
The Ransomware Survival Guide for Business

Ransomware attacks have increased exponentially, causing loss to businesses worth billions of dollars each year. Though there are ways to recover from a ransomware attack, “Prevention is better than cure” is the best way to minimize financial loss and damage to your company image. ‘Dealing with ransomware’ can fill a whole book and can seem complicated. So, we have put together a list on how best to protect your business and personal information from ransomware.

What is Ransomware?

Ransomware is malicious software that works in one of two ways: it encrypts your files so you cannot open them, or it locks you out of your operating system, making your desktop, apps and files inaccessible. Typically, money is demanded in cryptocurrency, most often Bitcoin, to decrypt or unlock your system. However, paying the ransom doesn’t guarantee that your data will be restored, as many attackers never provide the decryption key even after payment. Our advice is never to pay the ransom demand – seek professional advice first.

How does ransomware work?

Infection

Ransomware typically infiltrates your system through phishing emails, malicious attachments, infected applications, or by exploiting software vulnerabilities. Once the ransomware gains access, it installs itself on any accessible endpoints, network devices, or cloud storage, allowing it to spread quickly across your system.

Cryptographic key generation

Afterwards, the ransomware will set up a communication line back to the cybercriminals behind the attack, often using encrypted channels to avoid detection. They may use this communication line to download additional malware to the system and then start to create the cryptographic keys for encryption.

Encryption

The next step is encryption. The ransomware searches for and encrypts files on the infected device and across the network. Some ransomware variants go so far as to delete backups and other copies of files, making recovery without the decryption key far harder.

Ransom Demand

Once encryption is done, the ransomware will display instructions demanding a ransom payment, often threatening to destroy or publicly release your data if payment isn’t made within a specified timeframe.

If the demand is met, the attacker will provide a copy of the cryptographic key. You will then be asked to enter this key into a decryptor program provided by the attackers to decrypt the data.

However, we never recommend accepting the criminals’ demands. Remember that you are dealing with criminals – you can never be sure that they will release your system or data even after the ransom is paid. If the criminal only wants a quick financial gain, they may not even have taken the trouble to make decryption work. Also, paying a ransom signals that you will be willing to pay in future attacks too. Agreeing to ransomware demands only encourages cybercriminals further.

Popular Ransomware Variants

Here are some examples of ransomware that you should be aware of.

Akira Ransomware

Akira has been active since March 2023 and has targeted a wide range of businesses and critical infrastructure. It initially focused on Windows systems but later expanded to Linux, specifically targeting VMware ESXi virtual machines. Akira uses a double-extortion model, encrypting files and threatening to publish exfiltrated data if the ransom is not paid.

RansomHub

Emerging in February 2024, RansomHub is a rebranding of the Knight ransomware. It quickly established itself as a prominent extortion group, with significant activity in Brazil, Italy, Spain, and the UK. RansomHub uses sophisticated encryption techniques and has been linked to numerous high-profile attacks.

8Base Ransomware

8Base has been active in 2024 and is known for its aggressive extortion tactics. It ties with BlackBasta in terms of the number of declared victims. This ransomware group targets various sectors, including healthcare, technology, and finance.

Chaos Ransomware

A new variant of Chaos ransomware has been identified, which appends the .DumbStackz extension to encrypted files. It drops a ransom note named read_it.txt, demanding payment for decryption.

MedusaLocker

MedusaLocker continues to evolve, with new variants emerging in 2024. It typically encrypts files and demands a ransom for the decryption key. MedusaLocker is known for its persistence and ability to evade detection.

These ransomware variants highlight the evolving tactics and techniques used by cybercriminals. It’s crucial to stay informed and implement robust cybersecurity measures to protect against these threats.

Who Gets Attacked by Ransomware?

Ransomware targets businesses of all sizes. Everything from small and medium-sized businesses to large enterprises, across all sectors, is vulnerable to ransomware.

The attackers choose their targets in different ways:

Based on opportunity: For example, smaller organisations such as schools or universities tend to have weaker security. This makes it easier for hackers to break in.
Based on ransom: They target organisations that can pay the ransom quickly. For example, medical organisations that need their files back immediately tend to pay the ransom more readily.

Ransomware attacks have become increasingly sophisticated, and organisations across all industries face a heightened risk. The shift towards remote work and cloud-based systems has expanded attack surfaces, making comprehensive cybersecurity measures more crucial than ever.

How to Protect Your Business from Ransomware Attacks

1. Prevention

Malware usually infects a system through phishing emails, malicious links, compromised websites, backdoors, or exploitation of unpatched software vulnerabilities. An accidental click on a malicious link by an unsuspecting employee can infect the whole network. So, it’s important to identify system vulnerabilities, potential risk areas, and the training needs of employees to prevent an attack. Regular Security Audits, Vulnerability Assessments, and Penetration Testing should be done to ensure that your business is amply protected against ransomware attacks. Additionally, you should implement an effective Cybersecurity Risk Management Strategy that includes a Zero Trust model and multi-factor authentication (MFA) to minimise potential risks.

2. Protect

3. Detect

Update your ransomware and security software regularly to ensure they can detect the latest threats. Implement continuous, real-time monitoring with advanced Endpoint Detection and Response (EDR) solutions to identify suspicious activity or abnormal behaviour across your network. Schedule and run frequent security scans to detect any malware that escaped the initial scan. You can then take further steps to quarantine and delete the ransomware.
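As an added illustration of the kind of check a scheduled scan can run (this is example code written for this guide, not a tool from Computing Australia or any EDR vendor), the script below walks a directory tree and looks for two things: the specific indicators the article gives for the Chaos variant (files ending in .DumbStackz and a ransom note named read_it.txt), and a generic sign of the encryption stage described earlier, namely files whose contents are near-random. The entropy threshold, the minimum file size, the list of already-compressed formats, the function names and the sample files it creates in a temporary directory are all assumptions made for the example.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Indicators quoted in the article for the Chaos variant: the appended
# extension and the ransom note file name.
KNOWN_EXTENSIONS = {".DumbStackz"}
KNOWN_NOTE_NAMES = {"read_it.txt"}

# Heuristic settings (assumptions for this example, not from the article):
# encrypted data approaches 8 bits of entropy per byte, so files above this
# value that are not legitimately compressed deserve a closer look.
ENTROPY_THRESHOLD = 7.5
MIN_SIZE_BYTES = 256
ALREADY_COMPRESSED = {".png", ".jpg", ".jpeg", ".zip", ".gz", ".7z", ".mp4"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a single repeated byte, 8.0 for uniform random data."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())


def scan_tree(root: str) -> dict:
    """Walk a directory and collect ransomware indicators; lists are sorted for stable output."""
    findings = {"known_extension": [], "ransom_note": [], "high_entropy": []}
    root_path = Path(root)
    for path in sorted(root_path.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root_path).as_posix()
        if path.suffix in KNOWN_EXTENSIONS:
            findings["known_extension"].append(rel)
        if path.name in KNOWN_NOTE_NAMES:
            findings["ransom_note"].append(rel)
        # Entropy heuristic: skip tiny files and formats that are compressed by design,
        # otherwise every photo and archive would be a false positive.
        if path.stat().st_size >= MIN_SIZE_BYTES and path.suffix.lower() not in ALREADY_COMPRESSED:
            if shannon_entropy(path.read_bytes()) >= ENTROPY_THRESHOLD:
                findings["high_entropy"].append(rel)
    return findings


def verdict(findings: dict, min_high_entropy: int = 5) -> str:
    """A known extension or note name is a definite hit; a burst of high-entropy files is suspicious."""
    if findings["known_extension"] or findings["ransom_note"]:
        return "ransomware_indicators"
    if len(findings["high_entropy"]) >= min_high_entropy:
        return "suspicious"
    return "clean"


def build_sample_tree() -> str:
    """Constructed sample files in a temp directory, mimicking a share after a Chaos infection."""
    root = tempfile.mkdtemp(prefix="ransomscan_")
    docs = Path(root) / "Documents"
    docs.mkdir()
    # Ordinary text: low entropy, must not be flagged.
    (docs / "notes.txt").write_bytes(b"Quarterly planning notes for the team.\n" * 40)
    # Stand-in for an already-compressed image: high entropy but excluded by extension.
    (docs / "photo.png").write_bytes(os.urandom(2048))
    # Encrypted document carrying the extension the article attributes to Chaos.
    (docs / "invoice.docx.DumbStackz").write_bytes(os.urandom(2048))
    # Encrypted file with no telltale extension: only the entropy heuristic catches it.
    (docs / "report.bin").write_bytes(os.urandom(2048))
    # The ransom note name the article attributes to Chaos (constructed text).
    (Path(root) / "read_it.txt").write_text("Your files are encrypted. (constructed sample)\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    result = scan_tree(sample_root)
    print(result)
    print("verdict:", verdict(result))
```

Run it against a real share by calling scan_tree on the share's path instead of the constructed sample. The two checks are deliberately layered: the known extension and note name are cheap and precise but only catch one family, while the entropy heuristic is family-agnostic and would have spotted the encryption stage of any of the variants listed above, at the cost of needing the size and format exclusions to keep false positives down.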

4. Respond

In the unfortunate event that your system is attacked, the first step is to immediately disconnect the infected device from the network, including any Wi-Fi or Bluetooth connections, to prevent the ransomware from spreading to other systems. Next, disconnect any shared drives or cloud storage that might be connected. Then call a professional IT company.

It is essential that you do not pay any ransom demand associated with the event. People who commit these crimes are unscrupulous and you should not assume that they will comply just because you have paid. In the majority of cases, they will simply disappear after a ransom is paid. Reporting the incident to relevant authorities, such as the Australian Cyber Security Centre (ACSC), is also an important step in helping to combat ransomware on a broader scale.

5. Recover

You will need to restore from backup, perform a system restore, or reinstall the system if you are locked out. It is a good idea to have a professional cyber-security service provider assist you, to minimise damage and speed up the recovery process.

Ransomware attacks are merciless and affect not only businesses but also personal users. These threats continually evolve with new variants and tactics designed to bypass even the most advanced detection software. Staying informed and implementing comprehensive cybersecurity measures is crucial to mitigate the risks.

Keeping yourself one step ahead of security threats can take up a lot of your time and focus, away from your core business. Let us help you.

Computing Australia has vast experience in cybersecurity; we provide you comprehensive cybersecurity services including Security Audits, Penetration Testing, Staff Training, Firewall and Security Software supply and installation, and Recovery assistance if you have been hit with a ransomware attack. Talk to our security analyst or email us at sales@computingaustralia.group.

Jargon Buster

Phishing – a type of social engineering in which a fraudulent message is sent to manipulate the receiver into revealing sensitive information.

Spear phishing – a targeted and personalised phishing attack on a particular individual, group, or business.

Revised by Rhan Robles 09/26/2024
Added updated information

Revised by Blake Parry on 11/08/2021
Added new sections:
How does ransomware work?
Popular Ransomware Variants
Who Gets Attacked by Ransomware?