The truth about ransomware

An abstract image showing a person trying to connect to a computer which has a large padlock attached to it, as a ghost wearing a fedora floats menacingly out of it and demands money
(Image credit: Shutterstock)

There’s nothing new about ransomware. It dates back at least to 1989 when the AIDS trojan started spreading across the globe. Today, more than three decades later, ransomware is identified as one of the most dangerous cyber security threats facing businesses of any size.

Since COVID-19, the risk of ransomware has increased dramatically thanks to the mass shift to remote working. With weaker security as a result of home IT setups and criminals increasingly switching to COVID-themed lures to exploit anxiety due to the pandemic, it's important to be more vigilant than ever. In November 2020, the UK's National Cyber Security Centre (NCSC) revealed that more than a quarter of the incidents it responded to were linked to COVID. Ransomware incidents were three times more prevalent than the previous year, with a growing trend for such attacks to be more targeted and aggressive than before.

Examples of today's ransomware attacks include financial scams offering government payment assistance during lockdowns, fake information on vaccines and 'offers' on commodities like face masks and hand sanitiser gels, and downloads for technology applications like video conferencing platforms.

It's an entirely new environment, and therefore critical to look at preventative and detective measures, while also making sure staff are given ample training about what to do should they find themselves compromised. With any such threat, forewarned is forearmed, and it’s important to understand just how dangerous and prevalent ransomware is, what its impact could be and how you can stay secure.

The evolution of a cyber threat

The AIDS trojan seems quaint now. This floppy disk-based virus locked up the contents of your hard drive, then invited you to post a cheque or money order for $189 to an address in Panama to have it decrypted. The idea was ingenious, but the virus used simple symmetric cryptography, and it wasn’t long before helpful souls started sharing free decryption tools.

Things have changed since then. 2006 saw the emergence of the GPcode trojan, which used a very strong 660-bit RSA key – later upgraded to an effectively uncrackable 1,024-bit one. By 2013, CryptoLocker 2.0 was not only using 2,048-bit encryption but asking for payment in Bitcoin.

Then, on 12 May 2017, the stakes were raised again. Using a Windows exploit developed by the US National Security Agency (NSA), a ransomware worm called WannaCry infected a quarter of a million machines across 150 countries within days. In the UK, it brought swathes of the NHS to a halt: it’s estimated that governments and businesses worldwide spent billions coping with the fallout. Meanwhile, the public Bitcoin ledger indicates that the hackers themselves received only around £110,000 in ransoms – a comparatively paltry return on such global mayhem.

Today, the latest attacks can be far more lucrative. It’s reported that Travelex paid £1.8 million to the REvil crime group earlier this year, while the University of California confirmed that it paid around £900,000 to the NetWalker ransomware operators in June 2020. There’s also the Garmin attack, which reputedly cost $10 million (£7.7 million).

If you’re wondering why anyone would pay such vast sums, the answer is that it’s not just about recovering your data – it’s ensuring it remains private.

Data exfiltration: It gets worse

Until a few years ago, ransomware operators relied on blunderbuss strategies. The idea was to attack as many computers as possible, and hope that some victims would pay up. As WannaCry’s relatively modest takings show, however, this was never the most efficient approach. Ransom demands were kept fairly low to encourage victims to pay, but most individuals chose to give up their files rather than play along. Businesses were far better targets because they were less able to write off their data, and much more likely to have the funds on hand to pay ransoms. The challenge was that well-run businesses also have backup and recovery regimes.

A new approach was needed. Taking down whole networks was one option since this could also prevent access to backup servers, and proved profitable enough for a while. But the biggest businesses had continuity plans for even this scale of attack. Eventually, a masterstroke of evil ingenuity emerged, introduced by the Maze ransomware group in 2019, but quickly adopted by others. Maze’s malware encrypted data as before, but simultaneously sent copies of the original files back to the ransomware operators.

This gave the criminals a whole new sort of leverage, which can be summed up in one word: blackmail. Even if your business could continue functioning without the encrypted files, non-payment now meant that your most confidential data could be made public, or passed on to unknown parties. And hackers have followed through on such threats: at least one data auction site exists on the dark web where files from those who don’t pay the ransoms are offered to the highest bidder. At the time of writing, legal documents purportedly relating to Mariah Carey, Nicki Minaj and Bruce Springsteen are up for sale, with a starting price of $600,000 each.

How do you get hit?

Knowing how these attacks work is the first step to defending against them. Let’s start by looking at a very active ransomware threat known as DoppelPaymer. Its operators are sophisticated, using the kind of tactics more commonly associated with nation states than opportunist criminals. Before trying to drop their malware onto your network, they start with reconnaissance, probing for vulnerabilities and scouring publicly available data sources for information that could be used in phishing and social-engineering attacks.

Perhaps surprisingly, however, they don’t make much effort to stay under the radar. When they’re ready to launch the attack, they’ll often use what you might call “commodity malware” – generic exploit code of the sort that can be easily bought on the dark web. They don’t care if their intrusion prompts a flurry of updates and patches, as they only need the exploit window to be open long enough to implant the software that will perform the exfiltration and encryption. And if their first attack is blocked, they can just switch to a different method and carry on until something gets through.

Does this approach actually work? You bet it does because there are plenty of security holes out there waiting to be exploited. One recent report found that 80% of organisations surveyed had at least one unpatched vulnerability, 70% had more than one and 20% had more than ten. What’s more, some of the most commonly exploited vulnerabilities are ones for which patches have long been available – often for many years.

If that sounds shocking, we’re not just talking about the sort of Windows vulnerabilities that get fixed on Patch Tuesday. Ransomware actors also look for weaknesses in application servers and collaborative tools. The lesson: make sure you keep all your software and services up to date. Don’t focus solely on issues rated as critical either, as the bad guys have been known to target supposedly non-critical vulnerabilities. These are less likely to be patched quickly, yet can still be used as part of a multi-stage attack process.

RELATED RESOURCE

The IT Pro Podcast: How do we fix security?

We discuss why firms keep making the same security mistakes with guests Graham Cluley and Stu Peck

FREE DOWNLOAD

Finally, even if your systems are water-tight, you can never entirely protect against human fallibility. NetWalker is a ransomware threat that has claimed some big scalps by using phishing emails to get privileged access to internal networks. As with DoppelPaymer, the perpetrators identify specific individuals who could compromise the system. Their fraudulent messages are perfectly tailored to the recipient, making them very hard to recognise. And, of course, it only takes one mistake to open the exploit window.

The cost of being unprepared

If you’re hit by ransomware, the payment demanded may not seem huge: WannaCry asked for just $300. But it’s just one part of the cost.

Another major issue is potential reputational damage. This doesn’t just mean that outsiders will perceive your business as careless: they might suffer as a result of their association with you. Earlier this year, DoppelPaymer attacked Visser Precision, a parts maker supplying the automotive, aeronautics and aerospace industries; as part of the ransom leverage, some stolen data was released into the public domain, including documents relating to Visser’s work with Lockheed Martin, SpaceX and Tesla.

Clearly, this ramps up the pressure, and that’s before you think about issues arising from the EU General Data Protection Regulation (GDPR). Companies can face fines of up to 4% of their annual global turnover if they allow protected information to leak into the public domain, a threat that further inflates the potential cost of not complying with the criminals’ demands. If the cybercriminals are smart, they can calculate a steep ransom that’s still less than the potential GDPR penalty – and remind the business that a public breach could prompt a regulatory compliance investigation, leading to additional impositions and penalties.

Of course, with a security incident of this magnitude, it’s highly likely the facts will come to light anyway. Your business will not only have a regulatory compliance investigation and a fine to deal with, but the additional reputational damage of succumbing to a data breach, and trying to buy your way out of it.

To pay or not to pay?

Ransomware operators will assure you that, if you just pay up, you’ll receive the decryption key promptly, and all exfiltrated copies of your data will be deleted. And by all accounts, the decryption does normally work. Often there’s even technical support on hand, should you need help restoring your files.

Let’s not forget, though, that when you accept the terms, you’re putting your trust in the word of a criminal organisation. There’s no way to prove that stolen data is not kept, nor to be confident that it won’t be sold to the highest bidder at some later date.

What you can be sure of is this: if you pay the ransom, you’re effectively supporting the criminal industry, and promoting the development of the next ransomware threat. Of course, it may be very difficult to take a principled stand if you find yourself in a position where the future of your business hinges on paying a ransom. That’s why it’s crucial to properly plan ahead to ensure that you never find yourself in such a situation.

Managing the threat

Good backups are invaluable in mitigating the immediate impact of a ransomware attack. Unfortunately, ransomware actors know this and will try to delete or encrypt any backups they can access, both locally and in the cloud. You should ensure, therefore, that your backup plan follows what I call the “Dusty Bin rule” – also known as “3-2-1”. This means retaining three separate copies of your data, stored on at least two different media or services, with one copy located off-site and isolated from the network. All of that may sound cumbersome, but it ensures your data won’t be lost in the eventuality of a ransomware attack – or a burglary, natural disaster or what have you.

RELATED RESOURCE

Ransomware report

The global state of the channel

FREE DOWNLOAD

Sadly, sorting out your backups isn’t enough to save you from a ransomware attack that includes data theft. Consequently, it’s best to focus on preventing exploits from getting through in the first place. As usual, there’s no silver bullet, but getting the basics right can go a long way towards stopping your business becoming the latest ransomware statistic.

Start by addressing the human factor, with a focus on security awareness and training. Everyone needs to know the common social engineering signs to look out for, and the consequences of ignoring them – although in a context of ensuring awareness, rather than victim-blaming. Make sure the message goes all the way up to the boardroom, as attackers will be keen to target senior staff with privileged access.

Within the IT department, it goes without saying that you need multiple layers of intrusion prevention: that means everything from spam filtering and anti-malware detection through to DNS protections and the closing or securing of remote desktop ports.

Rigorous patch management is a must too, with a formal process in place encompassing OSes, software and device firmware. As we’ve noted, vulnerability criticality cannot be the only metric: keep your patching priority in a real-world, attacker-oriented context. Instituting a system like this might seem complicated and costly, but in terms of what it could save you, it’s a sound investment.

Another project worth undertaking is the elimination of weak passwords, and the introduction of multi-factor authentication. An additional layer of authentication protection is often all it takes to completely stymie an attempted ransomware attack before it gets off the ground.

Even when users do login successfully, you should apply the principle of least privilege – for everything. This means that if access to a file, directory or network share isn’t critical for a person to do their job, it should be closed off. If someone needs additional permissions, these can be enabled on a granular, time-

limited basis. In this environment, any attempted ransomware attack will be severely limited in its ability to move around the network and cause trouble. Similarly, if you have multiple networks and data stores, these should be logically and physically separate.

When the worst happens

Hopefully, all of these measures should ensure that your business is never brought to its knees by ransomware. However, in order to be fully prepared, you need to have a response plan in place for that very eventuality. We can’t tell you exactly what your plan might include, but as an example you should have statements ready for immediate communication to staff, customers, the police, the media and so forth. You also need to have network and device isolation measures in place to ensure the ransomware can’t spread any further. And you need a plan for fully neutralising the malware, while also preserving as much information as possible for the investigation that should follow.

Having such a plan worked out ahead of time ensures that mistakes aren’t made in the heat of a major attack – and the process of developing your plan should shine a light on any gaps in your current security measures, helping you to reduce the risk in the first place. Just remember that a procedure is just a piece of paper unless it’s actually put into practice: once you’ve drawn up your plan, test it properly so that everyone knows what they need to do before the very stressful crisis hits.

Davey Winder

Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.

Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.

You can follow Davey on Twitter @happygeek, or email him at davey@happygeek.com.