Is Ransomware Holding Your Data Hostage?
Ransomware is malware that gets onto your computer when you click an infected email or visit an infected site. Once infected with the hostage virus, a computer cannot be used until the infection is scrubbed or the “ransom” is paid. Files are encrypted by the virus and cannot be accessed, or, in some cases, a user’s screen is locked on the “ransom” note. All of your data is locked, and the only way to release a file that has been infected with ransomware is to obtain the key that decrypts it, usually by paying the ransom.
Ransomware is a disturbing and frightening malware that, because of its encryption of all your company’s data, can have implications that last long after the virus has been scrubbed. The disruption to your company’s systems can be devastating. Not only will ransomware block users from accessing important data, it can wipe some data from the system permanently, result in lost income from unplanned downtime, affect emails, disrupt billing cycles, and more. It can take days, weeks or even months to clean up the mess after a ransomware attack.
Because it’s expected that companies and businesses have security in place that will stop these types of cybercrimes, once the public hears that a company has been infected with ransomware, its confidence in that business will plummet.
Ransomware: Not a New Threat
With all the recent focus on cyberattacks, you might think cybercrime is a relatively new trend. The reality is a bit more sobering: while cybercriminals continue to evolve and up the game, cybercrime has been around for decades.
The first known ransomware attack hit the healthcare industry in 1989 when Joseph Popp, PhD, sent over 20,000 infected floppy discs to 90 countries across the globe. The malware wasn’t immediately apparent; the infected computers had to be turned on 90 times before the ransomware message was displayed. Payment of $189 was demanded to release the networks, along with a demand for an additional $378 for a “software lease.” The payment was to be mailed to “PC Cyborg” in Panama.
Joseph Popp was an AIDS researcher who targeted other AIDS researchers with his attack. He cleverly hid the virus in discs titled “AIDS Information: Introductory Diskettes” and handed them out to the attendees of the World Health Organization’s AIDS Conference.
This ransomware attack became known as the AIDS Trojan, or the PC Cyborg virus. It was a very basic virus and, while it affected many networks, the files were easily decrypted without paying the ransom.
Over time, ransomware has evolved. Many notable ransomware attacks have targeted big, established companies, banks, healthcare organizations and even governments from the mid-2000s to the present day.
In 2013, the devastating ransomware Cryptolocker earned its creators over $3 million. It was stopped when its running platform, Gameover ZeuS botnet, was taken offline. That might have been the end of the story, but other creators quickly replicated the ransomware in copycat programs such as Cryptowall (which earned its creators $18 million) and TorrentLocker. Gameover ZeuS re-emerged to continue the spread of malware and spam.
In 2017, the WannaCry ransomware attack hit over 200k computers across the globe, costing companies billions of dollars. This cryptoworm targeted Microsoft users who continued to use outdated software and Windows versions that had passed End of Life. Even though the attack lasted only a few days, the damage was devastating. It was revealed that North Korea was behind this ransomware attack. The WannaCry cryptoworm made a brief reappearance in 2018 at Taiwan Semiconductor Manufacturing Company. It spread through over 10,000 computers before finally being stopped.
Baltimore City, Maryland, found its government crippled for months following a ransomware attack known as RobbinHood in 2019. Financial information, billing, some payroll services and much more were affected. Some of the data was lost forever.
Ransomware Trends: Ever Evolving
In 2017, U.S. Deputy Attorney General Rod Rosenstein revealed that every day, over 100,000 endpoints are impacted by ransomware.
There are several different types of ransomware, but the most common are:
- Scareware: This is usually a pop-up form of ransomware. It warns the user that their computer is infected and suggests running a PC scan immediately. Once the user clicks the button to run the “scan,” the virus is introduced into the device and networks.
- Doxware: Doxware hijacks sensitive data, with the actors threatening to release it publicly unless payment is made.
- Mobile Devices: A user’s mobile device is locked down, usually after the user downloads a malicious app, and payment must be made to release the functionality of the device.
- Lockers: When your network is infected by a locker, all users are locked out of the ability to access their devices.
- Crypto Malware: Crypto malware affects your files and data, encrypting them and offering a decryption key in exchange for payment.
According to research conducted by IBM, ransomware attacks have been decreasing throughout 2018 and 2019, dropping from an affected 48% of companies across the globe to only 4%. This is largely due to increased security measures, early detection, and the increased understanding of how ransomware is spread. While this drop in ransomware incidents is a good thing overall, it’s important to remember that it’s an ongoing cyber threat that’s still very much in play.
Lifecycle of a Ransomware Attack
A ransomware attack is not just a random occurrence. These actors do their homework before identifying potential victims. Specifically, they look for companies that are:
- Most likely to pay a ransom
- Using outdated platforms
- Reliant on their reputation in the public sector, which will suffer
- Not using proper security on their networks
Businesses specializing in finances, healthcare, and manufacturing remain the top targets, alongside governmental agencies.
Once a potential victim is identified, ransomware actors do more research to discover the best way to infect the network. Employees are consistently the most common targets for an infection.
Next, the malicious code is introduced, and the network is encrypted and locked down. The entire network is scanned as the virus looks for files to infect. Changes are made to the network itself, rendering data inaccessible by normal users. This process can take several hours to complete.
Once the ransomware actor has encrypted your files, your business is at a complete standstill and you are at the mercy of the cybercriminal. It’s at this point the ransom note will be introduced, demanding payment in exchange for the decryption key. If you haven’t backed up your data, you will most likely lose many important functions and files permanently, even if you pay the ransom.
The average ransom demand in 2018 for ransomware was around $115,000 per incident. Some ransom demands were far higher, however, and ranged upwards of several billion dollars. Victims are usually given a very short window of time to pay the ransom before the actors destroy data permanently.
Ransomware demands are usually paid in a virtual currency, most notably bitcoin. Bitcoin is a fast and reliable form of payment that the actors can watch in real-time; they will see exactly when the ransom has been paid. The downside for these cybercriminals is that bitcoin transactions are closely monitored by the global community, meaning that transferring bitcoin into physical payments may be tricky. Law enforcement can trace a bitcoin transaction right back to the cybercriminal.
Payday for ransomware actors does not automatically mean you will regain access to your data. Kaspersky Labs reports that one in five victims pay the ransom and do not receive a decryption key. The FBI strongly urges victims not to pay the ransom.
The lure is there, however, and the panic companies feel in the face of losing all their data can make paying seem worth the risk. In some minds, the ransom may be small compared to the potential data loss. Sadly, the reality is that after the initial payment is made the attackers may demand a second payment and still not give the victim the key after payment.
Ways Your Network Can Be Infected by Ransomware
Like most cybercrimes, ransomware infects your network using several different approaches. Common ransomware attack methods include:
Social Media Ransomware Attacks
Savvy cybercriminals use social media platforms, such as Facebook, to trick the user into clicking a link. Criminals hack into a Facebook user’s account or create a fake one with the user’s name and send out private messages in Facebook Messenger to the user’s friends. The messages may vary, from an invitation to see a funny picture to “tagging” someone in an attachment.
Once the unsuspecting user clicks the link, ransomware spreads through the user’s device and potentially the entire connected network, locking down data and sensitive information.
Pop-Up Ransomware Attacks
Other ransomware attacks come from a pop-up window that “advises” a user that his system is infected with malware. These windows are realistic and closely mirror the systems and platforms the user is familiar with. The user will click the call to action, usually a “PC Scan,” and infect his device.
Email Attachment Ransomware Attacks
This is probably the most well-known weapon for cybercriminals. A ransomware email is sent to users with a clickable attachment. Once the attachment is opened, the ransomware is released into the device and the network.
The emails tend to be urgent in nature, such as overdue bills or time-sensitive information, and will appear to be from a source the user trusts.
Unfortunately, employees continue to be the most common source for infecting networks with ransomware. Reusing passwords, lax security, and overall complacency all play big parts in these threats.
How to Know Your Network Has Been Infected
Sometimes the signs that you have been infected with ransomware are as plain as a banner splashing across your home screen. Other signs are far more subtle and can involve files you are trying to open.
Common Signs of Infection
Some signs can be quite subtle, such as changes to your file names.
If you try to open a file in Windows, you may see the notification:
“Windows can’t open this file. To open this file, Windows needs to know what program you want to use to open it. Windows can go online to look it up automatically, or you can manually select from a list of programs that are installed on your computer.”
This doesn’t automatically mean your network is infected, of course, but alongside other signs it can be an indicator.
File extensions such as .jpeg, .doc and .pdf may be altered. You may spot unfamiliar file extensions, including .cryptor and .crypted, or a blank where the extension should be.
If you have missing files or can’t find files in your libraries, you may have been infected with ransomware.
Most obviously, if you receive a notification and a demand for payment, you have been infected.
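As an added example (not from the original article or from Iconic IT), the Python sketch below turns the file-name signs above into a quick triage check: it walks a folder tree and reports folders where most files carry one of the extensions named here or no extension at all. The function names, the 50% threshold and the sample file names are assumptions made for the illustration.

```python
import os
import tempfile
from collections import Counter

# Extensions this page names as examples; extend the set from your own intel.
SUSPECT_EXTS = {".cryptor", ".crypted"}
# Everyday extensions the page says may be altered (.jpg/.docx added here).
KNOWN_EXTS = {".jpeg", ".jpg", ".doc", ".docx", ".pdf"}

def classify(name):
    """Return why a file name looks altered, or None if it looks normal."""
    stem, ext = os.path.splitext(name)
    if ext.lower() in SUSPECT_EXTS:
        inner = os.path.splitext(stem)[1].lower()
        # report.pdf.crypted: a known extension buried under a suspect one
        return "renamed" if inner in KNOWN_EXTS else "suspect-ext"
    if ext == "" and not name.startswith("."):
        return "no-ext"  # blank where the extension should be (dotfiles skipped)
    return None

def scan(root, threshold=0.5, min_files=3):
    """Map each directory whose flagged share >= threshold to its counts."""
    hot = {}
    for dirpath, _dirs, files in os.walk(root):
        reasons = Counter(r for r in map(classify, files) if r)
        flagged, total = sum(reasons.values()), len(files)
        # A lone extensionless file is normal; a directory full of them is not.
        if total >= max(min_files, 1) and flagged / total >= threshold:
            hot[dirpath] = (flagged, total, dict(reasons))
    return hot

def build_sample_tree(root):
    """Create a constructed directory tree of empty files for the demo."""
    sample = {
        "finance": ["q1.pdf.crypted", "invoice.doc.crypted",
                    "photo.jpeg.cryptor", "notes.txt"],
        "clean": ["a.pdf", "b.doc", "c.jpeg"],
        "mixed": ["budget", "plan", "readme.txt"],
    }
    for sub, names in sample.items():
        os.makedirs(os.path.join(root, sub))
        for n in names:
            open(os.path.join(root, sub, n), "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for path, (flagged, total, why) in sorted(scan(tmp).items()):
            print(f"{os.path.relpath(path, tmp)}: {flagged}/{total} {why}")
```

A flagged folder is one more sign to weigh alongside the others in this section, not proof of infection on its own.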
What to Do if You Suspect a Ransomware Infection
If you suspect your computer has been hit with ransomware, there are a few things you can do to try to mitigate the damage before it gets too far.
- If you think your network has been hit with ransomware, it’s important to stop using the computer at once. Isolate it from the main network to stop the spread of the malware through your network.
- Notify IT immediately.
- Try to identify the ransomware family if possible. You may be able to do this by cross-referencing file names, the message used, etc.
- Your IT company may attempt to wipe the device and reinstall files and software. They may also have knowledge of the ransomware family and already have a decryption key available.
- Notify authorities.
By this point, however, chances are you should be planning to use your backup data to recover from the attack. Listen to the authorities when it comes to paying the ransom and tracking the actors.
Preventing a Ransomware Attack
Baltimore, Maryland’s ransomware attack came on the heels of several warnings regarding haphazard security. If they had updated security features in place, chances are the attack would never have happened at all.
Companies can invest in anti-virus programs, but many of these are easily overcome by a dedicated cybercriminal. Outsourcing your IT needs is a better way to protect your network, your employees, your reputation, and your data.
An MSP is a team of pros that understands the trends in ransomware, the latest threats and families of ransomware, and how to effectively block them from ever taking hold of your network. MSPs have access to cutting edge technologies and security features for your network.
MSPs will also make sure your data is safely backed up, meaning minimal disruption to your workflow if a cyberattack happens.
Since most cyberthreats are introduced to the network unwittingly by workers, employee education is a priority for MSPs. Employees need to learn to be watchful for potential cybercrime schemes as well as to be able to identify if their device has been infected.
Iconic IT Can Help Protect You From Ransomware
No one expects their network to become infected from ransomware, so it’s possible your cybersecurity strategy isn’t up to the task of blocking it. Iconic IT offers a free, no obligation IT consultation to help you see if your security solutions are where they need to be to protect your network against ransomware.
Iconic IT doesn’t believe in skimping on coverage for our clients. Unlike most MSPs that offer bare-bones services, we have plans as vast as the national parks they are named after. To us, anything else is underserving. We give you the guidance and supplies you need, like a park ranger helping you through the forests and mountains of your IT issues and needs.
Want to check your cybersecurity strategies on your own? Download our comprehensive Do-It-Yourself Cybersecurity Audit Checklist and see where you stand.