Ransomware: villains checkmate on the corporate world

Fabio Tagnin

July 12, 2021

Although 2020 brought a significant decline in the number of users who suffered ransomware attacks compared to 2019, according to a study by Kaspersky, companies need to remain on the lookout for such threats, because the risk of being attacked keeps rising. In its search for higher profits, the cybercriminal ecosystem has evolved so much that it is now one of the main threats to corporations worldwide, and could bring losses of up to $6 trillion this year, according to Cybersecurity Ventures, including downtime, recovery costs and lost profits.

Even if the number of attacks decreases further in 2021, the threats themselves will become increasingly destructive and expensive for businesses. In addition to encrypting key data and demanding a ransom to release it, the bad guys have been stealing the data first, so that they can threaten to make it public if the targeted companies decide not to pay the ransom. In the first quarter of this year, 77% of attacks threatened to leak the stolen data, according to Coveware. It’s a checkmate these cybercriminals are imposing on the corporate world.

However, contrary to what common sense might suggest, there is no specific user or company profile that is more susceptible to ransomware attacks. Today, virtually any person or company is vulnerable and can be the target of an invasion, whether on their computers, tablets, mobile phones, servers, or even in various types of electronic systems connected to the internet, such as security cameras, printers, and personal assistants.

We have seen attacks on companies that have a lot to lose if their data is publicly exposed, both because of business sensitivity and because it may threaten the integrity or privacy of their own customers. Most attacked targets have been medium-sized companies – 68% of ransomware attacks are aimed at companies with between 11 and 1,000 employees – which generally do not have the technical expertise or financial resources to deal with such situations or remediate them quickly enough to prevent subsequent invasions.

Distribution of attacks by company size in Q1-2020, according to Coveware

According to BlackFog, which monitors the state of ransomware and tracks attacks individually, government agencies seem to be the most targeted by these gangs because of the value their data has on the international market. But educational companies are also easy targets because they have many users and many breaches, as they often use beta systems or even experimental programs. Next come service companies, which have many clients, manufacturing companies, which can have their production paralyzed, generating huge immediate losses, and healthcare, due to the sensitivity of their patients’ data.

The ransomware scam may target a large corporation and demand large sums of money to restart its business, or it may involve a large number of ordinary users, demanding small amounts of money that are easy to pay but in the aggregate may add up to millions of dollars. And all in untraceable electronic currencies. Forget the old line from spy movies to “just follow the money”: the job of the police is now different and much more complex.

According to Cloudwards, for USD 50 anyone can buy a ransomware kit on the Dark Web. A tiny amount compared to the average ransom of USD 5,900 asked in 2020 from small businesses to hand them a mathematical key to decrypt their data. And an abysmal difference to the largest ransom demanded from French construction company Bouygues, estimated at EUR 10 million. This year, it is estimated that a corporate attack will happen every 11 to 14 seconds, leaving targets on average 23 days out of business, while 25% of affected companies will really pay the requested ransom, amid risks that include data leakage, business downtime, and also lawsuits that may follow from customers themselves for having had their information published.

How ransomware works

Malicious software can gain access to your computer, or a computer on your network, by exploiting security vulnerabilities (such as weaknesses in the Remote Desktop Protocol, RDP, or in other systems or applications) or by using a bit of social engineering (known as phishing). It is generally code that needs to be executed on the victim’s computer to gain access to memory, data files, applications, or the operating system. According to Symantec, although we are always on the lookout for executable files (such as those with the .EXE extension in Microsoft Windows), many of these codes come in seemingly harmless documents such as Microsoft Word’s .DOC or .DOT.

To reach your computer, it must be inserted into an electronic message that comes over the network, downloaded through a link clicked on in an email or malicious website, or saved on some removable storage device that is plugged into a computer port. It often uses some form of social engineering to trick the user into trusting the download or code execution. Malicious software can also be transferred over the network by exploiting a security hole in a firewall, router, operating system or application, without any direct interaction with the target machine’s user.

Regardless of the medium, whether through the inattention of a single user or the carelessness of the team managing the network, the malicious software reaches your systems and, within 45 minutes to 4 hours, wreaks havoc that could cost millions. The last major cyberattack of this type, executed by the REvil network (Sodinokibi), compromised hundreds of American companies by exploiting a security hole. That criminal variant was responsible for 15% of ransomware in 2020, followed by Maze and Phobos (accounting for 7.7% each). And the attacks won’t stop there. They have been evolving since the first on record in 1980, and over 70% of them are successful.

For the past few years, a type of software called a Trojan has been used to first steal information from infected machines (a technique known as doxing), which is evaluated for its potential importance and value, and then to open the door to other ransomware software that encrypts that information and demands a ransom. Applications such as Emotet or TrickBot break into systems, copy their information to a remote server, and then “pull” malware such as Ryuk, used in 5.1% of attacks last year, in the invasions of several US newspapers in 2018, and in the well-known North Carolina water and sewerage company episode.

Types of ransomware

It is common to classify ransomware attacks into three types, according to what they actually do inside the compromised systems.

Scareware: these are often empty threats arriving in email messages, adverts, or website pop-ups, which claim your computer has a problem or has been hacked and demand that you make a payment. They may say that they have encrypted your files, or that they have found some kind of illegal or pornographic content on your system, and threaten public exposure. Since nothing was actually executed on the target machine, they rely on the fear the message incites: the victim, believing the machine has been invaded, acts on the demand without checking.

Locker: implants a mechanism that prevents access to the equipment and displays a message on the screen, sometimes disguised as an official message with the logo of some government agency. It may show messages saying that your files have been encrypted, that your computer is locked, or that some malicious content has been found on your disk. Even if you restart your computer, the message continues to appear.

Crypto: implements code that actually encrypts the files and prevents access to the data, explicitly displaying what has been done and demanding a ransom in some untraceable payment method such as cryptocurrency. This is the worst type because even if you restore your operating system and apps to factory state, the data will still be locked with a key that only the criminals possess, and to get it, you have to pay the ransom they demand.
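Crypto ransomware leaves a measurable trace: files that used to be documents become byte streams that look random. Anti-ransomware and monitoring tools exploit exactly this, flagging a burst of newly written high-entropy files. The script below is an added example (not code from the article) that computes the Shannon entropy of each file in a directory tree and raises an alarm when a large share of files that should be plaintext look encrypted. The threshold of 7.5 bits per byte, the alarm ratio of 50%, the list of skipped already-compressed extensions and the sample files built by `demo()` are all assumptions chosen for illustration.

```python
import math
import os
import tempfile
from collections import Counter

# Assumed thresholds: plaintext documents usually sit around 4-6 bits/byte,
# ciphertext (and compressed data) close to 8. Both values are illustrative.
HIGH_ENTROPY = 7.5
SAMPLE_BYTES = 4096

# Formats that are already compressed look "encrypted" to an entropy check
# and would cause false positives, so they are skipped. Illustrative list.
COMPRESSED_EXTS = {".zip", ".gz", ".7z", ".jpg", ".jpeg", ".png", ".mp4", ".pdf"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant data, 8.0 for uniform data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes) -> bool:
    """True when the first SAMPLE_BYTES of the content are near-random."""
    return shannon_entropy(data[:SAMPLE_BYTES]) >= HIGH_ENTROPY


def scan_tree(root: str, alarm_ratio: float = 0.5):
    """Walk a tree and return (high_entropy_files, files_checked, alarm_raised).

    Files with a known compressed extension are not counted, so the ratio
    reflects only files that are expected to be plaintext.
    """
    high = total = 0
    for dirpath, _, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() in COMPRESSED_EXTS:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(SAMPLE_BYTES)
            except OSError:
                continue  # unreadable file: skip rather than crash the monitor
            total += 1
            if looks_encrypted(head):
                high += 1
    alarm = total > 0 and high / total >= alarm_ratio
    return high, total, alarm


def demo():
    """Constructed sample tree: 3 plaintext reports, 3 'encrypted' copies, 1 compressed image."""
    with tempfile.TemporaryDirectory() as tmp:
        plaintext = b"Quarterly report: revenue grew 4% while costs fell. " * 80
        # Stand-in for ciphertext: every byte value equally likely, entropy exactly 8.0.
        ciphertext = bytes(range(256)) * 16
        for i in range(3):
            with open(os.path.join(tmp, f"report{i}.docx"), "wb") as fh:
                fh.write(plaintext)
            with open(os.path.join(tmp, f"report{i}.docx.locked"), "wb") as fh:
                fh.write(ciphertext)
        # A legitimate high-entropy file that must be ignored by the ratio.
        with open(os.path.join(tmp, "holiday.jpg"), "wb") as fh:
            fh.write(ciphertext)
        return scan_tree(tmp)


if __name__ == "__main__":
    high, total, alarm = demo()
    print(f"{high}/{total} plaintext-type files look encrypted, alarm={alarm}")
```

A production monitor would add the time dimension (how many files changed in the last minute and by which process) and canary files that no legitimate program touches, since a single entropy snapshot cannot tell a ransomware burst from a user who just archived a folder.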

Ransomware families, or variants

Among the lockers and cryptos are the best-known ransomware variants: families of code that, due to their similarity in operation or common ancestry (assessed by derivation from an initial code base), are grouped and categorized. Among the best known is CryptoLocker, a botnet that emerged in 2013, was dismantled in 2014, and practically gave rise to a sequence of imitations that terrorize the world to this day. WannaCry is another famous variant, still responsible for the majority of ransomware infections, having hit more than 125,000 organizations in 150 countries, with an estimated loss of at least USD 4 billion.

GandCrab was another peculiar attack of 2018 that threatened to divulge the pornographic habits of its victims, claiming to have hacked the webcam of their systems and to be ready to publish the filmed content online if the requested ransom was not paid. This variant has evolved and still appears among the five most used in the world of cybercrime, now alongside a 2016 variant, Crysis/Dharma, capable of using multiple attack vectors and taking advantage of vulnerabilities in the Remote Desktop Protocol (RDP).

As computing systems advance, it’s not hard to imagine other variants being scattered across networks, many of them tracked by Kaspersky, or lumped together and studied in groups, as in the entire team’s study with Dark Web researcher Mike Mayes, each hitting a different computing spectrum, with sometimes unpredictable actions.

For your system to be prepared and immune to at least the most mundane ransomware attacks, you need to have a user training and awareness plan, another for disaster recovery, automatic backup of all important files and code, and an emergency plan so that if an invasion happens, it can be stopped before it’s too late. In 2020, 24% of attacks were prevented with anti-ransomware and other network blocking and monitoring systems.

A good disaster recovery plan will involve a series of documented and structured actions that need to be carried out in the event of any physical or cyber incident. It is an integral part of a business continuity plan, which takes into account the entire information technology infrastructure of a corporation and involves good insurance, a trained team of people with the resources to execute it, updated tools, and even the help of external providers.

But beware, when seeking help from third parties, watch out for companies that say they can decrypt your data. They may pay the ransom and build it into the price of their services.

Backing up your data is perhaps the most important part of preventing ransomware attacks, as the data is the very object of the ransom. If the company can recover its data from a recent backup without having to resort to paying the high price criminals demand for the decryption key, it will always be one step ahead of them. A good strategy includes online and local backups, on different devices. Obviously, in a situation where there’s a threat of public data exposure, just having a reliable backup is not the complete solution.

So if all else goes wrong, you need to have an automated backup plan in place; the recovery plan comes into play afterwards. When you identify that systems are being hacked, you need to “push the red button”: immediately cut communications on your internal network to prevent further spread, and cut your internal network off from any external network to prevent infected systems from contacting other networks and the malware’s central control system. Remote Desktop Protocol (RDP) access needs to be turned off so that the ransomware cannot remotely reach any systems. Administration passwords need to be changed and all administrative processes have to be stopped. Finally, all systems need to be shut down and then turned on one by one, disconnected, to assess the depth of the infection.

Upon detecting an attack, identify the type of ransomware with a ransomware-specific tool that uses the messages displayed by the criminals and the list of damaged files to determine the variant and where it came from.

After executing your backup plan, when re-connecting your systems individually, install a malware scanning system to help identify and quarantine the ransomware if possible. If not, each system will have to be restored to its factory settings and data fetched from backup files.
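The identification step above works by matching what the attacker left behind, the appended file extension, the name of the ransom note and phrases in its text, against a table of known family indicators. The script below is an added example (not code from the article or from any identification service) of that matching logic. The `SIGNATURES` table is a deliberately small, illustrative subset built from widely reported indicators and should be checked against a current reference before being relied on; the scoring weights and the sample file list and note text in `demo()` are constructed for the example.

```python
import os
from dataclasses import dataclass

# Weights are assumptions: a dropped note file is a strong indicator, an
# appended extension is weaker (several families share suffixes), and a
# phrase in the note text sits in between.
NOTE_NAME_WEIGHT = 5
NOTE_PHRASE_WEIGHT = 3
EXTENSION_WEIGHT = 1


@dataclass(frozen=True)
class Signature:
    family: str
    extensions: tuple   # suffixes appended to encrypted files (lowercase)
    note_names: tuple   # ransom-note filenames dropped beside the files (lowercase)
    note_phrases: tuple # phrases expected in the note text (lowercase)


# Illustrative subset; a real identification tool maintains a far larger database.
SIGNATURES = (
    Signature("WannaCry", (".wncry", ".wcry"), ("@please_read_me@.txt",), ("wanna decryptor",)),
    Signature("Ryuk", (".ryk",), ("ryukreadme.txt", "ryukreadme.html"), ("ryuk",)),
    Signature("Crysis/Dharma", (".dharma",), ("files encrypted.txt",), ("dharma",)),
    Signature("Phobos", (".phobos",), ("info.txt", "info.hta"), ("phobos",)),
)


def identify(file_names, note_text=""):
    """Score each family against observed file names and note text.

    Returns a list of (family, score) pairs, best match first; an empty list
    means nothing in the table matched and an expert should look at it.
    """
    scores = {}
    lowered_note = note_text.lower()
    for sig in SIGNATURES:
        score = 0
        for name in file_names:
            base = os.path.basename(name).lower()
            if base in sig.note_names:
                score += NOTE_NAME_WEIGHT
            elif any(base.endswith(ext) for ext in sig.extensions):
                score += EXTENSION_WEIGHT
        score += NOTE_PHRASE_WEIGHT * sum(1 for p in sig.note_phrases if p in lowered_note)
        if score:
            scores[sig.family] = score
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


def collect_names(root):
    """Gather every file path under a directory tree for feeding into identify()."""
    return [os.path.join(d, n) for d, _, names in os.walk(root) for n in names]


def demo():
    """Constructed sample: a damaged-file listing and a note as an analyst might paste them."""
    files = [
        "C:/Users/alice/Documents/budget.xlsx.WNCRY",
        "C:/Users/alice/Documents/@Please_Read_Me@.txt",
        "C:/Users/alice/Pictures/holiday.jpg.WNCRY",
    ]
    note = "Your files have been encrypted. Use Wanna Decryptor to recover them."  # constructed
    return identify(files, note)


if __name__ == "__main__":
    for family, score in demo():
        print(f"{family}: score {score}")
```

The output is a ranked guess, not a verdict: the extension and note name are trivial for a copycat family to reuse, so the result should be confirmed with the actual binary or a specialist before deciding whether a public decryptor exists.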

When in doubt, always consult an expert or a cybersecurity company. The chance of you or your company being infected by ransomware is 51%, according to most studies. It all depends on the size of your company, the sensitivity of the data it stores, how prepared your staff is, how well your employees are trained to avoid this situation, how your technology team handles the recovery and emergency plans, and a little bit of luck. In this game of chess, the longer you can avoid checkmate, the better.