Ransomware is malware that locks users out of their data, or renders it unreadable through encryption, until a ransom is paid.
Cybercriminals know how to profit from uncertainty, and the Coronavirus pandemic in the United States is a case in point. Since the beginning of the year organizations have had to make major changes to their IT architectures so that employees can work remotely, and because those changes were made in a hurry, many have been left with security holes that criminals can exploit. To stretch a nautical metaphor: nobody stopped to tar the hull, and attackers are now sending wave after wave at a vessel full of leaky ports.
According to Check Point’s study, the number of daily ransomware attacks in Q3 2020 was 50% higher than in the first half of the year. The US was the most targeted country, with its ransomware attacks nearly doubling, and it was not alone: India, Sri Lanka and Russia also reported increases.
SonicWall’s recent research shows a 40% rise in ransomware attacks in Q3 2020 compared with the previous quarter, and the same study found that Ryuk alone was responsible for a third of them. Attackers have increasingly been using Ryuk against healthcare facilities.
Attacks are not only more numerous but also more sophisticated. Because bad actors keep finding new ways past existing security layers, most businesses should treat a ransomware incident as a question of when rather than if. So how do attackers get into your system, and what is the best way to recover once you are the sinking sailor?
What is Ransomware and How Does it Work?
Ransomware comes in two types: crypto-ransomware and locker-ransomware. Crypto-ransomware encrypts the victim’s files and demands a ransom for the key needed to decrypt them. Locker-ransomware does not encrypt files; instead it locks the victim out of the device or its interface and demands a ransom to restore access. In both cases the attacker demands payment, and increasingly threatens to publish stolen sensitive information, or to destroy the data permanently, if the victim refuses.
How does ransomware infiltrate your system?
It often begins with a trojan: malware disguised as legitimate software so that the victim believes it is harmless. Emotet, a notorious trojan first discovered in 2014, has returned in a series of attacks that, according to CISA, make it one of the most serious ongoing threats facing organizations.
Spam email is the most common way trojans like Emotet get in: the recipient clicks a URL or opens an attachment and the trojan is downloaded. Emotet is then used as a loader for second-stage malware such as TrickBot and Qbot, which spreads laterally through the network, steals credentials and deploys backdoors, with the domain controller as its most important target. Once the attacker controls the domain controller, they can push ransomware such as Ryuk to the company’s systems, encrypt its data and demand payment.
Ransomware does not always need a user to spread it. WannaCry is a worm: it replicates itself and spreads through a network by exploiting a Windows SMB vulnerability, with no malicious URL or attachment required.
How can you recover from a ransomware attack?
Pay no ransom.
First, don’t pay the ransom. Unless the data exists nowhere else, weigh the cost of losing it against the amount being demanded. There are several reasons not to pay:
You are dealing with criminals. Paying gives you no guarantee that you will get your data back.
Every payment proves that the attacker’s process works and encourages them to target other organizations, which in turn pay up. It is a vicious cycle.
Paying roughly doubles the cost of the attack. Even if you get your data back, the malware may still be on your servers, so they still have to be cleaned thoroughly; on top of the ransom you pay for downtime, staff time and replacement devices.
Sophos’ survey found that 26% of ransomware victims got their data back by paying the ransom, while 1% paid and still did not get it back. 56% recovered their data from backups, more than twice the proportion who paid.
Report the attack.
After you have taken a deep, calm breath and put your wallet away, report the attack. This helps the authorities identify the attacker and their targets, and can prevent others from being hit.
Your local police can generally connect you with their cybercrime investigation unit. In the US you can report through the OnGuard Online site (the FBI’s IC3 portal at ic3.gov also takes reports); in the UK, through Action Fraud.
Cleanse your system.
A number of software packages claim to remove ransomware from your system, but there are two problems. First, nobody but the attacker can be certain that the ransomware has been completely removed. Second, a clean system does not get your data back: there is no single decryption tool that works for every ransomware family, and it takes experts time to build one that can unscramble a given family’s files, if it is possible at all.
Decryption means running the encrypted file through the decryption function together with the correct key; without that key the original file cannot be recovered. Modern attacks generate a unique key for each victim, and a properly generated key cannot be found by brute force on any practical timescale, even with a supercomputer. TeslaCrypt illustrates the shift: its early versions used a key scheme that let a single recovered key unlock the data of multiple victims, whereas later versions, like modern ransomware generally, give each victim a unique encryption key.
The safest course is to wipe every storage device and start over, reinstalling everything from the ground up. That ensures no ransomware is lurking in a dark corner and gives you a clean slate onto which to restore your data.
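The difference between the two key designs above is easiest to see in code. The following is an added Python example written for this article, not code from the page or from any ransomware family; it works only on constructed in-memory byte strings (VICTIM_FILES), uses a toy SHA-256 counter-mode stream cipher (keystream_xor) in place of a real cipher, and the 1e18 keys-per-second brute-force rate is a hypothetical figure. It shows why one recovered key was enough to build a decryptor for early TeslaCrypt but is useless against a per-victim key scheme.

```python
import hashlib
import secrets

# Constructed sample "victim data": in-memory byte strings standing in for two
# victims' files. Nothing in this example touches the filesystem.
VICTIM_FILES = {
    "victim-a": b"quarterly-report.xlsx: revenue 4.2M, margin 18%",
    "victim-b": b"patient-db.sqlite: 12,304 records",
}


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR the data with a SHA-256 counter keystream.
    Real ransomware uses AES or ChaCha20, but the property that matters is the
    same: the plaintext comes back only with exactly this key. XOR is its own
    inverse, so the same function encrypts and decrypts."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_shared_key(files: dict) -> tuple:
    """Early-TeslaCrypt-style design: one key shared by every victim."""
    key = secrets.token_bytes(32)
    return key, {name: keystream_xor(key, data) for name, data in files.items()}


def encrypt_per_victim(files: dict) -> tuple:
    """Modern design: a fresh random 256-bit key per victim."""
    keys = {name: secrets.token_bytes(32) for name in files}
    return keys, {name: keystream_xor(keys[name], data) for name, data in files.items()}


def recover_with_key(ciphertexts: dict, key: bytes) -> dict:
    """What a decryption tool built from one recovered key does: apply that key
    to every ciphertext it is given."""
    return {name: keystream_xor(key, ct) for name, ct in ciphertexts.items()}


def count_recovered(ciphertexts: dict, key: bytes, originals: dict) -> int:
    """How many victims the given key actually restores to their original data."""
    plain = recover_with_key(ciphertexts, key)
    return sum(1 for name in originals if plain[name] == originals[name])


def brute_force_years(key_bits: int = 256, keys_per_second: float = 1e18) -> float:
    """Expected years to brute-force a random key at a hypothetical rate.
    1e18 keys/s is far beyond any real machine; the answer is still absurd."""
    return (2 ** (key_bits - 1)) / keys_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    shared_key, shared_cts = encrypt_shared_key(VICTIM_FILES)
    print("shared-key design, one key recovered:",
          count_recovered(shared_cts, shared_key, VICTIM_FILES), "of 2 victims restored")
    keys, cts = encrypt_per_victim(VICTIM_FILES)
    print("per-victim design, victim-a's key recovered:",
          count_recovered(cts, keys["victim-a"], VICTIM_FILES), "of 2 victims restored")
    print("brute-forcing a 256-bit key at 1e18 keys/s: %.2e years" % brute_force_years())
```

The practical consequence is the one the paragraph draws: a public decryptor exists for a family only when its key management was flawed (a shared key, a key left on disk, or a master key released later), never because someone brute-forced the key.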
Restore your data.
This is where backups come in. Traditionally, data backup was treated as an IT compliance issue: something done to tick boxes and pass audits. It is now, with good reason, increasingly seen as a security issue.
Seymour says that while it is not always possible to prevent a cyberattack, mitigating its impact definitely is, which is why backup should be treated as security. An organization that falls victim to ransomware faces two choices: pay the ransom, which is not advised, or carry on without the data. If it has a backup strategy built to withstand cyberattacks, it can recover quickly, access its data without any downtime and save money.
There are several ways to restore data from backups. The first is a do-it-yourself restore, which is easy and inexpensive, but it has drawbacks: the data you restore may itself contain malware, and anything that was never backed up, such as personal files, will not be available, so even after going back to step one you may not recover everything you lost. That is why your backup plan should also allow for third-party disaster recovery.
Backup and disaster recovery solutions take point-in-time copies of all your files, databases and machines and write them to secondary storage that is isolated from your local systems. That gives you both an assured recovery of all your files and the vendor’s support in managing the recovery. The only drawback is that you have to pay for it; nothing comes for free.
Point-in-time recovery, also known as continuous data protection (CDP) or journaling, is another method organizations can use to recover from ransomware. Because every change is journaled, an organization can roll back to a state only seconds before the attack began.
Seymour says that with a backup strategy organizations can rest assured that their data is safe and available. CDP gives organizations the ability to recover all their data at a precise point in time before the attack happened, minimising data loss. Caroline says that the best CDP solutions can be customized to retrieve exactly what an organization needs, and explains that this ensures a quick return to a functional state. Traditional backup tools based on snapshots, she adds, can expose an organization to data loss in the gap between snapshots.
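The point about isolated secondary storage, and the contrast between journaled point-in-time recovery and snapshot-based backup, can be made concrete with a small model. The following is an added Python example written for this article, not code from the page or from any backup vendor. The timeline it builds (ChangeJournal, build_scenario, ATTACK_TS and the file contents) is constructed: hourly snapshots at t=0 and t=3600, three ordinary edits in between, and ransomware that overwrites every file at t=3000, so the t=3600 snapshot faithfully captures the encrypted state.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class JournalEntry:
    ts: int                   # seconds since an arbitrary epoch (constructed)
    path: str
    content: Optional[bytes]  # None records a deletion


class ChangeJournal:
    """Continuous data protection modelled as an append-only, time-ordered
    write journal. There is deliberately no method to delete or rewrite an
    entry: the journal lives on isolated storage that the protected host can
    only append to, so malware on that host can add to history, never edit it."""

    def __init__(self) -> None:
        self._entries: List[JournalEntry] = []

    def record(self, ts: int, path: str, content: Optional[bytes]) -> None:
        if self._entries and ts < self._entries[-1].ts:
            raise ValueError("journal entries must arrive in time order")
        self._entries.append(JournalEntry(ts, path, content))

    def restore(self, point_in_time: int) -> Dict[str, bytes]:
        """Replay every write up to and including point_in_time."""
        state: Dict[str, bytes] = {}
        for e in self._entries:
            if e.ts > point_in_time:
                break
            if e.content is None:
                state.pop(e.path, None)
            else:
                state[e.path] = e.content
        return state


def snapshot_restore(snapshots: Dict[int, Dict[str, bytes]],
                     point_in_time: int) -> Dict[str, bytes]:
    """Traditional snapshot backup: the newest full snapshot at or before the
    requested time. Everything written after that snapshot is lost."""
    usable = [ts for ts in snapshots if ts <= point_in_time]
    return dict(snapshots[max(usable)]) if usable else {}


ATTACK_TS = 3000  # constructed: the ransomware starts overwriting files here


def build_scenario():
    """Constructed timeline of host writes, each replicated to the journal,
    with full snapshots taken at t=0 and t=3600."""
    journal = ChangeJournal()
    snapshots: Dict[int, Dict[str, bytes]] = {}
    live: Dict[str, bytes] = {}  # the host's own disk

    def write(ts: int, path: str, content: bytes) -> None:
        live[path] = content
        journal.record(ts, path, content)

    write(0, "report.docx", b"v1")
    write(0, "notes.txt", b"n1")
    snapshots[0] = dict(live)
    write(600, "report.docx", b"v2")
    write(1800, "notes.txt", b"n2")
    write(2400, "budget.xlsx", b"b1")
    for path in list(live):  # the ransomware's writes are journaled like any other
        write(ATTACK_TS, path, b"ENCRYPTED")
    snapshots[3600] = dict(live)  # this snapshot captures the encrypted files
    return journal, snapshots


def recovery_comparison() -> Dict[str, Dict[str, bytes]]:
    """Recover to the last clean second with each method."""
    journal, snapshots = build_scenario()
    target = ATTACK_TS - 1
    return {
        "journal": journal.restore(target),
        "snapshot": snapshot_restore(snapshots, target),
        "journal_after_attack": journal.restore(ATTACK_TS),
    }


if __name__ == "__main__":
    for method, state in recovery_comparison().items():
        print(f"{method:>20}: {state}")
```

Rewinding the journal to t=2999 returns all three files with every edit up to t=2400 intact, while the best snapshot available for the same target is the one from t=0, which loses the morning’s edits and the new budget file entirely; restoring to t=3000 or later from either source returns encrypted data, which is why the recovery point has to be chosen from the journal’s timeline rather than from whatever backup happens to be newest.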