Ransomware poses the biggest cyber threat to businesses in 2021. How does it work? How to protect yourself from it?
Ransomware is the type of cyberattack on which the French National Information Systems Security Agency (ANSSI) communicates the most in 2021. Indeed, ANSSI registered a 100% increase in ransomware cyber attacks in France over the past year. Officials said ransomware attacks pose the "most serious security threat" for companies. One should note that the coronavirus pandemic has paved the way for many phishing emails because through those scams, hackers prey on user panic.
How does a ransomware attack work? What are its consequences for the company? How to be effectively protected? Qu’est-ce qu’une cyberattaque ransomware ?
A ransomware attack, as its name suggests, involves a ransom demand.
According to a guidance article by the NCSC, ransomware “is a type of malware that prevents you from accessing your computer (or the data that is stored on it).” Ransomware can infect your computer when you visit certain websites. It can also be activated during a hacker intrusion on your device.
This same NCSC article points out that ransomware belongs to the category of “malicious software”, also called “malware”. This kind of malware has the specificity of encrypting files on a computer or other computing devices, including the files saved in a shared folder such as the ones hosted on a cloud drive. Ransomware can also prevent any access to the computer.
The purpose of ransomware is to extort money from you by promising to restore your access to locked devices or encrypted data. In some instances, however, hackers have no other goal than to compromise your IT. This often means their motivations are therefore unfair competition or political attacks. Through ransomware attacks cybercriminals can damage the operation and harm the reputation of your company.
There are two main categories of ransomware: data encryption and locking ransomware. In addition to those two classic types of malware, there are new ones, such as Ransomware-as-a-Service (RaaS) or scareware. It is important for you to learn how to recognise those different cyber attacks in order to take efficient protective measures.
This type of ransomware outright blocks access to the interface of computers or tablets and smartphones. The device becomes unusable and a message from the hacker appears on the screen, specifying the terms of payment of the ransom.
Some hackers even go so far as to use social engineering in their messages. They try to make the user believe the ransom is actually a fine. They thus take advantage of the panic reflexes of their victim.
This type of ransomware is not the most common because, fortunately, it only blocks access to the interface, without compromising the files. Once it has been deleted, the user retrieves all his files left intact.
Encrypting ransomware, also known as “data blockers” or “cryptolocker ransomware” is far more dangerous than screen locking ransomware. This kind of ransomware can target the most critical files on your device and change their extension. Hackers often look for financial data, pictures, videos, confidential projects or personal data.
Under those circumstances, it becomes impossible to read or access files without a decryption key. Just like with locking ransomware, the victim often receives a message that looks legit or even official. This could be a brand spoofing message posing as Apple, Gmail, a bank or Paypal.
The hacker is also able to limit your access to your computer, by locking certain keys on the keyboard, for example. In this case, you are then forced to communicate with the hacker.
Once the ransom has been demanded, either you pay and regain access to your files held hostage or you have to use a professional ransomware decryption software. This solution remains the best one because many cyber criminals do not restitute the files in their initial state.
Several large-scale cyberattacks examples fall under the category of data encryption ransomware:
New types of ransomware have emerged over the past years, especially in 2020:
In a ransomware fact sheet, the FBI says “attacks can impact all sectors”.
Indeed, private companies, and public services can experience this type of cyber attack on all types of devices. Also, all operating systems are targeted: iOS, Windows, Linux, Mac and Android.
However, in a recent article, the cybersecurity news website Cybereason points out that the sectors most affected by ransomware are healthcare, education and the industrial sector. One may add that IT companies also constitute a prime target for ransomware cyberattacks.
Additionally to the financial losses due to the payment of ransoms, ransomware also has economic, industrial and social repercussions. This is particularly the case with “Big Game Hunting” attacks that have been raging on since 2014. Those attacks target large companies or institutions capable of paying vast amounts of money.
In its analysis of the consequences of ransomware, the French government agency ANSSI (National Agency for the Security of Information Systems) lists the following types of adverse consequences on companies:
Authorities acknowledge five major groups of cybercriminals behind ransomware. The reference site ID-ransomware, however, counts more than 800 of them. When it comes to ransomware, hackers have indeed developed a great variety of methods:
The stake, for the hackers, is always to penetrate the information systems of a company. To achieve that, they first need to exploit a vulnerability to inject a program, such as a malicious attachment. This first code triggers a second one, larger, which comes from an external server. Once it has been activated, the ransomware blocks access to certain files or devices. The company is now ripe for ransom.
Protection from ransomware begins with you taking all necessary preventive measures. It also means you being aware of the right behaviours to adopt in the event of a ransomware attack.
In its campaign against ransomware, ANSSI has been issuing a number of tips aimed at preventing ransomware attacks. The British NCSC also details several similar good practices. Here is a summary of the ransomware prevention methods recommended by the British and the French governments:
1 / Perform regular backups, on separate media/devices;
2 / Beware of emails sent by unknown or suspicious persons or entities: pay attention to the sender’s address. Be careful, especially with emails that seem, at first glance, to be issued by official authorities, or by usual correspondents. Cyber criminals do not hesitate to spoof the addresses of your usual contacts. If in doubt, delete the email and contact the person or department in question, to check that the communication really came from them.
3 / Never open attachments compressed in SCR or CAB format, those mean CTB-Locker ransomware;
4 / Do not work on your devices from an administrator account, but rather from an user one;
5 / Regularly accept software updates as soon as you receive corresponding notifications;
6 / Use an up-to-date antivirus and configure your firewall so that it only allows legitimate applications;
7 / Do not install hacked programs;
8 / Avoid websites enabling illegal downloading of music, films or software;
9 / Use complex passwords, change them on a regular basis;
10 / Switch off your devices when you are not using them;
11 / Practice by training for a ransomware attack scenario.
One of the main measures you can take to effectively protect your information systems is having your staff trained in cybersecurity. Your employees specifically need to know how to detect phishing attempts. Antivirus cannot always block those.
Ransomware simulations help educate your employees about cyber risks by teaching them the right behaviour. It is also one of the easiest ways to develop an internal cybersecurity culture.
Besides phishing detection training, have your staff perform recovery simulations. The goal of this kind of test is to find out how quickly it takes them to recover data after a ransomware attack. It is above all an opportunity to measure the effect of such a cyberattack on your operation, on your users, and more generally on all your stakeholders.
If one of your employees faces an actual ransomware attack, there are a number of guidelines to follow: individual security procedures but also company-wide measures..
When dealing with ransomware, employees must:
If your company has been hacked, do not give in to the temptation to pay the ransom. The hacker may very well decide not to give you the decryption key afterwards.
Whatever you do, they already had access to your files, and may have made copies of them. The data they collected could be leaked even if you paid the ransom. Paying them may also compromise your payment method.
By deciding to pay the ransom, you are also unwillingly enabling cybercrime. Another reason why ransom demands are getting higher and higher is that hackers have noticed the propensity of companies to pay dearly to recover their confidential data.
On a company scale, proceed as follows:
As a reminder, if the personal data handled by your company is unavailable, modified, disclosed or deleted, you are entitled to notify the incident to the ICO. Specify, in that case, the following elements:
Your company may choose to trust its CIO with getting rid of the malware. Your IT teams will then use sites like No More Ransom to find an appropriate ransomware decryption solution.
If the CIO fails to decrypt the corrupted data, the company may resort to ransomware decryption services. You could contact your usual cybersecurity provider to try to identify any copy made by the intruder. Your cybersecurity provider may also revoke the hacker’s access to your sensitive data.
Then comes a recovery phase. This involves completely reformatting the device, but also restoring your backup copies. Reset all potentially affected devices, as well as the servers.
The time of the turmoil due to the theft of your data has passed, now comes the time to analyse the cybersecurity vulnerabilities that allowed the ransomware attack to happen:
Once the crisis is over, it is time to activate your DRP, or Disaster Recovery Plan in the event of a cybersecurity breach. This has to have been thought out in advance, so that the operation of your company does not suffer from ransomware in the long term.
Ransomware is malicious software capable of locking down computers or encrypting company data. When it happens, hackers eventually demand a ransom in exchange for the inaccessible files.
To prevent the victim from accessing their data, the ransomware hacker can encrypt it, or block access to the computer’s screen or the internet browser.
Do not pay! Even if you give the cybercriminal the ransom they demand, there is no guarantee that they are going to decrypt your data or that they will not disseminate it. You would then also support an unhealthy and illegal trade, plus hackers would then identify you as a good customer.
related to Cyber Risk Quantification