The year 2016 saw alarming growth in ransomware attacks, which cost businesses and other organisations in the UK £4.5 million per year. An international survey by Malwarebytes reported that 40 percent of businesses had experienced a ransomware attack in the past year, and more than a third of those affected lost revenue. Victims who haven't prepared face the choice of paying a criminal or losing important data.
Some organisations, such as hospitals, have had no choice except to pay, because of the human cost refusal would carry. However, being well prepared reduces the chances of being hit by ransomware and of having to pay for recovery.
The types of ransomware
Broadly speaking, there are two types of ransomware: locking and crypto-ransomware. The first type prevents use of a computer, typically by replacing the desktop or login screen with the ransom demand, but it doesn't damage the files. It's almost always possible to get rid of it without paying the extortionist. The kind that encrypts files is more dangerous. It makes important files on the target computer unusable, and the only way to get them back may be to pay for the decryption key. It shouldn't surprise anyone that the second type is increasingly popular with cyber-criminals.
Some names are familiar to anyone who follows computer security news: Cerber, Locky, CryptoWall, Petya, etc. These are better described as families rather than specific pieces of code. The people who create them constantly vary them to elude detection and work around defences. Some use flawed encryption (a key left on the disk, a predictable key, or a home-made cipher), which has allowed researchers to publish free decryptors for particular versions. Others use strong, correctly implemented public-key encryption, with the private key held only by the attacker, leaving victims with no good alternatives.
The creators try to panic victims. The attack announces itself with a message on the computer screen and instructions on how to pay to recover the files. Usually, payment is by Bitcoin, which lets the perpetrator collect with little risk of being identified, since payments are pseudonymous and hard to trace to a person. Sometimes there's a threat to expose confidential or embarrassing data; this is usually, if not always, a bluff. Often there's a threat to encrypt more files, or to raise the price, if payment doesn't arrive promptly; that threat is real. The object is to rush the victim into paying instead of thinking carefully about the alternatives.
So far most ransomware targets the Windows operating system, but attacks on Android devices and Linux servers are on the rise.
The best defences
Attacks of this type usually start with a phishing email that tricks the victim into opening an attachment (often a macro-enabled Office document or a script disguised as a document) or visiting a malicious web page. This runs a small loader, which downloads and installs the ransomware itself. The ransomware surreptitiously encrypts files of selected types, or in some cases the master file table of the disk, on the local machine and on any network shares it can write to. Only after the damage is done does it make its demands.
Spam filtering and user education about email will reduce the chances that anyone in the organisation will open a malicious message and let the loader run. Up-to-date security software will reduce the chances that any kind of malware can take root in the system.
The other crucial defence is a current backup that the infected machine cannot overwrite. While backup to an attached drive is valuable, it's a weak defence against ransomware, which will encrypt any drive it can reach. Cloud storage doesn't help if it's just a mapped network drive or a synchronised folder: the encrypted files are simply synchronised upward over the good copies. What's needed is a backup to a destination that isn't directly usable as a drive from the client, and that retains old versions so the last good copy survives the encrypted one. Many cloud backup services provide this. If the backup runs frequently, the data loss is limited to whatever changed since the last run, which may be an acceptable loss.
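The two properties that matter, old versions retained and the store not writable from the client, are easy to state and easy to get wrong, so here is a small versioned snapshot store written as an added illustration for this article (it is not code from the page or from any product mentioned). Each run creates a new timestamped snapshot directory; unchanged files are hard-linked to the previous snapshot so they cost no extra space, and changed files are copied. The demo scenario, file names and timestamps are constructed for the example. It assumes the script runs on the backup host, pulling from the client, so the client never has write access to the store; run the same code from the client against a mapped drive and the whole point is lost.

```python
"""Versioned snapshot backup: demonstrates why retaining old versions
lets you recover files that ransomware has overwritten with ciphertext.
Assumption: this runs on the backup host, which reads the client's files;
the client cannot write to `store`."""
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

STAMP = "%Y%m%dT%H%M%SZ"


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshots(store: Path) -> list:
    """All snapshot directories, oldest first (names sort chronologically)."""
    return sorted(p for p in store.iterdir() if p.is_dir()) if store.exists() else []


def take_snapshot(source: Path, store: Path, when: datetime) -> Path:
    """Mirror `source` into store/<timestamp>/. Files identical to the previous
    snapshot are hard-linked (no extra space); changed or new files are copied.
    Nothing in an older snapshot is ever modified or deleted."""
    prev = snapshots(store)[-1] if snapshots(store) else None
    snap = store / when.strftime(STAMP)
    snap.mkdir(parents=True)
    for src in source.rglob("*"):
        if not src.is_file():
            continue
        rel = src.relative_to(source)
        dst = snap / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        old = prev / rel if prev else None
        if old and old.is_file() and old.stat().st_size == src.stat().st_size \
                and _sha256(old) == _sha256(src):
            os.link(old, dst)          # unchanged: share the existing copy
        else:
            shutil.copy2(src, dst)     # new or changed: store a fresh copy
    return snap


def restore_before(store: Path, cutoff: datetime, dest: Path) -> Path:
    """Restore the newest snapshot taken strictly before `cutoff` (e.g. the
    time the ransom note appeared) into `dest`. Raises if none predates it."""
    candidates = [p for p in snapshots(store)
                  if datetime.strptime(p.name, STAMP).replace(tzinfo=timezone.utc) < cutoff]
    if not candidates:
        raise LookupError("no snapshot predates the cutoff")
    chosen = candidates[-1]
    shutil.copytree(chosen, dest, dirs_exist_ok=True)
    return chosen


def demo() -> dict:
    """Constructed scenario: two good backups, then the live files are
    'encrypted' (overwritten with random bytes and renamed), then a backup
    runs after the damage. The pre-incident version is still recoverable."""
    root = Path(tempfile.mkdtemp())
    live, store, out = root / "live", root / "store", root / "restore"
    live.mkdir()
    (live / "accounts.xlsx").write_bytes(b"Q3 invoices v1")
    (live / "notes.txt").write_bytes(b"meeting notes")
    t0 = datetime(2016, 11, 1, 9, 0, tzinfo=timezone.utc)
    take_snapshot(live, store, t0)
    (live / "accounts.xlsx").write_bytes(b"Q3 invoices v2")   # legitimate edit
    take_snapshot(live, store, t0.replace(hour=12))
    # Simulated crypto-ransomware at 14:00: contents replaced, extension appended.
    for f in list(live.iterdir()):
        f.write_bytes(os.urandom(len(f.read_bytes())))
        f.rename(f.with_suffix(f.suffix + ".locked"))
    (live / "README_DECRYPT.txt").write_bytes(b"pay to recover your files")
    incident = t0.replace(hour=14)
    take_snapshot(live, store, t0.replace(hour=15))            # captures the damage, harmlessly
    chosen = restore_before(store, incident, out)
    return {
        "snapshots": len(snapshots(store)),
        "chosen": chosen.name,
        "accounts": (out / "accounts.xlsx").read_bytes(),
        "notes_shared": (store / "20161101T120000Z" / "notes.txt").stat().st_nlink >= 2,
    }


if __name__ == "__main__":
    print(demo())
```

The snapshot taken after the incident contains only `.locked` files and the ransom note, but it cannot harm the earlier snapshots, which is exactly what a mapped drive fails to guarantee. Restoring from the 12:00 snapshot loses only the work done between 12:00 and the moment of encryption; how often `take_snapshot` runs is therefore the only knob that controls the loss.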
These points apply to crypto-ransomware. Locking ransomware merely prevents use of the computer, and there’s never a reason to pay the person who locked it to unlock it. Standard malware removal procedures will get rid of the problem.
Organised criminal activity
Many of the attacks come from well-run criminal groups. Some groups offer “ransomware as a service.” For a small fee, or a share of the proceeds, people with minimal technical skills get a ready-made ransomware kit and payment infrastructure, run the campaign themselves, and keep most of what victims pay.
Demands are usually small enough, in the range of a few hundred pounds, that victims may consider it easier to pay than to seek alternatives. Many attacks go unreported outside the business that was victimised. The result is a relatively safe stream of revenue to the criminals.
Planning for ransomware
Businesses should plan ahead, so that they don't have to make policy decisions under pressure. The policy needs to guide their actions at each step.
First, should a business ever give in to ransomware? It's easy to offer an indignant “No,” but this has to be backed up with a clear understanding of the worst-case consequences. Some organisations have the luxury of taking a stand, but others don't.
What are the immediate steps to take when an incident is reported? The first action should be to isolate the affected computer from the network, by unplugging the cable or disabling wireless, so that it cannot reach shared drives or other machines. The event should then be reported to Action Fraud, the UK's National Fraud & Cyber Crime Reporting Centre. The next steps should include identifying the ransomware family, usually from the ransom note and the extension added to encrypted files, and determining the extent of the damage, including any network shares the machine could write to.
How should IT staff proceed? The response will depend on the family involved and the remedies currently available; for some families, free decryptors exist. Removing the malware is usually a high priority, but if paying the ransom hasn't been ruled out, first take a disk image and keep the ransom note and a sample of the malware: some variants can only be decrypted with the victim identifier or decryptor the malware itself provides, and deleting it first can leave the files unrecoverable even after payment.
What actions will prevent a recurrence? IT staff have to determine, if possible, what mistakes allowed the attack to succeed, and what changes in software, system configuration, or training will reduce the chances of recurrence. Whatever decisions they make about payment, they need to make sure the malware is removed from the machine, and that no other machines on the network have it.
Weighing the alternatives
Deciding whether or not to pay the extortion fee shouldn’t be just a matter of which costs less. If you pay, you mark yourself as an easy target and help to finance further attacks. Sometimes there’s no choice, but you should make every reasonable effort not to pay a thief. The best way to do that is not to be victimised in the first place.