It might have been around since Wham and Culture Club were on the music charts, but ransomware is still very much in style for cybercriminals. Attacks cause massive disruption and loss for victims but can be very lucrative for those who initiate them.
The most recent generation of ransomware, known as crypto-ransomware, was initially spotted in 2013 when it became the first widely successful code released into the wild. It was also the first to encrypt the victim’s files.
Since then, cybercriminals have taken the concept even further. They have started to use industry-grade encryption and demand payment of ransoms in cryptocurrency. In many cases, they also play on human psychology by showing a countdown timer that displays how long the victim has to make payment before their files become permanently unrecoverable.
Interestingly, the sheer volume of ransomware attacks has fallen in recent years. This is because attackers are becoming more targeted, rather than simply blasting out spam emails to anyone with an email address.
The trend is also occurring because the IT security industry has become much better at protecting against basic ransomware. Unfortunately, this means cybercriminals have become much more sophisticated about how, and whom, they target.
At the same time, there has also been the rise of so-called ransomware-as-a-service. This gives anyone willing to pay access to the tools needed to mount an attack and does not require technical skills.
Increasingly, criminals are targeting specific organisations and taking time to find the best ways to breach their security measures. Once inside their target’s IT infrastructure, they take time to explore what resources are available and the most damaging places in which they could launch their encryption code.
Attackers are also likely to deploy code on multiple machines across the infrastructure and arrange for it all to launch simultaneously. In these instances, the impact on an organisation can be nothing less than catastrophic.
Double and triple extortion attacks
Far from standing still, ransomware continues to evolve, and the latest instances go much further than their predecessors. Where earlier versions extorted payment simply by encrypting files, victims now find that cybercriminals take copies of files before locking them down.
In this second type of extortion, the victim is then threatened that, if payment is not made, those copied files will be made public. This makes a payment more likely, even if the victim was able to recover their files from a backup.
An even more recent attack type, known as triple extortion, involves an attacker using stolen files to gather information about a company’s customers and business partners. This is then used either to attack those parties directly, or to cause further significant harm to the original victim.
Preventing ransomware attacks
While ransomware can be extremely damaging, there are a number of steps organisations can take to prevent or mitigate attacks. The top 10 include:
- Keep software patches up to date: This is particularly important when it comes to public-facing IT resources such as a company website. In most cases, it is old software vulnerabilities that have not been fixed that allow the cybercriminals to gain access in the first place.
- Have strong password practices: Hackers don’t break in; they log in. Require staff to regularly change their passwords and use ones that are long and contain random characters.
- Deploy multi-factor authentication: This adds another layer of security above and beyond the humble password.
- Conduct regular data backups: At least when it comes to single-extortion attacks, if an organisation can recover its data from backups, the attack can essentially be ignored.
- Have a disaster recovery plan: It’s important to have a clear plan of the steps that will be taken should an attack occur. This will help an organisation recover more quickly and continue operations.
- Use advanced malware prevention tools: Traditionally, such tools have relied on signatures to spot malware before it can cause harm. However, this approach is no longer effective on its own, as malware has become highly polymorphic. As a result, more sophisticated detection tools need to be put in place.
- Beware of ‘living-off-the-land’ attacks: These attacks do not require malicious code to be injected into a network but instead use software and tools that are already there. One popular example is the Windows PowerShell scripting language which can be used to change local and domain-based configurations.
- Undertake security training: Ensure staff fully understand the threat posed by ransomware and their role in preventing attacks.
- Adopt a zero-trust security strategy: Follow the principle of least privilege by giving staff access only to the resources they need, and continuously verify their digital identities.
- Remember, there is no silver bullet: There is no single answer to ransomware. Having layered security in place is the key.
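The ‘living-off-the-land’ point above is only actionable if use of the built-in tools is actually recorded. The following PowerShell script is an added example and is not part of the original article: it audits whether PowerShell Script Block Logging and Module Logging are enabled on a Windows host, optionally enables them (the `-Enable` switch is this example's own parameter, and the registry policy paths and value names are the ones Microsoft documents for these features), and then lists the most recent script block events so a defender can confirm that PowerShell activity is being captured for later review.

```powershell
# Added example, not from the original article: audit (and optionally enable)
# PowerShell Script Block Logging and Module Logging, then confirm that
# script block events (ID 4104) are arriving in the Operational log.
# Run in an elevated session when using -Enable.
param([switch]$Enable)

$policies = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'; Name = 'EnableScriptBlockLogging' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging';      Name = 'EnableModuleLogging' }
)

foreach ($p in $policies) {
    # Read the policy value; a missing key simply means "not configured".
    $current = (Get-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue).($p.Name)
    if ($current -eq 1) {
        Write-Output "$($p.Name): enabled"
        continue
    }
    Write-Output "$($p.Name): NOT enabled"
    if ($Enable) {
        # Create the policy key if absent and turn the setting on.
        New-Item -Path $p.Path -Force | Out-Null
        Set-ItemProperty -Path $p.Path -Name $p.Name -Value 1 -Type DWord
        Write-Output "$($p.Name): enabled now"
    }
}

if ($Enable) {
    # Module logging needs a list of modules to log; '*' records all of them.
    $mods = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames'
    New-Item -Path $mods -Force | Out-Null
    Set-ItemProperty -Path $mods -Name '*' -Value '*' -Type String
}

# Show the five most recent script block events, if any, to verify that
# PowerShell usage on this host is actually being recorded.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ Name = 'Snippet'; Expression = { $_.Message.Substring(0, [Math]::Min(80, $_.Message.Length)) } }
```

Running the script without `-Enable` is read-only and is safe to schedule as a periodic compliance check; the same registry settings can be delivered centrally through Group Policy, and the 4104 events it displays are what a SIEM should be forwarding so that configuration changes made through PowerShell are visible to the security team.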
Ransomware will continue to be a serious threat for organisations of all sizes. But, by following the steps outlined above, you can be in a much better position to prevent or contain attacks if and when they occur.