What is Ransomware?
Ransomware has been all over the news lately with the Colonial Pipeline and JBS ransomware attacks. It seems like everyone from the local grocery store clerk to top government officials have been discussing ransomware since it has hit the mainstream news headlines. Today, we will take a quick look at what ransomware is, how it works, and what you can do to help mitigate the risk associated with it.
So what exactly is Ransomware?
The Cybersecurity and Infrastructure Security Agency (CISA) defines Ransomware as:
“…an ever-evolving form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption. Ransomware actors often target and threaten to sell or leak exfiltrated data or authentication information if the ransom is not paid.”
This is no different than someone being kidnapped and the kidnappers demanding a ransom, which always brings to mind the classic Mel Brooks movie, Ransom….
Essentially, bad guys find a way into your network and deploy malware to lock files so users can no longer access them. Users are subsequently unable to complete day to day tasks which essentially forces portions of a company or the entire company to shut down. The threat actors then demand payment, usually via Bitcoin or some other form of cryptocurrency, in exchange for the keys required to decrypt the files. All ransomware variants and groups deploying this malicious software behave differently, though. For example, while some threat actors are known to actually provide the encryption keys following payment and have technical support to help you recover your files, others will simply take your payment and run or the ransomware could encrypt the files such that they are impossible to recover.
It all comes down to business for these groups most of the time. They are targeting everything from high profile companies to smaller “mom and pop” shops. Often, the money they receive from ransom payments is reinvested into the business to create more advanced malware or improve their talent pool of folks to execute these attacks. They are able to improve their technology with more sophisticated attacks and the process is perpetuated.
How does Ransomware Work?
One of the most common avenues of attack is via social engineering. The bad guys will send phishing emails and once someone clicks a link or downloads a file, they are able to take over that system or exploit that particular user in order to deliver the malware. Attackers can also take advantage of unpatched systems, known vulnerabilities, and zero day vulnerabilities in order to gain a foothold on the network and deliver malware.
Once ransomware is deployed, it generally begins by indexing (and sometimes downloading) all of the files the malware has access to. Once complete, it will begin encrypting all of the identified files. After that, it will usually put a big ransom note or instruction files in a conspicuous location of each infected system. This spread will include all networked systems or file shares that the compromised user account deploying the malware has access to. This is one of the reasons it is imperative to ensure you conduct ongoing security assessments to evaluate your implementation of least privilege, as well as have an incident response plan in place to quickly contain ransomware that is identified.
How to Prevent Ransomware
As we have previously discussed, there is no silver bullet in security that can completely prevent ransomware, or any other security incident for that matter. But there are steps you can take to help mitigate the risks of ransomware:
- Ongoing Penetration Testing – Penetration testing is key to ensure both your external perimeter and internal network are being tested for security vulnerabilities.
- Security Awareness Training – Employees are often targeted by attackers because they represent the fastest way to internal network access. Ensure employees have an appreciation and understanding of their role in your security program.
- Incident Response Plan and Training – Your organization should have an incident response plan in place in case a security event occurs. This plan should be tested annually with a tabletop exercise to ensure all stakeholders understand their roles and everyone is not scrambling with no clear direction during a real incident.
- Disaster Recovery and Backups – It is imperative that you have a disaster recovery plan in place and you have offline backups that are not network accessible, such that they cannot be encrypted. More times than not, we see backups that are on the corporate network and can be easily accessed and encrypted by ransomware, rendering them unusable. Offline backups ensure you are able to restore operations even in the worst case scenario.
Ransomware is not going away any time soon, and is only getting more sophisticated over time. Your organization needs to be prepared and remain resilient to ensure you do not become a victim. Interested in a Ransomware Assessment to determine your risks? Reach out today to discuss more!