The COVID-19 pandemic created fertile soil for the growth of ransomware. Malware authors routinely exploit periods of high anxiety to lure people into an attack, and the shift to remote working under social-distancing restrictions widened the attack surface further. Coveware's Q2 Ransomware Report saw a 60% increase in attacks over Q1, and Trend Micro's monitoring showed that cyber threats using the virus as a lure rose sharply in September.
It is no surprise, then, that we’ve seen a rise in high-profile attacks. Unfortunately, not everyone has the resources and in-house know-how that Tesla has. Translink, Metro Vancouver’s transport body, recently confirmed that they were the victim of a ransomware attack. They have joined the ranks of K-Mart, Barnes & Noble and Ubisoft, having been attacked by the Egregor ransomware, which appeared in September 2020.
So, what exactly is ransomware?
Ransomware is a type of malicious software (malware) that gets onto a device or network and encrypts the files it can reach, rendering them unusable. To regain access to your files, the attackers demand a ransom in exchange for the decryption key.
Scareware is a related form that poses as an anti-virus message or a fake law-enforcement notice and demands a "fine" for illegal or infected files on your machine. Enterprise ransomware attacks, however, increasingly combine encryption with the theft of data and the threat to publish it (so-called double extortion), which means that even a good backup does not by itself remove the pressure to pay. If you're interested in learning more, the Infosec Institute delves into the different types of ransomware here.
Payment is usually demanded in Bitcoin or another cryptocurrency. These are not untraceable (Bitcoin's ledger is public, and payments have been followed and seized), but they are pseudonymous, irreversible and easy to move across borders, which is what the attackers need. Some may also try to extort credit-card details to add another layer of financial loss.
It is important to remember that, famously, there is no honour among thieves. There is no guarantee that once the ransom is paid you will get a working decryption key: a survey from Datto found that 25% of respondents who paid a ransom did not get their data unlocked.
Who do the hackers attack?
The short answer: everyone. Smaller scams aim to extort a few hundred dollars from individuals who don't know better; enterprise attacks, however, offer a much better return on investment, and certain industries are targeted more heavily:
- An estimated 45% of ransomware attacks were against healthcare organizations, where loss of access can be a matter of life or death. Similarly, 85% of malware infections at healthcare organizations are ransomware.
- Financial institutions and law firms are also popular targets, as the cost-benefit analysis often turns in the favour of paying the ransom.
Norton noted that,
“Cybercriminals go for the bigger payouts, which means targeting corporate entities. Part of this involves focusing on the United Kingdom, the United States, and Canada due to greater wealth and personal-computer use.”
How do they infect machines?
As with most malware, human error is the most common entry point. Many ransomware attacks start with a simple phishing email, and lately many of these lures prey on the fear surrounding COVID-19.
Outdated firewalls, operating systems and applications leave known holes that attackers can exploit, and remote-access services (RDP, for example) left exposed to the internet with weak passwords invite brute-force attacks on machines and networks.
Remote working set-ups also increase vulnerabilities through poorly secured networks and more relaxed boundaries between personal and professional use of machines.
The rise of Internet-of-Things and other networked devices has also added attack surface. In Translink's recent attack, the attackers were able to take control of networked printers and instruct them to print the ransom note continuously throughout the attack.
What to do if you’re attacked by ransomware
- Disconnect the machine from the network immediately, not just from the internet: unplug the cable and turn off Wi-Fi. This cuts communication between the infected computer and the attacker's server and can stop the malware spreading to file shares and other machines. Leave the machine powered on if you can; memory and running processes may hold evidence that responders need.
- Next, if you are using a computer owned by your organization, reach out to your IT team and make clear that it is urgent. Unless you are an expert, do not try to remove the malware yourself. Wiping it before it has been identified can destroy the ransom note, sample and key identifiers that responders use to determine the strain and whether a decryptor exists, and it destroys forensic evidence. And if the attackers have already stolen data, removing the software does nothing about the threat to leak it.
- Don't log in to any services from a machine you believe is infected, and assume credentials already used on it are compromised; change them from a clean device.
- Do not pay the ransom. There is no guarantee it will get your data back, and every payment funds the next attack.
Tips for staying safe
While attackers have found many ways into computer systems, a tested enterprise backup program is the first and best way to recover from an attack. But it is not the only way to limit the damage.
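As an added example of what "working properly" should mean for a backup (this is illustration written for this article, not code from the original post or from any backup product): the script below takes a SHA-256 manifest of the source at backup time and checks a restored copy against it, so a backup copy that ransomware has partly encrypted, or a backup job that silently skipped files, is caught before you actually need the data. The directory layout, file contents and the simulated damage are constructed for the demonstration; in practice the manifest belongs with the offline copy, not on the system being backed up.

```python
"""Restore-test a backup against a manifest taken at backup time.

Added illustration for this article; the file tree and the 'damage' to the
backup copy are constructed, not real data.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 16):
    """Hash a file in chunks so large backups do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root, POSIX separators) to its SHA-256.

    Take this at backup time and keep it with the offline copy, never only on
    the machine being backed up: ransomware that can reach the manifest could
    rewrite it to match the encrypted files.
    """
    root = Path(root)
    return {
        path.relative_to(root).as_posix(): sha256_file(path)
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }


def verify_restore(manifest, restored_root):
    """Compare a restored tree against the manifest.

    Returns relative paths grouped as ok / missing / mismatched / unexpected.
    'mismatched' is what an encrypted-in-place backup looks like; 'missing'
    is what a backup job that silently skipped files looks like.
    """
    current = build_manifest(restored_root)
    result = {"ok": [], "missing": [], "mismatched": [], "unexpected": []}
    for rel_path, expected in manifest.items():
        if rel_path not in current:
            result["missing"].append(rel_path)
        elif current[rel_path] != expected:
            result["mismatched"].append(rel_path)
        else:
            result["ok"].append(rel_path)
    result["unexpected"] = sorted(set(current) - set(manifest))
    return result


def restore_test_demo():
    """Constructed scenario: back up a small tree, damage the backup copy the
    way an encryptor and a flaky job would, restore it, and verify."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp, "source")
        backup = Path(tmp, "backup")
        restore = Path(tmp, "restore")
        (source / "finance").mkdir(parents=True)
        (source / "finance" / "ledger.csv").write_text("id,amount\n1,100\n")
        (source / "finance" / "invoices.xml").write_text("<invoices/>\n")
        (source / "notes.txt").write_text("quarterly planning\n")

        manifest = build_manifest(source)      # taken at backup time
        shutil.copytree(source, backup)        # the backup job

        # Damage the backup copy: one file overwritten with random bytes (as an
        # encryptor would leave it), one file absent (a skipped file).
        (backup / "finance" / "ledger.csv").write_bytes(os.urandom(64))
        (backup / "notes.txt").unlink()

        shutil.copytree(backup, restore)       # the restore test
        return verify_restore(manifest, restore)


if __name__ == "__main__":
    for category, paths in restore_test_demo().items():
        print(f"{category:10s} {paths}")
```

The point of the exercise is that "the backup job reported success" is not the same as "the data restores intact": a job can copy already-encrypted files quite happily, and only a comparison against hashes taken before the incident tells you which generation of the backup is still good.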
Technology:
- Make sure your antivirus is up-to-date and running – stop ignoring the update alert that’s been popping up;
- Consider application allow-listing (whitelisting) software that stops unauthorized programs from running;
- Use Virtual Private Networks (VPNs) to provide remote employees with a secure channel to business systems;
- Monitor, measure and record network and endpoint activity meticulously; it is a good time to invest in threat-detection upgrades;
- Define restrictions on the data that can, and cannot, traverse the VPN. For example, very sensitive data may be more securely transferred by voice call;
- Instate backup and disaster recovery (BDR) plans; and
- Double-check that backups actually restore (test a restore; do not just check that the job ran) and that at least one copy is kept offline or otherwise unreachable from the network, so the ransomware cannot encrypt it too.
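One concrete form the threat-detection item above can take, as an added example written for this article rather than taken from any product: two simple heuristics run over file-event logs of the kind an EDR agent or a file-audit policy produces. Encryptors rename large numbers of files to a new extension in a short time and drop the same ransom-note file into every directory they touch, and neither pattern is common in ordinary use. The JSON log format, host names, process names and thresholds are all assumptions constructed for the demonstration; tune them to your own environment.

```python
"""Two heuristics for ransomware-like file activity, run over file-event logs.

Added illustration for this article. The JSON log format, hosts, process names
and thresholds are assumptions, not taken from any product.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from pathlib import PurePosixPath


def make_sample_log():
    """Constructed sample log lines (not real telemetry). One JSON object per
    line with ts, host, proc, action (rename|write), path and new_path."""
    base = datetime(2020, 12, 4, 9, 0, tzinfo=timezone.utc)
    events = []
    # Benign: an editor saving three documents through a temp-file rename.
    for i in range(3):
        events.append({"ts": (base + timedelta(seconds=10 * i)).isoformat(),
                       "host": "ws01", "proc": "WINWORD.EXE", "action": "rename",
                       "path": f"/home/alice/docs/~report{i}.tmp",
                       "new_path": f"/home/alice/docs/report{i}.docx"})
    # Suspicious: one process renames 25 files to a new extension inside half a
    # minute and drops the same note file into every directory it touches.
    for i in range(25):
        directory = f"/srv/share/dept{i % 6}"
        ts = (base + timedelta(seconds=60 + i)).isoformat()
        events.append({"ts": ts, "host": "fs01", "proc": "unknown.exe",
                       "action": "rename", "path": f"{directory}/file{i}.xlsx",
                       "new_path": f"{directory}/file{i}.xlsx.locked"})
        events.append({"ts": ts, "host": "fs01", "proc": "unknown.exe",
                       "action": "write", "path": f"{directory}/RECOVER-FILES.txt",
                       "new_path": None})
    return [json.dumps(e) for e in events]


def parse_log(lines):
    """Parse JSON lines and sort by timestamp (collectors deliver out of order)."""
    events = []
    for line in lines:
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect_mass_extension_change(events, window=timedelta(seconds=60), threshold=20):
    """Flag a process that renames at least `threshold` files to a different
    extension within a sliding `window`. Normal applications rarely change
    the extension of many files at once; encryptors do it constantly.
    Returns [(host, proc, peak_count_in_window), ...]."""
    recent = defaultdict(deque)
    alerts = {}
    for event in events:
        if event["action"] != "rename" or not event.get("new_path"):
            continue
        if PurePosixPath(event["path"]).suffix == PurePosixPath(event["new_path"]).suffix:
            continue                      # same extension: ordinary save/rename
        key = (event["host"], event["proc"])
        times = recent[key]
        times.append(event["ts"])
        while times and event["ts"] - times[0] > window:
            times.popleft()
        if len(times) >= threshold:
            alerts[key] = max(alerts.get(key, 0), len(times))
    return [(host, proc, count) for (host, proc), count in alerts.items()]


def detect_note_drops(events, min_dirs=5):
    """Flag a process that writes a file of the same name into at least
    `min_dirs` distinct directories: ransom notes are dropped everywhere
    files were encrypted. Returns [(host, proc, filename, dir_count), ...]."""
    dirs_by_name = defaultdict(set)
    for event in events:
        if event["action"] != "write":
            continue
        path = PurePosixPath(event["path"])
        dirs_by_name[(event["host"], event["proc"], path.name)].add(str(path.parent))
    return [(host, proc, name, len(dirs))
            for (host, proc, name), dirs in dirs_by_name.items() if len(dirs) >= min_dirs]


if __name__ == "__main__":
    log = parse_log(make_sample_log())
    print("mass extension change:", detect_mass_extension_change(log))
    print("note drops:", detect_note_drops(log))
```

Run against the constructed log, the editor's three saves stay below the threshold while the unknown process trips both rules. In a real deployment you would feed these rules from your EDR or file-audit pipeline and pair an alert with an automatic response, such as isolating the host or revoking the account's access to the share, since the value of detection here is measured in seconds.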
People:
- Train, retrain and train again. Cybersecurity best practices should be communicated clearly and frequently to your staff. Education around common phishing techniques and password etiquette can help you shore up your defenses;
- Reinforce the importance of not using home computers to access work files;
- Enable multi-factor authentication for any systems in use; and
- Digital Guardian suggests ensuring proper credential-based access. "Turnover, failure to update passwords, and improper restrictions can result in even higher probabilities of attack at these points." (source) Apply this to every system, and in particular make sure that credentials for production systems cannot also reach your backups, so an attacker who compromises one cannot destroy the other.
Many things lay the foundations for ransomware attacks. Changes in cryptocurrency prices, for example, affect how lucrative attacks are, and the global coronavirus pandemic opened many doors for large-scale attacks. Vigilance, employee education, prompt updates of all critical systems, tested offline backups and an airtight BDR plan are your best defense against this kind of attack. If you do not have the resources in-house, consider partnering with an MSP that can help you stay safe. Our team can help you.
We’ve created this useful handout with some of our best tips for cybersecurity. We recommend sending it to your employees to keep as a desk-side resource.