Is your business protected from the next ransomware attack?
There is danger in ransomware attacks, as well as in ransomware variants that keep emerging to target servers, websites, and specific organizations such as local municipalities. Ransomware maintains its position as one of the most profitable business models in cybercrime.
Recent figures show that ransomware has filled hackers’ pockets with $11.5 billion in 2019, compared to $5 billion in 2017.
In the first half of 2019 alone, Sodinokibi (REvil) ransomware strains claimed 23 municipal governments in Texas, while two small cities in Florida were scared by Ryuk ransomware into paying over $1 million to regain access to their systems, after being locked out for two weeks. It could cost an extra $1 million to restore the system and ensure everything is up and running, even if the attackers follow through on their end of the bargain when the ransom is paid (which they rarely do).
Hackers rarely unlock systems after the ransom is paid out.”
Ransomware attacks are a pain, and looking at Gartner predictions for 2020 – hackers will keep using this type of attack.
The research company warns that 99 percent of the vulnerabilities to be exploited in 2020 will not be unknown in the industry, showing some IT executives ignore software updates and patches to Internet of Things (IoT) systems that are already known to be vulnerable, either because they are not designed with in-built security or the system may not be patchable. These exploits will account for over 25 percent of enterprise attacks, Gartner predicts.
Companies that fall victim to ransomware experience, in most cases, experience permanent critical and proprietary data loss. As they struggle to contain the attack, they will have to consider the financial implications driven by the disruption of operations, by efforts to rebuild the system and, unavoidably, the effect on the brand’s reputation.
What is Ransomware?
Ransomware is malicious software that seeks out critical files and devices to encrypt them for extortion.
How Does Ransomware Work?
The most common initial infection vector is a phishing or spear-phishing email that uses social engineering techniques to manipulate the user into either clicking on a malicious link or downloading an infected executable file.
Once the payload is activated, it will contact the Command and Control (C2) server. It will then encrypt the system and hold the data hostage. Instead of trying to make off with data that they can sell, they hold that data for ransom within a certain timeframe dictated by ransomware.
Their mentality is that if the data is valuable enough to be protected by layers of security, then surely it is valuable enough that the business would not want to risk its loss. And the business may even pay a hefty bitcoin ransom for its safe return.
Ransomware is virtual kidnapping.”
This is the idea behind ransomware – an insidious form of malware which has seen a huge upturn in use over the past several years. Whether the data is personal files, business or accounting information, or a set of passwords, data can be incredibly valuable to its owner.
And anyone can be a target of ransomware, as evident by an ransomware attack over the holidays to an unpatched PulseSecure VPN with Travelex.
It doesn’t matter if you are a small business, a casual computer user, or a corporation with security in place. If there is a weak link in the chain, an attacker can compromise a system and wreak havoc against your business.
All it takes for ransomware to take effect is that an executable is able to run on a computer.
Ransomware attacks can be fast and deadly, quickly encrypting all files on your computer or even worse, your organization. User’s often restart their PCs or turn them off instantly, and hackers have even added a function to deal with this. Most of the time files won’t be encrypted until the computer or server is restarted, effectively locking the user out of the entire system.
What are Usual Attack Vectors to Watch for Ransomware?
Phishing attacks are generally meant to steal critical information, which includes data such as bank details, payment information, social security numbers, address, or date of birth. Basically this can include any information that could be used to commit financial fraud, perform illegal transactions, or even create fake beneficiaries for mortgages or insurance claims.
Ransomware can be easily attached to email spoofing attacks.
To make sure they get the information or to manipulate the user into activating the payload, hackers resort to sophisticated techniques such as sending emails impersonating credit unions, banks, the IRS, and even educational institutions or legitimate companies.
Software vulnerabilities are another entry point for ransomware, if left unpatched. Other points of entry can include unpatched Remote Desktop services, botnets, ads, infected installers, and web injects.
A recent report by security company RiskSense found that Microsoft products had 27 vulnerabilities that would be targeted by ransomware, out of which eight were Windows-related, while Microsoft Edge, Internet Explorer, and Microsoft Office had three vulnerabilities each. Five vulnerabilities were found in Oracle and Adobe products.
What are the Types of Ransomware?
Ransomware comes in different shapes and sizes, yet there are three main categories: scareware, lock-screen, and file-encrypting ransomware.
Some, such as CryptoLocker and SimpleLocker, can’t self-replicate, so they use a trojan downloader to install the malicious payload. TeslaCrypt was originally believed to be a CryptoLocker variant and was responsible for almost 50 percent of ransomware attacks in 2016. It targeted video game archives and distribution services, and was regularly improved, which made it impossible to restore files.
Some of the top ransomware attacks in the past five years manipulated Microsoft vulnerabilities to infiltrate and encrypt networks. 2017’s global WannaCry ransomware attack was worse than CryptoLocker, the first detected file-encrypting ransomware.
WannaCry deployed hacking tools stolen from the NSA. Hackers used the EternalBlue exploit that went after vulnerabilities in Microsoft’s Server Message Block (SMB) protocol – a network file-sharing protocol.
Many organizations left the port open for the worm, because they never installed Microsoft’s patch. The EternalBlue exploit was later used by NotPetya, also known as GoldenEye ransomware, allegedly authored by hackers backed up by the Russian government.
Can Antivirus Software Protect From Ransomware Attack?
Free antivirus software is not enough to fight ransomware. Ransomware infections can even hide behind a fake free antivirus or other free online tools.
It is wisest to invest in prevention and response to mitigate risks. A robust security software with an anti-ransomware component is critical for any organization to ensure network protection.
An antivirus solution with signature-based detection will keep a close eye on all activity, including looking for malicious software and suspicious behavior in real-time. Some hackers have figured out ways to bypass traditional signature-based malware detection, which means they have a small chance of success.
A good antivirus solution will deliver malware, spyware and ransomware protection with a behavior monitoring component, besides the signature-based detection, specifically designed for ransomware monitoring.
A priority for any antivirus software is to use the anti-ransomware component to immediately detect it, but if the payload makes it into the system, then the antivirus might not succeed in removing the ransomware.
Security companies are working on improving their solutions to block sophisticated ransomware. There are a number of antivirus solutions that can remove ransomware, but the encrypted files are usually lost and the system can only be restored if the OS is reinstalled. In this case, multiple backups in both online and offline repositories are critical to easily restore the system in case of infection.
There is only so much that antivirus software can do if users are not trained about security threats and safe browsing. Sometimes employees are the weakest link and thus the most preferred target in ransomware attacks.
While antivirus software delivers basic protection against less sophisticated, first-generation ransomware variants, it is up to each user to keep all software and operating systems updated, not click on suspicious links or download suspicious attachments, establish a recovery plan, and regularly back up files offline.
5 Steps to Protect Your Organization From Ransomware
Keeping your business and technology secure starts with a few basic things– having virus and spam protection on all corporate devices, for example. But just because some of the measures we take seem like common sense, there is no single foolproof method to protect your company.
However, incorporating these steps into your business-wide security practices will certainly help you avoid disastrous and unexpected situations.
Here are a few steps you can take to reduce the risk of your data being held for ransom.
1. Keep All Systems Up-To-Date
Security patches and updates are vital for security in our tech-driven world.
Unless you know that an update will absolutely brick your system, you should always be applying the latest patches and updates for software and operating systems. Outdated or unpatched systems represent a huge security risk for your business, even though it can easily be avoided.
Most attackers go for “low-hanging fruit”. Systems that are connected to the internet and don’t have the latest updates and patches are the first targets.”
Hackers most likely didn’t target you or your business directly to find a vulnerable computer; your PC may have been one of many random targets a hacker is randomly attacking.
2. Educate Your Employees
Something as harmless as opening a suspicious email attachment can wind up infecting your entire network with ransomware.
It’s imperative that you instruct your employees on how to recognize phishing attempts and what could be a malicious email or application. The more they understand the threats facing your business, the less likely they will be to put you at risk unintentionally.
Educating employees on proper security practices and guidelines for your organization can help stop a dire situation from happening, and get any suspicious activity in the hands of your security team. Even the best antivirus programs will not detect every threat, so a well-versed employee is one of the most effective measures to prevent the threat of ransomware.
3. Secure Your Server and Email
Even educated employees can make mistakes, and the more you can do to prevent those mistakes, the better.
By incorporating anti-spam and anti-virus solutions into your email server and networked computers, you have a tool that can automatically detect and block bad attachments and executables from being downloaded or running.”
While this will not guarantee that you will avoid infections from ransomware, it can go a long way in protecting even the most vulnerable systems.
Reducing the amount of incoming spam will help your organization lower the amount of times that risky attachments ever get to your user’s mailbox. This lessens the chances that an employee can even make a questionable decision.
Having anti-virus installed works much the same way. Up-to-date antivirus software can detect malicious executables before they are ran on a system, stopping a bad attachment that was downloaded, for example.
Antivirus and spam protection is never foolproof, but can be a last line of defense if an attack was imminent.
At Liquid Web, using our proprietary ServerSecure software and additional antivirus solutions can help protect and remediate systems from the dangers of ransomware.
4. Avoid Unsecured and Public Connections
An unsecured wireless network can be an open door into your organization’s network.
According to research from Kaspersky Labs, 24.7% of WiFi hotspots do not use encryption at all, and another 2% use WEP – which is functionally the same.”
If your employees access business resources through these unencrypted networks, it would be easy for an attacker to install malicious files to your servers.
Giving employees a secure means of remote access is important, whether you need to use SSH, VPN, FTP, or RDP. That way, even if a user accesses business-resources from an unsecured connection, there is a secure and encrypted layer between the insecure network and potentially malicious attackers.
VPNs are a common way companies navigate these risks.
A secured VPN connection puts another secure server in between user’s and your network’s resources. Your IT team should be able to handle this setup.
Learn more about how Acronis Cyber Backup, Liquid Web’s Dedicated off-server backup solution, works in this exclusive webinar.
5. Backup Your Data – And Protect Your Backups Off-Site
If you have reliable and automated off-site backups of your data, even if a hacker encrypts everything on your server, you have daily or hourly copies stored on another network via encrypted channels.
If an attack takes place and compromises your network or a handful of computers, you can immediately take everything offline, secure your network by updating passwords and firmware, and restore your last unaffected backups.
By downloading and scanning your backups for problems, or by identifying how an attack occurred, you can safely and securely bring your old files back and not lose more than an hour or a day’s worth of data.
Don’t Let Your Data Be Held For Ransom. Download our Security Infrastructure Checklist for SMBs.
Nick is the Senior Director of Security & Architecture at Liquid Web. He has over 16 years of experience in Technology and brings a wealth of knowledge and a strong understanding of data security to help safeguard our customers' environments.
Keep up to date with the latest Hosting news.