If you feel like you’re hearing about ransomware a lot right now, it’s not in your imagination. In the second half of 2018, ransomware attacks on businesses went up by 88%. It’s become lucrative to prey on companies that are desperate to restore their data and resume day-to-day functions. The popular ransomware variant, Ryuk, has made the news a lot recently, particularly for the high ransom demands. These news stories are only the tip of the iceberg. The majority of ransomware attacks happen in the private sector, and businesses choose not to disclose them. Also, while it may seem that ransomware is only happening to the “big fish” out there, that’s not the case. Hackers use ransomware to extort small businesses every single day.
How does ransomware work?
Ransomware is malware that encrypts the victim’s data so they cannot access it until a ransom is paid. After the ransom is paid, typically in Bitcoin, a decryption key is usually, but not always, provided.
How does a system get infected with ransomware?
The most common method (as high as 90%) for ransomware infections is through a poorly protected Windows Remote Desktop Protocol (RDP) port. Port scanners can be used to search the internet for default RDP ports. Credentials are usually brute-forced by working through a list of common passwords, but it’s also possible to buy them on the dark web. Thousands of RDP credentials from previous data breaches are available on the dark web for about $3 each. Once a hacker has gained access, they escalate their privileges, download the ransomware, and manually install it. Other methods use email phishing to steal credentials or spam emails to trick recipients into accidentally installing the ransomware directly.
What happens during a ransomware attack?
Each ransomware variant has different behaviors; however, many share the same characteristics. It’s common for ransomware to remove antivirus or other security software and delete any Windows Restore Points. Ransomware usually encrypts a long list of file types, not only essential data files. It’s also common for it to delete or encrypt backup data. Attackers typically leave ransom notes in highly visible locations within a network. Some varieties of ransomware even remove themselves afterward.
How does a business recover from a ransomware attack?
Some businesses decide that paying the ransom is the best course of action, particularly if they don’t have backups. Data loss is still a consideration with this approach; however, the data recovery rates from hacker-provided decryption tools are quite high at 87-100%. While it may be a safer bet for data recovery, it still isn’t a fast process. Evaluating damages, purchasing Bitcoins, backing up files, decrypting files, and cleaning infected systems all require significant time. It may take businesses several weeks to restore day-to-day operations. The average cost of all this is currently $3.86 million. The entire process is simplified, and losses are reduced considerably, if a company has a Disaster Recovery plan and recent backups. If a business can’t pay the ransom and doesn’t have working backups, it could go bankrupt trying to get back on its feet again.
How can a ransomware attack be prevented?
- Make it harder to access RDP.
- Backups! Run complete backups frequently and store them off-site. Note: file-syncing to the cloud makes data accessible from anywhere, but it is not an actual backup system: infected or encrypted files sync up and overwrite the clean copies.
- Spot intrusions sooner. Use an Endpoint Protection solution that monitors network usage anomalies.
- Invest in employee cybersecurity awareness training. Businesses are safer when employees know how to spot malicious attachments and phishing attempts. Employee training also improves how quickly suspicious activities get reported.
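As an added example of the “spot intrusions sooner” point (not code from the original post), here is detection logic that flags RDP brute-force attempts from Windows Security failed-logon events. The one-line-per-event log format and the sample lines are constructed for this example; event ID 4625 (failed logon), 4624 (successful logon) and logon type 10 (RemoteInteractive, i.e. RDP) are real Windows values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Security log lines (not from the original post).
# Assumed format: "<timestamp> EventID=<id> LogonType=<n> User=<name> SrcIP=<ip>"
# Event 4625 = failed logon, 4624 = successful logon; LogonType 10 = RDP.
SAMPLE_LOG = """\
2019-08-09T02:00:01 EventID=4625 LogonType=10 User=administrator SrcIP=203.0.113.7
2019-08-09T02:00:02 EventID=4625 LogonType=10 User=admin SrcIP=203.0.113.7
2019-08-09T02:00:03 EventID=4625 LogonType=10 User=administrator SrcIP=203.0.113.7
2019-08-09T02:00:04 EventID=4625 LogonType=10 User=backup SrcIP=203.0.113.7
2019-08-09T02:00:05 EventID=4625 LogonType=10 User=administrator SrcIP=203.0.113.7
2019-08-09T02:00:06 EventID=4624 LogonType=10 User=administrator SrcIP=203.0.113.7
2019-08-09T02:10:00 EventID=4625 LogonType=10 User=jsmith SrcIP=198.51.100.4
2019-08-09T02:30:00 EventID=4625 LogonType=2 User=jsmith SrcIP=127.0.0.1
"""

def parse(line):
    """Turn one log line into a dict with a parsed timestamp."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {src_ip: info} for sources with >= threshold RDP failures within
    any sliding window, noting whether a successful RDP logon followed."""
    events = [parse(l) for l in log_text.splitlines() if l.strip()]
    rdp = [e for e in events if e["LogonType"] == "10"]  # ignore local/console logons
    failures, successes = defaultdict(list), defaultdict(list)
    for e in rdp:
        (failures if e["EventID"] == "4625" else successes)[e["SrcIP"]].append(e)
    alerts = {}
    for ip, fails in failures.items():
        fails.sort(key=lambda e: e["ts"])
        for i, first in enumerate(fails):
            burst = [e for e in fails[i:] if e["ts"] - first["ts"] <= window]
            if len(burst) >= threshold:
                last = burst[-1]["ts"]
                alerts[ip] = {
                    "failures": len(burst),
                    "users": sorted({e["User"] for e in burst}),  # spraying vs. one account
                    "success_after": any(s["ts"] > last for s in successes[ip]),
                }
                break
    return alerts

if __name__ == "__main__":
    print(detect_rdp_bruteforce(SAMPLE_LOG))
```

A burst followed by a success (`success_after` True) is the case to escalate first: it matches the guessed-credential access path described above.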
It’s easy to tune out news about the latest ransomware attack when it seems that it has no impact on your business. However, ransomware attacks continue to increase, and so do the odds that your business will be affected. An investment in prevention now, evaluating and improving your current security practices, could save your business from considerable harm later.