Most of our recent articles have been about cyber attacks as a whole, but we felt it was time to address different types of cyber attacks individually. We feel it’s important to do a deep dive into an explanation of each type of cyber attack: A definition of a a specific type of attack, how that type of cyber attack begins, subcategories of the individual types of attacks, who cyber criminals target, the potential results of the attacks (with examples), and steps that you can take to prevent each type of attack.
Today’s topic is ransomware. Let’s start with an explanation of what ransomware is…
According to excerpts from an article by Malwarebytes, they wrote, “Ransomware is a form of malware that locks the user out of their files or their device, then demands a payment to restore access. Ransomware attackers hit businesses, organizations, and individuals alike.
(***Malware, as an umbrella topic, is short for ‘Malicious Software.’ Malware, in the simplest of terms, is software that is designed to damage and destroy computers and computer systems.)
Malware is a significant problem. It’s a scary prospect to have all of your files and data held hostage until you pay up. Below, we’ll talk about ransomware’s different forms, how you get it, where it comes from, who it targets, and ultimately, what you can do to protect against it.
Ransomware definition
Ransom malware, or ransomware, is a type of malware that prevents users from accessing their system or personal files and demands a ransom payment in order to regain access. While some people might think “a virus locked my computer,” ransomware would typically be classified as a different form of malware than a virus. The earliest variants of ransomware were developed in the late 1980s, and payment was to be sent via snail mail. Today, ransomware authors order that payment be sent via cryptocurrency or credit card, and attackers target individuals, businesses, and organizations of all kinds. Some ransomware authors sell the service to other cybercriminals, which is known as Ransomware-as-a-Service or RaaS.
How a Ransomware Attack Begins
How exactly does a threat actor carry out a ransomware attack? First, they must gain access to a device or network. Having access enables them to utilize the malware needed to encrypt, or lock up your device and data. There are several different ways that ransomware can infect your computer.
- Malspam: To gain access, some threat actors use spam, where they send an email with a malicious attachment to as many people as possible, seeing who opens the attachment and “takes the bait,” so to speak. Malicious spam, or malspam, is an unsolicited email that is used to deliver malware. The email might include booby-trapped attachments, such as PDFs or Word documents. It might also contain links to malicious websites
- Malvertising: Another popular infection method is malvertising. Malvertising, or malicious advertising, is the use of online advertising to distribute malware with little to no user interaction required. While browsing the web, even legitimate sites, users can be directed to criminal servers without ever clicking on an ad. These servers catalog details about victim computers and their locations and then select the malware best suited to deliver. Often, that malware is ransomware. Malvertising often uses an infected iframe, or invisible webpage element, to do its work. The iframe redirects to an exploit landing page, and malicious code attacks the system from the landing page via an exploit kit. All this happens without the user’s knowledge, which is why it’s often referred to as a drive-by-download.
- Spear phishing: A more targeted means of a ransomware attack is spear phishing. An example of spear phishing would be sending emails to employees of a certain company, claiming that the CEO is asking you to take an important employee survey, or the HR department is requiring you to download and read a new policy. The term “whaling” is used to describe methods targeted toward high-level decision-makers in an organization, such as the CEO or other executives.
- Social engineering: Malspam, malvertising, and spear phishing can, and often do, contain elements of social engineering. Threat actors may use social engineering in order to trick people into opening attachments or clicking on links by appearing as legitimate—whether that’s by seeming to be from a trusted institution or a friend. Cybercriminals use social engineering in other types of ransomware attacks, such as posing as the FBI in order to scare users into paying them a sum of money to unlock their files. Another example of social engineering would be if a threat actor gathers information from your public social media profiles about your interests, places you often visit, your job, etc., and uses some of that information to send you a message that looks familiar to you, hoping you’ll click before you realize it’s not legitimate.
Whichever method the threat actor uses, once they gain access and the ransomware software (typically activated by the victim clicking a link or opening an attachment) encrypts your files or data so you can’t access them, you’ll then see a message demanding a ransom payment to restore what they took. Often the attacker will demand payment via cryptocurrency.
Types of Ransomware
Three main types of ransomware include scareware, screen lockers, and encrypting ransomware:
- Scareware: Scareware, as it turns out, is not that scary. It includes rogue security software and tech support scams. You might receive a pop-up message claiming that malware was discovered and the only way to get rid of it is to pay up. If you do nothing, you’ll likely continue to be bombarded with pop-ups, but your files are essentially safe. A legitimate cybersecurity software program would not solicit customers in this way. If you don’t already have this company’s software on your computer, then they would not be monitoring you for ransomware infection. If you do have security software, you wouldn’t need to pay to have the infection removed—you’ve already paid for the software to do that very job.
- Screen lockers: Upgrade to terror alert orange for these guys. When lock-screen ransomware gets on your computer, it means you’re frozen out of your PC entirely. Upon starting up your computer, a full-size window will appear, often accompanied by an official-looking FBI or US Department of Justice seal saying illegal activity has been detected on your computer and you must pay a fine. However, the FBI would not freeze you out of your computer or demand payment for illegal activity. If they suspected you of piracy, child pornography, or other cybercrimes, they would go through the appropriate legal channels.
- Encrypting ransomware: This is the truly nasty stuff. These are the guys who snatch up your files and encrypt them, demanding payment in order to decrypt and redeliver. The reason why this type of ransomware is so dangerous is that once cybercriminals get ahold of your files, no security software or system restore can return them to you. Unless you pay the ransom—for the most part, they’re gone. And even if you do pay up, there’s no guarantee the cyber criminals will give you those files back.
Who Do Ransomware Authors Target?
When ransomware was introduced (and then re-introduced), its initial victims were individual systems (aka regular people). However, cybercriminals began to realize its full potential when they rolled out ransomware to businesses. Ransomware was so successful against businesses, halting productivity and resulting in lost data and revenue, that its authors turned most of their attacks toward them.
By the end of 2016, 12.3 percent of global enterprise detections were ransomware, while only 1.8 percent of consumer detections were ransomware worldwide. By 2017, 35 percent of small and medium-sized businesses had experienced a ransomware attack.
Fast forward to the global pandemic in 2020, and the threat persisted: Ransomware gangs attacked hospitals and medical facilities and developed new tactics like “double extortion,” in which attackers are able to extort more money with threats to leak sensitive data by decrypting computers they encrypted. Some ransomware groups offer their services to others, using a Ransomware-as-a-Service or RaaS model.
Geographically, ransomware attacks are still focused on western markets, with the UK, US, and Canada ranking as the top three countries targeted, respectively. As with other threat actors, ransomware authors will follow the money, so they look for areas that have both wide PC adoption and relative wealth. As emerging markets in Asia and South America ramp up on economic growth, expect to see an increase in ransomware (and other forms of malware) there as well.”
We’ll revisit the Malwarebytes article for some tips about protecting yourself from ransomware, but first, let’s give you an example of a ransomware attack…
Ransomware Stories
In excerpts from an article by the Washington Post, they wrote, “A software company at the center of a major ransomware attack said a hack affected between 800 and 1,500 small businesses, potentially making it the largest ransomware attack ever.
Kaseya, which sells software to help other companies manage their computer networks, confirmed hackers broke into its system through a software vulnerability in its code. In a video posted to YouTube, chief executive Fred Voccola said the company shut down the compromised program within an hour of noticing the attack, potentially stopping the hackers from hitting more businesses.
Four days after the attack was discovered, it was still unclear exactly how damaging it was, especially since many businesses have been shut for a long weekend. Kaseya sells software to thousands of IT providers, which in turn often serve thousands of clients, meaning the company touches 800,000 to a million small businesses around the world.
While some experts initially thought that meant the number of affected businesses could stretch into the tens of thousands, even 800 to 1,500 affected companies would still be one of the more significant ransomware attacks ever. For each organization hit, the hack could be crippling, shutting down computers and potentially wiping out all of their files.
On Sunday, REvil said it would accept $70 million in cryptocurrency to unlock all the businesses at once. Jack Cable, a security architect at the cybersecurity consulting firm Krebs Stamos Group, reached out to the hackers to research the offer.”
In a separate article by GrowthBusiness, they wrote, “ A ransomware attack is a nightmare that hits the majority of businesses. In most cases, it finds its way to the devices after someone clicks on the phishing link in an email, downloads an infected attachment, or because of a weak password.
Depending on the hacking capabilities and the kind of malware that is deployed, a ransomware attack can obtain sensitive files or completely lock organizations out of their infrastructures.
According to Statista, over 70 percent of global companies reported that they’ve been a victim of ransomware in 2022.
Here, we cover some major ransomware attack cases that hit the headlines in 2022 thus far to conclude how they affected businesses so that we can learn not to repeat their mistakes.
#1 Advanced
In August 2022, the IT company Advanced stated that it had been the victim of a ransomware attack. Advanced promptly reacted to the threat, mitigated additional risks, and isolated the health and care environment since that is where the incident took place.
The hackers obtained third-party credentials and used them to gain deeper access to the company’s network. They managed to get more privileged access using a stolen password, copy and exfiltrate information, and install malware that decrypts systems.
This was possible because the systems lacked multifactor authentication that would otherwise request users to confirm their identity as they moved deeper into the network.
The incident disrupted not only their own systems but also those of their clients in the UK.
#2 Medibank
In October 2022, Australia’s largest health insurance company, Medibank, was affected by a ransomware attack.
Behind most high-profile ransomware cases are groups of hackers, some of them already widely known to the public. In the Medibank hacking, a well-known ransomware group dubbed REvil was identified to be behind the attack.
Medibank ransomware is one of the worst ransomware attacks that took place this year when it comes to financial damage, as well as the number of users that have been compromised in the incident.
The data breach resulted in hackers gaining the personal information of over 9.7 million customers that used Medibank’s services. The sensitive information from this breach has already been published on the dark web — including passport numbers, names, birth dates, health claims data, medicare numbers, and more.
The customers whose information has been leaked are likely to be victims of further criminal activity, such as attempted phishing and identity fraud.
#3 Entrust
In July 2022, the company that specializes in cybersecurity and data protection, Entrust, was also a victim of a ransomware attack.
A version of LockBit, the software that locks a company’s system, has been identified as the culprit. Since the ransom wasn’t paid, the group started leaking data they obtained in the attack on the dark web.
Although not confirmed by the company itself, it has also been reported that Entrust countered this with Distributed Denial of Service Attack (DDoS) that overwhelmed the site and caused it to be taken down.
#4 Toyota suppliers
In February and March 2022, multiple Toyota suppliers — Kojima Industries, Denso, and Bridgestone — were victims of a ransomware attack.
As a result, Toyota had to cease operation in 14 of its Japanese plants as well as temporarily shut down factories in Central and North America. As you can imagine, this was a very costly affair. The overall monthly productivity of the company has been cut by 5 percent.
Responsible for these attacks was LockBit, yet again. The software was created to lock users out of the systems until the ransom is paid.
#5 Nvidia
In February 2022, Nvidia suffered a ransomware attack. The company claimed that this incident hasn’t caused it to cease its regular operations. However, it has also been made clear that the employee data and some proprietary information had been made accessible online.
Once the company discovered the attack, they engaged in a threat incident response and straightened their security.
Cybercriminals used stolen credentials to gain access to Nvidia’s network. Some employees even used weak passwords that contained the company’s name.
The group that has been identified as a threat actor in the Nvidia ransomware is called Lapsus$. They also victimized the following companies using ransomware: T-Mobile, Samsung, Ubisoft, Vodafone, and Microsoft.
The group requested a million dollars from the company and claimed to have over 1TB of information and data concerning the new chip. They promised to leak it if the company didn’t meet their demands.
To conclude
These ransomware attack cases show that this type of threat is global; it’s on the rise, and behind it are organized groups of skilled hackers. What’s worse, anyone is likely to be targeted and extorted.
Also, having security solutions that can detect and mitigate this specific threat before it turns into an incident that damages one’s finances and reputation, as well as strong credentials, can aid businesses in avoiding ransomware.”
The Cost of Ransomware Attacks
In excerpts from an article by ProWriters, they wrote, “For many years, the average small business was unlikely to be targeted for a sophisticated cyber attack. That’s no longer the case. Small and medium businesses (SMBs) have become frequent targets because they are perceived by cyber criminals as less prepared.
Unfortunately, the numbers tell us that this is often true. A new study reveals that 57% of SMBs believe they won’t be targeted by online criminals, but almost 20% experienced an attack in the past year. These data breaches are costing more than ever before, with an average cost of a data breach for small businesses at $108,000. And, lost money isn’t the only matter at stake.
In small data breaches, the costs, disruption, and reputational damage are all greater than the small business ever anticipated. Businesses often mistakenly assume, “It won’t happen to me” or “This is probably covered somewhere in my insurance.”
Businesses are responsible for any damages associated with a third-party data breach. This type of event can be very damaging to small companies and can put many of them out of business because they often don’t have the financial resources to manage a breach.
Burying your head in the sand isn’t a good approach, as a data breach can be incredibly costly. Check out these figures:
- How Much Does a Data Breach Cost a Business?
For a small or medium-sized business (SMB), the average cost of a breach is $108,000, as stated above. Meanwhile, the cost for enterprises (businesses with more than 1000 employees) has risen to $1.41 million, up from $1.23 million the previous year. The financial damage will vary significantly depending on the size of the company and the nature of the breach.
- What is the Average Per-Record Cost of a Data Breach?
In 2020, breached data cost businesses an average $150 per record––and even more ($175) when breached via a malicious attack.
- How Many Businesses Get Hacked a Year?
More than 10,000 cyber claims are made each year, which doesn’t even include those submitted via a cyber add-on to another policy. It’s estimated that more than half of all businesses suffer a hack in a given year.”
It’s important to note that ProWriters is an insurance company. So when they wrote, “10,000 cyber claims are made each year, that figure doesn’t include competitors cyber insurance claims, SMBs who have cyber “add-on policies,” SMBs that don’t have cyber insurance or SMBs who don’t qualify for a claim.
Ransomware Prevention Tips
Going back to the Malwarebytes article that we mentioned at the beginning of this post, let’s see what they have to say about the prevention tips they offer…
Removing ransomware
“They say an ounce of prevention is worth a pound of cure. This is certainly true when it comes to ransomware. If an attacker encrypts your device and demands a ransom, there’s no guarantee they will unencrypt it whether or not you pay up.
That is why it’s critical to be prepared before you get hit with ransomware. Two key steps to take are:
- Install security software before you get hit with ransomware
- Back up your important data (files, documents, photos, videos, etc.)
If you do find yourself with a ransomware infection, the number one rule is to never pay the ransom. (This is now advice endorsed by the FBI.) All that does is encourage cybercriminals to launch additional attacks against either you or someone else.
One potential option for removing ransomware is that you may be able to retrieve some encrypted files by using free decryptors. To be clear: Not all ransomware families have had decryptors created for them, in many cases because the ransomware is utilizing advanced and sophisticated encryption algorithms. And even if there is a decryptor, it’s not always clear if it’s for the right version of the malware. You don’t want to further encrypt your files by using the wrong decryption script. Therefore, you’ll need to pay close attention to the ransom message itself, or perhaps ask the advice of a security/IT specialist before trying anything.
Other ways to deal with a ransomware infection include downloading a security product known for remediation and running a scan to remove the threat. You may not get your files back, but you can rest assured the infection will be cleaned up. For screen-locking ransomware, a full system restore might be in order. If that doesn’t work, you can try running a scan from a bootable CD or USB drive.
Prevention
While there are methods to deal with a ransomware infection, they are imperfect solutions at best, and often require much more technical skill than the average computer user. So here’s what we recommend people do in order to avoid the fallout from ransomware attacks.
- The first step in ransomware prevention is to invest in awesome cybersecurity—a program with real-time protection that’s designed to thwart advanced malware attacks such as ransomware. You should also look out for features that will both shield vulnerable programs from threats (an anti-exploit technology) as well as block ransomware from holding files hostage (an anti-ransomware component).
- Back up your data. Assuming you have backups available, remediating a ransomware attack is as simple as wiping and reimaging infected systems. You may want to scan your backups to ensure they haven’t been infected because some ransomware is designed to look for network shares. Accordingly, you’d do well to store data backups on a secure cloud server with high-level encryption and multiple-factor authentication.
- Patch and update your software. Ransomware often relies on exploit kits to gain illicit access to a system or network (e.g. GandCrab). As long as the software across your network is up-to-date, exploit-based ransomware attacks can’t hurt you. On that note, if your business runs on outdated or obsolete software, then you’re at risk for ransomware because the software makers aren’t putting out security updates anymore. Get rid of abandonware and replace it with software still being supported by the manufacturer.
- Educate your end users on malspam and creating strong passwords. The enterprising cybercriminals behind Emotet are using the former banking Trojan as a delivery vehicle for ransomware. Emotet relies on malspam to infect an end user and get a foothold on your network. Once on your network, Emotet shows worm-like behavior, spreading from system to system using a list of common passwords. By learning how to spot malspam and implementing multi-factor authentication, you’re end users will stay one step ahead of cybercriminals.
- Invest in good cybersecurity technology. Malwarebytes Endpoint Detection and Response, for example, gives you detection, response, and remediation capabilities via one convenient agent across your entire network.
What do you do if you’re already a victim of ransomware? No one wants to deal with ransomware after the fact.
- Check and see if there is a decryptor. In some rare cases, you may be able to decrypt your data without paying, but ransomware threats evolve constantly with the aim of making it harder and harder to decrypt your files, so don’t get your hopes up.
- Don’t pay the ransom. We’ve long advocated not paying the ransom, and the FBI (after some back and forth) agrees. Cybercriminals don’t have scruples, and there’s no guarantee you’ll get your files back. Moreover, by paying the ransom, you’re showing cybercriminals that ransomware attacks work.”
At Adaptive Office Solutions, cybersecurity is our specialty. We keep cybercrimes at bay by using analysis, forensics, and reverse engineering to prevent malware attempts and patch vulnerability issues. By making an investment in multilayered cybersecurity, you can leverage our expertise to boost your defenses, mitigate risks, and protect your data with next-gen IT security solutions.
Every single device that connects to the internet poses a cyber security threat, including that innocent-looking smartwatch you’re wearing. Adaptive’s wide range of experience and certifications fills the gaps in your business’s IT infrastructure and dramatically increases the effectiveness of your cybersecurity posture.
Using our proactive cybersecurity management, cutting-edge network security tools, and comprehensive business IT solutions, you can lower your costs through systems that are running at their prime, creating greater efficiency and preventing data loss and costly downtime. With Adaptive Office Solutions by your side, we’ll help you navigate the complexities of cybersecurity so you can achieve business success without worrying about online threats.
To schedule a Cyber Security Risk Review, call the Adaptive Office Solutions’ hotline at 506-624-9480 or email us at helpdesk@adaptiveoffice.ca