- What is ransomware?
- How does ransomware work?
- Some of the most famous ransomware
- 1. WannaCry
- 2. TeslaCrypt
- 3. Petya and NotPetya
- 4. REvil or Sodinokibi
- 5. SamSam
- Who is at risk?
- The business impact of ransomware
- How to stay resilient?
- 1. Anti-virus software
- 2. Backup your data
- 3. Keep your systems updated
- 4. Network segmentation
- 5. Email protection
- 6. Least privilege access
- 7. Using UEM
- How to prepare your organization?
- Identify and resolve
- Be prepared
- Provide security awareness training for employees
- Recovery strategy
What is ransomware?
Ransomware is malware that encrypts a victim's data, or in some cases an entire machine, with the intent of extorting money from the owner. Once a device is infected, it is the attacker and not the owner who controls access to the data. A ransom is then demanded in exchange for a decryption key, and the data stays encrypted until the victim pays; as the rest of this article explains, even paying does not guarantee recovery.
How does ransomware work?
Ransomware reaches a device through several channels; the most common is a malicious email attachment. Others include social engineering, trojanized software downloaded from websites, and malicious advertisements (malvertising) that install the ransomware when clicked. Once installed on the victim's computer, it typically contacts a command-and-control server run by the attacker and tries to spread to other devices and shares it can reach on the network.
Most ransomware uses hybrid encryption. Each file is encrypted with a fast symmetric cipher such as AES, and the symmetric key is then itself encrypted (wrapped) with an asymmetric public key whose private half only the attacker holds. The victim's machine therefore never contains what is needed to decrypt. The malware usually arrives as an executable; once it runs it encrypts the data, renames the files with a new extension, and leaves them useless.
Victims are then shown a ransom note, often on a lock screen, telling them to buy cryptocurrency, with the decryption key promised only after payment. The problem is that you never know whether your data will actually be released: you can only pay and hope.
Some of the most famous ransomware
1. WannaCry
WannaCry is a ransomware cryptoworm that targeted systems running Microsoft Windows. It was first detected on May 12, 2017.
Unlike most ransomware it needed no user interaction to spread: it propagated on its own through a vulnerability in Windows SMB file sharing, hitting major commercial and public-sector organizations as well as small and midsize businesses. At its peak it had infected around 300,000 systems in 150 countries. Victims were shown a screen demanding a cryptocurrency ransom for their data.
2. TeslaCrypt
TeslaCrypt encrypts files with AES and then demands payment for the private key needed to recover them. It stood out from typical file-encrypting ransomware because it also targeted video game files: saved games, profiles and in-game items that took hours of play to earn became inaccessible once TeslaCrypt hit.
3. Petya and NotPetya
Petya and NotPetya hit thousands of computers worldwide in 2016 and 2017 respectively. Both target Windows machines: they overwrite the master boot record with a payload that encrypts the file system structures on the disk, so the disk contents become unreachable and Windows no longer boots.
4. REvil or Sodinokibi
REvil, also known as Sodinokibi, operates as ransomware as a service (RaaS): affiliates rent the malware and infrastructure and share the enormous ransoms extorted from businesses with the operators. It first surfaced in April 2019 and gained notoriety after another RaaS operation, GandCrab, shut down.
5. SamSam
SamSam was first seen in late 2015 but hit hardest in 2018, with attacks on carefully chosen targets such as hospitals and educational institutions, organizations likely to pay to get their data back. Its operators gained access to victims' networks either by brute-forcing weak Remote Desktop Protocol passwords or by exploiting vulnerabilities in internet-facing servers.
Who is at risk?
Any internet-connected device can become the next ransomware target. A single vulnerable device puts the whole local network at risk, because ransomware enumerates local drives and any network-attached storage or shares it can reach. On a company network that means it can encrypt critical system files and documents, disrupting operations and cutting productivity. Some families are built specifically to target businesses, which hold sensitive customer and employee data and are more likely to pay.
The business impact of ransomware
The cost of ransomware is driven mostly by lost productivity, plus the resources and manpower needed to respond. Once ransomware has spread across and crippled a network, halting the outbreak and cleaning up takes substantial effort and several security specialists. An infection can also damage your brand and scare off potential customers for years afterwards.
The most visible effect is that it stops the everyday operations of the organization; the resulting downtime translates into large productivity losses.
Then there is the ransom itself. Cyber insurance may cover part of it, but claims can take months to approve, and complex policy terms can leave your company with little or nothing reimbursed.
Ransomware can also be a gateway to future attacks. Depending on how deep the intrusion went, the attacker may have gained footholds and credentials on many corporate systems, and the same group or another can use them to come back later.
Finally, as already noted, there is no reliable way to know whether you will receive a working decryption key after paying, and any data the attackers copied may be sold to a third party or leaked publicly regardless. Preventing the attack in the first place, and being able to recover without paying, is the only real fix.
How to stay resilient?
The way to protect your business from ransomware is to follow cybersecurity best practices. These range from running capable anti-malware software to using management software that keeps every device in the organization under control.
1. Anti-virus software
Antivirus software detects malicious programs and removes or disables them, which is why it has become a baseline requirement. Thousands of new samples appear every day and existing families keep evolving, so the product and its signatures must be kept current. In today's environment, though, antivirus alone is not sufficient; it is one layer among several.
2. Backup your data
A ransomware attack is often a gradual process: the malware operates in the background, reporting back to the attacker on things like your backup procedures, where important files live and your daily routines, and operators frequently delete or encrypt reachable backups before triggering the encryption. As part of your recovery plan, it is crucial to keep a copy of the data somewhere other than your usual backup.
A cloud backup is a good off-site copy. It is harder to reach because the attacker needs separate cloud credentials, and because the local administrator account on a compromised machine cannot see or modify it, it stays out of reach when the local systems are hit. Two caveats: do not store the cloud backup credentials on the machines being backed up, and test restores regularly, because a backup that has never been restored is not a proven backup.
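The restore test mentioned above can be partly automated with an integrity manifest: record a hash of every file when the backup is taken, keep the manifest with the off-site copy, and compare the copy against it before you rely on it. The following is an added example written for this article, not code from Hexnode or any backup product; the source tree, the simulated tampering and the file names are constructed for the demonstration.

```python
import hashlib
import json
import os
import shutil
import tempfile


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256; taken at backup time."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def verify_backup(backup_root, manifest):
    """Compare a backup copy to the manifest recorded when it was taken.

    A file that ransomware has overwritten shows up as 'changed'; one it renamed
    (e.g. with a new extension) shows up as 'missing' plus an unexpected 'extra'.
    """
    current = build_manifest(backup_root)
    missing = sorted(set(manifest) - set(current))
    changed = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    extra = sorted(set(current) - set(manifest))
    return {"ok": not (missing or changed), "missing": missing, "changed": changed, "extra": extra}


def demo():
    """Constructed scenario: take a backup, then simulate ransomware reaching the copy."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "data")
    os.makedirs(src)
    for i in range(3):
        with open(os.path.join(src, f"invoice{i}.txt"), "w") as f:
            f.write(f"invoice {i}\n" * 50)

    # Manifest is JSON so it can be stored next to the off-site copy (round-trip shown here).
    manifest = json.loads(json.dumps(build_manifest(src)))
    backup = os.path.join(work, "backup")
    shutil.copytree(src, backup)
    clean_report = verify_backup(backup, manifest)

    # Simulated tampering: one file overwritten in place, one renamed and filled with
    # random bytes standing in for ciphertext. Constructed, not a real sample.
    with open(os.path.join(backup, "invoice2.txt"), "wb") as f:
        f.write(os.urandom(600))
    os.remove(os.path.join(backup, "invoice1.txt"))
    with open(os.path.join(backup, "invoice1.txt.locked"), "wb") as f:
        f.write(os.urandom(600))
    tampered_report = verify_backup(backup, manifest)

    shutil.rmtree(work)
    return clean_report, tampered_report


if __name__ == "__main__":
    before, after = demo()
    print("clean copy ok:", before["ok"])
    print("tampered copy:", after)
```

Store the manifest with the off-site copy rather than on the source host, since a host that ransomware has reached can no longer be trusted to report its own state; a mismatch in the report means that copy must not be used for recovery.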
3. Keep your systems updated
Always run the current version of your operating system, web browser, antivirus program and any other software you use, and apply patches promptly. Malware and ransomware evolve constantly, and new variants exploit flaws that outdated software leaves open.
Software updates typically:
- Fix software bugs
- Add or enhance features
- Improve compatibility
- Fix security issues
4. Network segmentation
Ransomware spreads quickly across a flat network, so limiting how far it can travel is critical. Network segmentation divides the network into smaller, separate sub-networks, each of which functions as its own system with its own access and security controls, giving network teams control over which traffic may flow between them.
This reduces the attack surface, and when one segment is hit the affected subnet can be cut off from the rest so the outbreak does not spread. In practice it also means not allowing workstation-to-workstation SMB or RDP traffic, the very protocols a worm like WannaCry and operators like SamSam relied on to move through networks.
5. Email protection
Email has traditionally been one of the biggest entry points for ransomware, through phishing and other social engineering scams.
Protecting against phishing remains a high priority. Management software helps, but there are also simple routines that keep you safer, such as:
- Do not open attachments or links in emails from unknown or unexpected senders.
- Use Sender Policy Framework (SPF): a DNS TXT record that lists which mail servers may send on behalf of your domain, so receiving servers can reject spoofed messages claiming to come from your organization.
- Use DomainKeys Identified Mail (DKIM): the sending server signs each message with a private key and publishes the matching public key in DNS, so the recipient can verify that the message was authorized by the domain and was not altered in transit.
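To make the SPF mechanism above concrete, here is an evaluator that does what a receiving mail server does: fetch the sender domain's SPF record, walk its mechanisms in order, and return pass, fail, softfail, neutral or none for the connecting IP. This is an added example written for this article, not Hexnode code or a complete RFC 7208 implementation. DNS answers come from a constructed in-memory table (`FAKE_DNS`, with documentation addresses) so it runs offline; a real checker would query TXT, A and MX records instead. DKIM verification is not shown since it needs an RSA signature check over the canonicalized message.

```python
import ipaddress

# Constructed DNS data standing in for real lookups (RFC 5737/3849 documentation ranges).
FAKE_DNS = {
    "example.com": {
        "TXT": ["v=spf1 ip4:203.0.113.0/24 include:mail.example.net -all"],
        "A": ["203.0.113.10"],
        "MX": ["mx1.example.com"],
    },
    "mail.example.net": {  # a third-party mailer that example.com is allowed to use
        "TXT": ["v=spf1 ip4:198.51.100.25 a mx ~all"],
        "A": ["198.51.100.40"],
        "MX": ["mx.mail.example.net"],
    },
    "mx.mail.example.net": {"A": ["198.51.100.41"]},
    "mx1.example.com": {"A": ["203.0.113.20"]},
}

# Qualifier prefix on a mechanism decides the result when that mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(domain, rtype):
    """Stand-in for a DNS query against the constructed table."""
    return FAKE_DNS.get(domain, {}).get(rtype, [])


def spf_record(domain):
    for txt in lookup(domain, "TXT"):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


def check_spf(ip, domain, depth=0):
    """Evaluate SPF for a connection from `ip` whose MAIL FROM claims `domain`."""
    if depth > 10:  # RFC 7208 caps DNS-querying mechanisms; treat runaway includes as an error
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"  # domain publishes no policy; the receiver cannot reject on SPF alone
    addr = ipaddress.ip_address(ip)

    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        if "=" in term:
            continue  # modifiers such as redirect= and exp= are not handled in this example
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()

        matched = False
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # `in` is False when the address family differs, so ip4: never matches an IPv6 sender
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = str(addr) in lookup(arg or domain, "A")
        elif name == "mx":
            matched = any(str(addr) in lookup(mx, "A") for mx in lookup(arg or domain, "MX"))
        elif name == "include":
            # include: matches only if the referenced domain's policy returns "pass"
            matched = check_spf(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"  # unknown mechanism names are a permanent error

        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # record ran out without an "all" term


if __name__ == "__main__":
    for sender in ("203.0.113.77", "198.51.100.41", "192.0.2.5"):
        print(sender, "->", check_spf(sender, "example.com"))
```

Note the order dependence: a spoofed sender at 192.0.2.5 reaches the trailing `-all` and fails for example.com, but only softfails for mail.example.net because that record ends in `~all`. SPF and DKIM on their own only let receivers detect a forged sender; a DMARC record is what tells receivers to quarantine or reject messages that fail both checks.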
6. Least privilege access
Least privilege access means granting every identity across the enterprise only the minimum access needed to complete its task. This applies not just to users but to systems, processes, applications, services and devices. An account or process with privileged access on one system should not automatically have it anywhere else; confining access this way means a vulnerability in one application cannot be used to reach other devices or apps, which reduces overall exposure. For ransomware in particular, the malware runs with the rights of the user who launched it, so a standard non-administrator account limits what it can encrypt and how far it can spread. The principle also reduces the insider threat posed by privileged user accounts.
7. Using UEM
Unified Endpoint Management (UEM) should be part of any growing business's plan, because it covers the basic aspects of endpoint security. As a business grows it becomes harder to keep track of every endpoint, and each unmanaged endpoint is an opportunity for an attacker.
Endpoint management gives IT administrators information about all the devices the company has deployed from a single portal. With a capable UEM like Hexnode, the company can monitor device health, location and other attributes. Hexnode UEM supports multiple operating systems, so devices running different OSes can all be managed from a single Hexnode portal.
Hexnode UEM contributes to ransomware protection through:
- Device management
- Data encryption
- Application management
- Business containerization
- Tracking and geofencing
- Threat management
- Device compliance
- Network security
How to prepare your organization?
Identify and resolve
The first step in recovering from a ransomware attack is detecting it, which is often harder than it sounds, because threats are getting better at disguising themselves as legitimate programs. Tools such as a UEM that continuously monitor every device in the organization help you spot an oncoming threat sooner. Signs worth alerting on include large numbers of files being renamed with an unfamiliar extension and ransom notes appearing in directories.
Be prepared
Create an incident response plan that describes how your business will detect, contain and handle an incident such as a ransomware attack. It must also cover backup, recovery and communication. In a crisis the plan should assign responsibilities to your staff and give them specific instructions to follow.
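The two signs just mentioned, mass renaming to an unfamiliar extension and ransom notes, can be checked for with a scan like the one below, which also flags files whose contents look encrypted (byte entropy close to 8 bits) while skipping formats that are high-entropy by design. This is an added example written for this article, not Hexnode or UEM code; the thresholds, the extension lists, the ransom-note name pattern and the sample directory it builds are all constructed for the demonstration and would need tuning on a real fleet.

```python
import math
import os
import re
import tempfile
from collections import Counter

# Formats that are compressed or encrypted by design, so high entropy alone is expected.
KNOWN_HIGH_ENTROPY = {".zip", ".gz", ".7z", ".rar", ".png", ".jpg", ".jpeg",
                      ".mp4", ".pdf", ".docx", ".xlsx", ".pptx"}
# Extensions considered normal on this (constructed) fileset; anything else is counted.
COMMON_EXTENSIONS = KNOWN_HIGH_ENTROPY | {".txt", ".csv", ".doc", ".xls", ".log",
                                          ".json", ".xml", ".py", ".html"}
# Ransom notes are typically small text files with names like HOW_TO_DECRYPT_FILES.txt.
RANSOM_NOTE = re.compile(r"decrypt|restore|recover", re.IGNORECASE)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; random/encrypted data approaches 8.0, English text sits near 4-5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_tree(root, sample_bytes=4096, cluster_threshold=5):
    """Walk `root` and collect ransomware indicators. Returns a dict of findings."""
    findings = {"high_entropy": [], "ransom_notes": [], "extension_clusters": {}}
    unusual_ext = Counter()
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            ext = os.path.splitext(name)[1].lower()
            if RANSOM_NOTE.search(name) and ext in (".txt", ".html", ".hta", ""):
                findings["ransom_notes"].append(rel)
                continue
            if ext not in COMMON_EXTENSIONS:
                unusual_ext[ext] += 1
            with open(path, "rb") as f:
                head = f.read(sample_bytes)  # a prefix is enough to judge entropy
            if ext not in KNOWN_HIGH_ENTROPY and shannon_entropy(head) > 7.5:
                findings["high_entropy"].append(rel)
    # Many files sharing one unfamiliar extension is the mass-rename signature.
    findings["extension_clusters"] = {e: c for e, c in unusual_ext.items() if c >= cluster_threshold}
    findings["suspicious"] = bool(findings["ransom_notes"]
                                  or findings["extension_clusters"]
                                  or len(findings["high_entropy"]) >= cluster_threshold)
    return findings


def build_sample(root, infected):
    """Constructed sample tree: a few plain notes, optionally plus 'encrypted' files and a note."""
    os.makedirs(root, exist_ok=True)
    for i in range(3):
        with open(os.path.join(root, f"notes{i}.txt"), "w") as f:
            f.write("quarterly numbers look fine, meeting moved to tuesday\n" * 20)
    if infected:
        for i in range(6):
            with open(os.path.join(root, f"report{i}.docx.locked"), "wb") as f:
                f.write(os.urandom(8192))  # random bytes stand in for ciphertext
        with open(os.path.join(root, "HOW_TO_DECRYPT_FILES.txt"), "w") as f:
            f.write("Your files are encrypted. Pay to get the key.\n")


def demo():
    """Scan one constructed infected tree and one clean tree; returns both findings."""
    work = tempfile.mkdtemp()
    infected_dir, clean_dir = os.path.join(work, "infected"), os.path.join(work, "clean")
    build_sample(infected_dir, infected=True)
    build_sample(clean_dir, infected=False)
    return scan_tree(infected_dir), scan_tree(clean_dir)


if __name__ == "__main__":
    infected, clean = demo()
    print("infected tree suspicious:", infected["suspicious"], infected["extension_clusters"])
    print("clean tree suspicious:", clean["suspicious"])
```

Scans like this are a cheap complement to endpoint monitoring rather than a replacement for it: by the time files are renamed the encryption has already started, so the value is in catching it within minutes on a file share and isolating the host, not in preventing the first files from being hit.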
Provide security awareness training for employees
Give staff targeted training in device management and cyber security so they do not fall for dangerous practices such as opening phishing emails or downloading malware.
Recovery strategy
Test your incident response and recovery plan with simulations or walk-through exercises. Each scenario should evaluate how well the team responded and expose any weaknesses in the plan.