With contributions by Anwar Haq
Ransomware has grown to become a significant threat to organizations today, no matter the size or industry. Cybercriminals are exploiting vulnerabilities in small businesses and enterprises alike, creating short-term and long-term damage that can impact everything from your employees’ productivity to your relationship with customers.
In Canada alone, 17% of organizations¹ experienced a successful ransomware attack in 2021. In the US, over 22 million records² were compromised due to ransomware attacks in 2021, and this disruption has resulted in a dedicated government Task Force and updated sanctions³ to hold criminals accountable. In India, 68% of organizations experienced a breach⁴ in 2021, putting them at the top globally in terms of ransomware attacks.
“With the pandemic accelerating digital transformation initiatives, businesses of all sizes are becoming increasingly reliant on digital infrastructure and systems, making them more susceptible to cyberattacks,” Anwar Haq, Principal Security Manager of Sryas, said. “It’s not a coincidence that ransomware attacks are on the rise, becoming much more frequent and sophisticated. Developing and implementing the right cyber resilience framework for your business is no longer a nice to have, but a must-have. It’s mission-critical for organizations to adopt a preventative, multi-layer cybersecurity approach that protects multiple areas—from the outer network infrastructure to internal controls and systems.”
So, how can organizations start building this framework to shore up defences? It helps to know exactly what you’re defending against, and below are some important considerations to ensure you cover all the bases. You can also work with a cybersecurity partner to bring in the expertise and experience needed.
What is Ransomware?
As the name suggests, this malicious threat involves cybercriminals demanding a ransom in exchange for valuable data they have previously infected, encrypted, and exfiltrated from an organization. A cryptographic key, which is a random string of data used in conjunction with an encryption algorithm, is needed to unlock the compromised files, but the attacker will only provide it when the ransom is paid.
Cracking this key is, for practical purposes, mathematically impossible: a brute-force attempt would demand far more resources and time than an organization has available in the middle of an attack. What’s more, an unsuccessful decryption attempt is risky and may result in losing the compromised files for good.
Ransomware is the malicious software that infects the organization’s system and encrypts the files. What’s one way of knowing if one of your files has been compromised? The file may carry an extension that is unique to the kind of ransomware being used, such as .aaa, .encrypted, .ttt, and so on.
Attackers will commonly drop files that contain the details of their demands: what ransom they want and how the organization can pay it to acquire the cryptographic key. Another important element to keep in mind: ransomware can readily spread to connected systems, making the threat even more critical and time-sensitive.
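As an added example (not code from the original article or from Sryas), the detector below applies the two indicators just described, a burst of renames to a ransomware-style extension and the appearance of a ransom-note file, to constructed file-system audit events. The event field names, the ransom-note filenames and the thresholds are assumptions.

```python
"""Flag hosts whose file activity looks like ransomware encryption.
Added example, not from the original article: input is constructed audit events,
and the field names, ransom-note filenames and thresholds are assumptions."""
from collections import defaultdict

SUSPICIOUS_EXTENSIONS = {".aaa", ".encrypted", ".ttt"}  # extensions named in the article
RANSOM_NOTE_NAMES = {"readme_decrypt.txt", "how_to_restore_files.txt"}  # assumed names
RENAME_THRESHOLD = 5  # suspicious renames on one host ... (assumed)
WINDOW_SECONDS = 60   # ... within this many seconds (assumed)

def extension(path):
    dot = path.rfind(".")
    return path[dot:].lower() if dot != -1 else ""

def detect_ransomware(events):
    """Return {host: reason} for hosts showing encryption-like behaviour.
    Each event: {"ts": int, "host": str, "op": "rename" | "create", "path": str}."""
    findings = {}
    renames = defaultdict(list)  # host -> timestamps of recent suspicious renames
    for ev in sorted(events, key=lambda e: e["ts"]):
        host, path = ev["host"], ev["path"]
        name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if ev["op"] == "create" and name in RANSOM_NOTE_NAMES:
            findings.setdefault(host, f"ransom note dropped: {path}")
        elif ev["op"] == "rename" and extension(path) in SUSPICIOUS_EXTENSIONS:
            recent = renames[host]
            recent.append(ev["ts"])
            while ev["ts"] - recent[0] > WINDOW_SECONDS:  # slide the time window
                recent.pop(0)
            if len(recent) >= RENAME_THRESHOLD:
                findings.setdefault(host, f"{len(recent)} files renamed to "
                                    f"{extension(path)} within {WINDOW_SECONDS}s")
    return findings

# Constructed sample telemetry: ws-17 mass-renames and drops a note, ws-02 renames one file.
SAMPLE_EVENTS = [
    {"ts": 100 + i, "host": "ws-17", "op": "rename", "path": f"C:/Users/a/Docs/q{i}.docx.encrypted"}
    for i in range(6)
] + [
    {"ts": 200, "host": "ws-17", "op": "create", "path": "C:/Users/a/Docs/readme_decrypt.txt"},
    {"ts": 300, "host": "ws-02", "op": "rename", "path": "C:/Users/b/old.ttt"},
]

if __name__ == "__main__":
    for host, reason in detect_ransomware(SAMPLE_EVENTS).items():
        print(host, "->", reason)
```

A single rename to an odd extension on ws-02 stays below the threshold, while ws-17 is flagged on the fifth rename inside the window, before the ransom note even appears.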
4 common ways ransomware occurs
But how do ransomware attacks even happen in the first place? Like most cybersecurity breaches, it starts with a security vulnerability, even the smallest one, being exploited. Organizations can become infected with ransomware in various ways; here are the 4 most common.
1. Phishing emails
These emails may look legitimate, from a credible sender or even from someone known to the recipient. They encourage the user to click on something, which turns out to be a malicious link or attachment.
2. Infected websites
These seemingly innocent websites will initiate the unintended download of malicious code—a drive-by download—by exploiting vulnerabilities in the browser or browser plug-ins.
3. Fake apps
Cybercriminals create these apps with attractive features: an ad blocker, a security tool, or even live wallpapers. Once downloaded, the app will perform malicious routines that compromise the user’s data.
4. Malvertising
This involves injecting malware-laden advertisements into reputable online advertising networks and websites. When clicked, the ad will redirect the user to a malicious website or initiate a drive-by download.
Once malware gets into the organization’s system, through an unsuspecting employee opening a malicious email or website, cybercriminals may spend a while undetected in the system to identify valuable data and files to encrypt. This period is called dwell time, and it’s possible the organization may detect the breach weeks or even months after the initial penetration.
7 deadly examples of ransomware
While all kinds of ransomware are a cause for concern, some are more robust and deadly than usual. To put things into perspective, below are some well-known examples of ransomware that disrupted organizations on a large scale. If anything, these show the lengths bad actors will go to in order to launch an attack.
- Ragnar Locker – Associated with the hacking group Ragnarok, this has been plaguing service providers since 2019. It was used to demand a hefty ransom of $10 million⁵ in 2020.
- Sodinokibi – This highly sophisticated type of ransomware targets high-profile Managed Service Providers and once breached, proliferates to their customers using legitimate admin tools.
- UIWIX – This uses the Windows exploit called EternalBlue to initiate a fileless infection, which is more dangerous because it makes detection all the more difficult.
- Petya – This unique form of ransomware reboots the infected computer, making it inoperable and unable to boot up until a ransom is paid.
- CryptoWall – Creators of this ransomware⁶ run it like a business, making it very dangerous. They are continuously enhancing code, staying on top of trends, and developing numerous social engineering tactics to pressure victims into paying the ransom.
- Jigsaw – This encrypts and progressively deletes files until a ransom is paid or until all remaining files are deleted.
- Locky – This malware is spread using an email message with an attached document disguised as an invoice, which appears scrambled once opened. The user is then directed to enable macros in order to read the document, which initiates AES encryption of a large array of file types.
Strengthening Defenses: Reduce the Risk of Ransomware
When it comes to cybersecurity, the key is to address existing vulnerabilities. This may involve reducing the attack surface by protecting the organization’s devices and networks. Install antivirus software and a firewall, apply security patches to all applications, and whitelist approved applications and websites. Since ransomware involves taking data hostage, it also helps to back up everything, every day, for safekeeping purposes.
Another important measure to take involves the first line of defence: the users and employees. Investing in Security Awareness Training will keep everyone informed of common tactics and create a culture of vigilance. This may reduce the risk of phishing attempts, malvertising, and other stealthy ransomware strategies.
Remember to develop a Disaster Recovery Plan that’s easily accessible to everyone in the organization. While it’s important to take a proactive cybersecurity approach to ransomware attacks, it’s also crucial to have a comprehensive action plan when things go south. This plan should address the following:
- Immediate steps to take (e.g. shut down most of the organization’s network, Wi-Fi, and Bluetooth to prevent the infection from spreading)
- Involvement with local authorities
- A ransom policy (e.g. either pay the ransom to get files back, or don’t pay the ransom, delete all the infected files, and restore using the backup)
And lastly, develop a cybersecurity strategy that covers all bases, because it only takes one exploited vulnerability to compromise the organization. We encourage you to implement some of the suggestions above when developing a cyber resilience framework for your organization. You can also partner with a security solutions provider that makes cybersecurity an integral part of everything they do. Sryas is here to help.
About the contributors
Anwar Haq is the Principal Security Manager at Sryas. With a decade of experience, he plays a key role in transforming the organization’s Cybersecurity Services and Information Security Risk Management (ISRM) program. He holds an M.Eng. and is certified in PMP, NPDP, CISSP, CISA, CSSBB and ITILv3. Cybersecurity, Cloud Computing, AI/ML, and Project & Program Management are his areas of expertise.