Ransomware: what is it and how can we prevent it?

In recent years cybercriminals have developed a new and highly profitable form of extortion – by kidnapping companies’ data and demanding a hefty ransom fee.

The most successful attacks can net millions of dollars and the culprits are becoming more brazen all the time – even contacting the media, threatening to publish stolen data if organisations fail to pay up and selling it online via their own auction sites.

Following the attack on foreign exchange provider Travelex on New Year’s Eve 2019, the attackers – known as the Sodinokibi or REvil gang – contacted the BBC, which reported their demand for a £4.6m ransom.

In May 2020 the same gang encrypted data from the US law firm Grubman Shire Meiselas & Sacks, whose celebrity clients include Lady Gaga and Madonna, and threatened to release data on President Donald Trump if their $21m ransom demand wasn’t paid within a week.

Data is the lifeblood of modern businesses, and many find it easier to give in to the ransom demands, but either way attacks can be very costly. Earlier this year the University of California San Francisco (UCSF) admitted paying around $1.14m to a gang who encrypted some of its servers.

Meanwhile in the UK, Redcar and Cleveland council had to build a new server and website after ransomware disabled its IT system. The cost is estimated at millions of pounds, leaving the council with a major hole in its budget.

Indeed in the US, where there were an estimated 960 attacks on local government, educational and healthcare providers last year, senators are calling for cybersecurity co-ordinators to be appointed for each state.

The nature of attacks is changing all the time. We are now seeing malware used for corporate espionage and criminals holding intellectual property such as patents and other high-value assets to ransom until the company pays for them to be released.

Why are ransomware attacks on the rise?

A number of factors are likely to play a part in the growth of ransomware. Firstly the nature of cybercrime has changed and criminal gangs have moved into the market.

Coders who create the ransomware now sell or lease their products on the darknet and let other criminals carry out the attacks, a model known as ransomware-as-a-service.

Ransomware kits are available on the darknet with prices starting at just €500. Each kit is built with its own encryption key pair, so every purchase produces a distinct variant that existing signatures may not recognise. The package typically includes a payment portal with a “helpdesk” that walks victims through buying bitcoin and paying the ransom.

Vulnerabilities in IT systems have also played a role (see below) and, ironically, so has the increasing use of cyber insurance. Criminals are aware that many companies have insurance in place and will therefore have the means to pay the bill.

How does it enter the system?

Phishing attacks are one way for it to get into the network, but criminals also exploit vulnerabilities in internet-facing systems, for example BlueKeep (CVE-2019-0708) in Microsoft’s Remote Desktop Protocol, EternalBlue (MS17-010, CVE-2017-0144) in the Windows SMBv1 file-sharing service, and the flaw in Citrix ADC and Gateway remote-access appliances (CVE-2019-19781).

EternalBlue powered the spread of the WannaCry attacks, which disabled parts of the UK’s health service network in May 2017, and of the NotPetya attacks a month later, which cost businesses an estimated US$10 billion.

Once inside the network, the attackers move laterally to other machines, often lingering undetected for weeks or months while they harvest credentials and locate the backups. Encryption is only triggered once they have reached enough systems, or once the backups have been deleted or encrypted too. The company’s data is then suddenly encrypted and the victims receive a ransom demand. The business comes to a standstill and must either recover rapidly or risk going out of business.

What type of businesses are at risk?

Organisations of all types, public and private sector, can be victims but criminals are more likely to target bigger firms as they can demand a bigger ransom. According to the UK government’s Cyber Security Breaches Survey 2020, of those businesses which had suffered some type of cybersecurity incident in the previous 12 months, 8% reported ransomware attacks. However that rose to 14% amongst medium-sized businesses and 16% amongst large firms.

By contrast attacks on smaller firms tend to be more random – the culprits may have sent out millions of phishing emails and the victims are the ones who happen to click through. That said, small businesses may suffer a greater impact as they are less likely to have the funds to resolve the situation.

It is worth remembering that the firms most at risk are also those which fail to safeguard their backups – they never test a restore, and they keep no copy that is offline, immutable or otherwise out of reach of an attacker who has taken over the network. Without usable backups, it is often cheaper to pay the ransom than to find another way to recover.

What is the best form of defence?

While there are some very effective solutions, they tend to be expensive and are not suited to every environment, particularly end-user laptops and desktops. Standard cybersecurity hygiene – firewalls, patching internet-facing systems promptly, endpoint security and training staff to recognise phishing – provides some defence, but it is difficult to protect against every eventuality.

Therefore the ultimate safeguard is to detect an intrusion as quickly as possible through cybersecurity monitoring. Ransomware leaves a distinctive trail before it strikes: one workstation suddenly opening file-sharing or remote-desktop sessions to many other hosts, and files being rewritten in bulk with a new extension. Monitoring that flags this unusual behaviour in internal network traffic, lateral movement and file changes can catch ransomware entering and spreading through the system.

This ensures that problems are identified and contained before the data is encrypted, with minimal impact on the business.
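As an added illustration of the two behavioural signals described above (this is example code written for this page, not a product or method from the original article), the script below runs a file-change burst heuristic and a lateral-movement fan-out heuristic over constructed sample telemetry. The hostnames, addresses, thresholds and time windows are all assumptions chosen to make the example run offline; a real deployment would tune them to the environment’s baseline.

```python
"""Added example: two behavioural heuristics for spotting ransomware
activity in host and network telemetry, run over constructed sample
events. Hostnames, addresses and thresholds are hypothetical."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address
import os

SMB_RDP_PORTS = {445, 3389}  # file sharing and remote desktop


def ext_of(path: str) -> str:
    """Lower-cased extension of a file path (Windows or POSIX separators)."""
    return os.path.splitext(path.replace("\\", "/"))[1].lower()


def detect_encryption_burst(events, window=timedelta(seconds=60), threshold=20):
    """Flag hosts that, inside one `window`, write or rename at least
    `threshold` files to a single extension the host had not used before
    the window opened. Mass rewrites to a new suffix are the signature of
    bulk encryption. Returns {host: suspicious_extension}.
    Caveat: a host whose very first recorded activity is a large bulk save
    has no baseline yet and may be flagged; that is a tuning decision."""
    hits = {}
    by_host = defaultdict(list)
    for ts, host, kind, detail in events:
        if kind == "file":
            by_host[host].append((ts, ext_of(detail)))
    for host, items in by_host.items():
        items.sort()
        baseline = set()  # extensions seen before the current window
        start = 0
        for end, (ts, ext) in enumerate(items):
            while items[start][0] < ts - window:
                baseline.add(items[start][1])
                start += 1
            counts = Counter(e for _, e in items[start:end + 1])
            if ext not in baseline and counts[ext] >= threshold:
                hits[host] = ext
                break
    return hits


def detect_lateral_fanout(events, window=timedelta(seconds=120), threshold=10):
    """Flag hosts that open SMB/RDP connections to at least `threshold`
    distinct internal destinations inside one `window`. Workstations
    rarely do this; spreading ransomware does. Returns {host: fan_out}."""
    hits = {}
    by_host = defaultdict(list)
    for ts, host, kind, detail in events:
        if kind != "net":
            continue
        dst, port = detail.rsplit(":", 1)
        if int(port) in SMB_RDP_PORTS and ip_address(dst).is_private:
            by_host[host].append((ts, dst))
    for host, items in by_host.items():
        items.sort()
        start = 0
        for end, (ts, _) in enumerate(items):
            while items[start][0] < ts - window:
                start += 1
            distinct = {d for _, d in items[start:end + 1]}
            if len(distinct) >= threshold:
                hits[host] = len(distinct)
                break
    return hits


def build_sample_events():
    """Constructed telemetry (not real data): a quiet workstation WS-007
    and WS-114, which starts behaving like ransomware after lunch.
    Tuples are (timestamp, host, kind, detail)."""
    t0 = datetime(2020, 6, 1, 9, 0, 0)
    events = []
    for i in range(5):  # WS-007: a few spreadsheets over the morning
        events.append((t0 + timedelta(minutes=i), "WS-007", "file",
                       f"\\\\FS01\\finance\\report{i}.xlsx"))
    events.append((t0 + timedelta(minutes=1), "WS-007", "net", "10.0.0.5:445"))
    events.append((t0 + timedelta(minutes=3), "WS-007", "net", "10.0.0.6:445"))
    for i in range(3):  # WS-114: normal .docx work first, building a baseline
        events.append((t0 + timedelta(minutes=i), "WS-114", "file",
                       f"\\\\FS01\\hr\\payroll{i}.docx"))
    t1 = t0 + timedelta(hours=5)
    for i in range(12):  # then sweeps 12 hosts over SMB in under 90 seconds
        events.append((t1 + timedelta(seconds=7 * i), "WS-114", "net",
                       f"10.0.0.{20 + i}:445"))
    for i in range(30):  # and rewrites 30 files to a new suffix in 30 seconds
        events.append((t1 + timedelta(seconds=120 + i), "WS-114", "file",
                       f"\\\\FS01\\hr\\payroll{i}.docx.locked"))
    return events


def run(events=None):
    """Run both heuristics; returns {rule_name: {host: finding}}."""
    events = build_sample_events() if events is None else events
    return {"encryption_burst": detect_encryption_burst(events),
            "lateral_fanout": detect_lateral_fanout(events)}


if __name__ == "__main__":
    for rule, hits in run().items():
        print(rule, hits or "no hits")
```

Both rules fire on WS-114 and stay silent on WS-007. The fan-out rule typically triggers first, during the lateral-movement phase, which is the window in which isolating the host still prevents the encryption described above; the burst rule is the backstop for the case where the attacker is already on a file server.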