Ransomware – Take an informed decision. Consult the experts
Ransomware attacks have gone up by 150% in recent months, as many cyber groups are finding it a lucrative business to be in.
These cybercriminals and groups follow no code of conduct; their methods of attack and their selection of targets have no logic. This is an all-out attack, and every opportunity you provide or loophole you leave open could cost your business. No organization is too small or too remote to be a target.
What is ransomware and how does it work?
Ransomware, as the name suggests, is a type of malware that an attacker installs to prevent you from accessing some or all of the data on your system, or to lock you out of controlling any part of your network, and then demands a ransom for its release.
The most common steps in a ransomware attack are:
- The attacker uses a fake website, a phishing email or a trojan to trick you into downloading a malicious file or malware.
- The malware enters the network and infects other systems (it generally doesn’t infect the first system).
- Depending on the type of ransomware, it encrypts either the entire operating system or selected files or file types.
- A message demanding ransom is displayed or sent to the victim.
The RaaS model
One of the primary reasons why ransomware is becoming more dangerous is the evolution of the Ransomware as a Service (RaaS) model. Gone are the days when an attacker had to develop their own code and keys to infect or attack a business.
There are third-party ransomware developers who either sell, lease out, or partner with other bad actors to perform a ransomware attack.
Why is this bad news?
There are many reasons why this evolution of RaaS is worrying organizations all over the world. A few reasons include:
- Now anyone, even without any technical knowledge, can launch a ransomware attack just by subscribing to this model on the dark web. All you need is the intent and a way to insert the ransomware into a network. (Read: a bad exit or an ill-intended competitor.)
- Increases in both the number of attacks and their success rate have contributed to the popularization of RaaS, with two out of every three attacks currently using RaaS.
- With so many players involved in a ransomware operation, the already difficult task of tracing the source code or the ransom becomes even harder.
- Reports suggest that the demand for ransomware as a service brought in 15 new ransomware affiliate schemes in 2020 alone.
- RaaS competition and the adoption of new business models, where upfront monetary commitments to launch an attack are not required, are making ransomware easier and cheaper for cybercriminals to obtain.
- RaaS competition and the lucrative monetary benefits are encouraging coders to develop more sophisticated malware.
- The in-built customizability that RaaS brings is making the introduction of new variants of existing ransomware easy.
Assess the sensitivity of data
Many times companies are extorted for sensitive information like intellectual property rights, patented information, client data, privileged data, and other organizational secrets that these fraudsters obtain.
Alliant’s Incident Response team has extensive experience in dealing with such scenarios, and our quick evaluation can give an appropriate estimation and assessment of the situation.
Our Rapid Response & Advisory team (RAA Team) will discuss with you:
- How to handle the attack (the steps to follow for legal and insurance compliance)
- How to react (speaking to the hackers)
- How long it might take to restore data
- How to reduce the downtime drastically.
We are with you throughout your journey, whatever the decision you take. We understand many factors might influence the decision, including culture, the business continuity practices in place, the brand image, and more. We will provide you with all the necessary information to decide, analysis of the process, the data at stake and valuation, the sensitivity of the information, and more.
To pay or not to pay
Our team is experienced in dealing with both of the options out there: either not giving in to the attackers, restoring normalcy with whatever we have and living with the risk, or paying the ransom. The decision needs consultation with your insurance providers, IPR and legal team, IT team, and Board.
- Only 29% of the victims get data back in perfect condition.
- 13% of victims lose all or most of their data.
- There is evidence that attackers leave so-called “breadcrumbs,” loopholes or trojan worms in the data to create back door entries for future attacks.
- Around 80% of organizations that pay ransoms get attacked again.
If you decide to pay you should consider the following:
- Acquiring the required currency from authorized or compliant sources on demand
- Negotiating flat exchanges or charges
- Negotiating and investigating the payments
- Making sure all other parties involved do not make profits
Prevention is always better than a negotiation
As you can see, the process of paying a ransom is neither easy nor reliable. Estimates say that there will be a ransomware attack every 11 seconds in 2021, and the average cost of payment following a ransomware attack in 2020 rocketed up 171% to $312,493, compared to $115,123 in 2019. The global cost associated with ransomware recovery will exceed $20 billion in 2021.
Defense is the best way to stay afloat!
Here are a few steps you can follow or ask your cybersecurity vendor to provide:
- Back up your data. Backups won’t prevent ransomware, but they can mitigate the risks to a large extent. You may be able to restore the files when infected, and you will have an added advantage to weigh against paying the bad actors. It is important to make backup copies meticulously and regularly; these copies should preferably be in the cloud and on an external hard drive. Some schools of thought even recommend going old school and using tapes, since they cannot be tampered with digitally, but the cost and effort involved are steep.
- Secure your backups. Securing your data and keeping it as isolated from your network as possible is equally important. Most ransomware is programmed to look for data backups and encrypt or delete them, to keep victims from using them to restore infected data. You must ensure that the backups are not accessible for modification or deletion.
- Begin with awareness. Take security awareness seriously. Similar to how you endorse and train for HR best practices, make sure each employee at every level, especially new hires, undergoes regular mandatory training on best security practices. Train them to browse safely, report every suspicious email to the IT department, never click on links from unknown emails, and never plug unsecured USBs and hard drives into the office system.
- Use security software and keep it up to date. Make sure all the office-related systems including BYODs have comprehensive security software on them and this software is set on auto-update mode. Also, install regular updates on other software including Windows OS.
- Practice safe surfing and best email practices. Be careful where you click. We cannot stress the importance of this enough: phishing, whether through email, fake websites or links, is still the most used technique for delivering ransomware.
- Only use secure networks. Consider using a VPN to secure your internet connection anywhere and everywhere. This will save you from many forms of cyberattacks.
- Stay informed. Keep a lookout for the latest Ransomware in the news. Also, keep some decryption tools handy and up to date with your IT and Incident response team. These tools are developed by tech companies and industry experts to help victims.
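One way to check that a backup copy has not been modified or deleted, as the "Secure your backups" step above asks (an added example, not Alliant's code): a SHA-256 manifest of the backup is authenticated with an HMAC key, and a later check reports changed, missing and unexpected files. The function names, the sample files and the assumption that the key is stored away from the backup host are all constructed for illustration.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest_mac(files: dict, key: bytes) -> str:
    # Keyed MAC: whoever can write to the backup cannot forge a valid manifest
    canonical = json.dumps(files, sort_keys=True).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def build_manifest(root: Path, key: bytes) -> dict:
    files = {p.relative_to(root).as_posix(): sha256_file(p)
             for p in sorted(root.rglob("*")) if p.is_file()}
    return {"files": files, "mac": manifest_mac(files, key)}


def verify_backup(root: Path, manifest: dict, key: bytes) -> dict:
    known = manifest["files"]
    current = build_manifest(root, key)["files"]
    return {
        "manifest_trusted": hmac.compare_digest(
            manifest["mac"], manifest_mac(known, key)),
        "missing": sorted(set(known) - set(current)),
        "unexpected": sorted(set(current) - set(known)),
        "modified": sorted(f for f in set(known) & set(current)
                           if known[f] != current[f]),
    }


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # constructed sample backup
        root, key = Path(tmp), b"constructed-key-kept-off-host"
        (root / "db.dump").write_bytes(b"constructed database dump")
        manifest = build_manifest(root, key)
        (root / "db.dump").rename(root / "db.dump.locked")  # simulated tampering
        print(verify_backup(root, manifest, key))
```

A renamed or re-encrypted file shows up as one "missing" entry plus one "unexpected" entry, and a manifest regenerated without the key fails the `manifest_trusted` check.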
After an attack, during and after the restoration process, Alliant acts as a compliance manager to comb through your assets and network to conduct a detailed analysis of the attack and restore systems to make sure your infrastructure is shielded enough from future attacks. Reacting to a ransomware attack with rapid precision is of utmost necessity and Alliant Cybersecurity’s advisors are here to guide you through this with empathy.
Our Rapid Response team quickly analyzes the situation to understand the method of the breach, provides you with an assessment of the exposure caused by the malware or loss of data, analyzes the indicators of compromise (IOCs) and draws a logical conclusion about the attacker’s plan of action towards the end of the attack.
Our team also helps you investigate the extent of a breach that has damaged backup systems and tries to recover backups to restore normalcy.