Ransomware is one of the most serious security threats companies face today, and it dominates the headlines for cyber attacks. But what exactly is ransomware?
In a ransomware attack, a threat actor gains access to your systems and encrypts files so that you can no longer read your own data. To get those files back, you are told to pay a ransom, and many groups now also copy the data out before encrypting it and threaten to publish it if you don't pay, so a good backup alone does not make the problem go away.
In theory, the attackers then provide a decryption key or a decryption tool that gives you access to your data again, but there is no guarantee you'll get your files back if you pay: keys sometimes never arrive, and the decryptors that do arrive are often slow or buggy. The FBI generally recommends not paying the ransom, but rather recovering by other means, primarily from backups.
In this article, I’ll give you an overview of ransomware attacks — how they work, how they can impact your business, what to do if you’re a ransomware victim, and how to protect your organization from an attack.
The FBI's Internet Crime Complaint Center (IC3) reports that annual losses due to ransomware in the US have more than quadrupled in recent years. Ransomware is clearly a serious threat, so it's important to know how to keep your organization's data as safe as possible from it.
What are some common misunderstandings about ransomware attacks?
The biggest misconception about ransomware is that smaller companies won't be targeted by it. They absolutely can be: we regularly see schools and hospitals falling prey to ransomware.
Public schools aren't big money makers, so you might wonder why attackers would target them. Attackers don't care. Anyone who can click a link that leads to ransomware is a business opportunity, and you can bet they'll take it.
Ransomware is often a crime of opportunity, so attackers look for any way to appear to be a trusted source, or for any other weakness. They phish your employees, scrape email addresses and contact information from public sites like LinkedIn, guess addresses from your naming convention (first.last@company.com), and scan your external-facing systems for exposed remote access and unpatched software. Your organization doesn't have to be a large, multimillion-dollar company to be attacked.
How does a ransomware attack occur?
Phishing is the most common way in. An employee receives an email with a link or an attachment and, believing it comes from a legitimate sender, either types their credentials into a fake login page or opens a file that runs the attacker's code. Either result, stolen credentials or a foothold on the workstation, is enough to get started.
Ransomware can also be picked up by visiting websites: a compromised site or a malicious ad can exploit an unpatched browser or plugin, or simply trick the user into downloading and running a fake update. Once the ransomware has a foothold on a single machine, your entire organization's security may be compromised.
It usually isn't hard to tell whether you've been hit by ransomware. Typically, at some point during the encryption process, a pop-up or a changed desktop background tells you the machine has been infected. If there's no pop-up, there will almost always be new files containing ransom instructions in every directory the ransomware touched, and the encrypted files usually carry a new extension.
Most of the time, the ransom note demands payment in cryptocurrency because it is harder to trace. The FBI has occasionally recovered ransom payments, but that's not a given and it can take a long time.
Ransomware is particularly insidious because it doesn't always activate immediately. The most sophisticated operations get in, stay quiet and spread for a long time before they encrypt anything; dwell times of six months or more have been seen. Attackers do this because the only reliable recovery method is thorough backups, and if the intruder's tools sit undetected long enough, it becomes hard to know how far back you need to go to find a backup that is clean.
Staying undetected also lets the ransomware reach more files. If it has only encrypted one directory by the time it announces itself, you could shut the machine off and potentially recover most of the data from that disk before it does significant damage. The most sophisticated ransomware will not only encrypt files on the first machine but will also move laterally, using credentials harvested from the compromised machine to jump rapidly from host to host across the network.
What makes ransomware easy to build is that modern operating systems ship strong cryptography. Windows, macOS and Linux all expose crypto libraries to any program, and each includes its own disk encryption tool: BitLocker on Windows, FileVault on macOS and dm-crypt/LUKS on Linux. Most ransomware simply calls the OS crypto APIs or bundles its own library and encrypts your files with a key you don't have; some strains go further and abuse the built-in disk encryption itself, turning it on with an attacker-chosen key. Either way the cryptography is sound, which is why you cannot expect to "crack" your files back.
How badly will a ransomware attack impact your business?
For organizations that lack good backups and are unprepared to deal with ransomware, an attack on your systems can be devastating. There are cases where ransomware has shut down small businesses permanently.
Businesses unprepared for a ransomware attack will likely be unable to earn revenue until they restore their systems, and that can take months. Many organizations aren't prepared to restore from backups, so they end up rebuilding their systems from scratch.
There’s also the cost of losing your data. If, for instance, your financials are ransomed and you don’t have backups of them, what happens if you lose all of that historical financial data? Are there regulatory impacts? Are you still able to pass your audits? What about outstanding bills or invoices?
A ransomware attack can also damage the reputation of your organization. Depending on your jurisdiction, your industry and the data involved, you may be required by law to disclose the incident to regulators, customers or the public, which can make it hard to win future business, especially for smaller companies trying to sell to larger ones. There's a lot of scrutiny on the software supply chain, and customers will always weigh the risks their service providers pose.
Ransomware cases generate headlines. One of the best known is the Colonial Pipeline incident in 2021. The ransomware hit the company's IT network, including its billing systems, and the company shut down pipeline operations as a precaution while it worked out how far the intrusion reached, causing fuel shortages across the US East Coast. It is a clear illustration of how an attack on ordinary office systems can take physical operations offline.
At the same time, ransomware is so prevalent that it’s almost impossible not to encounter it. And if you deal with it effectively, it can become a feather in your cap. You can say, “We dealt with it. There was minimal to no impact on business operations.” It shows you’ve got a strong plan in place, that you executed the plan, and you were able to overcome the challenge.
What should you do if you’re a victim of a ransomware attack?
Hopefully you already have a plan to address ransomware. If you do, from the moment you recognize ransomware, you need to start executing that plan. At a minimum, the plan should define:
- Recovery time objective (RTO): what is your goal for the time it takes to restore data?
- Recovery point objective (RPO): how much data can you tolerate being lost?
The only way to really get rid of ransomware is to restore your systems from a backup taken before the attack occurred. But depending on how long you've been infected, you could mistakenly restore from a backup that also contains the ransomware. In that case it just picks up where it left off, and you're back at square one. The same thing happens if you restore clean systems but leave the attacker's original way in open, such as a stolen VPN password or an unpatched internet-facing server: they walk back in and do it again.
That's why you see some organizations down for weeks or months at a time: they either get caught in this cycle of restoring the ransomware along with their data, or they don't have backups that are detailed enough or go back far enough.
My recommendation is a backup scheme that includes incremental, file-level backups. That way, once you have identified the files the ransomware brought with it, you can restore everything around them rather than rolling the whole system back. You also want retention that goes back as far as you possibly can, because the particular file or files where the infection started may have been in place for months, and you may need a copy from before they appeared.
Hopefully you’ve got security people within your organization. If you don’t, then it’s highly recommended you bring in a third party to deal with the incident.
The worst thing you can do is nothing; ransomware has to be dealt with. One of the best things you can do right away is take the affected asset off the network or power it off, and bring in the professionals.
From the moment you notice ransomware, isolate or power off every affected asset before it can spread. There is a trade-off here: powering off stops the encryption on that machine immediately, but it also wipes the machine's memory, which is where encryption keys and other evidence your forensic team will want may still be sitting. Disconnecting the network (pull the cable, disable the adapter, or quarantine the host from your EDR console) stops the lateral spread while preserving memory, but lets the local encryption continue. If you can't isolate a machine quickly, power it off.
This is true for physical and virtual machines, containers, anything with an operating system. If you stop that machine, the ransomware on it stops functioning. It's not guaranteed you'll get your data back off that machine, but at least it stops the threat from multiplying.
You should also engage security professionals to try to recover your data. It's possible the keys are recoverable: poorly written ransomware sometimes stores or derives its key locally, or leaves key material in memory, swap or hibernation files, and a forensic analysis might find it and use it to decrypt your data. Well-designed ransomware encrypts each file's key with the attacker's public key, in which case nothing on the machine will help.
There are also free services, such as the No More Ransom project, that collect decryptors and keys for ransomware families whose keys have leaked or whose cryptography was flawed. Check them before you even consider paying: your strain may already be covered.
If the damage to your business is severe, then you should engage law enforcement, and specifically the FBI, either through your local field office or by filing a report with IC3. Most local and state police agencies are not equipped to deal with these incidents, but the FBI is.
How can you prevent a ransomware attack?
Since the number one entry point for ransomware right now is phishing, the best thing you can do is run a robust security awareness program and regularly send test phishing campaigns to your users.
Train your employees to recognize phishing in all of its forms. Equip them to understand phishing as a practice and what it can look like, and give them a simple way to report a suspicious message so your security team can act before someone else clicks. Back the training with controls that limit the damage of the one click that will eventually happen: multi-factor authentication, so phished passwords alone are not enough, and prompt patching of your external-facing systems. If the phishing email never gets a foothold, the ransomware never gets in.
Hopefully you're running endpoint protection, and the best tools are EDR products like CrowdStrike that rely on behavioral analysis and machine learning rather than on signatures alone. They watch for ransomware behavior: a process that rapidly rewrites file after file with high-entropy content, renames them to a new extension, or drops the same note into directory after directory. When they see it, they block and quarantine the process until that behavior is reviewed.
Particularly for midsize to large organizations, it’s important to have intrusion detection systems running in addition to antivirus software.
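As an added example, not code from the original article or from any EDR vendor, here is a small Python model of the behavioral detection described above. It scores a constructed stream of file events per process on three ransomware indicators: many high-entropy writes, many extension-changing renames, and the same ransom-note filename dropped into several directories. The event format, the thresholds and the note filenames are assumptions for the demo; a real EDR gets its events from a kernel sensor and its indicators from threat intelligence.

```python
import math
import random
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from pathlib import PurePosixPath

# Thresholds are illustrative assumptions; a real EDR tunes them per environment.
ENTROPY_THRESHOLD = 7.0        # bits per byte; ciphertext approaches 8.0
MIN_HIGH_ENTROPY_WRITES = 5
MIN_EXTENSION_CHANGES = 5
MIN_NOTE_DIRECTORIES = 3
RANSOM_NOTE_NAMES = {"readme_decrypt.txt", "how_to_restore_files.txt"}  # assumed indicator list


@dataclass
class FileEvent:
    """One file-system event as a sensor might report it (constructed format)."""
    pid: int
    op: str               # "write", "rename" or "create"
    path: str
    data: bytes = b""     # bytes written, for op == "write"
    new_path: str = ""    # destination, for op == "rename"


@dataclass
class ProcessIndicators:
    high_entropy_writes: int = 0
    extension_changes: int = 0
    note_directories: set = field(default_factory=set)

    @property
    def flagged(self) -> bool:
        # Mass encryption needs both signals, so a backup tool that writes a few
        # compressed archives (high entropy, no renames) is not flagged.
        mass_encryption = (self.high_entropy_writes >= MIN_HIGH_ENTROPY_WRITES
                           and self.extension_changes >= MIN_EXTENSION_CHANGES)
        note_spray = len(self.note_directories) >= MIN_NOTE_DIRECTORIES
        return mass_encryption or note_spray


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte. Plain text sits around 4-5; encrypted or
    compressed data is close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def score_events(events):
    """Aggregate indicators per process; the caller blocks and quarantines flagged pids."""
    by_pid = defaultdict(ProcessIndicators)
    for ev in events:
        ind = by_pid[ev.pid]
        if ev.op == "write" and shannon_entropy(ev.data) >= ENTROPY_THRESHOLD:
            ind.high_entropy_writes += 1
        elif ev.op == "rename" and PurePosixPath(ev.new_path).suffix != PurePosixPath(ev.path).suffix:
            ind.extension_changes += 1
        elif ev.op == "create" and PurePosixPath(ev.path).name.lower() in RANSOM_NOTE_NAMES:
            ind.note_directories.add(str(PurePosixPath(ev.path).parent))
    return dict(by_pid)


# --- constructed sample: one benign editor, one benign archiver, one ransomware ---
_rng = random.Random(7)


def _ciphertext_like(n: int) -> bytes:
    """Deterministic pseudo-random bytes standing in for encrypted file content."""
    return bytes(_rng.getrandbits(8) for _ in range(n))


PLAINTEXT = b"Quarterly report: revenue up 4%, costs flat, headcount unchanged.\n" * 60


def sample_events():
    events = []
    for i in range(6):   # pid 1001: word processor saving ordinary documents
        events.append(FileEvent(1001, "write", f"/home/alice/docs/memo{i}.txt", PLAINTEXT))
    for i in range(2):   # pid 2002: backup tool writing compressed archives
        events.append(FileEvent(2002, "write", f"/backup/site{i}.tar.gz", _ciphertext_like(4096)))
    for i in range(8):   # pid 4242: ransomware overwriting files, then renaming them
        src = f"/home/alice/docs/invoice{i}.docx"
        events.append(FileEvent(4242, "write", src, _ciphertext_like(4096)))
        events.append(FileEvent(4242, "rename", src, new_path=src + ".locked"))
    for d in ("/home/alice/docs", "/home/alice/Desktop", "/srv/share"):
        events.append(FileEvent(4242, "create", f"{d}/README_DECRYPT.txt"))
    return events


if __name__ == "__main__":
    for pid, ind in score_events(sample_events()).items():
        print(pid, "FLAGGED" if ind.flagged else "ok", ind)
```

Run it and only pid 4242 is flagged. The archiver (pid 2002) shows that entropy alone is a poor signal, since legitimate compressed and encrypted files look exactly like ciphertext; combining it with rename churn and note drops is what keeps false positives down.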
Backup, backup, backup, and keep at least one copy offline or immutable, because modern ransomware deliberately looks for reachable backups and encrypts or deletes them before it announces itself. Test your backups regularly, at least annually, by actually restoring data from them. You would not believe how many people think they have a great backup scheme until they try to restore and discover their backup method won't give them back the data they need.
Without a rehearsed restore it can take days just to get a single file back. Make sure the backups work the way you expect, so that you can recover from different kinds of incidents: be sure you can restore specific files and directories, and verify that you can restore entire servers or systems, checking the restored content against the hashes recorded when the backup was taken.
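The following Python example is added here to illustrate two points from this article: restoring "around" the attacker's files from an incremental backup history, and verifying a restore against a hash manifest instead of trusting that the backup job succeeded. It is not code from the original article or from any backup product. The snapshot format, the day-numbered timeline, the file contents and the forensic findings (the day encryption began, the dropper path, the hash of a trojanized library) are all constructed for the demo; each snapshot here lists its full file set rather than a real incremental chain, which the backup tool would resolve for you.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class Snapshot:
    """One backup snapshot (constructed format): when it was taken and the files in it."""
    taken_at: int      # day number in this constructed timeline
    files: dict        # path -> bytes


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_restore_plan(snapshots, encryption_started, ioc_paths, bad_hashes):
    """For every path, pick the newest version captured before encryption began,
    walking back through older snapshots whenever the newer copy is a known-bad
    artifact. Returns (plan, rolled_back): plan maps path -> bytes to restore;
    rolled_back lists paths whose recent copies were rejected in favour of an older one."""
    plan = {}
    rejected = set()
    for snap in sorted(snapshots, key=lambda s: s.taken_at, reverse=True):
        if snap.taken_at >= encryption_started:
            continue                        # may hold ciphertext; never restore from it
        for path, data in snap.files.items():
            if path in plan or path in ioc_paths:
                continue                    # already chosen, or the malware itself
            if sha256(data) in bad_hashes:
                rejected.add(path)          # trojanized copy; keep looking further back
                continue
            plan[path] = data
    rolled_back = sorted(p for p in rejected if p in plan)
    return plan, rolled_back


def verify_restore(restored, expected_hashes):
    """The 'test your backups' step: compare restored content against the hash manifest
    you expect. Returns the paths that are missing or differ; empty means the restore is good."""
    problems = []
    for path, digest in expected_hashes.items():
        if path not in restored or sha256(restored[path]) != digest:
            problems.append(path)
    return sorted(problems)


# --- constructed timeline: intruder lands on day 10, encrypts on day 30 ---
CLEAN_DLL = b"MZ...legitimate helper library v1"
TROJAN_DLL = b"MZ...helper library with a backdoor"
DROPPER = b"MZ...ransomware updater"
CONFIG_V1, CONFIG_V2 = b"mode: prod\n", b"mode: prod\nlog: debug\n"
LEDGER_V1 = b"ledger,1\n"
LEDGER_V2 = LEDGER_V1 + b"ledger,2\n"
LEDGER_V3 = LEDGER_V2 + b"ledger,3\n"

SNAPSHOTS = [
    Snapshot(1, {"/srv/app/config.yaml": CONFIG_V1, "/srv/data/ledger.csv": LEDGER_V1,
                 "/srv/app/lib/helper.dll": CLEAN_DLL}),
    Snapshot(10, {"/srv/app/config.yaml": CONFIG_V1, "/srv/data/ledger.csv": LEDGER_V2,
                  "/srv/app/lib/helper.dll": TROJAN_DLL, "/srv/app/updater.exe": DROPPER}),
    Snapshot(20, {"/srv/app/config.yaml": CONFIG_V2, "/srv/data/ledger.csv": LEDGER_V3,
                  "/srv/app/lib/helper.dll": TROJAN_DLL, "/srv/app/updater.exe": DROPPER}),
    Snapshot(30, {"/srv/app/config.yaml.locked": b"\x8a\x1f\x03\x77", "/srv/data/ledger.csv.locked": b"\x02\x77\xc9",
                  "/srv/app/lib/helper.dll": TROJAN_DLL, "/srv/app/updater.exe": DROPPER}),
]
# Assumed forensic findings handed back after analysing the infected host
ENCRYPTION_STARTED = 30
IOC_PATHS = {"/srv/app/updater.exe"}
BAD_HASHES = {sha256(TROJAN_DLL)}
EXPECTED = {"/srv/app/config.yaml": sha256(CONFIG_V2),
            "/srv/data/ledger.csv": sha256(LEDGER_V3),
            "/srv/app/lib/helper.dll": sha256(CLEAN_DLL)}


def demo():
    plan, rolled_back = build_restore_plan(SNAPSHOTS, ENCRYPTION_STARTED, IOC_PATHS, BAD_HASHES)
    return plan, rolled_back, verify_restore(plan, EXPECTED)


if __name__ == "__main__":
    plan, rolled_back, problems = demo()
    print("restore:", sorted(plan), "\nrolled back:", rolled_back, "\nproblems:", problems)
```

The business data (ledger, config) comes back from day 20, the last snapshot before encryption, while the trojanized library is rejected twice and taken from day 1, and the dropper is never restored at all. Retention matters here: with only the last two weeks of backups, the clean copy of helper.dll would not exist anywhere.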
Black Kilt helps your organization defend against and recover from ransomware attacks
Black Kilt can review your current security practices, procedures, and tooling to help you understand whether those tools are sufficient to protect against ransomware. On the flip side, if it comes to recovery, we have incident responders available that can deal with these types of incidents on short notice.
We also have forensic analysts that can go through hard drives, look for encryption keys, and help minimize your data loss.