Ransomware is nasty. I talked about it briefly in our covid-era cyber suggestions.
While business email compromise has historically been a more lucrative attack, ransomware is catching up. It can destroy your data and bring down your network. It can bring your company to its knees. The 2023 series of attacks kept coming.
But what is ransomware, how does it work, who are these attackers, and are these attacks increasing?
How It Works
Software vulnerabilities are sometimes the entry point to a network. A common vector (attack method) for ransomware continues to be unprotected Remote Desktop Protocol (RDP) on Windows systems.
But most of the time the age-old phishing email is the vector.
It all starts when one of your users clicks on a link or opens an attachment in an email from a threat actor, who consequently breaks into your organization’s network, encrypts its files (locking them), and then demands a ransom in exchange for the decrypting key (to unlock the systems and data).
Alternatively, after encrypting the data, the actor may threaten to release your sensitive organization data (customer or patient data, for example) onto the internet. Most of the time, your organization will only get part of your files back–but could get none. About 80 percent of victims who pay will also be hit again. That’s why the FBI’s Cybersecurity and Infrastructure Security Agency (CISA) recommends not paying and not negotiating with ransomware threat actors. The ransomware attacks on U.S. company Henry Schein are a case in point. The healthcare company reported a second ransomware attack in November 2023, one month after the first attack in October. The BlackCat/ALPHV ransomware gang claimed responsibility.
It Can Happen To Your Business and It’s Only Increasing
You might not think it can happen to you. But it usually starts with your workforce (except for ransomware variants like WannaCry), as is common with most cyber attacks. Coveware, a cybersecurity extortion incident response firm, said that in Q1 2023, ransom payments averaged $327,883, up 55% from Q1 of 2022 ($211,529). It added that for that period, 45% of attacks had an initial ransom demand over $1 million.
Ransomware criminals also don’t care who the target is. Targets range from a home user to critical infrastructure like hospitals and government offices. Cybercriminals have targeted these organizations with no compunction about the damage they do to others. They’ve even hit police.
Who Are These Attackers?
Hackers from eastern Europe, former Soviet republics and Russia are the most common threat actors. They have created and/or used different strains of ransomware software:
Bad Rabbit, BitPaymer, Cerber, CryptoLocker, CryptoWall, Crysis, CTB-Locker, Dharma, DoppelPaymer, GandCrab, GoldenEye, Jigsaw, KeRanger, LeChiffre, LockerGoga, Locky, Maze, MedusaLocker, NetWalker, NotPetya (the most-costly cyberattack on record at over $10 billion in damages, it primarily wiped data rather than encrypting or locking it), Petya, REvil, Ryuk, SamSam, Spider, TeslaCrypt, TorrentLocker, Wannacry, and ZCryptor.
Ransomware has garnered much attention from CISA and other government agencies like the US State and Treasury departments. Because of this increase, in 2021, CISA created its ransomware education site. CISA also maintains a list of alerts regarding specific strains.
And now more concern has been generated with the release of ransomware-as-a-service (RaaS), i.e. as a subscription service, with the attacker paying part of the ransom to the ransomware creator in exchange for his use of the hacker’s software.
This all goes to say your business is susceptible.
How Can You Best Protect Yourself and Your Business?
Though no protection is guaranteed (though we can get you on your best foot), here are some plans and practices you should put into place:
1. Use anti-malware software on all your systems.
2. Backup, and backup your backups. I keep three copies of my data, one online, and two on external drives. One of the external drives is updated and then disconnected from the network when done (that’s called “airgapping”).
3. Install security updates from Microsoft, Apple, and other vendors. Patch your systems through Windows Update or with Apple’s updates for its devices.
4. Beware of phishing emails and links, even where you think you are dealing with a legitimate organization or suspicious activity from someone you know. These phishing emails can have corrupt links or contain malicious attachments. Don’t even open unknown emails, or respond.
5. Delete junk email. I use webmail for security. Gmail has great spam protection, and I know Hotmail and other programs do as well.
6. Use the principle of least privilege, i.e., set the lowest permissions you can on data and systems. For example, set write permissions on your files to off on your external hard drives.
7. Watch out for visiting suspicious websites, which can load malware without your consent or knowledge (“drive-by downloads”). This malicious software can load ransomware after the initial infection.
8. Set up Multi-factor Authentication (MFA) for your users and employees, which means another protection measure on top of passwords. I use a hardware security key for Gmail and other sites that can use it, but I choose additional protection through text messages when available.
What Should You Do If You Have Been Attacked?
- Again, do not pay the ransom. CISA and other experts say that it only encourages criminals, and you are not guaranteed your data back if you do pay.
- Unplug your computers from the network. Disable wireless and detach any ethernet cables.
- Get help from your ISP representative, anti-malware company representative, or law enforcement.
- If you are insured, contact your insurance company.
- Talk to a legal representative to see if you have to report the incident to law enforcement.
- Get help to wipe and restore your systems from backup.
Once you have restored your systems, examine what you could have done better:
– Did you use an anti-malware software product?
– Did you use a cloud backup AND keep an extra copy of your data on an external hard drive?
– Did you use a password manager or use complex passwords not used anywhere else?
Your organization should also have an incident response plan to prepare for a cybersecurity incident and a disaster recovery plan for events like a natural disaster or other unforeseen disruptions to your business. These plans will help you minimize damage by restoring your business’ network access and functionality as quickly as possible.
Conclusion: We Can Get You Ready
Tech Kahunas recognizes that user error can put you in a position vulnerable to ransomware and to a number of other attacks. That’s why we specialize in, training your workforce–and you, personally. We know that everyone needs to be on board with cybersecurity at your organization. The weakest link to your security may be your most seasoned employee or even an executive.
Tech Kahunas is a San Diego Managed IT Services provider that provides IT support and services like 24/7 monitoring, data backup and restore, and malware protection.