The Ransomware Survival Guide for Business
Ransomware attacks have increased sharply, costing businesses billions of dollars each year. There are ways to recover from a ransomware attack, but “Prevention is better than cure”: stopping the attack in the first place is the best way to minimize financial loss and damage to your company’s reputation. Dealing with ransomware can fill a whole book and can seem complicated, so we have put together a guide to protecting your business and personal information from ransomware.
What is Ransomware?
Ransomware is malicious software that works in one of two ways: it either encrypts your files so you can no longer open them, or locks you out of your operating system so that your desktop, applications and files become inaccessible. A payment, usually in Bitcoin, is then demanded to decrypt the files or unlock the system. There is no guarantee that your data will be restored even if you pay. Our advice is never to pay the ransom demand – seek professional advice first.
How does Ransomware work?
Ransomware usually enters your system through an email attachment, a phishing email or an infected application. Once in, it installs itself on any endpoint or network device it can reach.
Cryptographic key generation
Next, the ransomware sets up a communication channel back to the cybercriminals behind the attack. They may use this channel to download additional malware to the system, and the ransomware then generates the cryptographic keys it will use for encryption.
The next step is encryption. The ransomware searches for files on the infected device and across the network and encrypts them. Some variants go so far as to delete backups and other copies of files, so that recovering the data without the decryption key becomes much harder.
Once encryption is complete, the ransomware displays a ransom note with payment instructions and threatens to destroy the data if the victim does not pay.
If the demand is met, the attacker provides a copy of the cryptographic key. You are then asked to enter it into a decryptor program supplied by the attackers to recover the data.
However, we never recommend giving in to the criminals’ demands. Remember that you are dealing with criminals – you can never be sure that they will release your system or data even after payment. If the criminal only wants a quick financial gain, they may not have bothered to build working decryption at all. Paying also signals that you will be willing to pay in future attacks. Agreeing to ransomware demands only encourages cybercriminals.
Popular Ransomware Variants
Here are some examples of ransomware that you should be aware of.
Ryuk ransomware gets in through spear-phishing emails or by using stolen credentials to log into the company network. It is one of the most expensive types of ransomware, demanding ransoms averaging over $1 million from its victims.
WannaCry is another widely known ransomware. It has infected around 125,000 businesses in over 150 countries and targets devices running the Microsoft Windows OS. As described above, it encrypts data and demands a ransom payment. WannaCry is also known as WCry or WanaCrypt0r.
Maze is a variant that combines file encryption with data theft. It collects confidential data from the compromised network before encrypting it, so that it can sell the data or publish it if the victim does not meet the ransom demand.
Cerber is ransomware-as-a-service (RaaS) that targets cloud-based Office 365 users; millions of Office 365 users around the world have been victims. It mainly infects devices through phishing campaigns, infected websites or malvertising.
GoldenEye is similar in many ways to WannaCry. It spreads through social engineering campaigns and targets human resources departments. The difference is that WannaCry encrypts the infected files, while GoldenEye encrypts both the files and the infected device’s entire file system, using two distinct layers of encryption.
CryptoLocker uses a strong encryption algorithm and is usually very difficult to decrypt, which led most victims to pay the ransom to get their confidential data back. CryptoLocker was active from September 2013 to late May 2014.
CryptoWall is a more advanced form of CryptoLocker that appeared after CryptoLocker’s downfall. It arrives through emails with ZIP attachments in which the malware is disguised as a PDF file. Once installed, it demands a ransom to decrypt the files. It has several variants, including CryptoDefense, CryptoWall 2.0, CryptoWall 3.0 and CryptoBit.
Who Gets Attacked by Ransomware?
Ransomware targets businesses of all sizes: small and medium-sized businesses as well as large enterprises, across all sectors, are vulnerable.
The attackers choose their targets in different ways:
- Opportunity: for example, small or medium organisations such as schools or universities tend to have weaker security, which makes them easier to penetrate.
- Ability to pay: they target organisations that can pay the ransom quickly. For example, medical organisations that need their files back immediately are more likely to pay.
Ransomware has grown so much that most companies will, at some point, be exposed to some level of ransomware or malware attack.
How to Protect Your Business from Ransomware Attacks
Malware usually infects a system through spam or phishing emails, backdoors or software vulnerabilities. A single accidental click on a malicious link or attachment by an unsuspecting employee can infect the whole network. So it is important to identify system vulnerabilities, potential risk areas and employee training needs before an attack happens. Regular security audits and penetration tests should be carried out to confirm that your business is adequately protected against ransomware, and you should identify and put in place an effective risk management strategy for your organization.
- Backup – Perform regular backups of your systems and store the data in more than one location, ideally a cloud backup as well as a local server backup. The cloud copy gives you redundancy and additional protection.
- Disaster Recovery Plan – It is also essential to have a disaster recovery plan in place for your organization. A good IT company can help you create one and make sure it is tested at regular intervals.
- Train Employees – Inability to recognize potential threats, or simple inattentiveness, is one of the main reasons an attack gets through to your network. Stress the importance of staying up to date on security issues, and run security training for all staff at regular intervals so they know the latest threats and how to recognize and deal with them.
- Install adequate anti-ransomware and security software and keep it updated.
- Use firewalls to block unauthorized access to your computers.
- Put spam-filtering software in place to stop malware arriving in phishing emails.
- Download and install software and OS updates and patches regularly to close vulnerabilities and improve security.
- Enforce strong password practices across your organization, and keep passwords for personal and work accounts entirely separate.
Keep your anti-ransomware and security software up to date. Schedule and run frequent security scans to detect malware that escaped detection the first time; you can then quarantine and remove it.
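As an added illustration of the backup and disaster-recovery advice above (example code written for this guide, not a Computing Australia tool): a small Python check that compares a backup location against a hash manifest recorded when the backup was taken, and flags files that have since been deleted or overwritten, which is what the backup-destroying behaviour described earlier looks like on a backup the ransomware could reach. The file names, contents and manifest layout are constructed for the example.

```python
"""Verify a backup set against a SHA-256 manifest recorded at backup time.

Store the manifest with the off-site (cloud) copy, not on the host being
backed up, and run this check as part of the regular DR test schedule.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large backups do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_root: Path) -> dict:
    """Map each file's POSIX-style relative path to its SHA-256 digest."""
    return {p.relative_to(backup_root).as_posix(): sha256_of(p)
            for p in sorted(backup_root.rglob("*")) if p.is_file()}


def verify_backup(backup_root: Path, manifest: dict) -> dict:
    """Report files that are missing or whose content no longer matches."""
    result = {"missing": [], "changed": [], "ok": 0}
    for rel, expected in manifest.items():
        p = backup_root / rel
        if not p.is_file():
            result["missing"].append(rel)        # deleted copy
        elif sha256_of(p) != expected:
            result["changed"].append(rel)        # overwritten, e.g. encrypted
        else:
            result["ok"] += 1
    return result


def demo() -> dict:
    """Constructed scenario: three files backed up, then two are damaged."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "hr").mkdir()
        (root / "invoices.xlsx").write_bytes(b"Q3 invoices (constructed)")
        (root / "hr" / "payroll.csv").write_bytes(b"name,salary")
        (root / "readme.txt").write_bytes(b"notes")
        manifest = build_manifest(root)
        # Simulated damage to a reachable backup: one file overwritten with
        # unreadable content, one deleted. Only the untouched file verifies.
        (root / "invoices.xlsx").write_bytes(b"\x00\xffnot the original")
        (root / "hr" / "payroll.csv").unlink()
        return verify_backup(root, manifest)
```

A clean result across at least two independent locations is the evidence that a restore is actually possible; a single "changed" or "missing" entry is a reason to investigate before the next backup cycle overwrites the last good copy.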
In the unfortunate event that a system is attacked, the first step is to disconnect the machine from the network so it cannot infect other systems, before you start the recovery process. Then call a professional IT company.
It is essential that you do not pay any ransom demand associated with the event. The people who commit these crimes are unscrupulous, and you should not assume they will keep their word just because you have paid. In the majority of cases, they simply disappear after the ransom is paid.
If you are locked out, you will need to restore from backup, run a system restore or reinstall. Having a professional cyber-security service provider assist you will minimize damage and speed up recovery.
Ransomware attacks are merciless and affect not only businesses but also personal users. They continuously evolve, adding features to evade detection software.
Keeping yourself one step ahead of security threats can take up a lot of your time and focus, away from your core business. Let us help you.
Computing Australia has vast experience in cybersecurity; we provide comprehensive cybersecurity services including security audits, penetration testing, staff training, firewall and security software supply and installation, and recovery assistance if you have been hit by a ransomware attack. Talk to our security analyst or email us at firstname.lastname@example.org.
Computing Australia is a member of The Computing Australia Group of Companies.
Phishing – a type of social engineering in which a fraudulent message is sent to manipulate the recipient into revealing sensitive information.
Spear phishing – a targeted, personalised phishing attack on a particular individual, group or business.
Revised by Blake Parry on 11/08/2021
Added new sections:
How does Ransomware work?
Popular Ransomware Variants
Who Gets Attacked by Ransomware?