How to defend against a ransomware attack
It’s Monday morning. SmartBrief on Cybersecurity arrives in your inbox. You open it, wondering who’s been hit recently and for how much money or data.
The brief includes news about four breaches. If malware is involved in all four, there’s a 27% chance one of them is a ransomware attack. If so, the criminals have probably struck a hospital, a school, a city government or a manufacturing plant, and they might get paid a sizable ransom.
The entity that was struck probably had insurance. ProPublica reported that “[o]ne cybersecurity company executive said his firm has been told by the FBI that hackers are specifically extorting American companies that they know have cyber insurance.” That insurance probably paid out because paying is cheaper than trying to reconstruct everything, when reconstructing is even possible.
You might not have heard much about ransomware, which accounts for less than 1 in 20 cyberattacks. But it’s so well-known in the cybersecurity world that Merriam-Webster has gone through the trouble of defining it: “Malware that requires the victim to pay a ransom to access encrypted files.” If the encrypted files are the files your business uses to make money, you may have just lost everything.
The basic concept behind ransomware is simple: someone receives an email, often from an official-looking source, and the cybercriminal hopes that the user clicks or taps on something that seems legitimate. Here’s an example:
The email looks normal, but if you are on your phone or if you’re not looking closely, you might not see that the “Reset Password” link begins with “clk.messaging.go.com,” rather than an official Disney domain.
You try to change your password, the malware gains access to your system and your files get encrypted almost instantly. In order to get your files back, you will need to pay the ransom. Some criminals may even increase the pressure to pay by threatening to leak your data online.
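As an added illustration of the link check a mail filter or awareness tool could apply to a lure like the one above (example code written for this post, not from the article or any vendor): it parses a constructed message, takes the registered domain of the From address as the domain a legitimate link should use, and flags every anchor whose host lands somewhere else. The sample message and the two-label domain rule are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample resembling the password-reset lure described above.
SAMPLE_EMAIL = """From: Disney Account Security <security@disney.com>
Subject: Suspicious activity on your account
Content-Type: text/html

<html><body>
<p>We noticed a sign-in from a new device.</p>
<p><a href="https://clk.messaging.go.com/track?u=123">Reset Password</a></p>
<p><a href="https://www.disney.com/help">Help Center</a></p>
</body></html>
"""

# Matches <a href="..."> ... </a> pairs; good enough for simple HTML mail bodies.
HREF_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def registered_domain(host):
    """Crude eTLD+1: keep the last two labels (assumption: no multi-part suffixes like co.uk)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def find_mismatched_links(raw_email):
    """Return every link whose host is not under the sender's registered domain."""
    msg = message_from_string(raw_email)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = registered_domain(sender.rsplit("@", 1)[-1])
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    findings = []
    for href, text in HREF_RE.findall(body):
        host = urlparse(href).hostname or ""
        if registered_domain(host) != sender_domain:
            label = re.sub(r"<[^>]+>", "", text).strip()  # strip any inline tags
            findings.append({"text": label, "href": href, "host": host})
    return findings


if __name__ == "__main__":
    for hit in find_mismatched_links(SAMPLE_EMAIL):
        print(f'"{hit["text"]}" points to {hit["host"]}, not the sender domain')
```

A mismatch is a signal to hold the message for review, not proof of fraud; legitimate senders do use third-party tracking domains, which is exactly why the check belongs in a filter rather than in the user's thumb.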
Unfortunately, you are not alone in thinking Disney was actually emailing you about suspicious activity. The Association of Certified Fraud Examiners notes that “ransomware often employs a convincing professional interface, commonly emblazoned with police insignia or an official government logo.”
We know that ransomware encrypts your files, but what if you have backups? Unfortunately, that might not help much, as Datto reported more than two years ago. Thankfully, CSO Online put together this resource on how to safely back up your files.
Now that we understand ransomware better, let’s look at its common targets and fiscal impact.
Ransomware isn’t a huge part of the cybersecurity world. As BlueFin reported in summarizing Verizon’s 2020 data breach report, “ransomware only accounted for 3.5% of the unique malware samples.” Verizon’s report added that 18% of organizations blocked ransomware between November 1, 2018, and October 31, 2019 -- meaning that 82% of organizations did not.
But ransomware attacks have been increasing and are now targeting people who serve the public, particularly during the coronavirus pandemic. Those organizations (which ICMA SmartBrief covers) often don’t have the money for firewalls, employee training or other protections that the private sector uses, so they get targeted often.
Ransomware that targets US organizations might fetch cybercriminals more than $1.4 billion this year. An Emsisoft report estimated the 2020 number to be $1.37 billion, based on an average payment of $84,000 in the fourth quarter of 2019.
However, that dollar amount is rapidly growing. The Q1 2020 ransom average was $111,605, and the number of ransomware attacks is projected to increase this year. Unfortunately, outlooks for the ransomware landscape are not getting better. Ransomware attacks aren’t just lucrative, they’re also very easy to launch.
This 2017 Times of India article notes the existence of ransomware-as-a-service: “Not only can you subscribe to ransomware-as-a-service (RaaS) on what is known as the dark web, the providers will also give you step-by-step instructions on how to launch an attack. Even a novice can launch sophisticated, and often profitable, attacks.”
Three years later, all you need to start using ransomware is money and the ability to use Google, as SmartBrief noted recently, courtesy of a Forbes article. “CyberNews researchers found it was possible to buy ransomware building packages designed for attacking large corporates for a monthly $800 (£645) fee,” award-winning technology journalist Davey Winder wrote.
Given that massive payoff -- $800 to launch cyber attacks that, when successful, can pay $111K per ransom on average -- it’s no wonder that the threat of a ransomware attack is now showing up in SEC filings, with “companies … now incorporating [the possibility of million-dollar ransoms] into risk management.”
Further trouble surfaces with the way the coronavirus pandemic has changed AI-based cybersecurity. “Most cybersecurity software designed to detect fraud, money laundering, malware and ransomware is based on artificial intelligence algorithms that recognize deviations from normal patterns,” SmartBrief explained. But if “normal patterns” no longer exist for you, good cybersecurity solutions are needed to determine the difference between a hacker and someone just working late.
Adding to the concern are the manufacturing plants and government agencies that don’t have the resources to protect themselves, with CIO Dive noting Q1’s “156% quarter-on-quarter increase” in ransomware targeting manufacturing.
The advent of ransomware deepfakes is also concerning, with TechRadar reporting, “Based on its analysis of underground communities, Trend Micro believes the use of deepfakes for extortion-based ransomware is set to take off in the near future.” A recent Facebook competition yielded an algorithm that detected almost two-thirds of deepfakes, meaning more than one-third were too convincing to detect.
In terms of fighting ransomware threats, here’s the usual advice:
- Train your employees not to click or tap on links in emails from people they don’t know
- Practice good network security
- Use a strong firewall
- Patch your software
- Back up your data in several places
- Have a plan for if you are attacked
The FBI is one of innumerable organizations and cybersecurity writers recommending those basic steps. The FBI adds this advice:
“The FBI does not support paying a ransom in response to a ransomware attack. Paying a ransom doesn’t guarantee you or your organization will get any [encrypted] data back. It also encourages perpetrators to target more victims and offers an incentive for others to get involved in this type of illegal activity.”
- Paying a ransom isn’t always effective. One in six businesses that pay don’t get all of their data back, and not all encryption keys work smoothly.
- Cyberinsurance does help, but it’s arguably making the situation worse. As GCN notes, “[cyberinsurance] policies make ransomware attacks more enticing to bad actors … . [In Q2] 2019, governments that paid ransoms shelled out 10 times more than their commercial counterparts.” Insurers are more than happy to take public-sector and private-sector money.
Despite the earlier $111K/ransom figure, plus other costs, cyberinsurance policies are almost twice as lucrative as other policies. “The loss ratio for U.S. cyber policies was about 35% in 2018 … . In other words, for every dollar in premiums collected from policyholders, insurers paid out roughly 35 cents in claims. That compares to a loss ratio of about 62% across all property and casualty insurance, according to data compiled by the NAIC of insurers that report to them.”
Cyberinsurers are still looking to cut their losses. Their opponents are criminals, and loss/risk avoidance is a big part of business. Increasingly, cyberinsurers are making sure clients are following basic cyberhygiene practices. Clients that don’t have the resources to protect themselves may get quoted cyberinsurance premiums that are too high, if they’re even offered policies at all.
Additional ransomware avoidance practices include careful selection of multiple cybersecurity products. Don’t just use as many cybersecurity solutions as you can find. You should use several solutions, as CompTIA SmartBrief noted recently courtesy of this Fortune article, while also ensuring those solutions work well together.
Lastly, back up your files in multiple places, following the instructions here and elsewhere to ensure your backups are “offline and physically [disconnected] … from an online connection.” Use multiple authentication systems and multiple passwords. Otherwise, you risk shelling out big bucks to criminals, and potentially losing your business.
If you found this article interesting, sign up for ISACA SmartBrief on Cybersecurity or SmartBrief for CFOs to receive more quality news content. For even more informative coverage, subscribe to any of SmartBrief’s 275+ free newsletters.
Patrick Hopkins writes about transportation and public technology and copy edits technology news. He has been copy editing professionally for more than a decade and reading technology news for longer.