How does ransomware work? Can you prevent it?

June 23, 2021

Ransomware has circulated in the news and become quite a hot topic. It is one of the biggest security problems on the internet and one of the most effective cybercrimes to date. The threat can go as far as damaging your business reputation or shutting the business down completely. Here we will look at how ransomware works, its impact, and the things you can do to prevent it.

What is ransomware?

You might be familiar with the term malware, short for malicious software. Ransomware is malware that prevents users from accessing their system, files, or documents by encrypting them. It can affect a single PC all the way up to an entire network, including servers.

If you are the victim, there is not much you can do. You can either regain access to your encrypted network by paying the ransom to the criminals, or restore your data from backups.

A short history of ransomware

While ransomware sounds like a trendy new threat that exploded in recent years, it is not new at all. These malicious programs have been around for more than 30 years.

The first documented instance of ransomware was the 1989 AIDS Trojan, also known as PC Cyborg.

Harvard-trained evolutionary biologist Joseph L. Popp took advantage of widespread interest in AIDS and sent 20,000 infected diskettes labeled “AIDS Information – Introductory Diskettes” to the World Health Organization’s international AIDS conference attendees.

The ransomware counted the number of times the PC was booted. Once it hit 90, the AIDS Trojan became active, encrypting file names (including extensions) on the C: drive of the infected computer. At the same time, the malware displayed a message on the screen demanding that the user renew their license with ‘PC Cyborg Corporation’ by sending $189 or $378 to a post office box in Panama.

Joseph Popp was arrested, but the court found him mentally unfit to stand trial. He did, however, publish the book Popular Evolution: Life-Lessons from Anthropology a decade later.

Blackmail page from the 1989 AIDS Information Trojan.

How Ransomware Gains Access

To gain access, ransomware must get past the device’s security, either by exploiting gaps in that security or by tricking the user into putting the malware on the device themselves.

The latter is the most common method for ransomware. The malware hides in an innocent-looking file, email, or website.

If you look closely, you will find emails or sites that disguise themselves as legitimate-looking messages from official or well-known entities. For example, they can impersonate the Malaysian Government, banks such as CIMBClicks, PDRM, or even your place of employment.

Ransomware works on a variety of devices. While ransomware is most commonly used on computers, one form of ransomware on Android phones gains access through SMS messages. These messages will spam the user with malicious links to trick them into downloading the malware onto their phone.

The malware will encrypt the victim’s files, demand a ransom, and then use the contact list to spam others.

Ransomware can also reach the victim’s device through physical ports, such as USB drives or public phone-charging stations (an attack known as juice jacking).
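The disguised-sender trick described above is something a mail filter or a security team can check for mechanically: a display name that borrows a trusted brand while the actual sending domain is not on the organisation’s allow-list. The following is an added example written for this article, not code from the original post or from AXO; the sample messages, the allow-list of trusted domains and the list of watched brand names are all constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample messages (not real mail). The second one borrows a bank's
# name in the display name but is sent from an unrelated domain.
SAMPLE_MESSAGES = [
    "From: IT Helpdesk <helpdesk@example-corp.test>\nSubject: Password expiry\n\nPlease renew.\n",
    "From: CIMB Clicks <alerts@secure-login-update.test>\nSubject: Account locked\n\nClick here.\n",
    "From: payroll <payroll@example-corp.test>\nSubject: Payslip\n\nAttached.\n",
]

# Assumed allow-list: domains that legitimately send mail to this organisation.
TRUSTED_DOMAINS = {"example-corp.test", "cimbclicks.test"}
# Assumed watch-list: brand or role names that phishers commonly borrow.
WATCHED_BRANDS = {"cimb", "pdrm", "helpdesk", "payroll"}


def sender_risk(raw_message: str) -> dict:
    """Compare the From display name against the real sending domain."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, address = parseaddr(str(msg["From"] or ""))
    domain = address.rpartition("@")[2].lower()
    brand_in_name = any(b in display_name.lower() for b in WATCHED_BRANDS)
    trusted = domain in TRUSTED_DOMAINS
    return {
        "domain": domain,
        "trusted_domain": trusted,
        # A watched brand in the name from an untrusted domain is the red flag.
        "brand_impersonation": brand_in_name and not trusted,
    }


def flag_suspicious(messages) -> list:
    """Return the risk records of messages that look like brand impersonation."""
    flagged = []
    for raw in messages:
        record = sender_risk(raw)
        if record["brand_impersonation"]:
            flagged.append(record)
    return flagged


if __name__ == "__main__":
    for record in flag_suspicious(SAMPLE_MESSAGES):
        print("suspicious sender domain:", record["domain"])
```

Only the message that pairs a bank’s name with an unrelated domain is flagged; mail from the allow-listed domains passes even when the display name contains a watched word, which is the behaviour you want so that genuine helpdesk or payroll mail is not blocked.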

Ransomware encryption methods

In the late 80s and early 90s, ransomware relied on symmetric encryption, where the same key is used to encrypt and decrypt the data. The Vigenère cipher is a simple example of a symmetric encryption technique: it uses a keyword or keyphrase to turn plaintext into ciphertext, and as long as you have the keyword, you can encrypt or decrypt the text.

Now, more advanced ransomware uses asymmetric encryption, also known as public-key encryption, where one key encrypts and only the matching private key decrypts. In practice it combines symmetric and asymmetric methods to make it harder to decrypt ransomed files.

To make it easier to understand: at the base of most asymmetric cryptography systems is an algorithm that requires computationally heavy operations and needs no shared secret key. That computational cost makes asymmetric encryption impractical for large amounts of data.

So most ransomware authors use a combination of both: symmetric encryption with a randomly generated key, usually referred to as the session key, to encrypt the actual message or files, and then an asymmetric algorithm to encrypt the session key itself.
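The combination described in the last three paragraphs can be shown end to end on a short byte string. This is an added example written for this article, not code from the original post or from any ransomware family: it uses a byte-wise Vigenère cipher as the symmetric step and textbook RSA with deliberately tiny, constructed parameters (p=61, q=53, so n=3233, e=17, d=2753) as the asymmetric step. The point for defenders is in the structure: the data is locked with a random session key, the session key is locked with a public key, and whoever does not hold the private exponent cannot recover the session key, which is why recovery depends on backups rather than on breaking the cipher.

```python
import os
from typing import List, Tuple

# Toy RSA key (constructed, illustration only). Real attacks use 2048-bit keys,
# which is what makes the wrapped session key unrecoverable in practice.
RSA_N = 3233   # p * q with p=61, q=53
RSA_E = 17     # public exponent
RSA_D = 2753   # private exponent: 17 * 2753 = 1 (mod 3120)


def vigenere(data: bytes, key: bytes, decrypt: bool = False) -> bytes:
    """Byte-wise Vigenère: the same key encrypts and decrypts (symmetric step)."""
    sign = -1 if decrypt else 1
    return bytes((b + sign * key[i % len(key)]) % 256 for i, b in enumerate(data))


def rsa_wrap(session_key: bytes, n: int = RSA_N, e: int = RSA_E) -> List[int]:
    """Encrypt each session-key byte with the public key (n, e)."""
    return [pow(b, e, n) for b in session_key]


def rsa_unwrap(wrapped: List[int], n: int = RSA_N, d: int = RSA_D) -> bytes:
    """Recover the session key; only possible with the private exponent d."""
    return bytes(pow(c, d, n) for c in wrapped)


def hybrid_encrypt(plaintext: bytes) -> Tuple[bytes, List[int]]:
    """Lock the data with a fresh session key, then lock that key with RSA."""
    session_key = os.urandom(16)               # random per-victim session key
    ciphertext = vigenere(plaintext, session_key)
    return ciphertext, rsa_wrap(session_key)   # the raw session key is discarded


def hybrid_decrypt(ciphertext: bytes, wrapped_key: List[int]) -> bytes:
    """The private-key holder unwraps the session key and then the data."""
    session_key = rsa_unwrap(wrapped_key)
    return vigenere(ciphertext, session_key, decrypt=True)


if __name__ == "__main__":
    # Constructed sample input.
    ct, wk = hybrid_encrypt(b"Quarterly report: revenue RM1.2m")
    print("wrapped session key:", wk)
    print("recovered:", hybrid_decrypt(ct, wk))
```

Note that the ciphertext alone carries nothing useful: the symmetric key is never stored, and the only copy of it is inside the RSA-wrapped blob, which needs the private exponent to open.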

Other Forms of Ransomware

Bear in mind that not all ransomware is built to encrypt the victim’s files. Once the ransomware author has access to a system at a level that lets them encrypt files, they can do almost anything. Sometimes they use crafty methods such as leakware and doxware, where the attacker threatens to release a victim’s sensitive files to the general public.

This is incredibly impactful for organizations with sensitive information, such as financial records, medical information, or personal employee information, resulting in severe monetary damage and heavy fines if these files are compromised.

What is the actual cost of a ransomware attack?

If an organization is attacked with ransomware, it is not just a matter of paying the ransom. Remediating can be expensive, involving downtime, labor, product cost, network cost, lost opportunity, ransom paid, and other damages. The cost of ransomware recovery may vary depending on organization size, the attack severity, and the country in which your business is located.

According to the Sophos State of Ransomware 2021 report, based on an independent survey of 5,400 IT decision-makers across 30 countries, the global average ransomware remediation cost is US$1.85 million (~RM7.41 million), and US$0.77 million (~RM3.17 million) here in Malaysia.

Sophos State of Ransomware 2021 remediation cost statistics.

Ransom payment

According to the same Sophos survey, ransom payments vary. The most common payment was US$10,000 (~RM41,165), with the highest amount a massive US$3.2 million (~RM13.2 million).

While the most obvious cost of a ransomware attack is the ransom demand, it is not necessarily the most significant factor in the overall cost that ransomware imposes on its victims.

Loss of revenue during downtime

Reconnecting the backup and restoring a large amount of data can be very time-consuming. Many weeks will be spent on remediating and restoring the encrypted systems.

According to Intermedia research, nearly three out of four companies infected with ransomware suffer two days or more without access to their files. Around 30% go 5 days or longer without access.

In addition, according to the Coveware report, the average number of days a ransomware incident lasts is 16.2 days – up from 12.1 days in the third quarter of 2019.

Data privacy fines

Be aware that fines under data privacy laws may be larger than the ransom demanded. For example, in the United States, willful neglect of data privacy standards carries a maximum penalty of US$1.5 million. In Malaysia, non-compliance with the Personal Data Protection Act can lead to up to RM500,000 in fines and up to three years in prison, and the list goes on.

Marriott Hotels, for example, was fined £18 million (~RM104.5 million) for its data loss. In addition, British Airways was fined £20 million (~RM116.1 million) for failing to protect the personal and financial details of more than 400,000 customers. Neither case was a ransomware attack, but they give you an idea of the fines imposed on organizations that lose control of the data in their possession.

Loss of reputation and trust

Ransomware attacks are highly destructive and visibly affect business operations, leaving the victim with no choice but to release the news to the public that they have been breached.

That results in disappointment and objections from everyone involved, including customers, investors, and other stakeholders.

Building a trusted brand is not cheap, and losing public trust causes a significant loss. It takes quite some time to restore public confidence.

This can have adverse effects on retaining existing clients, generating future business, and even negatively affect the company’s stock prices.

Liability from legal action

When many clients have been affected by a data breach, they are likely to resort to legal means for compensation. This leads to additional costs for the organization if it has to cover those claims.

Consider what happened to DCH Health Systems after a ransomware attack on its Alabama hospitals in December 2019: patients later filed a class-action lawsuit against the company, alleging privacy violations, negligence, and disruption of medical care.

The fact that ransomware was involved in the data breach makes the case for compensation easier.

How do you prevent a ransomware attack?

Now you are aware of the essential things about ransomware and the risk it brings to your company. AXO experts recommend you follow these best practices:

Assume you will be hit

Ransomware is highly prevalent. No sector, country, or organization size is immune from the risk. 44% of Malaysian organizations say they fell victim to a successful cybersecurity attack in the last 12 months, and 64% say it took longer than a week to remediate. Therefore, it’s better to be prepared but not hit than the other way round.

Make a robust data backup

Based on Sophos’ findings, 92% of victims did not get all their data back after paying the ransom. A robust and secure data backup solution is your primary way to regain access to your data after an attack. If your systems are backed up regularly, the data lost to a ransomware attack should be minimal or non-existent.

However, it is crucial to protect your backup solution so that it does not get encrypted too. Your backups should be stored offsite and offline, where attackers cannot reach them, or kept read-only so that ransomware cannot spread to the drives containing your recovery data.
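Two of the controls in the paragraph above, keeping recovery data read-only and knowing when it has been tampered with, can be checked automatically. The following is an added example written for this article, not code from the original post or from AXO: it records a SHA-256 manifest for a backup set, marks the files read-only, and later reports any file that changed, went missing, or became writable. The backup set and the tampering are constructed inside a temporary directory so the script runs offline; in a real deployment the manifest should be kept on a separate, offline medium, otherwise an attacker who can rewrite the backups can rewrite the manifest as well (an assumption of this demo, not a claim about any product).

```python
import hashlib
import json
import stat
import tempfile
from pathlib import Path

READ_ONLY = stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir: Path) -> Path:
    """Hash every file in the backup set, mark it read-only, save the manifest."""
    manifest = {}
    for p in sorted(backup_dir.rglob("*")):
        if p.is_file() and p.name != "manifest.json":
            manifest[str(p.relative_to(backup_dir))] = sha256_file(p)
            p.chmod(READ_ONLY)
    out = backup_dir / "manifest.json"
    out.write_text(json.dumps(manifest, indent=2))
    out.chmod(READ_ONLY)
    return out


def verify_backup(backup_dir: Path) -> dict:
    """Report files that changed (e.g. were encrypted), vanished, or became writable."""
    manifest = json.loads((backup_dir / "manifest.json").read_text())
    report = {"modified": [], "missing": [], "writable": []}
    for rel, expected in manifest.items():
        p = backup_dir / rel
        if not p.exists():
            report["missing"].append(rel)
            continue
        if sha256_file(p) != expected:
            report["modified"].append(rel)
        if p.stat().st_mode & stat.S_IWUSR:
            report["writable"].append(rel)
    return report


def demo() -> dict:
    """Constructed backup set of two files; one is overwritten to simulate encryption."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp)
        (backup / "ledger.csv").write_bytes(b"date,amount\n2021-06-01,1200\n")
        (backup / "notes.txt").write_bytes(b"quarterly notes")
        write_manifest(backup)
        # Simulated tampering: someone with write access re-enables writing and
        # replaces the content, which is what a ransomware run would do.
        target = backup / "ledger.csv"
        target.chmod(stat.S_IRUSR | stat.S_IWUSR)
        target.write_bytes(b"\x00ENCRYPTED\x00")
        return verify_backup(backup)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The verification step is the part worth scheduling: run it against the backup copy before you trust a restore, and treat any entry under modified or writable as a sign that the recovery data itself has been touched.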

Make sure to patch early and often

The WannaCry attack is the best example of how crucial it is to patch your systems as soon as possible. The attack is believed to have started on a single computer in Europe and spread rapidly to close to 250,000 Windows computers in the first 24 hours by exploiting a vulnerability in the Windows Server Message Block (SMB) protocol.

Ironically, Microsoft had already released a patch for the EternalBlue vulnerability used by WannaCry. The patch was available a month before the attack and was labeled “critical” due to its high potential for exploitation. However, many organizations and individuals did not apply it in time, resulting in the “biggest ransomware attack in history.”

Take a lesson from this incident: keep your computers up to date and apply security patches, especially those labeled as critical. Your vigilance helps limit your exposure to ransomware attacks.

Improve your employee’s cyber awareness

Employees are the most vulnerable point in a ransomware attack. Prevention is always better than cure. Train your employees to identify cyber threats and to be wary of suspicious or malicious messages, lowering their chance of being tricked by attackers.

Try to hold frequent cybersecurity awareness training to protect your organization against ransomware. This training should instruct employees to do the following:

  • Not click on malicious links
  • Never open unexpected or untrusted attachments
  • Avoid revealing personal or sensitive data to phishers
  • Verify software legitimacy before downloading it
  • Never plug an unknown USB into their computer
  • Use a VPN when connecting to untrusted or public Wi-Fi

Deploy layered security protection

In the face of the alarming increase in extortion-based attacks, you need to be well prepared to keep attackers out of your business environment. Even slight carelessness puts your business at risk.

Ransomware is the type of threat that “slips through the cracks”: it is a multi-layered attack that touches several areas of your network. Use layered protection to prevent and detect cyberattacks, backed by an advanced detection and response team that watches your networks 24/7.

Have human experts supporting your security technology

The key to stopping ransomware is having a combined effort of anti-ransomware technology and human-led threat hunting. While technology allows you to scale and automate, human experts are the best at predicting and detecting skilled attackers’ tactics, techniques, and procedures when attempting to get into your environment.

Reach out to a specialist cybersecurity company for support if you do not have cybersecurity experts in-house. It is wise to leverage their Security Operations Centre (SOC) service instead of setting one up yourself.

Don’t even think of paying the ransom

We know that it is not easy to refuse the ransom when your company has been brought to a standstill by a ransomware attack. But there is no guarantee that you will get your data back; many organizations did not get their data back even after they paid.

Even if you do get your data back after paying, it sends the cybercriminals a strong message that your company is a gold mine worth digging repeatedly.

Have a malware recovery plan

Preparing in advance is the best way to stop a cyberattack from turning into a complete breach. Having an incident response plan helps your organization prepare, respond, and follow up on any cyberattack so that you don’t have to halt your operation, at least not for very long. It defines who should be doing what, where, and in what situation.

Many organizations that fall victim to an attack often realize they could have avoided a lot of cost and disruption if they had a plan in place.

AXO Technologies Sdn Bhd (1276407-U) is an innovative and thoughtful IT consulting firm based in Selangor, Malaysia. We help organizations solve their IT challenges by leveraging technology in their business process.

With our certified professional team, we strive to provide a better understanding and relationship with our customers.