Cybersecurity is a never-ending battle. Just when we believe we have the right level of defense, a new threat makes the headlines and brings us back to the war room. While far from new, ransomware has been headlining cybersecurity news at an alarming rate. The attacks are becoming more coordinated, sophisticated, and devastating than ever, so we need to ensure that our businesses are fully protected and understand exactly how ransomware inflicts its damage.
Today, we’re going to cover just what ransomware is, define the types of attack, and explain how you can guard yourself from a ransomware attack.
What is Ransomware?
Ransomware is a type of malware that blocks or limits its victims' access to their own data and demands a ransom to restore it.
Once installed, most ransomware encrypts files and directs its victims to pay in a cryptocurrency such as Bitcoin. Paying is a gamble: there is no guarantee that the attacker will hand over a working decryption key or that the data will come back in its original state, and some variants damage or destroy the files whether or not the ransom is paid.
34 percent of businesses hit with malware took a week or more to recover full access to their data. - Kaspersky
How dangerous can a Ransomware attack be?
A perfect example of how dangerous ransomware can be is the massive attack that began on August 16th, 2019, in which 23 Texas municipalities were compromised at once, locking files and halting business and financial operations for several rural cities. Some grave facts about this attack:
- The attack is still being mitigated as of this writing, and the attackers are demanding $2.5 million to unlock the encrypted files.
- The city of Borger, Texas cannot issue birth and death certificates or accept utility payments, affecting more than 13,000 residents.
- Keene, Texas, population over 6,000, is completely locked out of its city payment systems; the attack bypassed the defenses built by the city's outsourced IT company.
- Further details are still being investigated by the FBI, but the evidence so far points to “one single threat actor.”
What makes this attack so dangerous is how coordinated it was. By striking 23 cities at once, it could be the largest coordinated ransomware attack in recent memory, if not ever.
These Texas towns are not the only ones in the cross-hairs of ransomware. In 2019 alone, the networks of smaller towns in Florida, New York, Georgia, and Maryland have been struck, and school districts in Louisiana and Alabama have been sidelined by ransomware attacks. It is against this backdrop that Texas Senate Bill 820, which requires school districts to adopt cybersecurity policies, was put into effect.
The United States is the country with the highest attack rate of ransomware, accounting for 53% of global ransomware attacks. 36% of local agencies have paid the ransom but only 17% got their data back in its original state. -Kaspersky
Some other famous examples of ransomware include:
- CryptoLocker – CryptoLocker is one of the more infamous ransomware families. Once triggered, it encrypts the user's documents and demands a ransom, typically with a time limit for payment.
- The original CryptoLocker operation was taken down in 2014, but its name lives on in imitators and its delivery method is still the norm. CryptoLocker was a Trojan, not a worm, so it did not self-replicate: it had to be delivered to a user, typically as an e-mail attachment, and opened before it could run and then spread to reachable network shares. Beyond your digital defenses, knowing how to spot a phishing attempt and verifying every download prompt remains the best defense against this kind of attack.
- Ryuk – First seen in August 2018, Ryuk wreaks havoc by identifying and encrypting network drives and individual files, and by deleting any Volume Shadow Copies it finds on the endpoint so that Windows' built-in restore points cannot be used to roll back. The severity lies in the fact that a victim with no external backups may have no way to recover at all.
- A recent Ryuk case hit Tribune Publishing in late December 2018. Although the attack appeared to originate overseas, it disrupted printing and distribution at newspapers across the company, including the Chicago Tribune and Baltimore Sun, as well as the Los Angeles Times, a former affiliate that still shared Tribune's production systems.
- Thanatos – The Thanatos ransomware spread through spam e-mail attachments. It encrypts the victim's files, appending the .THANATOS extension, and displays a ransom note on every boot demanding $200 in cryptocurrency.
- Worse still, the malware never stored the decryption keys it used, so paying the ransom would have been useless. Thanatos is a perfect example of how paying is no guarantee that you will regain access to your files in their original state, if at all.
- Petya/NotPetya – Petya spread like CryptoLocker, through e-mail, but rather than encrypting individual files it overwrote the disk's boot record and encrypted the master file table, leaving the whole drive unreadable. Once infected, the machine boots to an image of a skull and crossbones demanding a ransom to regain access. NotPetya took it even further.
- NotPetya (June 2017) needed no human action: it spread on its own across networks, combining the same EternalBlue SMB exploit that WannaCry used with stolen credentials, and the damage it did to the boot record and file table was irreversible, so the disk could not be recovered even if the ransom was paid. Petya itself has been neutralized, but NotPetya's effects are still being felt today.
- WannaCry – WannaCry (May 2017) was a different kind of ransomware because it was a worm rather than a Trojan: it spread itself from machine to machine over the network by exploiting a Windows SMB vulnerability (the "EternalBlue" flaw patched in MS17-010), with no user action required. Once on a workstation it hunts for files in many formats, from MP3s to Word documents, and encrypts them; the victim is then shown a ransom note demanding payment in Bitcoin, while the malware reaches its operators over the Tor network.
- The WannaCry attack is especially instructive because Kaspersky Lab found that 98% of the roughly 300,000 infected devices were running Windows 7. Microsoft had released the patch for the SMB flaw two months before the outbreak; the victims were simply unpatched. Windows 7 reaches its End of Life (EOL) on January 14th, 2020, after which it receives no more security patches, and as of now an alarming number of PCs have not been upgraded to Windows 10, so we would not be surprised to see another WannaCry-style outbreak once that deadline has passed. We recommend having your workstations ready for the Windows 7 EOL deadline, and you can learn more about EOL here.
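Ryuk's habit of wiping shadow copies, described above, is also one of the most reliable things to alarm on, because legitimate software almost never deletes every restore point on a workstation in one go. The script below is an added example written for this article, not code from any ransomware family, vendor product, or the incidents discussed: it scans process-creation log lines for the recovery-destroying commands publicly attributed to Ryuk and similar families. The log lines are constructed in a simplified Sysmon-like layout (not real captures), and both that layout and the indicator list are assumptions to adapt to your own logging.

```python
import re

# Command-line patterns that destroy Windows recovery points. Drawn from
# widely published ransomware behaviour (Ryuk and others); treat this as a
# starting list, not a complete one.
INDICATORS = [
    ("vssadmin delete shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("vssadmin resize shadowstorage",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I)),
    ("wmic shadowcopy delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("wbadmin delete catalog",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I)),
    ("bcdedit disable recovery",
     re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
]

# Constructed, simplified log layout (not a real Sysmon/4688 export):
# <timestamp> host=<host> user=<user> image=<path> cmd="<command line>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+'
    r'image=(?P<image>\S+)\s+cmd="(?P<cmd>.*)"$'
)

# Constructed sample: a morning on two city workstations. Lines 1, 2 and 6
# are benign (listing shadows and a scheduled backup are normal); the rest
# are the sequence a Ryuk-style infection runs before encrypting.
SAMPLE_LOG = [
    r'2019-08-16T09:12:03Z host=FIN-WS07 user=CITY\jdoe image=C:\Windows\System32\notepad.exe cmd="notepad.exe budget.txt"',
    r'2019-08-16T09:12:40Z host=FIN-WS07 user=SYSTEM image=C:\Windows\System32\vssadmin.exe cmd="vssadmin list shadows"',
    r'2019-08-16T09:13:01Z host=FIN-WS07 user=CITY\jdoe image=C:\Windows\System32\cmd.exe cmd="cmd.exe /c vssadmin Delete Shadows /all /quiet"',
    r'2019-08-16T09:13:02Z host=FIN-WS07 user=CITY\jdoe image=C:\Windows\System32\vssadmin.exe cmd="vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB"',
    r'2019-08-16T09:13:05Z host=FIN-WS07 user=CITY\jdoe image=C:\Windows\System32\wbem\WMIC.exe cmd="wmic shadowcopy delete"',
    r'2019-08-16T09:14:10Z host=CLERK-WS02 user=CITY\svc_backup image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd="powershell.exe -File C:\Scripts\nightly_backup.ps1"',
    r'2019-08-16T09:15:22Z host=CLERK-WS02 user=CITY\mlee image=C:\Windows\System32\bcdedit.exe cmd="bcdedit /set {default} recoveryenabled No"',
    r'2019-08-16T09:15:23Z host=CLERK-WS02 user=CITY\mlee image=C:\Windows\System32\wbadmin.exe cmd="wbadmin delete catalog -quiet"',
]


def parse_line(line):
    """Split one log line into its fields; None if it does not fit the layout."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def match_indicators(cmd):
    """Names of every indicator the command line triggers (usually 0 or 1)."""
    return [name for name, rx in INDICATORS if rx.search(cmd)]


def scan(lines):
    """Return (host, user, indicator, command line) for every suspicious event."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        for name in match_indicators(ev["cmd"]):
            alerts.append((ev["host"], ev["user"], name, ev["cmd"]))
    return alerts


def alerts_by_host(alerts):
    """Count alerts per host; several hits on one host in a minute is the real signal."""
    counts = {}
    for host, _user, _name, _cmd in alerts:
        counts[host] = counts.get(host, 0) + 1
    return counts


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for host, user, name, cmd in found:
        print(f"{host:11} {user:16} {name:30} {cmd}")
    print("per host:", alerts_by_host(found))
```

Run against a real export you would feed the script from Sysmon Event ID 1 or Windows Security event 4688 with command-line auditing enabled; the value of the check is the cluster (several of these commands on one host within a minute), which is why the per-host count is worth more than any single line.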
Total worldwide damages from the NotPetya ransomware attack were over $10 billion. – SafeAtLast.co
How do you contract ransomware?
There are three main ways that ransomware finds its way onto an unsuspecting network.
- Malicious attachments – When an e-mail or direct message arrives from a party that looks legitimate, especially someone you know, our guard drops when it comes to opening the attachment. If that attachment is a malicious file disguised as an invoice or document, opening it runs the ransomware, which can encrypt the local machine and then spread to any network shares it can reach.
- Sketchy e-mail links – Just as you should be wary of attachments from any source, the same goes for links. They sit in the body of the e-mail, often hidden behind innocent-looking hyperlinked text. Once the bogus website has been visited, it may be too late: the system is infected and the files are held for ransom.
- Exploit kits – A more advanced method, exploit kits run without the victim clicking a link or downloading a file. Malicious code hides on a compromised or bogus website, or inside an advertisement (so-called malvertising), and exploits an unpatched browser or plugin, so even a brief visit can leave the machine infected.
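The attachment vector above relies on a file that looks like a document but runs as a program. The following is an added example written for this article, not code from any mail gateway or product: it parses a raw e-mail with Python's standard library and applies the checks an analyst applies by hand, namely executable or script extensions, a document extension placed in front of the real one (Invoice.pdf.exe), and content whose leading bytes say "Windows executable" regardless of the name. The message is constructed for the demo, the addresses use the reserved .example domain, and the "invoice" attachment is a stub that merely starts with the MZ signature, not a real program.

```python
import email
from email import policy
from email.message import EmailMessage

# File types that should never arrive as an unsolicited business attachment.
DANGEROUS_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".ps1",
                 ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".lnk", ".iso"}
# Office formats that can carry macros, the other classic delivery vehicle.
MACRO_EXT = {".docm", ".xlsm", ".pptm", ".dotm", ".xlam"}
# Document-looking extensions attackers put in front of the real one.
DECOY_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
# Leading bytes that identify the real content regardless of the file name.
MAGIC = [
    (b"MZ", "Windows executable"),
    (b"%PDF", "PDF document"),
    (b"PK\x03\x04", "ZIP container (Office docx/xlsx or archive)"),
    (b"\xd0\xcf\x11\xe0", "legacy OLE Office document"),
]


def sniff(data):
    """Identify content by its signature; 'unknown' if nothing matches."""
    for sig, desc in MAGIC:
        if data.startswith(sig):
            return desc
    return "unknown"


def all_extensions(filename):
    """'Invoice.pdf.exe' -> ['.pdf', '.exe'], lower-cased; the last one is what Windows runs."""
    parts = filename.lower().split(".")
    return ["." + p for p in parts[1:]]


def assess_attachment(filename, data):
    """Return a list of findings for one attachment (empty list = nothing suspicious)."""
    findings = []
    exts = all_extensions(filename)
    final = exts[-1] if exts else ""
    if final in DANGEROUS_EXT:
        findings.append(f"executable/script attachment ({final})")
    if final in MACRO_EXT:
        findings.append(f"macro-enabled document ({final})")
    if len(exts) > 1 and exts[-2] in DECOY_EXT:
        findings.append("double extension disguised as a document")
    if sniff(data) == "Windows executable" and final not in DANGEROUS_EXT:
        findings.append(f"content is a Windows executable but name ends in {final}")
    return findings


def assess_message(raw_bytes):
    """Parse a raw RFC 5322 message and assess every attachment in it."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    report = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        report[name] = assess_attachment(name, data)
    return report


def build_sample_message():
    """Constructed phishing sample. The 'invoice' is a harmless stub that only
    starts with the MZ executable signature; the agenda is a real-looking PDF header."""
    m = EmailMessage()
    m["From"] = "accounts@supplier.example"
    m["To"] = "clerk@city.example"
    m["Subject"] = "Overdue invoice - action required"
    m.set_content("Please see the attached invoice and remit payment today.")
    m.add_attachment(b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56,
                     maintype="application", subtype="pdf",
                     filename="Invoice_0819.pdf.exe")
    m.add_attachment(b"%PDF-1.4\n% constructed sample, not a real document\n",
                     maintype="application", subtype="pdf",
                     filename="Agenda.pdf")
    return m.as_bytes()


if __name__ == "__main__":
    for name, findings in assess_message(build_sample_message()).items():
        print(name, "->", findings or "clean")
```

The content check is the one that matters most: Windows hides known extensions by default, so "Invoice_0819.pdf.exe" is shown to the user as "Invoice_0819.pdf", but the MZ header cannot be hidden. Note that this covers only the attachment vector; the link and exploit-kit vectors described above never put a file in the mailbox at all.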
43% of all cyber-attacks target Small Businesses. - Verizon
What can you do to prevent ransomware?
Now that you know more about ransomware, what can you do to avoid becoming a victim and keep your data safe?
- Back up your data locally and in the cloud. There is more to this than a simple copy to an external drive or a cloud storage account. We recommend the “3-2-1” method of backing up your data:
- Three copies of your data: one is not enough. Keeping multiple copies reduces the chance of losing everything if something happens to one of them.
- Two copies on different media: keep your backups on at least two different types of media, such as external hard drives, servers, cloud storage, or a Network Attached Storage (NAS) device.
- One copy offsite: keep one maintained backup in a remote location, disconnected from the primary network, so that an infection cannot reach it the way it can reach any backup that stays attached.
- AND make sure you recover the data to a clean workstation. Don't undo all of your backup efforts by restoring onto a machine that is still infected.
- Evaluate your data access. Make sure your organization follows best practices for network access: enforce a strong password policy, segment the network with VLANs, put visitors on a separate guest network, require a VPN (Virtual Private Network) for remote access, and lock down file and folder permissions so that users can only reach the data their jobs require. Ransomware encrypts everything the infected account can write to, so the less an account can reach, the less an infection can destroy.
- Keep your workstations up to date and patched. This means not only the workstation OS but every piece of software installed on it. Attacks like WannaCry thrive on machines running outdated software.
- Ensure your antivirus and firewall are legitimate and operational. Schedule AV scans and review their results; there is no such thing as scanning too often.
- Employee training and safe browsing habits. Making sure your employees understand how a ransomware attack, or any other threat to your security, actually works is crucial. Create a plan to train them on safe browsing habits, how to spot a phishing attempt, and whom to contact if something does not look legitimate.
- Evaluate your Disaster Recovery Plan. A ransomware lockout certainly qualifies as a disaster, so factor it in with your IT provider when developing the plan, and rehearse a restore from backup before you need one for real.
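The 3-2-1 rule and the clean-workstation rule above both assume you know your backup copies are still good, and ransomware that reaches an attached backup share encrypts it along with everything else. The script below is an added example written for this article, not the article's own tooling or any backup product's code: it records a SHA-256 manifest when a backup set is written and later verifies a copy against it, reporting files that went missing, changed, appeared unexpectedly, or carry an extension the families above append (.THANATOS, .RYK, .WNCRY). The sample backup set is constructed in a temporary directory, and the file names and manifest location are assumptions.

```python
import hashlib
import json
import os
import shutil
import tempfile

# Extensions appended by the families discussed above; a backup that suddenly
# contains them has itself been encrypted.
RANSOM_EXTS = {".thanatos", ".ryk", ".wncry"}


def sha256_file(path):
    """Hash a file in chunks so large backup images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> sha256 for every regular file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def write_manifest(manifest, path):
    with open(path, "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)


def load_manifest(path):
    with open(path) as f:
        return json.load(f)


def verify(root, manifest):
    """Compare the copy under root against the manifest recorded at backup time."""
    current = build_manifest(root)
    missing = sorted(p for p in manifest if p not in current)
    changed = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    unexpected = sorted(p for p in current if p not in manifest)
    ransom_named = sorted(p for p in current
                          if os.path.splitext(p)[1].lower() in RANSOM_EXTS)
    return {
        "missing": missing,
        "changed": changed,
        "unexpected": unexpected,
        "ransom_named": ransom_named,
        "ok": not (missing or changed or unexpected or ransom_named),
    }


def demo():
    """Constructed scenario: write a small backup, record its manifest, verify it,
    then simulate ransomware reaching the backup share and verify again."""
    work = tempfile.mkdtemp(prefix="backup-demo-")
    try:
        backup = os.path.join(work, "backup")
        os.makedirs(os.path.join(backup, "finance"))
        with open(os.path.join(backup, "finance", "ledger.xlsx"), "wb") as f:
            f.write(b"constructed ledger contents")
        with open(os.path.join(backup, "permits.docx"), "wb") as f:
            f.write(b"constructed permit records")

        # The manifest belongs with the offsite copy, not on the backup volume.
        manifest_path = os.path.join(work, "manifest.json")
        write_manifest(build_manifest(backup), manifest_path)
        clean = verify(backup, load_manifest(manifest_path))

        # Simulated hit: one file encrypted and renamed Thanatos-style, one
        # overwritten in place with ciphertext but keeping its name.
        os.rename(os.path.join(backup, "permits.docx"),
                  os.path.join(backup, "permits.docx.THANATOS"))
        with open(os.path.join(backup, "finance", "ledger.xlsx"), "wb") as f:
            f.write(b"\x00garbage ciphertext\x00")
        hit = verify(backup, load_manifest(manifest_path))
        return clean, hit
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```

Two points the demo makes concrete: the manifest must live where the backup job cannot write (the offsite copy is the natural place), otherwise ransomware that rewrites the files can rewrite the manifest too; and the check has to run on a schedule, not only when a restore is needed, because a backup that was encrypted weeks ago is discovered at the worst possible moment.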
4 out of 5 Small Businesses report that a malware attack has evaded their antivirus. – Ponemon Institute
Ransomware is on the rise, so be sure your business is armed with the latest solutions to avoid disruption. As a trusted MSP for over 20 years, neoRhino IT Solutions' team of engineers and consultants is ready to provide your business with state-of-the-art remote managed protection, cybersecurity training, and a range of data backup options to keep you safe from a ransomware attack.
Complete the contact form above or call us at (281) 779-4850 for a FREE Business Assessment and Consultation, and let neoRhino manage your technology so you can manage your business.