Member News

Marks Paneth | What to Do When Your Data is Held Hostage? To Pay or Not to Pay?

Information is the lifeblood of our economy. It enables us to run our businesses more efficiently, to sell smarter and to innovate. In parallel, our digital economy has also revolutionized the business of cybercrime. Instead of stealing information and going to all the trouble of selling it or using it themselves, cyber thieves are holding our systems and data hostage and demanding ransom for their release.

With ransomware, digital files are virtually stolen, and a monetary ransom is demanded in the form of cryptocurrency before the files are restored or returned. For thieves, it’s the perfect crime – ransomware is much harder to spot and prevent than other malware, and they get near-instant payoff in untraceable cryptocurrency. For the victims, it’s the perfect storm. As opposed to a typical data breach, where business operations can continue while you sort things out, everything grinds to a halt, and even after ransom is paid there can be days or weeks of system cleanup.

On the positive side, there are ways to protect your organization against the 100,000 new variants of ransomware that are released every day. Forewarned really is forearmed and following is a tour of the ransomware world – the software, the criminals, and their tactics; the thorny question of whether to pay ransom; and ways to prevent or mitigate the threat.

In 2020, the FBI’s Internet Crime Complaint Center received 2,474 ransomware complaints, and those are just the ones that were reported. Compounding the trend, more people are working remotely as the global pandemic continues to change business environments, and cybercriminals capitalize on the opportunity to attack users working outside the corporate firewall. An uptick in scams and phishing attempts across all platforms indicated that attackers leveraged issues related to COVID-19 to exploit fear and misinformation. Attacks were focused on COVID-19 related messaging in the first half of 2020 before shifting to impersonations of banking, delivery, and travel services in the second half.

Higher Ransom Demands

Ransom amounts are also reaching new heights. Attempts have gone as high as $50 million—the largest attempted ransom ever. By late 2020, the astronomical demands had many companies saying “enough is enough” and refusing to make payments. This trend was perhaps attributable to the eroding belief that hackers will actually delete sensitive data, as well as many reports of data being released to the public after payments are made.

Ransomware affects all industries, from technology to healthcare, and oil and gas to higher education. Even during a global pandemic, in Q4 of 2020 the healthcare sector was the most common industry targeted by ransomware, followed by professional services and the public sector. So, if there’s any expectation that a business’s mission or service to the world might deter malicious actors, that’s an assumption to leave in the past.

How Does Ransomware Work?

Ransomware typically spreads via spam, phishing emails or through social engineering efforts. It also can be spread through websites or drive-by downloads to infect an endpoint and penetrate the network. Infection methods are constantly evolving and there are countless ways one’s technology can become infected. Once in place, the ransomware locks all files it can access using strong encryption. Finally, the malware demands a ransom (typically payable in Bitcoin) to decrypt the files and restore full operations to the affected IT systems.

The typical steps in a ransomware attack are:

  • Infection – After it has been delivered to the system via email attachment, phishing email, infected application or other method, the ransomware installs itself on the endpoint and any network devices it can access.
  • Secure Key Exchange – The ransomware contacts the command-and-control server operated by the cybercriminals behind the attack to generate the cryptographic keys to be used on the local system.
  • Encryption – The ransomware starts encrypting any files it can find on local machines and the network.
  • Extortion – With the encryption work done, the ransomware displays instructions for extortion and ransom payment, threatening destruction of data if payment is not made.
  • Unlocking – Organizations can either pay the ransom and hope for the cybercriminals to actually decrypt the affected files, or they can attempt recovery by removing infected files and systems from the network and restoring data from clean backups. Unfortunately, negotiating with cyber criminals is often a lost cause as a recent report found that 42% of organizations who paid a ransom did not get their files decrypted.

You’ve been attacked. What should you do?

  • Isolate – The rate and speed of ransomware detection is critical in combating fast moving attacks before they succeed in spreading across networks and encrypting vital data. Prevent the infection from spreading by separating all infected computers from each other, shared storage, and the network. Crypto worms actively seek out connections and other computers, so you want to prevent that happening. Be aware that there may be more than just one patient zero, meaning that the ransomware may have entered your organization or home through multiple computers, or it may be dormant and not yet shown itself on some systems. Treat all connected and networked computers with suspicion and apply measures to ensure that all systems are not infected.
  • Identify – From messages, evidence on the computer and identification tools, determine which malware strain you are dealing with.
  • Report – To the authorities to support and coordinate measures to counterattack. You can file a report with the FBI at the Internet Crime Complaint Center.
  • Determine Your Options – To pay the ransom, to try to remove the malware and/or to wipe the system(s) and reinstall from scratch. It’s generally considered a bad idea to pay the ransom. Paying the ransom encourages more ransomware, and in many cases the unlocking of the encrypted files is not successful.
  • Restore and Refresh – Use safe backups and program and software sources to restore your computer or outfit a new platform.
  • Prevention – Assess how the infection occurred and what you can do to put measures into place that will prevent it from happening again.

In a recent survey, more than three-quarters of respondents said their organization is not likely to pay a ransom to recover their data (77%). Only a small minority said they were willing to pay some ransom. Three percent of companies have already set up a Bitcoin account in preparation.

That leaves two other options: removing the malware and selectively restoring your system or wiping everything and installing from scratch.

  • Restore or Start Fresh – You have the choice of trying to remove the malware from your systems or wiping your systems and reinstalling from safe backups and clean OS and application sources.
  • Get Rid of the Infection – There are internet sites and software packages that are able to remove ransomware from systems.

Whether you can successfully and completely remove an infection is up for debate. The surest way of being certain that malware or ransomware has been removed from a system is to do a complete wipe of all storage devices and reinstall everything from scratch. Formatting the hard disks in your system will ensure that no remnants of the malware remain. If you’ve been following a sound backup strategy, you should have copies of all your documents, media, and important files right up to the time of the infection.

Understand Your Malware

Be sure to determine the date of infection as well as you can from malware file dates, messages, and other information you have uncovered about how your particular malware operates. Consider that an infection might have been dormant in your system for a while before it activated and made significant changes to your system. Identifying and learning about the malware that attacked your systems will enable you to understand how that malware functions and what your best strategy should be for restoring your systems.

Select a backup or backups that were made prior to the date of the initial ransomware infection. With extended version history, you can go back in time and specify the date prior to which you wish to restore files. If you’ve been following a good backup policy with both local and off-site backups, you should be able to use backup copies that you are sure were not connected to your network after the time of attack and, hence, would be protected from infection. Backup drives that were completely disconnected should be safe, as are files stored in the cloud.

You might be tempted to use a system restore point to get your system back up and running, but this is not a good solution for removing viruses or other malware. Since malicious software is typically buried within all kinds of places on a system, you can’t rely on system restore being able to root out all parts of the malware.

Finally, you will need to reinstall your OS and software applications from the source media or the internet. If you’ve been managing your account and software credentials in a sound manner, you should be able to reactivate accounts for applications that require it. If you use a password manager to store your account numbers, usernames, passwords, and other essential information, you can access that information through their web interface or mobile applications. You just need to be sure that you still know your master username and password to obtain access to these programs.

How to Prevent a Ransomware Attack

“Ransomware is at an unprecedented level and requires international investigation,” according to the European police agency Europol. A ransomware attack can be devastating for a home or a business. Valuable and irreplaceable files can be lost and tens or even hundreds of hours of effort can be required to get rid of the infection and get systems working again. Ransomware attacks continue to evolve and attack methods get more sophisticated all the time. You don’t have to be part of the statistics. With good planning and smart practices, you can prevent ransomware from affecting your systems.

To be prepared, you need to know how ransomware can enter your system. These methods of gaining access to your systems are known as attack vectors. Attack vectors can be divided into two types: human attack vectors and machine attack vectors. Often, viruses need the help of humans to enter computers, so they employ what’s known as social engineering. In the context of information security, social engineering is the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes. In other words, people can be fooled into giving up information that they otherwise would not divulge.

Common human attack vectors include:

  • Phishing – This method uses fake emails to trick people into clicking on a link or opening an attachment that carries a malware payload. The email might be sent to one person or many within an organization. Sometimes the emails are targeted to make them seem more credible. The attackers take time to research individual targets and businesses, so their emails appear legitimate. The sender might be faked to be someone known to the recipient or the subject matter relevant to the recipient’s job.
  • SMSishing – This method uses text messages to get recipients to navigate to a site or enter personal information on their devices. Common approaches use authentication messages or messages that appear to be from a financial or other service provider. Some SMSishing ransomware attempt to propagate by sending themselves to all contacts in a device’s contact list.
  • Vishing – In a similar manner to email and SMS, vishing uses voicemail to deceive the victim. The voicemail recipient is instructed to call a number that is often spoofed to appear legitimate. If the victim calls the number, they are taken through a series of actions to correct some made-up problem. The instructions include having the victim install malware on their computer. Cybercriminals can appear professional and employ sound effects and other means to appear legitimate. Like spear phishing, vishing can be targeted to an individual or company using information that the cybercriminals have collected.
  • Social Media – Can be a powerful vehicle to convince a victim to open a downloaded image from a social media site or take some other compromising action. The carrier might be music, video or other active content that once opened infects the user’s system.
  • Instant Messaging – Can be hacked by cybercriminals and used to distribute malware to the victim’s contact list.

Machine Attack Vectors

The other type of attack vector is machine to machine. Humans are involved to some extent as they might facilitate the attack by visiting a website or using a computer, but the attack process is automated and doesn’t require any explicit human cooperation to invade your computer or network.

  • Drive-by – As the moniker suggests, all it takes for the victim to become infected is to open a webpage with malicious code in an image or active content.
  • System Vulnerabilities – Cybercriminals learn the vulnerabilities of specific systems and exploit those vulnerabilities to break in and install ransomware on the machine. This most often happens to systems that are not patched with the latest security releases.
  • Malvertising – Is like drive-by but uses ads to deliver malware. These ads might be placed on search engines or popular social media sites to reach a large audience. A common host for malvertising is adults-only sites.
  • Network Propagation – Regardless of how a piece of ransomware enters a system, once it has, it can scan for file shares and accessible computers and spread itself across the network or shared system. Companies without adequate security might have their company file server and other network shares infected as well. From there, the malware will spread as far as it can until it runs out of accessible systems or meets security barriers.
  • Propagation Through Shared Services – Online services such as file sharing or syncing services can be used to propagate ransomware. If the ransomware ends up in a shared folder on a home machine, the infection can be transferred to an office or to other connected machines. If the service is set to automatically sync when files are added or changed, as many file sharing services are, then a malicious virus can be widely propagated in just milliseconds. It’s important to be careful and consider the settings you use for systems that automatically sync, and to be cautious about sharing files with others unless you know exactly where they came from.

Best Practices to Defeat Ransomware

Security experts suggest several precautionary measures for preventing a ransomware attack.

  • Use anti-virus and anti-malware software or other security policies to block known payloads from launching.
  • Make frequent, comprehensive backups of all important files and isolate them from local and open networks.
  • Immutable backup options such as Object Lock offer users a way to maintain truly air-gapped backups. The data is fixed, unchangeable and cannot be deleted within the time frame set by the end-user. With immutability set on critical data, you can quickly restore uninfected data from your immutable backups, deploy them and return to business without interruption.
  • Object Lock functionality for backups allows you to store objects using a Write Once, Read Many (WORM) model, meaning after it’s written data cannot be modified. Using Object Lock, no one can encrypt, tamper with, or delete your protected data for a specified period, creating a solid line of defense against ransomware attacks.
  • Keep offline backups of data stored in locations inaccessible from any potentially infected computer, such as disconnected external storage drives or the cloud, which prevents them from being accessed by the ransomware.
  • Install the latest security updates issued by software vendors of your OS and applications. Remember to patch early and patch often to close known vulnerabilities in operating systems, browsers, and web plugins.
  • Consider deploying security software to protect endpoints, email servers and network systems from infection.
  • Exercise cyber hygiene, such as using caution when opening email attachments and links.
  • Segment your networks to keep critical computers isolated and to prevent the spread of malware in case of attack. Turn off unneeded network shares.
  • Turn off admin rights for users who don’t require them. Give users the lowest system permissions they need to do their work.
  • Restrict write permissions on file servers as much as possible.
  • Educate yourself, your employees, and your family in best practices to keep malware out of your systems. Update everyone on the latest email phishing scams and human engineering aimed at turning victims into abettors.

At this point, the technology behind ransomware is formidable as developers employ stronger encryption and more tactics to elude detection. Eventually, security technology will catch up, but in the meantime organizations and individuals need to avoid giving in to fear because that is the ransomware criminal’s greatest weapon. Just as the earliest forms of ransomware extorted users with non-existent threats, much of today’s ransomware is not as invincible as it seems, which is why attackers keep coming up with scarier tactics for their malware. While there is no perfect defense against ransomware, there are remedies that your organization can try before facing the ultimate question: To pay or not to pay?

Author:

  • Hassan Khan, Principal, Technology Services | hkhan@markspaneth.com

Compliments of Marks Paneth LLP – a member of the EACCNY.