Skip to main content
search
Managed Security Services & SolutionsRansomware

Reacting to Ransomware

By May 26, 2022No Comments
ransomware

What is Ransomware?

Ransomware involves extortion. Ransomware is a type of malicious software designed to block access to a computer system/application until a sum of money is paid. And it’s big business. Ransomware attacks netted cyber criminals more than $600 million in cryptocurrency payments in 2021 (source: blockchain analysis firm Chainalysis), and that’s just the tip of the iceberg with the real number likely being much higher.

What does Ransomware involve?

Ransomware is often spread through phishing emails that contain malicious attachments or when a user visits an infected website and the malware downloads and instals without their knowledge.

If your infrastructure has security holes then no deception is needed, it’s like a door being left open, attackers can exploit your vulnerabilities by infecting your systems without needing to trick users.

Once the attacker is ‘in’ it’s usual for them to encrypt your files, and the files cannot be decrypted without a mathematical key, known only by the attacker.

You will be presented with a message explaining that your files are inaccessible and will only be unlocked if you make a payment.

Ransomware demands normally take the form of cryptocurrency payments in exchange for the encryption key. Usually you’re asked to contact the attacker via an anonymous email address or follow instructions on an anonymous web page, to make payment. However, even if you pay the ransom, there is no guarantee that you will get access to your computer, or your files.

Occasionally malware is presented as ransomware, but after the ransom is paid the files are not decrypted, and in fact it maliciously deletes the data and programs instead.

Types of Ransomware

There are some variations in the attacking style, here are the most common types:

  1. Crypto ransomware: one of the most well-known and damaging types of ransomware, files are encrypted and are inaccessible without a decryption key.
  2. Lockers: you are completely locked out of your system, the locked screen displays a ransom demand.
  3. Scareware: fake software claiming you have a virus, typically pop ups ask for payment to fix the problem, in many cases files aren’t damaged.
  4. Doxware or leakware: the attacker threatens to publish sensitive information unless payment is made.

Some ransomware will also try to spread to other machines on the network, such as the Wannacry malware that impacted the NHS in May 2017.

Ransomware is big business, and on the dark web there are many business opportunities for those wishing to cash in. There’s even RaaS (Ransomware as a Service) where the ransomware is developed by one party and bought by an attacker, either via a one off fee, monthly subscription or a profit share arrangement, to then distribute.

Who is at risk of Ransomware?

Ransomware attacks are growing in size and frequency, threatening businesses around the world. Ransomware attacks target firms of all sizes, no size business is immune. Ransomware also affects all industries, Here are the top 10 ransomware targets by industry: (source: Sophos):

  1. Education
  2. Retail
  3. Business, professional and legal services
  4. Central government
  5. IT
  6. Manufacturing
  7. Energy and utilities infrastructure
  8. Healthcare
  9. Local government
  10. Financial services

What to do if you receive a Ransomware demand?

If you have a ransomware demand message appear, then an attacker has successfully infiltrated your systems, and this should trigger your cyber security incident response plan.

If you don’t have a tried and tested incident response plan then consider emergency response support from forensic experts, such as ourselves. We’ll make sure the threat is identified, contained and eradicated quickly to minimise any impact to you, your business and customers.

However, in the first instance, The National Cyber Security Centre (NCSC) advises that there are some immediate steps that you can take to instantly limit the impact:

  1. Limit the spread of the malware immediately by disconnecting the infected computers, laptops or tablets from all network connections, whether wired, wireless or mobile phone based.
  2. In a very serious case, consider whether turning off your Wi-Fi, disabling any core network connections (including switches), and disconnecting from the internet might be necessary.
  3. Reset credentials including passwords (especially for administrator and other system accounts) – but verify that you are not locking yourself out of systems that are needed for recovery.
  4. Safely wipe the infected devices and reinstall the OS.
  5. Before you restore from a backup, verify that it is free from any malware. You should only restore from a backup if you are very confident that the backup and the device you’re connecting it to are clean.
  6. Connect devices to a clean network in order to download, install and update the OS and all other software.
  7. Install, update, and run next-gen antivirus software.
  8. Reconnect to your network.
  9. Monitor network traffic and run scans to identify if any infection remains.
  10. Report the incident to the NCSC by visiting https://report.ncsc.gov.uk/ and to the Action Fraud website.

Should you pay the ransom?

The NCSC advises that law enforcement does not encourage, endorse, nor condone the payment of ransom demands. If you do pay the ransom then there is no guarantee that you will get access to your data or computer. Also bear in mind that you will be paying criminal groups so could be more likely to be targeted again in the future.

How to prevent Ransomware

A mix of technology, processes and practices are required to protect your networks, data, devices and applications from attack. A multi-layered cyber security strategy is the only way to prevent, detect and respond to ransomware attacks.

  1. Assess the risk: With the rise in phishing and cyber fraud, as well as the high costs of ransomware and business email compromise, there is a growing need to assess your company’s vulnerability to social engineering attacks. A Phishing Exposure Assessment safely simulates phishing attacks to test your employees’ security awareness and evaluate the ability of your network security infrastructure to protect from cyber attacks. Cyber criminals are extending their attacks to the supply chain attacks too so it’s important to look at your wider network.
  2. Train your teams: over 90% of security incidents are caused by lack of staff awareness, so being more aware in spotting phishing attacks by way of suspicious emails, texts and calls, can make the difference to keeping you secure. With attacks becoming ever more sophisticated, it’s important that you keep training up to date to include emerging threats.
  3. Protect your whole network: An integrated fabric of security controls provide advanced protection to counter the ever evolving nature of security threats. From MFA, next generation firewalls, endpoint protection and network access control solutions, to network monitoring and user analytics, there’s a multitude of cyber security tools and tactics you can employ to minimise the risk of an attack. As a starting point, take a look at the Cyber Essentials Certification Scheme which focuses on 5 different areas of cyber security, which when correctly deployed, will protect your organisation from the most common cyber security threats.
  4. Be prepared for attacks: No network, system, or software is ever 100% secure and a quick and efficient response to an attack on your network can save an untold amount of time, money and staff hours. Our Cyber Incident Response Planning Service will help you optimise your incident response plan, coordinate an incident response team and determine the source, cause and extent of a computer security breach quickly. We also offer a fully managed incident response service where we step in immediately to limit the impact to your organisation.

If you need hands-on support then we are here to help

Here at Infosec Partners we live and breathe by our 3 golden mantras; Protection, Detection & Reaction. With more than 20 years experience in implementing mission-critical data security programs, we believe that a culture of preparedness is the only way to be cyber resilient.

Get in touch with the Infosec Partners team to discuss how our security services can minimise the cyber risks to your business.

 

Leave a Reply

five × two =

Close Menu