Ransomware attacks are on the rise and have recently been front-page news with attacks on Nvidia, Toyota and the Costa Rican government. This ever-evolving malware encrypts your files and blocks access to them. Early ransomware simply encrypted data and demanded payment for the key; the more recent "double extortion" variants also steal the data first and threaten to leak or sell it if the ransom is not paid.
These recent attacks target specific companies, encrypt the data and hold both the data and the business hostage, often causing severe disruption to service and sometimes to society in general. In exchange for decryption, a promise not to publish the stolen data, and service returning to normal, the malicious actors demand a ransom. The growth of this extortion model is largely enabled by the booming world of cryptocurrency.
Why is Cryptocurrency Used for Ransomware?
Using cryptocurrency, cybercriminals can move vast amounts of money across international boundaries within minutes. The speed of settlement, the absence of any bank that can freeze or reverse a payment, and the pseudonymity of wallet addresses have made it the go-to payment method for ransomware operators.
With the rise of cryptocurrency in recent years, cybercriminals have shifted from conducting small-scale theft – stealing money from individual bank accounts or credit cards – to extorting huge ransoms from leading corporations and governments (NPR).
How Does a Ransomware Attack Work?
There are several variants of ransomware (WannaCry, CryptoLocker, Bad Rabbit, GoldenEye, Jigsaw, etc.) with the same goal: gain access to a network, encrypt the data and demand a ransom. Attackers use different methods to gain access; phishing, stolen employee credentials, and exploitation of vulnerabilities such as zero-day or unpatched flaws in VPN appliances are among the most common.
Using phishing as an example, the main steps to a ransomware attack are:
- Attackers deliver ransomware to victims via email attachments masquerading as trustworthy files (an invoice or a document with macros, for example). Downloading and opening the file runs the malware and gives the attacker a foothold on your system.
- The malware then encrypts files, typically with a symmetric key generated per victim or per file that is itself encrypted with the attacker's public key, so the files cannot be decrypted until the attacker hands over the matching private key.
- Once the files are encrypted and the attack is complete, the victim receives a ransom notification with instructions. The note is embedded in the malware; often it replaces the desktop background, and another common method is to drop a text file containing the note in each encrypted directory.
- The attacker requires payment via Bitcoin or another form of cryptocurrency in exchange for a decryption key to unlock and release your data.
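As an added example (not code from the original article), here is a small Python scan that looks for the two artifacts the steps above describe: a ransom note dropped into every encrypted directory, and files whose contents no longer look like documents. It builds a constructed sample tree to run against. The note filenames, the extensions and the entropy threshold are illustrative assumptions for this example, not the indicators of any particular ransomware family.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Indicators drawn from the attack flow above. The note names and extensions are
# illustrative assumptions for this example, not a specific family's real IOCs.
NOTE_NAMES = {"README_DECRYPT.txt", "HOW_TO_RESTORE_FILES.txt", "RECOVER-MY-FILES.txt"}
SUSPECT_EXTENSIONS = {".locked", ".encrypted", ".crypt"}
ENTROPY_THRESHOLD = 7.5  # bits/byte: text sits around 4-5, ciphertext approaches 8


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan_tree(root: str) -> dict:
    """Walk a directory tree and collect ransomware indicators.

    Returns the directories holding a ransom note, the files that look encrypted
    (suspicious extension or high entropy of the first 4 KiB), and the directories
    where both signals coincide, which is the combination worth alerting on.
    """
    note_dirs, suspect_dirs, suspect_files = set(), set(), []
    for dirpath, _subdirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name in NOTE_NAMES:
                note_dirs.add(dirpath)
                continue
            with open(path, "rb") as fh:
                ent = shannon_entropy(fh.read(4096))  # the head is enough to judge
            if path.suffix.lower() in SUSPECT_EXTENSIONS or ent >= ENTROPY_THRESHOLD:
                suspect_dirs.add(dirpath)
                suspect_files.append((str(path), round(ent, 2)))
    return {
        "note_dirs": sorted(note_dirs),
        "suspect_files": sorted(suspect_files),
        "confirmed_dirs": sorted(note_dirs & suspect_dirs),
    }


def pseudo_ciphertext(seed: str, size: int = 4096) -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted content.
    Constructed for the demo (a SHA-256 chain); nothing is actually encrypted."""
    out, block = bytearray(), seed.encode()
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:size])


def build_sample_tree() -> str:
    """Constructed sample tree: two untouched directories and two that were 'hit'."""
    root = tempfile.mkdtemp(prefix="ransom_demo_")
    for rel in ("clean/docs", "clean/src"):
        d = Path(root, rel)
        d.mkdir(parents=True)
        (d / "notes.txt").write_text("quarterly report draft, revision two\n" * 120)
    for rel in ("hit/finance", "hit/hr"):
        d = Path(root, rel)
        d.mkdir(parents=True)
        (d / "README_DECRYPT.txt").write_text("Your files are encrypted. Pay in BTC to get the key.\n")
        (d / "ledger.xlsx.locked").write_bytes(pseudo_ciphertext(rel))
    return root


if __name__ == "__main__":
    result = scan_tree(build_sample_tree())
    for key, value in result.items():
        print(f"{key}: {value}")
```

Entropy on its own is a noisy signal, since compressed archives, images and modern Office documents (which are zip containers) all score close to 8; the alertable event is a ransom note appearing in the same directory as renamed or high-entropy files. A periodic walk like this is also too slow for a real response, because the encryption phase typically finishes in minutes, so in production the same checks belong in an EDR rule or a canary-file monitor that fires on the first write.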
If the victim pays, the payment is a direct transfer on the blockchain to a wallet address the attacker controls. Exchanges, the organized markets where people trade cryptocurrencies for one another or for dollars (or other currencies), come into play later, when the criminals cash out. Every transaction is recorded on a public ledger where anyone can watch it take place online. However, a wallet address is pseudonymous rather than anonymous: anyone can see that funds moved, but linking the address to a person or group is what makes tracing challenging. In addition, most cybercriminals use many wallets, splitting and moving funds from one address to another, and through mixing services or exchanges with weak identity checks, to stay under the radar and out of reach of law enforcement.
This visibility of payments on the public ledger, even without knowing who the recipient is, together with a visible success rate for the criminals, may lead some companies to see no other way to deal with an attack than to pay.
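The public-ledger point above is easier to see with a worked trace. The following Python, an added example that is not part of the original article, follows a ransom payment forward through a constructed chain of hop wallets using the simplest taint rule and stops where the funds land on an address already attributed to an exchange. The transactions, addresses and exchange labels are all made up for the example; real chain analysis works on transaction outputs rather than addresses and uses more careful accounting, as noted after the code.

```python
# Constructed ledger, not real chain data. Each transaction lists the addresses
# it spends from and the (address, amount) outputs it creates, in chronological order.
SAMPLE_TXS = [
    {"txid": "t1", "inputs": ["victim_wallet"], "outputs": [("ransom_addr", 10.0)]},
    {"txid": "t2", "inputs": ["ransom_addr"], "outputs": [("hop_a", 6.0), ("hop_b", 4.0)]},
    {"txid": "t3", "inputs": ["hop_a"], "outputs": [("exch_dep_7", 5.9), ("hop_a_chg", 0.1)]},
    {"txid": "t4", "inputs": ["hop_b"], "outputs": [("hop_c", 3.0), ("hop_d", 1.0)]},
    {"txid": "t5", "inputs": ["hop_c", "hop_d"], "outputs": [("exch_dep_9", 4.0)]},
    {"txid": "t6", "inputs": ["bystander"], "outputs": [("exch_dep_7", 2.0)]},  # unrelated deposit
]

# Attribution the investigator already holds (assumed for the example: deposit
# addresses that exchanges identified as theirs). Labels bridge pseudonym to identity.
KNOWN_LABELS = {"exch_dep_7": "ExchangeA", "exch_dep_9": "ExchangeB"}


def trace_forward(txs, start, labels, max_hops=10):
    """Follow funds forward from `start` with the simple "poison" taint rule:
    every output of a transaction that spends any tainted input becomes tainted.

    Returns (tainted, cashouts). `tainted` maps address -> hop count from the
    start address. `cashouts` lists (label, amount, hop) for each time tainted
    funds landed on a labelled custodial address; tracing stops there because
    inside an exchange the coins are commingled and only the exchange's own
    records can say who withdrew them.
    """
    tainted = {start: 0}
    cashouts = []
    for tx in txs:  # a tx can only spend earlier outputs, so one pass suffices
        spent = [a for a in tx["inputs"] if a in tainted]
        if not spent:
            continue
        hop = max(tainted[a] for a in spent) + 1
        if hop > max_hops:
            continue
        for addr, amount in tx["outputs"]:
            if addr in labels:
                cashouts.append((labels[addr], amount, hop))
            else:
                tainted.setdefault(addr, hop)
    return tainted, cashouts


def summarize(txs, start, labels):
    """How much of the ransom reached a labelled off-ramp, broken down by exchange."""
    paid = sum(amt for tx in txs for addr, amt in tx["outputs"] if addr == start)
    _, cashouts = trace_forward(txs, start, labels)
    by_label = {}
    for label, amount, _hop in cashouts:
        by_label[label] = by_label.get(label, 0.0) + amount
    return {
        "paid": paid,
        "cashed_out": by_label,
        "traced_fraction": sum(by_label.values()) / paid,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_TXS, "ransom_addr", KNOWN_LABELS))
```

Run as written, the trace shows 9.9 of the 10.0 paid reaching two exchange deposit addresses after two and three hops, while the unrelated deposit in `t6` is correctly left out because its input was never tainted. This is what makes the "many wallets" tactic only partly effective: splitting funds adds hops but not anonymity, and the trail only goes cold at a mixer or an exchange that does not keep customer records. Production tools track individual transaction outputs with proportional or FIFO taint rather than the address-level poison rule used here, and cluster addresses with heuristics such as common-input ownership before asking an exchange for the account behind a deposit.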
What Can Be Done Regarding Crypto and Ransomware Attacks?
While ransomware attacks continue and the amounts demanded increase, there are several defensive moves companies and governments can make to help prevent ransomware attacks in the future.
1. Create Consistent Policies for International Cooperation
It’s time to recognize that this is an international issue and that the most effective way to stop ransomware is by developing a global solution. Leaders must work together to readily share information, develop prosecution agreements for cybercriminals and impose sanctions against rogue nations that harbor cyber pirates.
2. To Pay or Not to Pay
Law enforcement agencies encourage individuals and organizations not to pay ransoms to cybercriminals. However, many organizations choose to pay anyway to restore their data as quickly as possible and to protect their data, people and reputation. Before paying criminals any money, keep in mind that:
- What appears to be ransomware may actually be scareware: a fake attack that has encrypted nothing.
- Criminals may take your money and run without restoring your data. Or they may partially restore your data and request more ransom for the rest.
- If you pay, your business may appear to be a soft target and be hit again by the same group or by other cybercriminals down the road.
- The more “wins” cybercriminals get, the more emboldened they become to commit more attacks.
3. Integrate Advanced Tracing Skills
How to Protect Your Business from Ransomware
As an individual business, you also have steps you can take to defend your company against cybercrimes.
- Develop a detailed incident response plan so you’re prepared if you face an attack and can act immediately to minimize damage.
- Back up all systems and consider where the backups are stored. Ensure the backups themselves cannot be reached by an attacker who controls the production network: keep offline, immutable or at least separately authenticated copies, and test restores regularly. When an attack happens, being able to roll back six hours or one day, to a point before the attack, lets you restore systems to working order quickly.
- Segment network access and ensure that employees are given access only to the systems they need. Putting different systems on different networks, each accessible only to the groups of employees that need them, ensures that if a breach does happen, fewer systems can be compromised.
- Update software and install patches immediately to protect your network. Attacks often take advantage of vulnerabilities that may have been reported and have fixes, yet companies procrastinate on updating.
- Provide Continuous Employee Training. Employee behavior is a top cause for breaches, so training is a critical step to protecting your network. Teach employees about how to recognize suspicious emails, not to open attachments from unknown senders, and to report anything out of the ordinary to the IT team.
- Use a Next Generation Firewall to scan all network traffic for ransomware and block it before it can get a hold on devices.
- Secure your corporate network at the edge. Ensure that edge devices, such as your SD-WAN routers in branch offices are secure with a robust security gateway or with their own edge security such as Threat Prevention to block traffic that could harm your network – even if traffic is encrypted.
- Extend security policies to remote workers. With today’s hybrid working environments, ensure that employees are accessing your corporate network securely as they go between the corporate office and their home office using technologies such as VPN.