The Scourge of Ransomware & How To Prevent It

#

Ransomware, along with data breaches, is one of the most devastating cyber-attacks facing online companies and organizations today. The targets are often SMBs (small to medium businesses), but an exhaustive list of high-profile companies and government organizations have fallen victim to ransomware attacks as well.

In this article, we are going to focus on major ransomware attacks in recent history, security companies that are developing anti-ransomware strategies, and what you can do to ultimately protect yourself.

The impact of ransomware on business

A ransomware attack can be incredibly devastating to an organization, both in terms of the cost of dealing with the ransomware, and the danger posed to customer privacy.

According to a SentinelOne report, the average cost of a ransomware attack amounts to more than $900,000 USD. This not only includes the ransom itself, which the organization may choose not to pay, but the fallout as well. A ransomware attack, even if paid, can amount to huge losses in productivity, legal fees, remediation, and more.

Daniel Markuson, a digital privacy expert at NordVPN, made the following comments regarding ransomware in an interview with Threatpost:

“Businesses face numerous cyberthreats from hackers, but ransomware is particularly insidious and common. When ransomware infects a server, it quickly spreads to encrypt all of the files on that server. Obviously, this can be disastrous for a business – all of its payroll, customer information, contracts and trade secrets all rendered inaccessible. Once it’s deployed, the hacker simply demands a ransom from the company before unlocking their files. That’s only if they’re honest, however.”

As far as whether or not organizations should pay up the ransom to hopefully quickly resume business, this presents a serious dilemma. For starters, there is no guarantee that the cyberattackers will actually deliver the encryption keys. And even if they do, ponying up the ransom can tell future cyberattackers that your company is willing to pay, which paints an even larger target on the company.

If a company chooses not to pay, they’ll end up needing to pay a cybersecurity firm for remediation of the situation, and in some cases this can cost more than the ransom itself.

While the adage “don’t negotiate with cybercriminals”can be easy to say, it’s fairly unrealistic. In more cases than not, making a ransom payment is the only viable option for a company, in the hope of quickly becoming operational again. Thus, it becomes an argument of ethics versus business necessity.

While there are numerous decryptor tools freely available from antivirus companies, they do not work for every type of ransomware attack, and a company can spend a lot of time and resources on trying to find the right decryption tool to use, if one is actually available for the specific strain of ransomware virus the company has been attacked with.

The cybersecurity industry itself can sometimes take advantage of a company’s situation, by simply paying the ransom without the company’s knowledge, and then charging the company a premium for their “work”.

Significant Ransomware Attacks in Recent History

Every day we hear about significant data breaches and ransomware attacks, but some stand out from others, especially considering the targets and the extent of financial damage.

In 2019 alone, we’ve seen several huge ransomware attacks against major global companies and even government organizations, sometimes bringing local government offices to a grinding halt.

In May, for example, ransomware infected local government systems all over the city of Baltimore, the fallout of which is still being felt today. While the ransom demanded $76,000 worth of Bitcoin, Baltimore’s government refused to pay. However, the city voted to transfer $6 million USD, taken out of the cities parks and recreation funds, to invest towards IT security and infrastructure, to hopefully prevent a similar attack from happening again. The city also acknowledged that an unknown amount of data was destroyed during the attack.

Then in June, the city of Riviera Beach, Florida was hit with a ransomware attack demanding $600,000 in payment. The FBI actually advised the Riviera Beach city council against paying the ransom, but the city council voted on paying for it anyways. Around $300,000 of the ransom payment was covered by the city’s insurance policy. Other municipalities around Florida were also attacked, including Key Biscayne, and Lake City, the latter paying almost $500,000 in ransom.

Other attacks on local government offices include a ransomware attack on the court system in rural Jackson County Georgia – Jackson County paid up $400,000 for data to be restored.

Founder of Georgia-based security firm Rendition Infosec, Jake Williams, had the following to say about these attacks:

“While the size of recent payouts are certainly not groundbreaking, publicly reporting on them is. There are tons of targets out there, and most of them don’t realize they have the exposure. I’ve never worked a ransomware case where a victim said ‘we realized this could happen to us but were playing the odds it wouldn’t.’ Most of them have heard of ransomware but fail to realize they have an exposure.”

While targeted attacks on local municipalities may seem like a new threat, it’s unknown if it’s the same cybercriminal group making these attacks. The FBI had the following to say on the matter, in an interview with WIRED:

“We are seeing an increase in targeted ransomware attacks; however, we do not have enough data to indicate one industry or sector is being targeted more than another. Cyber criminals are opportunistic. They will monetize any network to the fullest extent.”

So while these are examples of how cybercriminals have started to target government offices, there is still a significant focus on going after major companies.

  • ASCO: A ransomware attack in June on ASCO, a Belgian airplane manufacturer, cost millions of dollars in payment, system restoration, and overall downtime. As one of the largest airplane suppliers, the company had to shut down production in its Canada, Germany, and U.S. factories after a ransomware infection crippled their plant in Belgium. Around 1,000 workers had to be given leave, further adding to the financial impact.
  • Verint: US cybersecurity firm Verint was hit by ransomware in April, in their Israel offices. Being a large cybersecurity firm, however, Verint claims they were able to successfully mitigate the damage, without any ransom payment.
  • Arizona Beverages: One of the largest “iced tea” beverage suppliers in the U.S. was hit with ransomware in April, knocking over 200 computers and servers offline. This led to millions of dollars in lost sales, as the company was unable to process customer orders. The FBI had priorly warned Arizona Beverages that their systems were open to compromise for at least a couple months before the ransomware attack.

,

The future of possible ransomware prevention

Numerous cybersecurity firms have been researching how to completely prevent ransomware, but PayPal, the global online payment transaction company, believes they have figured out a unique system for detecting and beating ransomware.

In April, PayPal was granted a patent by the United States Patent and Trademark Office (US patent number 10262138), for a technique PayPal discovered in detecting ransomware. The system monitors for local files being stored in the computer’s memory cache system, where are all files are loaded when an application calls for executing an operation.

PayPal’s system thus will attempt to discover action patterns, such as when a file is duplicated and high-entropy encryption operations on performed on the duplicate. This is a common ransomware technique, which encrypts copies of original files while simultaneously deleting the original.

If PayPal detects these operations in progress, it will attempt to stop the process, and/or upload it’s own copies of the original files to a secure cloud-hosting server, for restoration at a later date.

How this differs from other ransomware detection systems in the past, for example Cryptostalker developed by Linux systems, is that past detection systems have relied on monitoring the filesystem for newly written files. If the files were being written at high speeds and contained random data, a sign of encryption, Cryptostalker would stop the writing process.

Other detection techniques include the now-defunct RansomFree app, which attempted to detect the onset of ransomware by using folder names with special characters, to ensure that ransomware would first encrypt the files in these specially named folders. If changes to these folders were detected, RansomFree would halt the ransomware encryption process.

Microsoft also released a ransomware detection with Windows 10 v1709, which creates a whitelist of approved apps that are able to make changes to files in user-selected folders. While it is actually a highly efficient system, it is not widely used because it requires a lot of manual setup, i.e. whitelisting every single app and folder the user has on their computer, and choosing which ones will receive the protection technique.

Overall, while there are a lot of mitigation and prevention techniques available, none have made any serious impact on stopping ransomware. Companies with huge networks of servers are especially slow to apply critical security updates, due to the amount of time required to configure each network with the latest security updates. This is why we see successful attacks like WannaCry, which relied on a security vulnerability that had actually been previously patched by Microsoft, but many of the victims had never applied the security update.

Ransomware prevention techniques you can take right now

Never download and open suspicious email attachments

This might sound like a no-brainer, but ransomware attackers have figured out some clever methods of making their emails appear legitimate. A popular method is sending an email about an “invoice” or other work-related documents attached, but the .PDF, Word file, or other documents are actually infected with the virus.

So for example, you might download a Word Document that is filled with characters and glyphs. Instructions will say something like “If you cannot view this document, please enable macros in Word settings”. Once the user enables macros, the document will actually run a malicious macro / script, taking over your computer and delivering the ransomware virus.

Create regular system backups

If ever you should experience a “successful” ransomware attack, and find that your data has been encrypted, it will be of tremendous benefit if you’d been regularly keeping backups of your system. However, you need to make sure that your backups are saved on an external drive that is never connected to the computer when not being used. The ransomware virus can travel to any external storage devices and encrypt those as well.

Another option would be cloud storage solutions, though this has risks as well. Cybercriminals are aware of cloud storage, and have been developing ransomware that can also infect files stored on the cloud, through desktop sync clients of popular cloud service providers.

Thus, the safest bet would be physical external storage devices, though this can be difficult for companies with huge amounts of data that exceed the storage limitations of physical storage devices.

Avoid clicking suspicious links

Malicious websites can run scripts that automatically start downloads when you visit the page, leading to infection. You should never click links from suspicious emails, and some ultra-security enthusiasts recommend going a step further and disabling scripts, especially JavaScript, on all websites except those that you explicitly trust.

Only download from secure sites

When searching for programs to download, you should only download from verified, reputable sites. You should stick to websites that use ‘https’ instead of ‘http’, and your browser’s address bar should display a shield or lock symbol to verify the site’s security.

If you’re downloading apps on your phone, this can be a little bit trickier. The main advice most give is to only download from the official app stores, which means Google Play or Apple Store, but malware-infected apps have been known to appear even on those official stores, getting past Google and Apple’s security. With this in mind, it’s recommended to regularly create backups of your phone’s data and transfer the backups to a separate storage.

Use strong antivirus software

There is a lot of antivirus software available out there, but the best antivirus software doesn’t just scan your device for infection. Prevention is the best cure, and that’s what many modern antivirus companies focus on. Real-time web and email shields that scan internet activity, to redirect you away from malicious websites and emails, preventing infection from ever happening in the first place.

Use mail server content scanning and filters

Using filters on your mail servers is not only a great way of organizing your inbox, categorizing your inbox based on your needs, but it can prevent the occasional malicious email that somehow slips past your Spam filter and appears in your primary inbox.

You should also have a strong content scanner, which will typically do a much better job of detecting spam and malicious emails than an email client’s internal configuration settings.

Keep your operating system and software updated

Software and operating system developers release security patches for a good reason, so not updating your system is basically shooting yourself in the foot. As we mentioned earlier in this article, the WannaCry ransomware was so successful because, despite Microsoft releasing a security patch that fixed the vulnerability WannaCry targeted, many companies did not install the update.

Software and OS developers aren’t trying to be a pain in your neck with frequent security updates, they’re doing a serious job. New viruses and security vulnerabilities are discovered every day, so developers work hard at patching these security flaws as quickly as they’re found.

Use a reputable VPN when connected to a public Wi-Fi

Whether you’re at the airport, coffee shop, or anywhere else that offers public Wi-Fi, you should be connected through a VPN to mask your data output. It’s easy for cybercriminals to sniff data being sent through public Wi-Fi, including login passwords and other data that is being sent from your device over the public Wi-Fi.

A VPN will typically encrypt this data, making it much harder for hackers to steal your personal data, or worse, inject malicious code onto your device itself. There are a lot of security risks and attack methods with regards to public Wi-Fi, so just do yourself a massive favour and download a trusted, highly-reviewed VPN.

Advertiser Disclaimer: We are a professional review site that receives compensation from the companies whose products we review. We test each product thoroughly and give high marks to only the very best. We are independently owned and the opinions expressed here are our own. We are not responsible for direct, indirect, incidental or consequential damages resulting from use of any antivirus software and/or this website.

Compare