In 2017, the devastating WannaCry ransomware attack hit multiple organisations including the NHS, locking the PCs of victims with dire consequences. Nearly two years later, ransomware continues to target businesses and the public sector. Only last month, aluminium producer Norsk Hydro was forced to switch to manual operations after being hit by the malicious software.
The overall cost can be huge. Norsk Hydro estimates the price of the attack has reached $40m so far and this number is still growing. Other businesses hit by ransomware include French construction firm Saint Gobain which estimated it lost €80m of operating income due to a 2017 attack.
Ransomware is a big threat because it typically encrypts a firm’s data, preventing access to it. The decryption keys will only be offered once a firm pays a ransom – which can amount to millions of pounds. And even if the ransom is paid, there’s no guarantee information will be released.
Any company can become a victim of ransomware. Some businesses believe they are too small to be attacked, but “that is not how it works”, says Bill Siegel, CEO at Coveware. He says the vast majority of ransomware attacks occur because a company has not patched a common security vulnerability, such as an exposed remote access port.
ML and AI in cyber security: real opportunities overshadowed by hype
Siegel explains: “Cybercriminals can search for lists of vulnerable company IP addresses. They can even mass target these lists with a wide variety of attack techniques. It is only after a company has been breached and encrypted that the attackers actually bother to figure out who the company is, or what they do.”
Criminals use ransomware because it allows them to make an easy profit. It takes time to make money from data dump attacks: criminals have to find a buyer for the information, says Allan Liska, senior solutions architect and ransomware expert at Recorded Future.
In contrast, he says: “With ransomware, you launch the attack, infect the systems and they pay you straight away.”
The malicious software has been prevalent for a couple of years now. As it develops, ransomware is steadily shifting from opportunistic towards targeted attacks, says Christopher Elisan, director of intelligence at Flashpoint. “Threat actors realised there are a lot of victims willing to pay a ransom to get access to their files – which led them to start thinking big.”
SamSam is one ransomware variant that continues to cause havoc for businesses. “Unlike the usual ransomware variants – which are created for the mass market and sent to multiple people – the threat actors using SamSam are much more targeted,” says Martin Lee, outreach manager for Cisco’s Talos security team.
These attacks are combined with network intrusions: once a threat actor is inside an organisation the attack can “spread out, identify the critical systems and install ransomware on these, hitting the business with an extremely damaging attack”, says Lee.
So what typically happens when a firm is hit by ransomware? It is a multi-step process, says Siegel. “It involves the initial compromise; the use of exploit kits to harvest administrative credentials so the attacker can elevate their access; and network recon so the adversary can map the topography of the critical systems and their defences.
AI and data security: a help or a hindrance?
“Then, when the time is right, disablement of antivirus and endpoint protection and detonation of the encryption payload on both backups and primary machines. If the victim company does not have properly partitioned backups that were missed by the attacker, this will basically cripple an organisation – which maximises the negotiating leverage of the attacker to extort a large ransom payment.”
Typically, a business finds out about the attack when an employee or network admin notices a machine or drive is offline and finds the encryption and ransom notes, says Siegel.
And once it has taken hold, mitigating ransomware can be challenging. One of the most difficult questions for companies is whether they should pay the ransom. The UK’s National Cyber Security Centre says no, but some experts say there are times when paying is the only option.
Paying: A last resort
Siegel says firms should pay the ransom “strictly as a last resort”. First, he recommends all available backups are restored and recovered, and that companies make a full inventory of critical systems still unavailable. “At that point, the operability of the company should be assessed to determine if having to pay should even contemplated.
“We recommend the attacker should be engaged in parallel just in case a ransom payment becomes an option. It can take 24 to 48 hours to negotiate and pay a ransom, so starting that process in parallel can save material amounts of downtime. If the company decides it’s not a viable option, the communications with the attacker are dropped.”
If firms decide not to pay, says Liska: “You need to first find out how bad guys got in and lock systems so they can’t get access again. Then you start restoring files and afterwards check they didn’t leave a loader or something else. You can also bring in a third party to check residual malware has not been left behind.”
One of the most important considerations with backup is an off-site strategy, outside of the active network, says Tim Brown, VP of Security for SolarWinds MSP. “This makes malicious encryption on that copy nearly impossible.”
What killed the ransomware gold rush?
Low latency on downtime is integral, says Siegel. “How quickly a company can recover is the realistic measuring stick, not absolute prevention. The basics involve the right hardware, software and employee operations.”
Layered security defences are key, says Chris Dawson, threat intelligence lead at Proofpoint. He advocates up-to-date endpoint and network protections and regular patching regimens for applications and operating systems.
Employees should also be trained on the threat of ransomware as well as methods the malware uses to breach a business. In addition, says Liska. “You need a recovery plan in place: how did the attacker get in, what systems were hit – and was backup impacted? Sometimes attackers look for network accessible backups and encrypt them as well.”
Ransomware attacks will continue to grow in sophistication, so it’s important that firms are prepared. How an attack is handled will be unique to each organisation, but experts agree that a plan must be in place that assumes the worst could happen.