
How to Protect your Business from Ransomware

Ransomware is causing havoc in company networks, while behind the attacks are well-organised gangs making vast sums from their criminal activity.

Ransomware strikes at business

In April, Dutch media was full of reports of cheese shortages at Albert Heijn, the country's largest supermarket chain. Shortages like this happen all over the world and would be nothing out of the ordinary, were it not for the fact that this one was caused by ransomware. The attackers hit Bakker Logistiek, one of the largest logistics firms in the Netherlands, and encrypted the company's data, which interrupted deliveries and the processing of orders. Bakker Logistiek's management issued a statement saying that without access to that data they could neither manage their warehouses nor provide transport services.

This is not the first case of cyber criminals paralysing a large logistics firm. In November of last year, a global company from the USA went through a similar ordeal: it lost access to its telephone systems and email, and was left unable to manage stock or complete orders. We discussed how sharply the number of attacks has risen in our article Ransomware attacks 2021.

The example of the Dutch firm shows that increasing digitalisation, for all its benefits, also brings threats such as ransomware. These have intensified during the pandemic (you can read more about this in our article: The Big Shift. COVID-19 and IT). A report by Bitdefender found that the number of ransomware incidents rose by 715% year on year in the first half of last year. The attackers showed no mercy: alongside companies, they targeted hospitals as well as scientific and government institutions.

Who is behind ransomware attacks?

Cyber criminals rarely operate as lone actors in the shadows, and ransomware attacks are the perfect example of that. At the top of the hierarchy are the ransomware gangs, who recruit affiliates to work with them; the best of these affiliates earn high premiums. Malicious software can also be bought on the Darknet, with the price depending on its quality: second-rate malware goes for around 70 USD, while a top-of-the-range product costs around 6000 USD. The cybercriminal industry is moving with the times and offers, for example, Ransomware as a Service (RaaS). In this model the client receives ready-to-use malware and, importantly, needs no knowledge of server administration or of the malware itself. It is worth noting, though, that this is cheap ransomware, designed for attacks on small businesses or households. For more serious jobs, the ransomware gangs round up specialists. So how much can an affiliate earn from such cooperation?

Ransomware as a service

The Sodinokibi group, also known as REvil, pays its affiliates a 30% commission on any ransom received, rising to 40% after three successful attacks. According to the cyber security firm Intel 471, around 25 ransomware gangs operate through affiliates. At the top of the hierarchy is Ryuk, an exceptionally dangerous group whose tooling turned up in every third ransomware attack carried out last year. Ryuk conducts multi-stage attacks, gaining its initial foothold through loaders such as Trickbot, Emotet and BazarLoader. Groups associated with Ryuk have repeatedly targeted the US healthcare system. Other dangerous gangs sowing fear among network users include DoppelPaymer (used in attacks on Pemex, Bretagne Télécom, Newcastle University and Düsseldorf University), Egregor (Crytek, Ubisoft, Barnes & Noble), Netwalker / Mailto (Equinix, UCSF, Michigan State University, Toll Group) and REvil / Sodinokibi (Travelex, New York airport, local authorities in Texas).

Ransomware – to pay or not to pay?

That is the dilemma every ransomware victim faces. Many specialists, including security vendors, advise against paying the criminals. First, there is never a 100% guarantee that the attackers will actually decrypt the files; second, every ransom paid funds and encourages further attacks. There are conflicting opinions, though. If a firm does not pay and has no way of restoring its data, it faces huge costs and disruption, which in extreme cases can end in bankruptcy. Even organisations with backups and the technical know-how to use them have to spend a lot of time and money restoring their systems.

One interesting take on the activity of ransomware gangs comes from John Carlin, US deputy attorney general, who earlier, as a partner in the law firm Morrison & Foerster, focused on issues related to cybercrime. John Carlin admits that there have been cases in which the victim paid a ransom of 20 million USD.

In almost every case, the firm paying the ransom realised that the costs resulting from the damage related to lack of access to data would be 10 to 20 times greater than the ransom itself, John Carlin admits in The Wall Street Journal.

Meanwhile, according to a report by Coveware, the average payment for decrypting files in the fourth quarter of last year was 154,000 USD, while the median was 49,000 USD.

Not without reason, there are calls in the United States for Congress to consider making ransom payments by companies illegal, in the same way as the financing of terrorism. John Carlin promises that the task force will also look for more "innovative ways of using legal means (…) in order to protect victims before they become victims". Last week the Department of Justice revealed that the FBI, acting under a court order, had connected to the networks of firms whose on-premises Microsoft Exchange servers had been compromised and removed the web shells the attackers had left behind. To a large degree, this decision was driven by the fear that criminal groups would use those footholds to deploy ransomware.

How to protect yourself from ransomware attacks

Ransomware attacks cause significant damage, but most of them are preventable. Organisations that have built strong cybersecurity foundations are considerably less susceptible than competitors who treat IT security lightly. Technically, ransomware is just another family of malicious software, and most campaigns reuse well-known techniques and loaders that active monitoring of the IT environment can detect relatively easily. Comprehensive protection should therefore include scanning and filtering of:

  • endpoints,
  • network traffic,
  • internet content,
  • emails.

These basic defences are in general quite effective. There is always a risk, however, that cyber criminals will come up with something new, so it is also worth investing in EDR (Endpoint Detection and Response) systems, which detect and react to suspicious behaviour on end devices rather than relying only on known signatures. Another useful control is a sandbox, which isolates selected programs (a browser or mail client, for example) from the rest of the operating system, so that a malicious program running inside it cannot modify data on the user's disk. The principal aim of most ransomware attacks is to cut the victim off from critical information until the ransom is paid; that risk can be mitigated by keeping backups. Bear in mind, though, that restoring from backup also reinstates the environment as it was when the attackers got in, including the weakness they exploited. IT departments should therefore not only restore systems to operation but also identify and eliminate the root cause of the incident before putting those systems back online.
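To make the monitoring point above concrete, here is a small added example (written for this edit, not Storware's code or the logic of any product) of the kind of file-level heuristics an endpoint monitor combines to spot an encryption run: files whose contents are close to random (high Shannon entropy), a burst of documents with an unfamiliar extension bolted onto the original one, and a text file that reads like a ransom note. The file names, thresholds and sample contents are constructed assumptions; a real EDR additionally watches process behaviour (one process rewriting thousands of files, shadow copies being deleted) rather than only the files left behind.

```python
"""Toy ransomware-activity heuristics over a snapshot of files.

Added example, not Storware's code. Three signals are combined:
  1. high Shannon entropy (encrypted or compressed content),
  2. a known document extension with an unfamiliar one bolted on (report.xlsx.locked),
  3. a ransom-note-like text file.
A file that is both renamed and high-entropy is treated as encrypted.
"""
import math
import os
import random
from collections import Counter

HIGH_ENTROPY_BITS = 7.5          # assumed threshold; random bytes score close to 8.0
ENCRYPTED_FILE_THRESHOLD = 5     # assumed: this many encrypted files in one snapshot is a burst
DOCUMENT_EXTS = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".csv", ".sql", ".jpg", ".png", ".zip"}
DENSE_EXTS = {".jpg", ".png", ".zip", ".gz", ".7z", ".mp4"}   # legitimately high-entropy formats
NOTE_NAME_HINTS = ("readme", "recover", "decrypt", "restore", "how_to", "help")
NOTE_KEYWORDS = ("bitcoin", "decrypt", "ransom", "private key", ".onion", "tor browser")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def split_extensions(path: str) -> tuple[str, str]:
    """Return (inner, outer) extensions: 'a/report.xlsx.locked' -> ('.xlsx', '.locked')."""
    base = os.path.basename(path).lower()
    root, outer = os.path.splitext(base)
    _, inner = os.path.splitext(root)
    return inner, outer


def is_renamed_document(path: str) -> bool:
    """A known document extension followed by an unknown one is the classic ransomware rename."""
    inner, outer = split_extensions(path)
    return inner in DOCUMENT_EXTS and outer not in DOCUMENT_EXTS


def is_suspiciously_dense(path: str, data: bytes) -> bool:
    """High entropy is only suspicious for formats that are normally neither compressed nor encrypted."""
    _, outer = split_extensions(path)
    return outer not in DENSE_EXTS and shannon_entropy(data) >= HIGH_ENTROPY_BITS


def looks_like_ransom_note(path: str, data: bytes) -> bool:
    """Name hints plus at least two ransom-note keywords in the text."""
    base = os.path.basename(path).lower()
    if not any(hint in base for hint in NOTE_NAME_HINTS):
        return False
    text = data.decode("utf-8", errors="ignore").lower()
    return sum(keyword in text for keyword in NOTE_KEYWORDS) >= 2


def assess(snapshot: dict[str, bytes]) -> dict:
    """Evaluate a {relative_path: content} snapshot and return the evidence plus a verdict."""
    renamed = sorted(p for p in snapshot if is_renamed_document(p))
    dense = sorted(p for p, d in snapshot.items() if is_suspiciously_dense(p, d))
    encrypted = sorted(set(renamed) & set(dense))
    notes = sorted(p for p, d in snapshot.items() if looks_like_ransom_note(p, d))
    suspected = bool(notes) or len(encrypted) >= ENCRYPTED_FILE_THRESHOLD
    return {
        "renamed": renamed,
        "high_entropy": dense,
        "encrypted": encrypted,
        "ransom_notes": notes,
        "verdict": "ransomware_suspected" if suspected else "clean",
    }


def snapshot_directory(root: str, max_bytes: int = 64 * 1024) -> dict[str, bytes]:
    """Read the first max_bytes of every file under root into the form assess() expects."""
    snapshot = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                with open(full, "rb") as fh:
                    snapshot[os.path.relpath(full, root)] = fh.read(max_bytes)
            except OSError:
                continue  # unreadable file: skip it rather than abort the whole scan
    return snapshot


def build_sample_snapshot() -> dict[str, bytes]:
    """Constructed sample: six encrypted spreadsheets, a ransom note, and benign files that must stay quiet."""
    rng = random.Random(2021)   # deterministic stand-in for ciphertext
    files = {f"finance/report_{i}.xlsx.locked": rng.randbytes(4096) for i in range(6)}
    files["hr/policy.txt"] = b"Report suspicious e-mails to the helpdesk instead of opening attachments.\n" * 40
    files["photos/team.jpg"] = rng.randbytes(4096)   # dense but legitimate: a JPEG is expected to look random
    files["finance/RECOVER_FILES.txt"] = (
        b"Your files have been encrypted.\n"
        b"Send 2 bitcoin to the address in this note to receive the decrypt tool.\n"
    )
    return files


if __name__ == "__main__":
    result = assess(build_sample_snapshot())
    print(result["verdict"], "encrypted:", len(result["encrypted"]), "notes:", result["ransom_notes"])
```

Run it as-is to see the constructed sample flagged, or call `assess(snapshot_directory("/srv/share"))` on a file share you want to check. The extension lists and thresholds are the parts to tune for your own environment; the important design choice is that entropy alone is not treated as evidence, because archives, images and already-encrypted documents are legitimately dense, so a file has to be both renamed and dense before it counts towards the burst threshold.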

Educate employees about ransomware

Unfortunately, the creators of ransomware never stand still and constantly look for new ways to wear their victims down. Since last year they not only encrypt data but also steal it and publish part of it, so that the attacked organisation suffers reputational damage on top of the financial losses. What is more, attackers have proved more than once that they can encrypt or delete backups, although this is not always possible. It is not possible when the backup is stored on tape, which is increasingly called the last line of defence: tape works offline, and criminals cannot delete or encrypt something they have no network access to. Another option is immutable backup, where each backup copy is written once and then held read-only for a defined retention period. During that period it cannot be deleted or altered by anybody, neither the storage administrator nor an attacker who has taken over the administrator's account.

Often, ransomware gets into a company through the inadvertent actions of employees who fall for phishing. Staff must therefore receive regular, up-to-date and consistent information on cyber security. Reminding personnel of safe practices, such as reporting a suspicious email instead of opening its attachment, can prevent them from unintentionally exposing the company to serious threats.

Find out more about cyberattacks from our blog Cyber Attacks – The Plague of the 21st Century.


text written by:

Pawel Maczka, CTO at Storware