While the majority of movie theaters around the country remain closed and you’re nearing the end of the shows to binge on Hulu or Netflix, we felt it was only right to provide you with a story of our own.
Allow me to set the scene...
You burst through the office doors on a bright and sunny Summer day. You pour yourself a cup of coffee to get the day started and share a laugh with Dennis from Accounting before heading off to settle in at your desk. It’s Friday, arguably the best day of the week, and life is good.
You log in to your sleek desktop computer with its 21.5-inch screen, only to find a BIG RED MESSAGE flashing at you…
Your personal files are encrypted!
If you see this message, your files are no longer accessible.
To decrypt and recover your files you must obtain the private key for this computer.
To obtain the private key for this computer, you must submit a payment of $2500 USD or similar currency.
This type of sinister message is a telltale sign that you have become a victim of ransomware. It is, to say the least, a very scary time for you and your business.
Let’s take a closer look at how this could have happened and what you can do to keep your business better protected.
What is Ransomware?
Ransomware is a type of malware that encrypts the files on your device (or on network storage devices), making them unusable. The user is then presented with a set of directions they must follow to restore their encrypted files, which usually means paying a “ransom” to the cybercriminals who infected the system before a deadline expires. Payments can range from a couple of hundred dollars to many thousands of dollars.
Payment often takes place through an electronic payment method such as Bitcoin because it is difficult to trace. Although security researchers have determined how to map the flow of Bitcoin transactions, finding and identifying the actual owner of a Bitcoin or similar cryptocurrency account is extremely difficult.
How Ransomware Spreads
There are a number of ways ransomware can gain access to your computer, perhaps the most common being distribution through a spam email attack known as phishing. This occurs when an email includes an attachment that appears to be a genuine file but is in fact malware disguised that way. The ransomware is activated as soon as the attachment is opened and immediately begins to encrypt files on your computer. Similarly, ransomware may also be concealed behind a link in the body of an email. In this case, after the link is clicked, the user is directed to a website where the ransomware enters the device without any visual cues or warning signs.
Regardless of how the malicious software finds its way into your network, it ultimately relies on what is referred to as an exploit kit (a toolkit for attackers), which is used to find and attack vulnerabilities in your operating system or programs so that the ransomware can be delivered and run.
Cybercriminals have also been known to use existing vulnerabilities in your system, similar to what we saw in the 2017 WannaCry ransomware attack. During this event, attackers took advantage of a well-known and documented Windows vulnerability using EternalBlue, an exploit originally developed by the United States National Security Agency. Businesses that had not applied the latest patches from Microsoft, or were still using Windows systems that had reached their end-of-life date, were hit in an attack that impacted more than 200,000 computers in more than 150 countries, causing nearly a billion dollars in damages. Yikes!
The Impacts of Ransomware
In recent years, we have witnessed a significant (and costly) spike in the number of successful ransomware attacks against organizations. In 2019 alone, ransomware attacks jumped 41%, affecting just shy of 1,000 U.S. businesses, with an attack occurring every 14 seconds. The trend shows no signs of slowing down: Cybersecurity Ventures predicts that the global cost of ransomware could surpass $20 billion as soon as next year.
The impact of a ransomware attack on an organization extends well beyond the cost of paying the cybercriminals who breached your system. The losses include the less obvious costs associated with temporary or permanent loss of data, remediation efforts, PR efforts, legal fees, higher insurance premiums, operational disruption, diminished productivity, reduced customer value, regulatory fines, and irreparable damage to a company’s reputation. You can see how quickly things can get out of hand.
For example, in 2019 a massive ransomware attack struck the Baltimore City Government, leaving its systems useless for over a month. The attackers demanded a ransom of $76,000 in Bitcoin from Baltimore City. Damages from this event ended up reaching $18 million due to lost revenue, recovery efforts, fines, and improved defenses to prevent a future breach.
A Ransomware Attack Timeline
One of the first widespread ransomware families, CryptoLocker, dates back to 2013. That malware was usually delivered as a hidden email attachment or installed on systems that had previously been compromised. When activated, CryptoLocker would begin encrypting specific files on both local and network drives. The victim was then instructed to pay a ransom within a set period of time or the decryption key would be deleted forever, meaning there would be no way to ever retrieve their data. What made the situation even worse was that in most cases, even when the ransom was paid, victims would rarely receive the decryption key.
Eventually, a joint industry, law enforcement, and government collaboration named Operation Tovar was able to take down the Gameover Zeus botnet that was initially used to distribute CryptoLocker. However, other variants of ransomware soon followed to take its place.
One of those variants was CryptoWall, infamous for the attacks that impacted Australia throughout 2014. This particular campaign was distributed as a phishing email using links that posed as messages “sent from” various government agencies. To avoid being blocked by security products, the creators of these malicious emails placed a Captcha form before the malware download.
First seen in early 2016, Locky was shared via email featuring a false invoice attachment, normally disguised as a Word or Excel file. When opened, a prompt would appear requesting that macros be enabled in order to view the invoice. Enabling them would cause the file to run an executable, which then downloaded the ransomware. Victims were then directed to a website to download a browser they could use to reach a specific payment site. This ransomware was one of the first to gain major public media attention, after a US-based hospital had its patient data encrypted and had to pay to recover the files.
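The phishing bait described above (an attachment that looks like a genuine file, and an “invoice” that is really a macro-enabled Word or Excel document) can be screened at the mail gateway. The following is an added example, not code from the original post or from One Step Secure IT; the extension lists are a hypothetical policy and the sample attachments are constructed in memory.

```python
import io
import zipfile

# Parts that hold VBA macros inside Word/Excel OOXML (zip) containers.
VBA_PARTS = {"word/vbaProject.bin", "xl/vbaProject.bin"}
# Hypothetical mail policy: extensions that run code, and the Office extensions allowed to carry macros.
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".hta", ".jar"}
MACRO_EXTENSIONS = {".docm", ".xlsm", ".dotm", ".xltm"}

def attachment_findings(filename, data):
    """Return the reasons an attachment looks like disguised ransomware bait (empty list if none)."""
    findings = []
    parts = filename.lower().split(".")
    ext = "." + parts[-1]
    # "statement.pdf.exe": the decoy extension hides the real, executable one.
    if ext in RISKY_EXTENSIONS:
        if len(parts) > 2:
            findings.append("double extension hiding an executable")
        else:
            findings.append("executable attachment")
    # OOXML documents are zip files; macros live in vbaProject.bin.
    if data[:2] == b"PK":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            names = set()
        if names & VBA_PARTS:
            findings.append("Office document contains VBA macros")
            if ext not in MACRO_EXTENSIONS:
                # Heuristic: a "plain" .docx/.xlsx should not carry a VBA project at all.
                findings.append("macro document with a non-macro extension")
    return findings

def build_office_doc(with_macro):
    """Construct a minimal OOXML-like zip (constructed sample, not a real invoice)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()

if __name__ == "__main__":
    samples = {"Invoice_4471.docx": build_office_doc(True), "statement.pdf.exe": b"MZ\x90\x00"}  # constructed
    for name, blob in samples.items():
        print(name, "->", attachment_findings(name, blob) or ["no findings"])
```

A legitimate .docm still yields the single “contains VBA macros” finding, so the policy decision (block, quarantine, or warn the recipient) stays with the mail administrator.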
In May of 2017, WannaCry created headlines after infecting a reported 400,000 computers worldwide. The victims included a combination of public and private organizations that were heavily impacted, most notably a Spanish telecommunications company, the United Kingdom’s National Health Service, and a major German bank.
Fortunately, a security researcher discovered early on that the malware contained a kill switch, stopping the attack after only a few days. The spread was facilitated by a security vulnerability in Windows exploited by EternalBlue, for which a security patch had already been available for several months, yet most organizations had failed to install it. This went on to serve as a great reminder of why businesses should always stay up to date with security patches.
Shortly after the WannaCry incident, in June 2017, NotPetya, a variant of the Petya ransomware, entered the scene in Ukraine. NotPetya was spread using a PDF attachment in emails and took advantage of the same EternalBlue vulnerability that WannaCry had used. Again, public and private organizations were impacted on a global scale, including a major US pharmaceutical company, a multinational law firm, and the United Kingdom’s largest advertising firm.
In 2019, the Norwegian company Norsk Hydro lost an estimated 60-70 million dollars due to a ransomware strain known as LockerGoga. This strain caused significant issues in the company’s manufacturing operations and forced them to switch from digital systems to manual processes in order to continue reporting, billing, and invoicing.
How to Minimize Your Risk
The first step to minimizing your risk from ransomware attacks is to embrace a culture of data security and train your employees to be your greatest asset in keeping your data safe. Strengthen your frontline defense by providing education to your employees, especially those who may not be as well versed in technology. A refresher course is always a good idea to keep security top of mind. The majority of ransomware attacks require someone to be lured into taking an action that activates the payload. Keeping your employees informed on how to not only recognize but also defend against these types of cyberattacks is critical to your security.
An effective way for businesses to train their employees against these increasingly common attacks is with simulated “phishing” attempts. These are emails sent from faux accounts using links and attachments that attempt to bait your employees into opening or downloading them. This can be a powerful exercise in helping employees distinguish between genuine communication and phishing attacks.
Another must for minimizing your risk from cyberattacks is to always, and I cannot stress this enough, always update and patch systems and individual programs. This is one area you never want to relax on, because the impact can be devastating. Maintaining security patches can be simple if you make it a priority to update regularly and stop clicking “remind me tomorrow.” The importance of regular updates was most apparent in cases like the WannaCry attack, where falling behind on updates, or failing to maintain a disciplined approach to updates and patches, left too many businesses exposed. Letting it happen again during the NotPetya attacks, despite all of the media coverage and a security patch available to fix the vulnerability, is a true head-scratcher. Instead, an estimated 38 million computers were left unpatched and remained open to attack. This “it won’t happen to me” attitude can leave you and your company susceptible to devastating attacks.
Maintaining primary and secondary backups is another approach to help protect yourself against ransomware. This might sound obvious to some, but ransomware can encrypt backups stored on network servers, making it necessary to review how you currently manage backups. You should be asking questions like: are your employees backing up anything important to network drives? Are those backups then backed up to a cloud backup service? And are those backups regularly verified for restoration? In the event of a ransomware attack that encrypts all local and backup files, a verified secondary backup will help your business avoid costly consequences and restore important data quickly.
Counter ever-increasing ransomware threats with a robust security foundation made up of multiple layers of defense to stop attackers from breaching your systems and vital data. Cybercriminals spend vast amounts of time, money, and energy developing more complex forms of malware designed to sneak past your security. Relying on a single layer of protection against such an advanced threat is not best practice. By using additional layers of defense to cover your business and countermeasure tools to reduce vulnerabilities, your business can mitigate threats in a much more efficient and safe manner.
How much will ransomware cost your business? Most organizations can’t afford to find out.
With increasingly sophisticated methods being used by cybercriminals, it’s not a matter of if, but when you’ll be breached. One Step Secure IT does everything possible to keep your system safe, and if a breach occurs, takes the lead to remediate according to mandated regulations while maintaining business continuity with minimal downtime or disruption. By implementing the right technology and processes, One Step Secure IT can monitor your system 24/7 while proactively working toward greater security awareness with your employees. One Step Secure IT also goes a step further, looking for breached personal information on the Dark Web so we can help you take immediate steps to minimize your risk.