Imagine you are sitting in front of your computer, typing an email to a colleague, when all of a sudden your screen goes black and red.
What do you do next?
You only have 96 hours to make a decision.
Ransom malware, or ransomware, is a type of malware that prevents users from accessing their system or personal files and demands a ransom payment to regain access.
The earliest variants of ransomware were developed in the late 1980s, and payment was to be sent via snail mail.
Today, ransomware authors demand that payment be sent via cryptocurrency, complete with well-supported step-by-step guidance.
Ransomware is now an all-too-real threat to businesses, governments, and individuals worldwide.
The problem with ransomware is twofold.
1. Ransomware is designed to completely encrypt a victim’s file system, potentially causing an irreversible loss of data.
2. An increasing number of cybercriminals are selling the stolen data on the dark web.
Both follow from the whole purpose of ransomware, which is to extract maximum leverage and money from victims.
Let’s look at some numbers, as reported by Emsisoft (https://blog.emsisoft.com/en/35583/report-the-cost-of-ransomware-in-2020-a-country-by-country-analysis/):
• The average ransom demand is USD $84,000.
• 33% of companies pay the ransom.
• Ransomware incidents result in an average of 16 days of downtime.
• Average minimum cost of a breach, per submission: $13,860.
• Average maximum cost of a breach, including 16 days of downtime: $375,440.
While the above costs may seem extraordinarily high, remember that they are averages; individual ransomware incidents can be exceptionally expensive.
According to Check Point, ransomware claims a new victim every 10 seconds.
Here are some examples:
• Norsk Hydro estimated its ransomware-related losses at more than $50 million.
• A ransomware attack against the New Orleans city government in early 2020 cost the city over $7 million.
• The Baltimore City government was hit with a massive ransomware attack in 2019 that left it crippled for over a month, with losses valued at over $18 million.
• The attack on Travelex on New Year’s Eve compromised the company’s websites in over 30 countries. This resulted in utter disarray for foreign exchange transactions in the first month of the year. The hackers allegedly demanded a $6 million ransom.
• An attack on England’s Redcar Council had employees resorting to traditional pen and paper. The ransomware attack on the council left 35,000 United Kingdom residents unable to access public services online.
• A woman in Germany seeking urgent care died this week after a bungled ransomware attack took down a major hospital, forcing paramedics to rush her to another city for treatment.
Small to Medium-Sized Businesses Are Big Targets
According to the World Bank, small and medium-sized businesses (SMBs) play a massive role in most economies, accounting for 90% of companies worldwide and representing over 50% of employment.
While large enterprises may present themselves as more lucrative prey, SMBs are an attractive target due to their lack of resources to defend against such attacks.
According to a recent report by the Ponemon Institute, the biggest challenge faced by SMBs is a shortage of personnel to deal with cyber-risks, attacks, and vulnerabilities. The second most significant problem is limited budgets, and the third is that the businesses may lack an understanding of how to protect against cyberattacks.
The Beazley Group briefing found that small-to-midsized businesses were at the most considerable risk. The highest ransom the company paid out for its clients in 2018 was over $930,000.
So, how do I get infected?
There are several different ways that ransomware can infect your computer. One of the most common methods today is through malicious spam or phishing emails that are used to deliver malware.
The email might include booby-trapped attachments, such as PDFs, images or Word documents. It might also contain links to malicious websites.
These emails use social engineering to trick people into opening attachments or clicking on links by appearing as legitimate, whether that’s by seeming to be from a trusted institution or a friend.
For example, cybercriminals use social engineering in other types of ransomware attacks, such as posing as the police, the tax office or lawyers, in order to scare users into clicking on links or opening attachments.
Here is an example of a phishing email.
The initial attack starts with phishing campaigns that use a wide variety of lures, such as customer complaints, COVID-19 themes, payroll reports and employee terminations.
Once you click on one of the links, it takes you to a landing page that pretends to be a Word document, Excel spreadsheet, or PDF that cannot be displayed properly, and prompts you to click on a link to view the document. See the example below.
And once you click any of these files, you are actually starting an executable that downloads malicious software to your machine... and the game is over.
So, What Do You Do?
So, let’s get back to the scenario that I posed right at the beginning of this article... what do you do? Do you pay the ransom?
Ransomware is deployed by criminals, and paying them funds further attacks, so it is strongly advised that you do not pay the ransom.
Governments around the globe have now issued guidance indicating that paying could put you in breach of the law!
Instead, deal with this situation as an incident by considering the following steps:
Step 1
a. First and foremost, if the affected computer is on a network, disconnect it: turn off the Wi-Fi and pull the network cable out of the back. The aim here is to stop any potential spread across your network.
b. Check whether any other computers are exhibiting similar behaviour, and disconnect them as well to contain them.
c. On all unaffected computers, immediately follow best practice guidance to heighten your security posture (see Step 3, Prevention, for more details).
Step 2
a. Hopefully, by containing quickly, you have limited the damage to a single computer. Ransomware is malicious software, so the computer must be rebuilt and its data restored from backup. Only connect the computer back to your network once it has been rebuilt and is ready to restore data from backup.
b. You must change the passwords for every user account that has been used on the affected computer. That includes changing passwords for any personal websites and apps that may have been used from the affected computer.
c. *Option* – If you don’t have backups of your data, you could consider using a ransomware recovery service such as Kaspersky “No Ransom” (https://noransom.kaspersky.com) or the “No More Ransom” project (https://www.nomoreransom.org/). Just remember that if you use a recovery service, there is no guarantee it will work. You still need to rebuild the computer, returning it to a known good state, after the data is recovered.
Step 3: Prevention
a. This is about making sure you avoid this situation again. Yes, you can succeed by employing the right steps. There are many excellent guides available to help you avoid ransomware. Here are a couple to consider:
i. The “No More Ransom” project’s advice on preventing a future ransomware attack: https://www.nomoreransom.org/en/prevention-advice.html
ii. The Australian Cyber Security Centre’s guidance on ransomware threats: https://www.cyber.gov.au/acsc/view-all-content/threats/ransomware
b. Continue to educate your users about the dangers of opening emails and clicking links from untrusted sources, as well as visiting untrusted websites.
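The containment check in step b (are other computers exhibiting similar behaviour?) can be partly automated. The script below is an added example, not part of the original article: it flags a folder tree when a large share of its files have the near-random byte distribution of ciphertext, or when a ransom-note-style file is present. The entropy threshold, the ratio, the note-name markers and the sample folder it builds are constructed assumptions for this demonstration.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Constructed thresholds for this example, not figures from the article.
ENTROPY_THRESHOLD = 7.5   # bits per byte; encrypted data sits close to the 8.0 maximum
SUSPICIOUS_RATIO = 0.5    # flag a folder once half or more of its files look encrypted
NOTE_MARKERS = ("readme", "decrypt", "restore", "how_to")  # common ransom-note name fragments


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_folder(folder: str, sample_bytes: int = 4096) -> dict:
    """Summarise ransomware-like traits in a folder tree: high-entropy files and ransom notes."""
    files = [p for p in Path(folder).rglob("*") if p.is_file()]
    high_entropy, notes = [], []
    for p in files:
        name = p.name.lower()
        # A text/HTML file whose name promises recovery instructions is a likely ransom note.
        if p.suffix.lower() in (".txt", ".html", ".hta") and any(m in name for m in NOTE_MARKERS):
            notes.append(p.name)
            continue
        # Only the first few KiB are read: enough to tell ciphertext from ordinary documents.
        with p.open("rb") as fh:
            if shannon_entropy(fh.read(sample_bytes)) >= ENTROPY_THRESHOLD:
                high_entropy.append(p.name)
    ratio = len(high_entropy) / len(files) if files else 0.0
    return {
        "files": len(files),
        "high_entropy": sorted(high_entropy),
        "ransom_notes": sorted(notes),
        "suspicious": bool(notes) or ratio >= SUSPICIOUS_RATIO,
    }


def build_demo_folder() -> str:
    """Constructed sample tree: two plain documents, three 'encrypted' files, one ransom note."""
    root = tempfile.mkdtemp(prefix="rw_demo_")
    for i in range(2):
        Path(root, f"report{i}.docx").write_bytes(b"Quarterly report text, plain and repetitive. " * 100)
    for i in range(3):
        Path(root, f"invoice{i}.xlsx.locked").write_bytes(os.urandom(4096))
    Path(root, "README_TO_RESTORE_FILES.txt").write_text("Your files are encrypted ...")
    return root
```

Run `scan_folder` against a user's documents share on each machine you suspect; a result with `suspicious` set is a signal to disconnect that machine too, not proof of infection on its own, since compressed archives and media files also have high entropy.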