What is Ransomware?

What is ransomware?

Ransomware is one of the main threats to companies and their users today. This malware mainly infects a company’s information system, through either user desktops or internal infrastructure (or both), and then requires the company to pay a ransom to regain control of their system. The malware is unfortunately very easy to obtain nowadays and is even offered as a ransomware-as-a-service. Attackers have several modes of infiltrating and infecting a system, such as phishing, code injection, or advanced threats, and will employ one or another depending on their objectives, which could be data extortion, data lock, information system lock, and so on. Ransomware can have a huge negative impact on companies. The question for them today is not whether they will be attacked, but when, as the threat has become omnipresent. In this article, we will explore how ransomware works and how companies can protect their systems and data.

How does ransomware work?

Ransomware is primarily defined by its purpose: to extort money. There are two primary types of ransomware, which are cryptolockers and screen lockers. While cryptolockers encrypt all or part of a company's data, screen lockers target more specific functions of the information system by blocking access. Regardless of which approach is used, the affected company will be asked to pay a ransom to the attackers if they want to recover its data or access. In some cases, especially with the attacks seen recently such as those against the Guardian, the blocking is accompanied by threats that the attackers will broadcast extorted data directly online.

To install their ransomware on the information systems of their victims, malicious actors use several techniques, often with phishing at the forefront. According to a study conducted by Forrester at the request of the insurer Hiscox, 62% of the companies surveyed reported that phishing was attackers’ “number one point of entry”, far ahead of the theft of credentials (44%) and intrusion by a third-party provider (40%). Once attackers gain entry into the system, ransomware can penetrate systems more deeply and go undetected via advanced obfuscation techniques, such as dead code insertion, encryption, and run-time decryption. Attackers are thus able to precisely target critical components while remaining invisible in the information system for long periods, even several weeks or months. Once the targeted systems are reached, the attacker can then decide to launch the attack and, at that point, it is already too late for the company to prevent it.

Who is a target for ransomware?

Today, companies of all sizes and from every industry are targeted by ransomware. UK suffers third highest number of ransomware attacks globally. Ransomware attacks can target a wide range of entities in the UK, including individuals, small and medium-sized businesses, large corporations, government agencies, hospitals and healthcare providers, educational institutions, and non-profit organisations. The recent attacks disclosed in the press show that any sector can be targeted, whether it is a small family business or a large multinational enterprise. 

Cybercriminals typically use ransomware to encrypt victims' data and demand payment in exchange for a decryption key. The attacks can be highly disruptive and costly, and can even result in the loss of important data if the victim is unable or unwilling to pay the ransom.

How common is ransomware?

The fact that the number of attacks reported in the press is skyrocketing proves that the frequency of attacks is increasing significantly. But more than the number of attacks, which can be difficult to quantify for researchers, it is the growing propensity of malicious actors to target the same companies multiple times that should be taken most seriously. According to the study conducted by Hiscox and Forrester, 36% of companies that had been hit by ransomware and paid the ransom were attacked again. Thus, even after being targeted, companies cannot assume they’re now safe from further attack. They must continually reinforce and improve their remediation and protection measures.

Ransomware examples

In order to defend your company, it is best to understand your attackers and, above all, their weapons. By analysing how ransomware works, companies as well as vendors can acquire a solid tactical basis on the techniques and exploits used by malicious actors, and thus better protect themselves. Here are some examples of past attacks:

• LockBit

  Probably one of the most talked about at the moment, LockBit ransomware is malware designed to block users' access to computer systems and lift the block in exchange for a ransom. LockBit automatically scans important resources, spreads an infection, and encrypts all accessible computer systems on a network. This ransomware is used for highly targeted attacks against companies and other important organisations that are often threatened with having their sensitive information published on the dark web. 

• CryptoLocker

  This is one of the first ransomware applications of the current generation that required payment in crypto-currency (such as Bitcoin) after encrypting users’ disks and connected network drives. CryptoLocker spread via an email containing an attachment that purported to be a tracking notification from FedEx or UPS. While a decryption tool has been released to counter the ransomware, various reports suggest that over $27 million has been extorted by CryptoLocker to date.

• NotPetya

  Considered one of the most damaging ransomware attacks, NotPetya exploited the tactics of its namesake, Petya, by infecting and encrypting the registration of Microsoft Windows systems. NotPetya exploited the same vulnerability as WannaCry to spread quickly, requiring payment in Bitcoin to undo changes. It has been classified by some as a wiper, as NotPetya cannot undo changes to the master boot record and renders the target system unrecoverable.

• Bad Rabbit

  Considered a cousin of NotPetya and using similar code and exploits to spread, Bad Rabbit appeared to target Russia and Ukraine, primarily affecting media companies in those countries. Unlike NotPetya, Bad Rabbit allowed decryption if the ransom was paid. The majority of cases indicate that it spread via a fake Flash player update that can impact users via a drive-by attack.

• REvil

  REvil is the work of a group of financially motivated attackers. It exfiltrates data before encrypting it, so targeted victims may ultimately be forced to pay even if they initially choose not to pay the ransom. The attack originated from compromised IT management software used to patch Windows and Mac infrastructures. The attackers compromised the Kaseya software used to inject the REvil ransomware into corporate systems.

• Ryuk

  Ryuk is a manually distributed ransomware application primarily used for spear-phishing. Targets are carefully selected by reconnaissance. Emails are sent to the chosen victims, and all files hosted on the infected system are then encrypted.

The impact of ransomware on UK businesses

The impact of ransomware on a company's operations, finances, and reputation is colossal. The most obvious impact is typically a halt in operations or a slowdown in the company's services. Whether attackers use cryptolockers or screen lockers, if they gain entry into vital systems, the victimized company simply cannot function, which impacts its financial results as well as its image with customers and partners. Weir Group, a multinational engineering firm based in Scotland, suffered a ransomware attack in early September 2021 that forced the company to shut down its IT systems, enterprise resource planning operations, and engineering applications. In its Q3 trading update, the company revealed that it had incurred direct losses of 5 million GBP (6.8 million USD) due to the incident, with an expected 40 million GBP (55 million USD) loss in profits as a result. A loss of $55 million could have major implications for Weir Group, which had predicted annual profits between $316 million and $336 million. This event serves as a stark reminder of the devastating effects of ransomware on corporations.

Beyond these obvious impacts, it’s important to also consider the personal impact on the employees of the targeted company. Experiencing such an attack can be very traumatic for teams who suddenly find themselves locked out of their work tools and do not know when they will be able to recover them. Customers of attacked companies are also affected, as attackers often threaten to leak highly confidential personal data about customers to the public.

How to prevent ransomware

oday, protecting against ransomware requires adherence to a set of best practices and technologies that work together. Gone are the days when perimeter security alone was sufficient to protect information systems. Companies must prioritise cloud security and apply protection against ransomware across their entire infrastructure and educate employees on how to maintain security in daily operations. 

Ransomware protection best practices:

• Segment the information system:

  In the fight against ransomware, microsegmentation in the cloud and on-site, is becoming a "must have." Logically isolating critical areas of the information system can help prevent attacks from spreading horizontally.

• Perform regular vulnerability scans:

  Every day, cybersecurity researchers and malicious actors discover new vulnerabilities that can be exploited to launch and spread ransomware. It is therefore essential to scan your information system to detect, at the very least, the known vulnerabilities and take the necessary measures to plug them.

• Keep software up to date:

  In line with the previous point, it is important to keep all system software up to date. Publishers and manufacturers frequently include patches to eliminate known vulnerabilities in their product updates. All too often, ransomware attacks succeed by relying on old systems that are not kept up to date. 

• Protect and isolate backups:

  Ensuring that backups are isolated and protected from ransomware allows companies to avoid paying ransom and quickly restore data that has been encrypted by cryptolockers. Using WORM (write once, read many) storage also prevents malware from rewriting stored and backed-up data. 

• Protect employees:

  Ransomware infections are spread primarily through the ends of the information system. Adopt solutions to protect endpoints, including computers, mobile devices, and especially employee email clients. 

• Raise team awareness:

  A large portion of the ransomware attacks that have hit companies have relied on phishing to succeed. The adoption of an impeccable security hygiene already allows companies to protect themselves from a large number of attacks. 

• Test disaster recovery (DR) and business continuity (BC) plans:

  Since the possibility of a successful attack is unfortunately very high, companies need to have solid and, above all, tested business continuity and disaster recovery plans. Too often, companies have relied on DR plans that work in theory, but because they have not been tested in real-world conditions, they failed when they were needed the most.

Should we protect ourselves against ransomware?

This may seem like a strange question, given the alarming picture we have painted of the threat.  However, some companies still ask themselves this question, or at least they wonder if the required investments are really necessary, especially because it is still difficult to measure the impact of a ransomware attack precisely. However, the answer is obvious: yes, every company must take the threat seriously and protect themselves. Above all, you should not think that in case of an attack, you will simply pay the ransom. Paying the ransom is absolutely no guarantee of remediation and, even worse, it does not guarantee that you will not be attacked again in the months following the first attack.

What to do after a ransomware attack? 

As said above, the potential of experiencing a ransomware attack is almost certain considering the number of attacks. That's why you need to have a clear plan on what to do in case of an attack.

Restrict the attack:

As soon as the attack is detected, isolate the infected areas as much as possible to prevent it from spreading further. In the most extreme cases, some companies have even gone so far as to directly disconnect network switches to prevent propagation. Microsegmentation solutions can usually quickly isolate the elements that may be affected. 

Alert the authorities:

This step, which has become a legal obligation, must be done as quickly as possible, and you must specify what data may have been impacted or stolen. In addition, organisations such as NCSC can also dispatch teams and support affected companies, thanks to the solid experience they have acquired in recent years.

Don't pay the ransom:

As long as possible, you should put off paying the ransom. Paying in exchange for recovering the data or preventing it from being distributed is no guarantee that the promises made will be kept. Moreover, paying the ransom only encourages hackers to continue.

Investigate affected systems:

Before thinking about restarting a compromised system, it is important to understand how and when it was infected and which assets are affected. It is essential to have this information to be able to rebuild the system. Not only do you want to ensure you’re not restoring elements that are still infected, but you also need to know which parts of the system can be restarted without having to be restored (which significantly limits the workload and speeds up the restart time. Whenever possible, avoid having to restore the entire system and focus solely on the damaged parts. 

Rebuild and restore:

Once the investigation phase is complete, companies can begin to rebuild their information systems. If their DR plan is ready and functioning, companies can build on it to restore the impacted parts of the information system that have been cleared of all traces of ransomware. In other cases, a whole new architecture may need to be put in place.

The ransomware threat can no longer be ignored. Not only do companies need to protect themselves against it, but they also need to make sure they are prepared in case they are hit. While good ransomware protection cannot eliminate all risks, preparation and awareness can help minimise the impact of attacks in many cases. Moreover, the threat landscape is not static. Every day, hackers are looking for new vulnerabilities and new techniques to exploit to achieve their goals. The fight against ransomware must therefore be a long-term effort that requires constant review of your security posture, as well as a solid plan of action ready to be executed in case of an attack.