How Should Companies Handle Ransomware?

03.03.23
The rise of ransomware has been a major concern for companies in recent years. It is estimated that more than 75% of businesses with an online presence were targeted by ransomware in 2021. This might sound like a lot, but if you broaden the definition of attack to include any kind of cyber attack, that figure would be closer to 100%.
Ransomware has the potential to completely cripple a business, and for that reason it's something all companies should be aware of. But what exactly is ransomware? How should a company respond if it is targeted? Can companies do anything to prepare for a ransomware attack?
We've got you covered with this comprehensive guide to handling and preparing for potential ransomware attacks.
What is Ransomware?
Ransomware is a type of malicious software that seeks to encrypt important files on computers until a ransom, usually in the form of money or cryptocurrency, is paid. It can cause serious damage to online data and systems, potentially leading to extended system downtime and the loss of important documents. This type of attack has become increasingly common since the onset of the digital age and shows no sign of slowing anytime soon.
What is the Threat of Ransomware to Your Company?
Ransomware has the potential to wreak havoc on a business, your company included. Ransomware is not only malware that locks up your systems; some attacks also encrypt and lock up data, preventing you from accessing important paperwork, contracts and financial information. The result? Your operations could come to a grinding halt until you settle the ransom demand made by the attackers.
How Does Ransomware Work?
The basic principle of ransomware is that it finds a way to get into a system and then holds it to ransom. In simple terms, ransomware works by getting past your computer's security measures, gaining access to systems and encrypting your files. That means you can no longer open or modify any of the encrypted files until you have paid the required ransom. Ransomware has become an incredibly effective way for criminals to make money quickly and anonymously.
In recent years there have been some notable ransomware attacks.
LockBit
According to a recent report, the LockBit ransomware has been targeting businesses in the United States and Europe. The ransomware encrypts victims' files and then demands a ransom for the decryption key. There have been several high-profile cases of businesses being infected with LockBit, including a hospital in Germany and an energy company in Italy. Experts believe that this particular ransomware is being distributed through phishing emails.
Conti Ransomware Family
The Conti ransomware family is a relatively new form of malware that has emerged in the past few months. According to security researchers, this particular family of ransomware is being used to target businesses in Europe, specifically those operating in the healthcare and finance sectors. What sets this family apart from other forms of ransomware is its ability to spread quickly across networks using Remote Desktop Protocol vulnerabilities. If your business is targeted by this ransomware, it can quickly infect other systems and encrypt their data, making it impossible to access until a ransom is paid.
Blackcat Ransomware
In 2021, the Blackcat ransomware attacked a number of businesses across Europe. It was spread through phishing emails that contained malicious links and attachments.
REvil Ransomware
The REvil ransomware attack is one of the most notorious cyberattacks in recent years, targeting businesses across multiple industries.
PYSA Ransomware
PYSA ransomware was first detected in 2021 and has been targeting businesses around the world with devastating results. It uses sophisticated techniques to spread across networks, making it difficult to detect and contain. It also leverages public cloud services to gain access to networks, further complicating security measures.
What Are The Most Common Types of Ransomware?
There are a few different kinds of ransomware. The most common types of ransomware are crypto-ransomware and locker ransomware. Crypto-ransomware encrypts files on the system, making them unreadable until a ransom is paid. Locker ransomware prevents users from logging into their computers or networks by locking up an entire system until a payment is made. Within the world of ransomware, there are some subcategories depending on the main method of getting into a system or what the attacker is trying to achieve within it.
Phishing Emails and Social Engineering
Phishing emails are disguised as legitimate messages from people or organisations, but they actually contain malicious links or attachments that can install ransomware on your system. Social engineering is when attackers attempt to manipulate users into giving up sensitive information or taking actions that would give them access to the system. This can also be done via phone calls and text messages. The attackers may pretend to be customer service representatives or technicians in order to get what they want. Social engineering often relies on targeting vulnerable people who might not be very conscious about cybersecurity.
Credential theft
Credential theft is a type of attack where attackers steal user credentials such as usernames and passwords. This can be done through phishing emails, malicious links, social engineering, and other methods. Credential theft is one of the most dangerous routes for ransomware, as it can lead to stolen intellectual property, financial loss and reputational damage.
Operating System/Software and Other Backend Vulnerabilities
Ransomware that arrives through operating system and software vulnerabilities is a type of attack where attackers exploit weaknesses in systems or applications to gain access and encrypt data. This can be done by exploiting unpatched security flaws, using malicious software or malware, and taking advantage of weak passwords or weak encryption methods.
Preexisting Malware
Preexisting malware is malicious code that has been designed to gain access to a system without the user's knowledge. It often disguises itself as legitimate software in order to avoid detection, and it can be used to install more ransomware on a system. Ransomware delivered by preexisting malware is one of the most difficult forms to detect and prevent, as it often takes advantage of existing vulnerabilities in operating systems or applications.
What Steps Are There in a Normal Ransomware Attack?
Although no two ransomware attacks are the same, there are some common steps in the process.
Infection
The first step of any ransomware attack is for the malware to gain access to a system. This is usually done through phishing emails, malicious links, social engineering and other methods.
Encryption
Once the malware has gained access to a system, it will encrypt files and documents that are stored on the system.
Ransom
The attacker then sends out a notification demanding payment in order to unlock the encrypted files or networks. This demand is usually made in the form of cryptocurrency, such as Bitcoin or Ethereum.
Payment
At this point, the victim must decide whether they want to pay the ransom or not. They often do pay it because they don't feel they have a choice.
Decryption
Once the ransom is paid, the attacker will then unlock the encrypted files and/or networks. This isn't always the case, though. Sometimes attackers will simply take the money and delete the files or leave them encrypted. Attackers have also been known to 'up the ransom' when a victim seems to be OK with paying it.
How Can Companies Lower Their Risk of Ransomware?
The available technologies to detect ransomware are not 100% effective, so it is advisable that all businesses have some sort of strategy or system in place to help lower the risk of a ransomware attack.
There are organisations like the Cybersecurity and Infrastructure Security Agency (CISA) in the United States and the European Union Agency for Cybersecurity (ENISA) that provide useful guidance and resources to help protect against ransomware threats.
Organisations can also consider implementing a comprehensive cybersecurity strategy which includes the following.
Protection and Prevention
Organisations should ensure that they have up-to-date antivirus software and patch regularly to reduce the risk of ransomware attacks. They should also monitor their networks on a regular basis to detect any unusual activity. Furthermore, it is important for companies to establish strong passwords and multi-factor authentication as an extra layer of security.
Incident Response
Companies should have an incident response plan in place that outlines the steps they need to take if they are hit with a ransomware attack. This should include contacting appropriate authorities and having an established procedure for recovering data and systems.
Removal and Recovery
A removal and recovery process focuses on quickly and effectively regaining control of files or networks.
What Should You Do if You Are Attacked by Ransomware?
If you are hit with a ransomware attack, it is important to stay calm and not panic. It is also essential that organisations notify law enforcement authorities as soon as possible. Try not to think about the ransom that has been requested and instead run through the following checklist.
Contact Your Incident Response Team
Make contact with your incident response team and start the process of triaging systems that have been impacted by the attack.
Identify Infected Systems
Figure out exactly which systems have been affected by the attack and make sure they are isolated immediately.
Don't Make Any System Changes
Do not under any circumstances make any system changes after a ransomware attack has been discovered. Changes made to a system that has been infected with ransomware could limit the ability to collect evidence later.
Assess The Integrity of your Backup Systems
Check any backup systems to determine if the data contained in them can still be used for recovery or if it has also been infected.
Contact Your Legal Team
Inform your legal team of the situation. They will most likely have procedures that they would also like you to follow in a ransomware attack situation.
Keep Managers and Senior Leadership Team Informed
Make sure that all managers, senior leaders and relevant stakeholders are informed of the situation. Not only does this step ensure that everyone is informed, but it can also help to remind colleagues to be vigilant.
Should you pay the ransom if you are the victim of a ransomware attack?
Paying the ransom is a difficult decision, and it's advisable to discuss this with your legal team first. Generally, experts advise against paying ransoms as there is no guarantee that victims will get their data back or that attackers won't simply demand more money. Even law enforcement agencies like the FBI and Interpol don't recommend paying attackers in the hopes of regaining control and restoring access to data.
As mentioned earlier, no two attacks are ever the same, and the decision to pay a ransom should never be made without first engaging with law enforcement and experts.
Who should you notify if you have been the target of a ransomware attack?
If you have been the target of a ransomware attack, it is important to notify the authorities as soon as possible. This includes local law enforcement, cyber security experts and other relevant organisations such as your internet service provider or cloud provider if applicable.
It is also important to inform any third-party vendors or partners who may have access to your data, systems or networks. This will help to alert them and ensure that they are also taking steps to protect themselves from this attack. In addition, notifying the authorities can help with investigations into the incident and can assist in bringing the attackers to justice.
Are There Any Other Resources That Can Help You With Ransomware?
Yes, there are a number of resources available to help organisations handle ransomware attacks. These include cybersecurity experts and legal teams who have experience in dealing with such threats. There is also a range of online resources that can provide guidance on best practices for responding to an attack and for putting preventative measures in place to make sure your organisation is as safe as possible. Additionally, organisations can also look into cyber insurance policies, which may provide financial protection in the event of a ransomware attack.
CISA has created a very handy Ransomware Guide that is based on research and expert advice. Equally, ENISA (the European equivalent of CISA) has also put together their own version based on experience and guidelines in Europe.
How a Vulnerability Management System Can Help Defend Against Ransomware Attacks
A vulnerability management system is an important tool for detecting and responding to ransomware attacks. An effective vulnerability management system allows you to monitor all cybersecurity issues across your organisation's assets in a timely manner, and supports your ability to remediate quickly.
For example, a vulnerability management system allows organisations to quickly identify vulnerable systems and focus efforts on patching them before the vulnerabilities can be used by attackers. Additionally, it provides visibility into any malicious activity on the network and can alert organisations if suspicious activity is detected. This enables businesses to take appropriate action in a timely manner, which can be essential in containing the attack.
Cybersecurity is a constantly changing yet integral element of operating as a business in an incredibly interconnected world, and investing in some sort of vulnerability management system will put your business in the best possible position, should you be unfortunate enough to be targeted by ransomware. If you would like to find out more about how a system like this can give you more peace of mind, schedule a free demo with Nanitor today.
Conclusion
Keeping on top of your cyber security is essential in today's digital environment. By taking the time to understand their potential risk points, implementing preventative measures like a vulnerability management system, and notifying law enforcement quickly if an attack occurs, companies can minimise the damage caused by ransomware and protect their data, systems and networks.
By taking proactive steps and following best practices, organisations can help to keep their data safe and secure. Taking the time to plan, prepare and understand your organisation's risk points can go a long way in helping prevent or mitigate damage from ransomware attacks. With the right tools and resources, companies can protect themselves from this increasingly common threat.