Ransomware Awareness & Response
Welcome back to Cyber Security Awareness Month with Secure Sense!
Last week we discussed human error in cyber security and the importance of training your employees to avoid being a victim of a phishing scheme or social engineering attack. This week, we are reviewing ransomware – an attack that is often the result of credentials stolen via phishing campaigns, or of malicious email links themselves. Ransomware attacks have hit record highs in 2021, increasing 151% in the past 6 months compared to the first half of 2020. All industries are at risk, but it's no surprise that healthcare, education, and manufacturing have been just a few of the hardest hit industries since the beginning of the pandemic. Today we are discussing how ransomware works, who is at risk, how to deal with this kind of attack, and how your MSSP can help.
What is ransomware and how does it work?
As mentioned, ransomware attacks often occur after an employee or user opens or clicks an infected attachment or URL. When these infected links are opened, the malware is installed on the user’s computer and begins to either encrypt their files or simply lock their screen. Encryptor malware works by denying the user or organization access to their files and data – effectively holding that data hostage. The ransomware operator then demands a ransom payment in exchange for the decryption key needed to restore the files. Screen lockers simply notify the user that their screen is locked and that they must pay the ransom to have it unlocked. Once the ransom is paid, the ransomware operator is supposed to provide the decryption key to unlock the data. However, organizations sometimes pay the ransom and never receive the decryption key. It is generally accepted these days that paying the ransom is not advised because nothing is guaranteed – and in doing so, the organization or individual may become a target for future attacks. Not paying the ransom, however, can be extremely difficult for organizations, as many feel they have no choice. Without the decryption key, regaining access to the lost data is extremely difficult, and the organization risks lengthy business interruptions while restoring from backups, or even losing important data forever. Even though a ransom can be upwards of hundreds of thousands of dollars, paying it is often seen as the cheapest and most efficient way to regain access.
As most types of cyber attacks develop and become more sophisticated over time, ransomware attacks are no different. These kinds of attacks have been wreaking havoc on victims for years, and attackers have only grown more creative. These days, cybercriminals can remain anonymous by coming up with ways to make tracking payments impossible – such as being paid in gift cards or cryptocurrencies. It may sound daunting to defend against something like this; however, there are many steps you can take to protect your organization against these attackers. Learning as much as possible about these kinds of attacks, training your staff, and putting the correct technical controls in place are all measures that should be taken. Becoming familiar with major ransomware attacks that have happened over the years will give you and your employees a good foundation in the tactics attackers use and the characteristics of these major attacks. Like we mentioned, attackers are always evolving and getting creative; however, most ransomware attacks follow a few different models that you should be up to speed on to successfully build your defense. The following is a summary from our partners at Proofpoint of some major attacks over the past few years:
- WannaCry – A powerful Microsoft exploit was leveraged to create a worldwide ransomware worm that infected over 250,000 systems before a killswitch was tripped to stop its spread. Proofpoint was involved in finding the sample used to find the killswitch and in deconstructing the ransomware.
- CryptoLocker – This was one of the first of the current generation of ransomware that required cryptocurrency for payment (Bitcoin) and encrypted a user’s hard drive and attached network drives. CryptoLocker was spread via an email with an attachment that claimed to be a FedEx or UPS tracking notification. A decryption tool was released for it in 2014, but various reports suggest that upwards of $27 million was extorted by CryptoLocker.
- NotPetya – Considered one of the most damaging ransomware attacks, NotPetya leveraged tactics from its namesake, Petya, such as infecting and encrypting the master boot record of a Microsoft Windows-based system. NotPetya leveraged the same vulnerability from WannaCry to spread rapidly, demanding payment in bitcoin to undo the changes. It has been classified by some as a wiper, since NotPetya cannot undo its changes to the master boot record and renders the target system unrecoverable.
- Bad Rabbit – Considered a cousin of NotPetya and using similar code and exploits to spread, Bad Rabbit was a visible ransomware that appeared to target Russia and Ukraine, mostly impacting media companies there. Unlike NotPetya, Bad Rabbit did allow for decryption if the ransom was paid. The majority of cases indicate that it was spread via a fake Flash player update that can impact users via a drive-by attack.
- REvil – REvil is authored by a group of financially motivated attackers. It exfiltrates data before it encrypts it so that targeted victims can be blackmailed into paying if they choose not to send the ransom. The attack stemmed from compromised IT management software used to patch Windows and Mac infrastructure. Attackers compromised the Kaseya software used to inject the REvil ransomware onto corporate systems.
- Ryuk – Ryuk is a manually distributed ransomware application mainly used in spear-phishing. Targets are carefully chosen using reconnaissance. Email messages are sent to chosen victims, and all files hosted on the infected system are then encrypted.
Who is at risk and why is it spreading?
As with any cyber attack, any device that is connected to the internet is at risk. When ransomware is able to reach a vulnerable device, it is also able to scan anything connected via the local network – if that happens to be a business network, the business then becomes a potential victim. The ransomware can then work by encrypting documents and files owned by the business. So how does a device become vulnerable? Aside from phishing emails and malicious attachments and links directly installing ransomware onto the device, a device (laptop, phone, etc.) can be especially vulnerable if it isn’t updated with the latest software security patches, runs an outdated or unsupported operating system, or does not have anti-malware installed to help detect and stop ransomware.
Ransomware has been spreading at unprecedented rates in the past 18 months notably due to the increase in employees working from home. Not only have attackers increased their use of phishing tactics and social engineering schemes, but they are taking advantage of the increased surface area of vulnerable personal devices employees may be using or personal networks that don’t have adequate security.
Steps for Responding to an Attack
If your business has unfortunately found itself in the middle of a ransomware attack, there are a few basic steps you can take. Firstly, you should not pay the ransom. The ransom message will typically state the amount to pay and how much time there is (usually not very much), and may even threaten to publicly expose that the business has been compromised – thus putting pressure on the victim to act quickly. Although it is important to act fast, paying the ransom isn’t advised. There are a few risks to paying:
- It may be all for nothing, as the attacker could decide not to release the decryption key to the business
- The organization risks becoming a repeat target now that the attacker knows they will pay the money
- The attacker could still expose the organization and continue hacking their systems, even if they received the money. As mentioned, there is no guarantee with ransomware attacks.
So what should you do? Like we said, it’s important to act quickly so the ransomware doesn’t spread to other areas on the network. Our partners at Proofpoint have a few basic steps to follow before getting the experts involved for analysis, clean-up and investigations:
- Determine which systems are impacted. You must isolate systems so that they cannot affect the rest of the environment. This step is part of containment that will minimize damage to the environment.
- Disconnect systems, and power them down if necessary. Ransomware spreads rapidly on the network, so any systems must be disconnected either by disabling network access or powering them down.
- Prioritize restoration of systems so that the most critical ones can be returned to normal faster. Usually, priority is based on productivity and revenue impact.
- Eradicate the threat from the network. Attackers might use backdoors, so eradication must be done by a trusted expert. The expert needs access to logs so that a root-cause analysis will identify the vulnerability and all systems impacted.
- Have a professional review the environment for potential security upgrades. It’s common for a ransomware victim to be a target for a second attack. If the vulnerability is not found, it can be exploited again.
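The first two steps (determine which systems are impacted, then isolate them) and the restoration-priority step can be started from endpoint file-activity logs. The script below is an added example, not Proofpoint's or Secure Sense's code: it runs over constructed log lines, flags hosts showing encryptor-like behaviour (a burst of renames to an unfamiliar extension, or a file whose name looks like a ransom note), and orders the flagged hosts for restoration using an assumed business-criticality map.

```python
# Added triage example (not from the original post). Log format, threshold
# and criticality scores are assumptions chosen for illustration.
from collections import defaultdict

# Constructed sample log lines: "timestamp,host,action,path"
SAMPLE_LOG = """\
10:00:01,FILESRV01,rename,/share/finance/q3.xlsx->/share/finance/q3.xlsx.locked
10:00:01,FILESRV01,rename,/share/finance/q2.xlsx->/share/finance/q2.xlsx.locked
10:00:02,FILESRV01,rename,/share/hr/staff.docx->/share/hr/staff.docx.locked
10:00:02,FILESRV01,create,/share/finance/README_RESTORE.txt
10:00:05,LAPTOP-22,rename,/home/u/report.docx->/home/u/report.docx.tmp
10:00:06,LAPTOP-22,rename,/home/u/notes.docx->/home/u/notes_v2.docx
10:00:07,WEB01,create,/var/log/nginx/access.log
"""

# Extensions a legitimate rename would normally keep; anything else counts as suspicious.
KNOWN_GOOD_EXT = {"xlsx", "docx", "pdf", "txt", "log", "csv", "pptx", "tmp"}
RANSOM_NOTE_HINTS = ("readme", "restore", "decrypt", "recover")
RENAME_THRESHOLD = 3  # suspicious renames before a host is flagged (assumed)
# Assumed business criticality (higher = restore first), as the post suggests
# basing priority on productivity and revenue impact.
CRITICALITY = {"FILESRV01": 9, "WEB01": 7, "LAPTOP-22": 2}

def parse_log(text):
    """Split each constructed log line into a dict."""
    events = []
    for line in text.strip().splitlines():
        ts, host, action, path = line.split(",", 3)
        events.append({"ts": ts, "host": host, "action": action, "path": path})
    return events

def impacted_hosts(events):
    """Hosts to isolate: many renames to unknown extensions, or a ransom-note-like file."""
    renames, notes = defaultdict(int), set()
    for e in events:
        if e["action"] == "rename":
            new_ext = e["path"].split("->")[-1].rsplit(".", 1)[-1].lower()
            if new_ext not in KNOWN_GOOD_EXT:
                renames[e["host"]] += 1
        elif e["action"] == "create":
            name = e["path"].rsplit("/", 1)[-1].lower()
            if any(h in name for h in RANSOM_NOTE_HINTS):
                notes.add(e["host"])
    flagged = {h for h, n in renames.items() if n >= RENAME_THRESHOLD} | notes
    return sorted(flagged)

def restoration_order(hosts, criticality=CRITICALITY):
    """Order isolated hosts for restoration, most business-critical first."""
    return sorted(hosts, key=lambda h: -criticality.get(h, 0))

def triage(log_text):
    """Full pass: parse, flag impacted hosts, return them in restoration order."""
    return restoration_order(impacted_hosts(parse_log(log_text)))
```

LAPTOP-22 stays unflagged because its single rename to .tmp is below the threshold, which is the kind of false-positive control worth tuning against your own baseline before acting on alerts.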
Ransomware Prevention and how your MSSP can help
Last year, 37% of employees at businesses surveyed in North America didn’t know what ransomware was, while 32% had already been a victim of a ransomware attack. This indicates just how important it is to train your staff as one of your first lines of defense. Last week’s blog has some tips on how to train your staff on cyber security awareness. This training should be done regularly to ensure employees know how to spot an attack, what to do if they become a victim, and how to report it.
In addition to training your staff properly on social engineering, phishing, and best practices, you can turn to your MSSP for help. Not only can your MSSP help you get back on your feet in the event of a successful ransomware attack, but they can help you prevent them in the first place. Being prepared for an attack (even if you think it will never happen to you) is the most important thing you can do to protect yourself. Anyone can be a victim to a ransomware attack so it’s important to have the proper security in place to protect your organization. A few things you can talk to your MSSP about:
- Your critical information needs to be backed up: you should always have an up-to-date backup of your critical data in a secure place so that it can be restored and not lost forever
- Sensitive data should always be encrypted: even when your data is at rest (and not just in transit) it should always remain encrypted so attackers have an extremely difficult time accessing it to use it against you
- Applying ransomware detection: having security tools in place, such as email and endpoint protection, will help keep your organization safe
There should always be a dialogue about security awareness with your staff, your security team, and your MSSP. Creating a prevention and response strategy across the board will help ensure your organization doesn’t find itself in the unfortunate situation of a ransomware attack.
Interested in Chatting with a Security Professional?
There’s no better time than the present to enlist help for your security needs. Available across Canada, our team of specialists are eager and ready to learn how to become that trusted extension of your security team.
Don’t hesitate to reach out to us at 866-999-7506 or shoot us an email at firstname.lastname@example.org.
Secure Sense is the security provider that cares. We are a team of experts with a passion for IT, and protecting your organization is what motivates us daily. If you have questions or want to learn more about how we can improve your organization’s security or about our services, or just want to chat security, please give us a shout.