AXEL.org

Ransomware: Give us back our files!

Ransomware: Give us back our files!

Ransomware attacks are on the rise. By 2021 they’re expected to cost companies over $20 billion per year[1]. With that kind of money at stake, it becomes evident that prevention is crucial. Let’s look into some background on ransomware and what companies can do to prevent catastrophic hacks.

What is ransomware?

Ransomware is a type of malware that has gained popularity over the past five years. The general progression of a ransomware attack goes like this:

  1. The targeted computer network is delivered a malicious payload. The majority of the time, this means an employee falls for a phishing scam, clicks a bad link, and accidentally opens access to the system.
  2. The computer virus maps out the connected drives (both local and networked) and encrypts data as it goes. Depending on the strain of malware, the infected computers may transmit the encrypted data back to the hackers.
  3. The hackers contact the company to inform them about their misdeeds and demand a ransom to unlock the files. Usually, this is on a strict time limit, and the demand increases if not met promptly. If the bad actors stole the data and not just encrypted it, they also threaten to leak or sell it on the Dark Web when no payment is received.

The encryption used in ransomware attacks is practically impossible to brute force crack. If there are no backups, or the organization doesn’t want the information leaked and sold, favorable response options are limited.

Common types of ransomware in 2020

There are many different flavors of ransomware, and all of them are disgusting. But, the most popular versions in 2020 include:

Sodinokibi. Also known as REvil, this malware comprised up to 29% of ransomware attacks this year[2]. It is thought to be a ransomware-as-a-service (RaaS) package that different affiliated hacker groups purchase. These groups focus on U.S. businesses and have demanded ransoms of up to $42 million. Analysts estimate this virus has generated approximately $81 million in profit through September.

Maze. Here’s another RaaS. Maze made up 12% of ransomware attacks so far this year. It incorporates similar tactics to Sodinokibi but, starting recently, is known to utilize a program called the Buer Loader. The Buer loader is especially insidious. Once installed on the target network, it can execute additional malicious payloads while establishing persistence in the system. This means that while the infected computers remained attached to the network, that entire system is compromised.

EKANS. Let EKANS slither into your network, and you’re in for an awful time. Discovered in late 2019, it’s involved in 6% of ransomware attacks in 2020. It’s unique in that it can terminate critical processes, including some Industrial Control System (ICS) functions. This makes it very dangerous to industrial organizations that rely on automation.

Ways to prevent attacks

The best way to protect yourself from ransomware is to build a strong defense plan against it. Doing so puts you well ahead of most companies, as a recent survey concludes 77% of IT professionals feel their organizations don’t have consistent response plans[3]. Here are our top six tips:

Maintain current offline backups. It may be a pain to set up redundant backup file storage, but it’s well worth the effort to prevent a successful ransomware attack. You should back up your important files regularly to offline hard disks. This allows you to wipe infected systems and reload your sensitive information back onto the clean drives. This alone offers full protection against many attacks, although if the hackers obtained the data for themselves and threaten to sell it online, you still have problems.

Implement quarterly phishing training. As previously stated, phishing is responsible for the majority of data breaches. It’s doubtful you will prevent all phishing, but providing the proper training will help. Employees should take mandatory quarterly classes that inform them about new phishing techniques and how to spot fraudulent communications.

Test the system to find weaknesses. We recommend frequent penetration tests from internal or third-party experts. Consider penetration testers ethical hackers. They will poke and prod your network to expose vulnerabilities. Once they are known, your company can fix the issues and solidify your defenses against the unethical hackers out there.

Monitor file systems and mail servers to pinpoint suspicious activity. With recent advances in AI solutions, monitoring network traffic is easier than ever. Block unknown or suspicious connections immediately. You can always unblock connections after they are confirmed safe. Email is the primary attack vector for phishing, so ensure that you monitor it sufficiently as well.

Use up-to-date, patched antivirus software. Antivirus programs are critical defenses against ransomware, but you should update them frequently to their current versions. Hackers continuously attempt to find new exploits that can go undetected by older software. They also develop new ransomware to evade antivirus programs. Be as safe as possible by keeping things patched.

Do not pay ransoms. This advice may not seem preventative, but it is in the longer term. If you ever do get attacked, we recommend not paying the ransom unless absolutely necessary. Paying criminals will put a bigger target on you for other cyber thieves in the future. Furthermore, if businesses worldwide stopped paying altogether, the market would dry up, and the malicious actors would have no incentive to keep trying. We understand that not all circumstances are created equal, but as a general rule, you should not negotiate with crooks. Can you even trust them to do what they say they’ll do after you pay the ransom? Think about it.

What to do if successfully attacked

Nobody wants to boot up their computer to find a ransom demand. However, there are steps you should take if you ever find yourself in this unenviable position, such as:

Isolate infected computers. Figure out which machines have encrypted data and decipher their network connections. Then, disconnect the affected computers as soon as possible. Many ransomwares attempt to connect to peripheral networks, so you want to quarantine them quickly.

Identify the type of ransomware. Hopefully, the malware is known and documented. If it’s older, someone may have leaked the decryption keys online. In these lucky cases, you can decrypt your data within paying a dime. Even if that isn’t the situation, you still want to know exactly which ransomware is infecting your system.

Talk to law enforcement. Contact your local authorities, or if it’s a more considerable ransom, federal law enforcement. Federal agencies especially may have access to common decryption keys and can give more information about the perpetrators’ tactics.

Wipe infected drives and install recent backup data or recover data from damaged drives. Organizations with reliable backups should wipe the compromised drives and reinstall their most current data. Those without backups may have to use specialized IT firms to recover information from damaged and cleaned drives.

Conclusion

To protect your company from ransomware, you need to have robust security and threat response strategies. New file storage solutions like AXEL Go should play a part as well. AXEL Go uses the decentralized AXEL Network to store and transfer files. Instead of holding data on a central server farm, the information gets spread around a vast collection of network participants (Masternodes). This results in data storage without a single point of failure. Even if a particular server gets compromised, your data has redundant backups throughout the world. It makes for a much more secure way to store sensitive information. Visit axelgo.app to learn more about this exciting technology.

[1] Steve Morgan, “Global Cybersecurity Spending Prediected To Exceed $1 Trillion From 2017-2021”, Cybercrime Magazine, June 10, 2019, https://cybersecurityventures.com/cybersecurity-market-report/

[2] Camille Singleton, Christopher Kieer, Ole Villadsen, “Ransomware 2020: Attack Trends Affecting Organizations Worldwide”, Security Intelligence, Sept. 28, 2020, https://securityintelligence.com/posts/ransomware-2020-attack-trends-new-techniques-affecting-organizations-worldwide/

[3] “IBM Study: More Than Half of Organizations with Cybersecurity Incident Response Plans Fail to Test Them”, IBM News Room, April 11, 2019, https://newsroom.ibm.com/2019-04-11-IBM-Study-More-Than-Half-of-Organizations-with-Cybersecurity-Incident-Response-Plans-Fail-to-Test-Them