the case of a targeted attack, this will likely use social engineering, and the malware will be customised to give the file a unique signature, thus avoiding detection by antivirus
Some hackers, however – like those behind WannaCry – are now able to infect organisations by exploiting a remote code execution (RCE) vulnerability in unpatched systems. This technique, which doesn’t require any user interaction, was previously more closely associated with computer worms than ransomware.
Ransomware removal is notoriously difficult. Once it penetrates a system, it can usually traverse a network within hours, causing a domino effect as it infects other hosts and data servers. WannaCry, one of the world’s most well-known ransomware variants, caused global panic in 2017 when it hit over 150 countries in a matter of days. Multiple industries were affected, including rail, higher education, telecommunications and healthcare.
The WannaCry attacks – perpetrated by North Korean hackers – highlighted just how dependent both businesses and public sector organisations are on their data. Many, including the UK’s National Health Service and Spanish national telecommunications company Telefonica, were brought to their knees.
Ransomware removal: What should I do if my organisation is hacked? Do I pay hackers to release my data?
When an organisation is hacked, paying a ransom can seem like the easy way out. This is especially true if there’s no comprehensive backup strategy in place. Recently, for example, the high-profile Colonial Pipeline Attack ended after the business paid hacker group DarkSide approximately $5 million to regain control of its data and resume operations.
However, most law enforcement agencies and security practitioners will advise their clients against paying a ransom. This is for the simple reason that it creates a vicious cycle, where ransom payments fund hackers to conduct new and increasingly sophisticated attacks. Plus, even when a ransom is paid, there’s no guarantee that victims will have all their data returned. Ultimately, organisations need to assess their own circumstances, and decide whether paying a ransom is really worth it.
What can organisations do to protect themselves?
As IT and OT systems become more connected, ransomware attacks are increasingly moving from the digital realm into the physical one. Successful hacks on critical assets such as electrical grids, nuclear power stations and manufacturing facilities can have serious implications for both operational continuity and human safety.
As such, safeguarding against the growing volume of ransomware attacks should be top of the agenda for IT, OT and cyber security leaders. The first and most important step is creating multiple up-to-date data backups. In the event of an attack, these enable organisations to resume operations quickly and easily – without paying a ransom.
Secondly, to prevent an attack from happening in the first place, organisations should keep on top of their software patching processes. Many who fell victim to the WannaCry attack were caught out because they hadn’t updated their systems with the relevant patches.
Last but not least, ensuring employees are “cyber aware” is crucial. Businesses should not assume a pre-existing level of knowledge, and should make sure to teach staff about ransomware and the various techniques used by attackers. Plus, the use of “phishing emulation applications” to increase employee awareness can be very helpful. Not because every employee will recognise the email as malicious, but because if one person does and reports it, then at least the attack has been detected.
Unfortunately, not all attacks can be avoided. If your organisation does fall victim to ransomware, it’s important to learn lessons from it. Analysing how you contained the event, and if there are any changes that you could make to improve your response, will ensure you are better protected going forward.
At Airbus CyberSecurity, we have decades of experience in protecting governments, defence organisations, critical national infrastructure and enterprises from cyber threats. Get in touch to learn how we can support your organisation.