What is ransomware and how to protect against it?

Ransomware is the type of cyberattack on which the French National Information Systems Security Agency (ANSSI) communicates the most in 2021. Indeed, ANSSI registered a 100% increase in ransomware cyber attacks in France over the past year. Officials said ransomware attacks pose the "most serious security threat" for companies. One should note that the coronavirus pandemic has paved the way for many phishing emails because through those scams, hackers prey on user panic.

How does a ransomware attack work? What are its consequences for the company? How to be effectively protected? What a ransomware attack is?

What is a ransomware cyberattack?

A ransomware attack, as its name suggests, involves a ransom demand.

Ransomware: a definition

According to a guidance article by the NCSC, ransomware “is a type of malware that prevents you from accessing your computer (or the data that is stored on it).” Ransomware can infect your computer when you visit certain websites. It can also be activated during a hacker intrusion on your device.

This same NCSC article points out that ransomware belongs to the category of “malicious software”, also called “malware”. This kind of malware has the specificity of encrypting files on a computer or other computing devices, including the files saved in a shared folder such as the ones hosted on a cloud drive. Ransomware can also prevent any access to the computer.

The purpose of ransomware is to extort money from you by promising to restore your access to locked devices or encrypted data. In some instances, however, hackers have no other goal than to compromise your IT. This often means their motivations are therefore unfair competition or political attacks. Through ransomware attacks cybercriminals can damage the operation and harm the reputation of your company.

Typology of ransomware attacks

There are two main categories of ransomware: data encryption and locking ransomware. In addition to those two classic types of malware, there are new ones, such as Ransomware-as-a-Service (RaaS) or scareware. It is important for you to learn how to recognise those different cyber attacks in order to take efficient protective measures.

Locking ransomware

This type of ransomware outright blocks access to the interface of computers or tablets and smartphones. The device becomes unusable and a message from the hacker appears on the screen, specifying the terms of payment of the ransom.

Some hackers even go so far as to use social engineering in their messages. They try to make the user believe the ransom is actually a fine. They thus take advantage of the panic reflexes of their victim.

This type of ransomware is not the most common because, fortunately, it only blocks access to the interface, without compromising the files. Once it has been deleted, the user retrieves all his files left intact.

Encrypting ransomware

Encrypting ransomware, also known as “data blockers” or “cryptolocker ransomware” is far more dangerous than screen locking ransomware. This kind of ransomware can target the most critical files on your device and change their extension. Hackers often look for financial data, pictures, videos, confidential projects or personal data.

Under those circumstances, it becomes impossible to read or access files without a decryption key. Just like with locking ransomware, the victim often receives a message that looks legit or even official. This could be a brand spoofing message posing as Apple, Gmail, a bank or Paypal.

The hacker is also able to limit your access to your computer, by locking certain keys on the keyboard, for example. In this case, you are then forced to communicate with the hacker.

Once the ransom has been demanded, either you pay and regain access to your files held hostage or you have to use a professional ransomware decryption software. This solution remains the best one because many cyber criminals do not restitute the files in their initial state.

Several large-scale cyberattacks examples fall under the category of data encryption ransomware:

• Ryuk ransomware, which we have analyzed regarding its fallout, has been operating at full speed since 2020. It is the weapon of choice in numerous cyber attacks against French hospitals during the COVID-19 pandemic.
• WannaCry is an encrypting ransomware that has operated on over 250,000 Windows operating system computers around the world. Hackers made a 150,000 USD profit with it.
• CryptoLocker has infected half a million computers, it generated a 3.000.000 USD profit for the criminals..
• Petya, renamed Not-Petya, went so far as to delete the victims' files after payment. This devastating ransomware has damaged large numbers of computer networks around the world, including those of Ukrainian banks and public transportation.

New types of ransomware

New types of ransomware have emerged over the past years, especially in 2020:

• Scareware disguised as antivirus. The victim receives a seemingly legitimate alert informing them of contamination. Acting out of panic, they download the so-called antivirus software. Thus, the cybercriminal is granted full access to the victim's personal data.
• Ransomware-as-a-Service (RaaS): hackers go through a “supplier” to create ransomware. Once the ransom has been collected, that “supplier” receives its share of the spoils.
• Doxware comes from the abbreviation “docs” for “documents”. It is sometimes also called "leakware". Through doxware, hackers intend to cause panic among their victims by threatening to disclose confidential information.

Who are the targets of ransomware attacks?

In a ransomware fact sheet, the FBI says “attacks can impact all sectors”.

Indeed, private companies, and public services can experience this type of cyber attack on all types of devices. Also, all operating systems are targeted: iOS, Windows, Linux, Mac and Android.

However, in a recent article, the cybersecurity news website Cybereason points out that the sectors most affected by ransomware are healthcare, education and the industrial sector. One may add that IT companies also constitute a prime target for ransomware cyberattacks.

Ransomware attack: consequences

Additionally to the financial losses due to the payment of ransoms, ransomware also has economic, industrial and social repercussions. This is particularly the case with “Big Game Hunting” attacks that have been raging on since 2014. Those attacks target large companies or institutions capable of paying vast amounts of money.

In its analysis of the consequences of ransomware, the French government agency ANSSI (National Agency for the Security of Information Systems) lists the following types of adverse consequences on companies:

• drop in productivity provoking heavy financial losses;
• suspension of user services;
• remediation costs;
• ransom costs ranging from several hundred euros for individuals up to millions of euros for businesses;
• delays in pending procedures;
• publication of personal data, yet subject to GDPR regulations.

How does a ransomware attack work?

Authorities acknowledge five major groups of cybercriminals behind ransomware. The reference site ID-ransomware, however, counts more than 800 of them. When it comes to ransomware, hackers have indeed developed a great variety of methods:

• Distributing malicious advertisement via legitimate websites and redirecting victims to a spoof domain.
• Using phishing emails in order to trick victims into clicking or opening an attachment containing a link to a ransomware.
• Infecting a whole network by having ransomware propagate to other devices.
• Using known vulnerabilities of a given software, which is why it is useful to regularly update every software.
• Taking advantage of the simplicity of a password to access a network.
• In some rare cases, hackers manage to bribe an employee, who then installs ransomware himself.

The stake, for the hackers, is always to penetrate the information systems of a company. To achieve that, they first need to exploit a vulnerability to inject a program, such as a malicious attachment. This first code triggers a second one, larger, which comes from an external server. Once it has been activated, the ransomware blocks access to certain files or devices. The company is now ripe for ransom.

How to set up efficient protections against ransomware?

Protection from ransomware begins with you taking all necessary preventive measures. It also means you being aware of the right behaviours to adopt in the event of a ransomware attack.

Preventive measures against ransomware

In its campaign against ransomware, ANSSI has been issuing a number of tips aimed at preventing ransomware attacks. The British NCSC also details several similar good practices. Here is a summary of the ransomware prevention methods recommended by the British and the French governments:

1 / Perform regular backups, on separate media/devices;

2 / Beware of emails sent by unknown or suspicious persons or entities: pay attention to the sender’s address. Be careful, especially with emails that seem, at first glance, to be issued by official authorities, or by usual correspondents. Cyber ​​criminals do not hesitate to spoof the addresses of your usual contacts. If in doubt, delete the email and contact the person or department in question, to check that the communication really came from them.

3 / Never open attachments compressed in SCR or CAB format, those mean CTB-Locker ransomware;

4 / Do not work on your devices from an administrator account, but rather from an user one;

5 / Regularly accept software updates as soon as you receive corresponding notifications;

6 / Use an up-to-date antivirus and configure your firewall so that it only allows legitimate applications;

7 / Do not install hacked programs;

8 / Avoid websites enabling illegal downloading of music, films or software;

9 / Use complex passwords, change them on a regular basis;

10 / Switch off your devices when you are not using them;

11 / Practice by training for a ransomware attack scenario.

Training to deal with a ransomware attack

One of the main measures you can take to effectively protect your information systems is having your staff trained in cybersecurity. Your employees specifically need to know how to detect phishing attempts. Antivirus cannot always block those.

Ransomware simulations help educate your employees about cyber risks by teaching them the right behaviour. It is also one of the easiest ways to develop an internal cybersecurity culture.

Besides phishing detection training, have your staff perform recovery simulations. The goal of this kind of test is to find out how quickly it takes them to recover data after a ransomware attack. It is above all an opportunity to measure the effect of such a cyberattack on your operation, on your users, and more generally on all your stakeholders.

What to do in the face of a confirmed ransomware attack?

If one of your employees faces an actual ransomware attack, there are a number of guidelines to follow: individual security procedures but also company-wide measures..

How should an employee react when confronted with ransomware?

When dealing with ransomware, employees must:

• Disconnect the device from the Internet. This means that they must either deactivate the WiFi connection or unplug the ethernet cable;
• Alert the IT department and, if applicable, the company’s cybersecurity service provider;
• Ensure the preservation of evidence in order to give the company the opportunity to file a complaint : encrypted data, fraudulent email etc.

Company-wide, step 1: do not pay the ransom

If your company has been hacked, do not give in to the temptation to pay the ransom. The hacker may very well decide not to give you the decryption key afterwards.

Whatever you do, they already had access to your files, and may have made copies of them. The data they collected could be leaked even if you paid the ransom. Paying them may also compromise your payment method.

By deciding to pay the ransom, you are also unwillingly enabling cybercrime. Another reason why ransom demands are getting higher and higher is that hackers have noticed the propensity of companies to pay dearly to recover their confidential data.

Company-wide, step 2: file a complaint and report the ransomware

On a company scale, proceed as follows:

• Keep the evidence of the ransomware your employees or providers have detected. It could be an infected email, encrypted data, firewall reports.
• File a complaint before restoring the compromised files, this way you keep evidence of the cyberattack. You may want to contact the police station or any competent judicial authority.
• Report the ransomware infection to the Information Commissioner’s Office (ICO) if the attack resulted in a violation of the personal data of your employees or clients.

As a reminder, if the personal data handled by your company is unavailable, modified, disclosed or deleted, you are entitled to notify the incident to the ICO. Specify, in that case, the following elements:

• nature of the violation: modification, deletion, dissemination;
• categories of staff members involved and headcount;
• categories of personal data and quantity;
• consequences of the attack on the data, and measures taken to mitigate those;
• Measures you already took as well as measures you consider taking to prevent a second ransomware attack.

Company-wide, step3: repair the computer system and recover the corrupted data

Your company may choose to trust its CIO with getting rid of the malware. Your IT teams will then use sites like No More Ransom to find an appropriate ransomware decryption solution.

If the CIO fails to decrypt the corrupted data, the company may resort to ransomware decryption services. You could contact your usual cybersecurity provider to try to identify any copy made by the intruder. Your cybersecurity provider may also revoke the hacker’s access to your sensitive data.

Then comes a recovery phase. This involves completely reformatting the device, but also restoring your backup copies. Reset all potentially affected devices, as well as the servers.

Company-wide, step4: analyse your computer vulnerabilities

The time of the turmoil due to the theft of your data has passed, now comes the time to analyse the cybersecurity vulnerabilities that allowed the ransomware attack to happen:

• Was it human vulnerability? Think, for example, of devices that might have been recently lost by or stolen from your employees.
• Clicking on a malicious link?
• Phishing?
• Browsing on a corrupted site?
• An intrusion on your computer system for lack of strong passwords?

Once the crisis is over, it is time to activate your DRP, or Disaster Recovery Plan in the event of a cybersecurity breach. This has to have been thought out in advance, so that the operation of your company does not suffer from ransomware in the long term.