This form of organized crime costs companies and institutions more money every year. But what is ransomware? Who is behind these attacks? What is their impact, and how can you protect yourself against them? An overview in 2021.
What is ransomware?
Ransomware is a type of unwanted software, or malware, whose particularity is to take data, computers, servers, or even mobile devices hostage. The authors of this malicious software typically demand a ransom in exchange for restoring access to the data or devices.
Although these attacks have been cropping up over the past several years, the very first ransomware largely pre-dates the web: in 1989, Dr. Joseph Popp, a Harvard-trained biologist, distributed some 20,000 floppy disks around the world, offering educational software about AIDS. Once installed, the software counted the machine's reboots and, after about 90 of them, triggered a routine that encrypted the names of the files on the victim's hard drive. The ransom was $189, to be sent to a post office box in Panama in exchange for a decryption disk.
Today's ransomware usually arrives by email, disguised as an invoice to pay, a bank statement or an e-commerce receipt, sometimes even appearing to come from a trusted address within your own company. Once the attachment is opened, the malware encrypts your files with a strong cipher, so that they cannot be read without the key, and may also lock the device itself. Instructions then appear on your desktop, most often asking you to pay a substantial sum in cryptocurrency to receive the key that decrypts your data.
However, you do not always have to open a booby-trapped email to get infected: a significant number of recent attacks have exploited known software vulnerabilities for which a patch existed, but which the administrators of the affected networks had not applied in time.
WannaCry is an example of such an attack. In May 2017, this ransomware spread from PC to PC on its own, using the EternalBlue exploit against a flaw in Windows' SMBv1 file-sharing protocol, and infected more than 200,000 computers in over 150 countries. Microsoft had published the fix (security bulletin MS17-010) two months earlier, in March 2017; the affected organizations had simply not installed it.
Who is behind these attacks?
In most cases, the source of an attack cannot be traced with certainty. Intelligence agencies and security researchers are sometimes able to identify the developers of such software from a few clues. For example, many ransomware families check the system language or installed keyboard layouts and refuse to run on computers set to Russian, Ukrainian or Syrian Arabic. This suggests that the operators live where those languages are spoken and want to avoid attracting the attention of their local law enforcement, although it is an indication rather than proof.
Even when the intelligence services manage to find these cybercriminals, few are arrested.
It is even possible, on specialized Darknet forums, to rent ransomware together with its payment and leak infrastructure (Ransomware as a Service): REvil was a notorious recent example. The actors behind REvil apparently disappeared around 13 or 14 July 2021, their sites going offline and requests going unanswered. It is common, however, for groups to disappear only to resurface under a different name later on, so the threat remains very real.
The impact of Ransomware
It is difficult to estimate the real impact of ransomware, but estimates in the hundreds of millions of dollars were already circulating in 2017. With the number of attacks constantly increasing, this figure is most likely an underestimate. The COVID-19 pandemic has only amplified the attacks, as corporate networks have had to open up so that employees can connect from home and continue working.
In early 2021, Universal Health Services, one of the largest hospital operators in the U.S., reported in its public accounts that a ransomware attack on its networks in September 2020 had cost it about $67 million.
In an even more recent example, in May 2021, Colonial Pipeline, the company that operates a crucial pipeline carrying gasoline, diesel and jet fuel along the U.S. East Coast, paid the ransom demanded by the cyber criminals within hours of discovering the attack. The ransom was 75 bitcoins, about $4.4 million at the time. The precautionary shutdown of the pipeline disrupted fuel distribution across the southeastern United States, prompting residents to stockpile gasoline by any means possible for fear of a shortage.
No one is safe: in 2020, an Ivorian insurance company revealed at a trade show that multiple coordinated attacks on their systems cost them 1.2 billion CFA francs. It is estimated that this same year, cybercrime cost Africa nearly 2,200 billion CFA francs (3.3 billion euros).
The impact is clearly not limited to the cost of the ransom itself; on top of it comes the cost of business interruption, with sometimes devastating effects: ransomware attacks on hospital systems have been reported to have contributed to the deaths of patients in intensive care.
These attacks are also increasingly an opportunity for the attackers to steal business data before encrypting it, threatening to publish it if the ransom is not paid (so-called double extortion); to the costs above must therefore be added the consequences of a potential data leak (industrial processes and secrets, intellectual property…).
How Can I Defend Against Ransomware?
Security systems are never infallible, and the more complex a corporate network is, the larger its attack surface. It is therefore important to combine several strategies to counter these attacks and, should they fail, to have a plan for recovering quickly.
The ANSSI (French National Agency for the Security of Information Systems) proposes a guide containing a wealth of information on the various countermeasures, which can be summarized as follows:
Keep backups of your data
The first point, which probably is the most important, is to regularly back up the company’s data. These backups will be critical in the case of a ransomware attack, but also for many accidents that may occur (fire, theft, loss of devices).
However, it is not enough to back up data to an external drive: if, at the time of an attack, the external drive is connected to an infected machine, the data on that drive will be encrypted in turn. At least one copy should therefore be kept offline or otherwise out of reach of the production network, and restores should be tested regularly, so that you know before an incident that the backups are intact and usable.
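One way to check that a backup set has not been tampered with after it was taken, as an added example for this article (not code from the ANSSI guide or from Sonema): hash every file at backup time into a manifest stored out of the attacker's reach, then compare the set against that manifest before relying on it. Files that changed, disappeared or appeared are reported, and changed files whose content now has the near-8-bits-per-byte entropy typical of ciphertext are singled out. The directory layout, file names and contents below are constructed for the illustration.

```python
"""Check a backup set against a hash manifest and flag files that look encrypted.

Added example for this article, not code from the ANSSI guide or from Sonema.
The directory layout, file names and contents are constructed for illustration.
"""
import hashlib
import json
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Ciphertext has close to 8 bits of entropy per byte; office documents, CSV and
# source code sit well below this. Compressed archives also score high, so the
# check is applied only to files whose hash no longer matches the manifest.
ENTROPY_THRESHOLD = 7.5


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def list_files(root: Path) -> dict:
    return {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}


def write_manifest(backup_root: Path, manifest_path: Path) -> dict:
    """Hash every file in the backup set. Keep the manifest where the backup host
    cannot write to it (offline media or write-once storage), otherwise the
    attacker can simply regenerate it after encrypting the files."""
    manifest = {rel: sha256_of(p) for rel, p in sorted(list_files(backup_root).items())}
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_backup(backup_root: Path, manifest: dict) -> dict:
    """Compare the current backup set with the manifest.

    Reports files whose content changed, files that disappeared (ransomware
    usually renames what it encrypts), files that appeared (the renamed copies
    and ransom notes), and changed files whose content now looks like ciphertext.
    """
    present = list_files(backup_root)
    report = {"modified": [], "missing": [], "unexpected": [], "high_entropy": []}
    for rel, expected in manifest.items():
        path = present.get(rel)
        if path is None:
            report["missing"].append(rel)
        elif sha256_of(path) != expected:
            report["modified"].append(rel)
            if shannon_entropy(path.read_bytes()) > ENTROPY_THRESHOLD:
                report["high_entropy"].append(rel)
    report["unexpected"] = sorted(set(present) - set(manifest))
    return report


def simulate_attack_on_mounted_backup() -> dict:
    """Constructed scenario: a manifest is taken, then ransomware reaches the
    still-mounted backup volume, overwrites one file with ciphertext and renames
    another. Returns the verification report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "backup"
        (root / "docs").mkdir(parents=True)
        (root / "accounts").mkdir()
        (root / "docs" / "report.txt").write_text("Quarterly report, draft three.\n" * 40)
        (root / "accounts" / "ledger.csv").write_text("date,amount\n2021-05-01,120.00\n" * 40)
        manifest = write_manifest(root, Path(tmp) / "manifest.json")

        # Simulated ransomware activity (constructed): os.urandom stands in for ciphertext.
        (root / "accounts" / "ledger.csv").write_bytes(os.urandom(4096))
        (root / "docs" / "report.txt").rename(root / "docs" / "report.txt.locked")
        return verify_backup(root, manifest)


if __name__ == "__main__":
    print(json.dumps(simulate_attack_on_mounted_backup(), indent=2))
```

Running the script prints a report in which ledger.csv is listed as modified and high-entropy, report.txt as missing and report.txt.locked as unexpected. The manifest only proves anything if the backup host cannot rewrite it, which is why the same offline-copy rule applies to it as to the backups themselves.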
Keep Software and Systems Up-to-Date
Attacks that require no user interaction always involve a software flaw, sometimes an old one. It is therefore essential to keep all systems up to date and never to delay the updates offered by the publishers of the software you use: servers, workstations and cell phones, but also external computers connecting to your network, and even printers, scanners and other connected devices.
It is also important to keep anti-virus and anti-malware tools up-to-date on all machines.
Limit and Control Users Rights to Networked Resources
By ensuring that users are not administrators of their own machines, and by granting access to files stored on your servers on a granular, need-to-know basis, you limit the damage an attack can do should it ever occur. Privileged accounts are often what allows ransomware to spread widely within a network; closer auditing of who accesses what can therefore be a good way to guard against an attack that could cripple your entire business.
Control Access to Internet
By filtering connections to the outside world, ransomware attacks can be detected and sometimes prevented from being carried out. A secure web gateway further reduces the risk by blocking the download of the malware or the exfiltration of data to the attackers' servers.
Monitor Event Logs
By setting up event monitoring, with the help of a SOC/SIEM platform, it is possible to spot alerts that may be precursors to a ransomware attack. Pooling the log files of an entire network gives a bird's-eye view of it, making it possible to identify unusual behaviour by the connected devices early.
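As an added example of the kind of detection such monitoring makes possible (not code from the page or from any SIEM product), the script below scans file-server events for two signals of ransomware at work: a burst of renames by one account that all append a new extension to existing file names, and the creation of a file whose name matches a known ransom note. The log format (one event per line, key=value fields, Windows paths), the ransom-note name list and the sample events are constructed for the illustration; in practice a SIEM would feed its own normalized events into detect().

```python
"""Flag ransomware-like activity in centralized file-server logs.

Added example for this article, not code from the page, the ANSSI guide or any
SIEM product. The log format (one event per line, key=value fields, Windows
paths) and the sample events are constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

WINDOW = timedelta(seconds=60)   # sliding window per account
RENAME_THRESHOLD = 20            # renames that append an extension within WINDOW
# File names ransomware typically drops next to encrypted files (illustrative list).
RANSOM_NOTE_NAMES = {"how_to_decrypt.txt", "readme_for_decrypt.txt", "restore-my-files.txt"}

LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) event=(?P<event>\w+)'
    r'(?: src="(?P<src>[^"]*)")?(?: dst="(?P<dst>[^"]*)")?(?: path="(?P<path>[^"]*)")?$'
)


def parse(line: str):
    """Return the event as a dict, or None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def appended_extension(src: str, dst: str):
    """'payroll.xlsx' -> 'payroll.xlsx.locked' yields '.locked'; an ordinary
    rename such as 'draft.docx' -> 'final.docx' yields None."""
    s, d = PureWindowsPath(src).name, PureWindowsPath(dst).name
    if d.startswith(s) and len(d) > len(s):
        return d[len(s):]
    return None


def detect(lines):
    """Scan events in chronological order and return alerts.

    Two signals: a burst of renames by one account that all append an extension,
    and the creation of a file with a known ransom-note name.
    """
    recent = defaultdict(deque)       # (host, user) -> timestamps of suspicious renames
    extensions = defaultdict(set)     # (host, user) -> appended extensions seen
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        key = (ev["host"], ev["user"])
        if ev["event"] == "create" and ev["path"]:
            if PureWindowsPath(ev["path"]).name.lower() in RANSOM_NOTE_NAMES:
                alerts.append({"host": key[0], "user": key[1],
                               "reason": "ransom note created", "path": ev["path"]})
            continue
        if ev["event"] != "rename" or not (ev["src"] and ev["dst"]):
            continue
        ext = appended_extension(ev["src"], ev["dst"])
        if ext is None:
            continue                  # ordinary rename, not counted
        q = recent[key]
        q.append(ev["ts"])
        extensions[key].add(ext)
        while ev["ts"] - q[0] > WINDOW:   # drop events that left the window
            q.popleft()
        if len(q) >= RENAME_THRESHOLD and key not in alerted:
            alerted.add(key)
            alerts.append({"host": key[0], "user": key[1], "reason": "mass rename",
                           "count": len(q), "extensions": sorted(extensions[key]),
                           "window_start": q[0].isoformat()})
    return alerts


def sample_log():
    """Constructed events: a.smith does normal housekeeping, then j.doe's account
    renames 25 files to *.locked in 48 seconds and drops a ransom note."""
    t0 = datetime(2021, 7, 13, 9, 14, 0)
    fmt = lambda t: t.strftime("%Y-%m-%dT%H:%M:%SZ")
    lines = [
        "# constructed sample, not a real log",
        f'{fmt(t0 - timedelta(minutes=5))} host=fs-01 user=a.smith event=rename '
        r'src="C:\Shares\Sales\draft.docx" dst="C:\Shares\Sales\final.docx"',
        f'{fmt(t0 - timedelta(minutes=4))} host=fs-01 user=a.smith event=rename '
        r'src="C:\Shares\Sales\notes.txt" dst="C:\Shares\Sales\notes.txt.bak"',
    ]
    for i in range(25):
        src = rf"C:\Shares\HR\file{i:02d}.xlsx"
        lines.append(f'{fmt(t0 + timedelta(seconds=2 * i))} host=fs-01 user=j.doe event=rename '
                     f'src="{src}" dst="{src}.locked"')
    lines.append(f'{fmt(t0 + timedelta(seconds=50))} host=fs-01 user=j.doe event=create '
                 r'path="C:\Shares\HR\HOW_TO_DECRYPT.txt"')
    return lines


if __name__ == "__main__":
    for alert in detect(sample_log()):
        print(alert)
```

On the sample, a.smith's single .bak rename stays below the threshold while j.doe's account triggers a mass-rename alert at the 20th rename and a second alert when the note is written. The threshold and window need tuning per environment (archival jobs and bulk migrations also rename many files), and the signal is only useful if the file servers actually forward their access audit logs to the SIEM.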
All of these measures together block a large share of attacks, but not all of them; educating your employees about the dangers of ransomware is therefore one of the fundamentals of a complete defence. IT staff should not be left out of the equation: they use administrative tools with high privileges on the network, and the compromise of one of their workstations could put the entire network at risk, backups included.
Initiatives such as No More Ransom, led by Europol together with national police forces and security vendors, sometimes provide free decryptors for specific ransomware families. The NoMoreRansom website hosts a large number of them, which can occasionally allow data to be recovered without paying a ransom. Such decryptors are becoming rarer, however: they are only possible when the attackers have made a cryptographic mistake or their keys have been seized, and the quality of the attacks improves every day.
A ransomware attack can have devastating effects on your business, but it need not be fatal; with the right response plan and layered defences, it is possible to return to normal activity quickly. This type of attack has become the norm, where the viruses of yesteryear once were, and is sure to make headlines for many years to come.
For over 30 years, Sonema has been supporting its customers in network, security and hosting. We offer a wide range of solutions that respond directly to the challenges of companies that care about their data. For more information, contact us.