Is your business protected from the next ransomware attack?
Ransomware attacks remain dangerous, and new variants keep emerging that target servers, websites, and specific organizations such as local municipalities. Ransomware maintains its position as one of the most profitable business models in cybercrime.
Recent figures show that ransomware has filled hackers’ pockets with $11.5 billion in 2019, compared to $5 billion in 2017.
In the first half of 2019 alone, Sodinokibi (REvil) ransomware strains claimed 23 municipal governments in Texas, while two small cities in Florida were scared by Ryuk ransomware into paying over $1 million to regain access to their systems, after being locked out for two weeks. It could cost an extra $1 million to restore the system and ensure everything is up and running, even if the attackers follow through on their end of the bargain when the ransom is paid (which they rarely do).
Hackers rarely unlock systems after the ransom is paid out.
Companies that fall victim to ransomware in most cases suffer permanent loss of critical and proprietary data. As they struggle to contain the attack, they also have to consider the financial implications of disrupted operations, of the effort to rebuild the system and, unavoidably, of the damage to the brand’s reputation.
Let’s look at ways to protect against ransomware attacks.
Can You Recognize a Ransomware Attack?
The first step in protecting against a ransomware attack is knowing what ransomware is, how it works, and its usual attack vectors.
What is Ransomware?
Ransomware is malicious software that seeks out critical files and devices to encrypt them for extortion.
How Does Ransomware Work?
The most common initial infection vector is a phishing or spear-phishing email that uses social engineering techniques to manipulate the user into either clicking on a malicious link or downloading an infected executable file.
Once the payload is activated, it contacts the Command and Control (C2) server. It then encrypts the system and holds the data hostage until a hefty bitcoin ransom is paid within a tight timeframe.
What Are the Usual Ransomware Attack Vectors to Watch For?
Phishing attacks are generally meant to steal critical information, which includes data such as bank details, payment information, social security numbers, address, or date of birth. Basically, this can include any information that could be used to commit financial fraud, perform illegal transactions, or even create fake beneficiaries for mortgages or insurance claims.
Ransomware can be easily attached to email spoofing attacks.
To make sure they get the information or to manipulate the user into activating the payload, hackers resort to sophisticated techniques such as sending emails impersonating credit unions, banks, the IRS, and even educational institutions or legitimate companies.
Unpatched software vulnerabilities are another entry point for ransomware. Other points of entry include unpatched Remote Desktop services, botnets, ads, infected installers, and web injects.
A recent report by security company RiskSense found that Microsoft products had 27 vulnerabilities targeted by ransomware, of which eight were Windows-related, while Microsoft Edge, Internet Explorer, and Microsoft Office had three vulnerabilities each. Five vulnerabilities were found in Oracle and Adobe products.
What are the Types of Ransomware?
Ransomware comes in different shapes and sizes, yet there are three main categories: scareware, lock-screen, and file-encrypting ransomware.
Some, such as CryptoLocker and SimpleLocker, can’t self-replicate, so they use a trojan downloader to install the malicious payload. TeslaCrypt was originally believed to be a CryptoLocker variant and was responsible for almost 50 percent of ransomware attacks in 2016. It targeted video game archives and distribution services, and was regularly improved, which made it impossible to restore files.
Some of the top ransomware attacks of the past five years exploited Microsoft vulnerabilities to infiltrate and encrypt networks. 2017’s global WannaCry ransomware attack was worse than CryptoLocker, the first detected file-encrypting ransomware.
WannaCry deployed hacking tools stolen from the NSA. Hackers used the EternalBlue exploit that went after vulnerabilities in Microsoft’s Server Message Block (SMB) protocol – a network file-sharing protocol.
Many organizations left the port open for the worm because they never installed Microsoft’s patch. The EternalBlue exploit was later used by NotPetya, also known as GoldenEye ransomware, allegedly authored by hackers backed by the Russian government.
Can Antivirus Software Protect From Ransomware Attack?
Ransomware attacks can be a pain, and judging by Gartner’s predictions for 2020, hackers will keep using this type of attack.
The research company warns that 99 percent of the vulnerabilities exploited in 2020 will already be known in the industry, which shows that some IT executives ignore software updates and patches. Internet of Things (IoT) systems already known to be vulnerable are a particular problem, because they are not designed with built-in security and are sometimes not even patchable. These exploits will account for over 25 percent of enterprise attacks, Gartner predicts.
Free antivirus software is not enough to fight ransomware. Ransomware infections can even hide behind a fake free antivirus or other free online tools.
It is wisest to invest in prevention and response to mitigate risks. Robust security software with an anti-ransomware component is critical for any organization to ensure network protection.
An antivirus solution with signature-based detection keeps a close eye on all activity, including looking for malicious software and suspicious behavior in real time. Some hackers have figured out ways to bypass traditional signature-based malware detection, which means they have a small chance of success.
A good solution delivers malware, spyware and ransomware protection with a behavior monitoring component, besides the signature-based detection, specifically designed for ransomware monitoring.
A priority for any antivirus software is to use the anti-ransomware component to detect ransomware immediately, but if the payload makes it into the system, the antivirus might not succeed in removing it.
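To make the difference between the two detection styles concrete, here is an added example (not code from the article or from any vendor it mentions) that runs a hash-based signature check and a simple behavior heuristic over a constructed stream of file-write events. The sample bytes, process names, file names and thresholds are all assumptions made for the example; real products use far richer telemetry, but the shape of the logic is the same: a trivially repacked sample slips past the hash match, while the burst of high-entropy rewrites and ransom extensions it produces is still caught by the behavior monitor.

```python
"""Added example: signature-based versus behavior-based ransomware detection
over a constructed file-event stream. Nothing here is taken from a real product."""
import hashlib
import math
from collections import defaultdict
from dataclasses import dataclass

# Constructed "signature database": the SHA-256 of one invented known-bad sample.
KNOWN_BAD_SAMPLE = b"MZ\x90\x00constructed-sample-of-a-known-locker"
SIGNATURES = {hashlib.sha256(KNOWN_BAD_SAMPLE).hexdigest()}
# A repacked copy: one appended byte is enough to change the hash.
REPACKED_SAMPLE = KNOWN_BAD_SAMPLE + b"\x00"


def signature_match(payload: bytes) -> bool:
    """Classic AV check: exact hash match against known samples."""
    return hashlib.sha256(payload).hexdigest() in SIGNATURES


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the content; encrypted or compressed data approaches 8.0."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


@dataclass
class FileEvent:
    ts: float          # seconds since start of trace
    process: str       # image name of the writing process
    path: str          # path written (after any rename)
    new_content: bytes # bytes written


# Thresholds are assumptions for this example, not vendor settings.
WINDOW_SECONDS = 10
MIN_SUSPICIOUS_WRITES = 20
ENTROPY_THRESHOLD = 7.0
SUSPICIOUS_EXTS = (".locked", ".encrypted", ".crypt")


def behaviour_alerts(events):
    """Flag a process that, within WINDOW_SECONDS, rewrites many files with
    high-entropy content or renames them to a ransom-style extension.
    Returns a list of (process, writes, high_entropy_writes, renamed) tuples."""
    alerts = []
    by_proc = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_proc[ev.process].append(ev)
    for proc, evs in by_proc.items():
        for i, start in enumerate(evs):
            window = [e for e in evs[i:] if e.ts - start.ts <= WINDOW_SECONDS]
            if len(window) < MIN_SUSPICIOUS_WRITES:
                continue
            high = sum(1 for e in window if shannon_entropy(e.new_content) >= ENTROPY_THRESHOLD)
            renamed = sum(1 for e in window if e.path.endswith(SUSPICIOUS_EXTS))
            if high >= len(window) // 2 or renamed > 0:
                alerts.append((proc, len(window), high, renamed))
                break  # one alert per process is enough
    return alerts


def _ciphertext_like(i: int) -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted output."""
    return b"".join(hashlib.sha256(f"{i}:{j}".encode()).digest() for j in range(64))


# Constructed trace: a word processor saving a few documents, then an unknown
# process rewriting thirty of them with ciphertext and a ".locked" suffix.
PLAINTEXT = b"Quarterly report draft, nothing unusual here. " * 40
SAMPLE_EVENTS = [
    FileEvent(ts=i, process="winword.exe", path=f"docs/report{i}.docx", new_content=PLAINTEXT)
    for i in range(5)
] + [
    FileEvent(ts=10 + i * 0.2, process="unknown.exe",
              path=f"docs/report{i}.docx.locked", new_content=_ciphertext_like(i))
    for i in range(30)
]


if __name__ == "__main__":
    print("signature hits known sample:", signature_match(KNOWN_BAD_SAMPLE))
    print("signature hits repacked sample:", signature_match(REPACKED_SAMPLE))
    print("behaviour alerts:", behaviour_alerts(SAMPLE_EVENTS))
```

The entropy threshold is the weak spot of this heuristic in practice: legitimate compressed formats (archives, images, already-encrypted containers) also score near 8 bits per byte, which is why the check here requires a burst of such writes from one process within a short window rather than a single high-entropy file.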
Security companies are working on improving their solutions to block sophisticated ransomware. There are a number of antivirus solutions that can remove ransomware, but the encrypted files are usually lost and the system can only be restored if the OS is reinstalled. In this case, multiple backups in both online and offline repositories are critical to easily restore the system in case of infection.
There is only so much that antivirus software can do if users are not trained about security threats and safe browsing. Sometimes employees are the weakest link and thus the most preferred target in ransomware attacks.
While antivirus software delivers basic protection against less sophisticated, first-generation ransomware variants, it is up to each user to keep all software and operating systems updated, not click on suspicious links or download suspicious attachments, establish a recovery plan, and regularly back up files offline.
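A backup only helps if the copy you restore from is known to be intact, and a backup share that stays connected to an infected host is exactly what the article warns will be encrypted alongside patient zero. The following added example (not from the article) records a SHA-256 manifest when a backup set is taken and checks a copy against that manifest before any restore. The directory layout, file contents and the simulated tampering are constructed for the example; the manifest is meant to live with the offline copy, out of reach of the host being backed up.

```python
"""Added example: integrity manifest for a backup set, verified before restore.
All paths and contents are constructed; the manifest format is our own."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative path) to its SHA-256."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def save_manifest(manifest: dict, out: Path) -> None:
    out.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(src: Path) -> dict:
    return json.loads(src.read_text())


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare a backup copy against the manifest captured when it was taken.
    Anything in 'modified', 'missing' or 'unexpected' means the copy must not be
    trusted for a restore."""
    current = build_manifest(root)
    return {
        "ok": [p for p, h in manifest.items() if current.get(p) == h],
        "modified": [p for p, h in manifest.items() if p in current and current[p] != h],
        "missing": [p for p in manifest if p not in current],
        "unexpected": [p for p in current if p not in manifest],
    }


def demo() -> dict:
    """Constructed scenario: take a manifest of a clean backup, then let an
    'infected host' overwrite one file with ciphertext and drop a ransom note
    on the still-connected share. Returns the verification report."""
    with tempfile.TemporaryDirectory() as tmp:
        share = Path(tmp) / "backup"
        share.mkdir()
        (share / "ledger.csv").write_text("date,amount\n2019-01-01,100\n")
        (share / "contract.docx").write_bytes(b"PK\x03\x04constructed-document")

        # Manifest is written somewhere the host cannot reach (here: a sibling
        # directory standing in for offline media).
        offline = Path(tmp) / "offline"
        offline.mkdir()
        save_manifest(build_manifest(share), offline / "manifest.json")

        # Simulated damage to the online copy.
        (share / "ledger.csv").write_bytes(hashlib.sha256(b"constructed-ciphertext").digest())
        (share / "README_TO_DECRYPT.txt").write_text("constructed ransom note")

        return verify_backup(share, load_manifest(offline / "manifest.json"))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run before every restore, this turns "we have backups" into "we have a backup whose every file still matches what we wrote"; the offline copy that was never connected to the infected host is the one that should pass cleanly.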
Ransomware will spread to the cloud and anything connected to patient zero. And, of course, invest in a solution that comes with anti-ransomware to detect and fend off infections.