Ransomware is a malware attack that uses a variety of methods to prevent or limit an organization or individual from accessing their IT systems and data, either by locking the system’s screen, or by encrypting files until a ransom is paid, usually in cryptocurrency for reasons of anonymity.
By encrypting these files and demanding a ransom payment for the decryption key, the malware places organizations in a position where paying the ransom is the easiest and most cost-effective way to regain access to their files. It should be noted, however, that paying the ransom does not guarantee that users will get the decryption key required to regain access to the infected system or files.
In some instances, the perpetrators may steal an organization’s information and demand an additional payment in return for not disclosing the information to authorities, competitors or the public, something that would inflict reputational damage to the organization.
The cybercriminals who commit ransomware cybercrimes are now becoming so proficient at what they do that they use artificial intelligence in analyzing the victim’s environment to ensure that recovering files is extremely difficult if not impossible. Additionally, cybercriminals are offering RaaS (ransomware-as-a-service) to organized crime and government agencies to help them launch an attack while they reap the benefits. That may explain why large organizations, which theoretically have large sums of money to pay ransoms, are currently more likely to be targeted than individuals.
However, the landscape is changing, and ransomware is no longer just about a financial ransom with attacks being aimed at public services, utilities and infrastructure undermining public confidence.
Is Ransomware different from malware?
Ransomware is a cyber-attack where the sole purpose is financial gain. The cybercriminals ensure a path to a decryption key is available that they can sell to victims. In many cases however, the decryption key does not help or even partially help depending on the level of damage incurred by the organization trying to recover before giving up and agreeing to pay the ransom. On the other hand, the malware’s purpose is to damage the victim organization where there is no decryption key, or the malware simply encrypts or deletes the victim’s systems beyond recovery and there is no demand for a ransom.
How does ransomware work?
Ransomware can be unwittingly downloaded by visiting malicious or compromised websites or by downloading from malicious pages or advertisements. It can also be delivered as an attachment or a link in an email which is known as a phishing attack.
Once in the system, ransomware can either lock the computer screen or encrypt predetermined files. The user will see a full-screen image or notification displayed on an infected system’s screen, which states the method used to prevent the victim from using their system and will indicate how the user can pay the ransom. Alternatively, the ransomware will prevent access to potentially critical or valuable files like documents and spreadsheets.
- Ransomware is downloaded from malicious/compromised site or via an email link or attachment.
- Computer screen is locked or files are encrypted.
- Notification displayed with information on how to pay ransom to unlock computer
Implications for data protection methods and/or disaster recovery
Ransomware attacks can sometimes use what is called a “Trojan”, where there is a time lag between the first system infected and the detonation (activation of malicious code). During that time, the malicious code copies itself to all connected systems to ensure maximum damage to the victim’s environment. Depending on the frequency of replication between the production and disaster recovery environment, the malicious code will use the replication to infect the Disaster Recovery (DR) environment. For example, if the victim’s disaster recovery uses synchronous replication the malicious code will propagate immediately to the DR site, and once the malicious code is activated, both the production and DR environments will be locked.
Moreover, if there is a time lag between infection and activation, the malicious code will likely be included in the backup. Additionally, in most cases, the cybercriminal will study the victim’s environment to understand the backup retention policy and extend the time lag between infection and activation to ensure all backups are infected. Once all backup generations are infected, the cybercriminal will have full control over the victim’s environment.
So rather than acting as a data protection procedure, disaster recovery can help spread the malicious code and any recovery/backup data will be equally affected along with production data.
How to mitigate and recover from a ransomware attack
Businesses are now beginning to realize that it is no longer a question of if they will be attacked, but when. Given the scope and sophistication of current threats, what can businesses realistically do to prevent such attacks, or recover from them?
Payment of the ransom – As previously stated, depending on the motive for the attack, paying the ransom does not necessarily guarantee that the organization will get the decryption key required to regain access to the infected system or files. However, it is understandable that many organizations are placed in the unenviable position where paying the ransom is the easiest and most cost-effective path. To try and dissuade businesses from taking this path the US Treasury have issued guidelines that strongly discourages the payment of ransoms or extortion demands, with possible sanctions for businesses that do. They are instead encouraging businesses to adopt the CISA (Cybersecurity and Infrastructure Security Agency) recommendations and to report incidents to the CISA and the Federal Bureau of Investigation.
Cyber insurance – Some businesses have taken the approach of accepting they we will be attacked and lose data, and that cyber insurance will cover any loss. There is increasing evidence that the insurance companies are unwilling to meet those claims, especially where there is no motivation or strategy for risk management or at least minimum steps towards prevention of the threat.
Best practices – As an example of how to deal with a ransomware threat, CISA has issued a series of recommendations to protect networks from a ransomware attack:
- Educate your personnel. Improve the workforce awareness through training and testing so that staff understand they are a target and are aware of the nature of the threat and how it is delivered.
- Take preventative measures:
- Risk analysis: Conduct a cybersecurity risk analysis of the organization
- Incident response: Develop an incident response plan and exercise it
- Vulnerability patching: Implement appropriate and timely patching of operating systems, software and firmware
- Email: Enable strong spam filters to prevent phishing emails from reaching the end users and authenticate inbound email and prevent email spoofing. Scan all incoming and outgoing emails to detect threats and filter executable files from reaching end users.
- Firewalls: Configure firewalls to block access to known malicious IP addresses.
- Anti-virus: Set anti-virus and anti-malware programs to conduct regular scans automatically.
- Access controls: Manage the use of privileged accounts based on the principle of least privilege
- Disable macros: Disable all macro scripts from office files transmitted via email.
- Implement software restriction policies: SRP or other controls can prevent programs from executing from common ransomware locations, such as temporary folders supporting popular Internet browsers
- Application safe-listing: Only allows systems to execute programs known and permitted by a security policy.
- Operating Systems: Execute operating system environments or specific programs in a virtualized environment.
- Logical and physical separation: Categorize data based on organizational value and implement physical and logical separation of networks and data for different organizational units.
- Consider implementing “Zero Trust Architecture (ZTA)” in the corporate network to limit or even challenge the lateral network traffic and consequently challenge the spread of malware across all systems.
- Penetration testing: Test the security of systems and the ability to defend against attacks.
- What to do if you discover Ransomware
The next steps are to mitigate the threat through the processes of containment, eradication, and recovery. Containment means isolating the infection and so that it does not cause anything more to happen. Eradication means to eliminate and destroy all the malware software instances. Recovery tends to mean recovery from uncontaminated offline backups to regain the integrity and confidence.
The final step is to articulate the lessons learned and apply them back at the incident planning process in a cyclical manner.
- Isolate the infected computer immediately. Infected systems should be removed from the network as soon as possible to prevent ransomware from attacking network or share drives.
- Isolate or power-off affected devices that have not yet been completely corrupted. This may afford more time to clean and recover data, contain damage, and prevent worsening conditions.
- Immediately secure backup data or systems by taking them offline. Ensure backups are free of malware.
- Contact law enforcement immediately.
- If available, collect and secure partial portions of the ransomed data that might exist.
- If possible, change all online account passwords and network passwords after removing the system from the network. Furthermore, change all system passwords once the malware is removed from the system.
- Delete operating system configuration settings and files to stop the program from loading.
- Implement your security incident response and business continuity plan. Ideally, organizations will ensure they have appropriate backups, so their response to an attack will simply be to restore the data from a known clean backup. Having an immutable data backup can eliminate the need to pay a ransom to recover data.
Reference Material
- Cybersecurity and Infrastructure Security Agency Guidance, Ransomware Guide, September 2020
- SNIA Data Protection & Privacy Committee
Definitions
Malware, short for malicious software, is a blanket term for viruses, worms, Trojans, and other harmful software that attackers use to gain access to sensitive information illegally. Software is identified as malware based on its intended nefarious use (such as identity theft or even total data destruction), rather than a particular technique or technology used to build it.
SNIA Dictionary Definitions
malware [Permalink]
[Computer System] [Data Security]
Malicious software designed specifically to damage or disrupt a system, attacking confidentiality, integrity and/or availability. [ISO/IEC 27033-1]
Examples are a computer virus, computer worm, Trojan horse, spyware, adware, ransomware, or scareware.
ransomware [Permalink]
[Data Security]
A type of malicious software designed to block access to data until funds are paid.