{"id":34227,"date":"2020-03-20T07:06:48","date_gmt":"2020-03-20T11:06:48","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?post_type=emagazine&#038;p=34227"},"modified":"2021-06-02T06:23:18","modified_gmt":"2021-06-02T10:23:18","slug":"how-to-ransomware","status":"publish","type":"emagazine","link":"https:\/\/www.kaspersky.com\/blog\/secure-futures-magazine\/how-to-ransomware\/34227\/","title":{"rendered":"Ransomware: The common attack you can stop in its tracks"},"content":{"rendered":"<p>Holding a business\u2019s systems and information for \u2018ransom\u2019 is an increasingly common form of cyberattack. Kaspersky research shows this <u><a href=\"https:\/\/securelist.com\/story-of-the-year-2019-cities-under-ransomware-siege\/95456\/\" target=\"_blank\" rel=\"noopener\">type of malware attack has risen 25 percent<\/a><\/u> in the past three years. Verizon\u2019s investigations agree. Their <u><a href=\"https:\/\/enterprise.verizon.com\/resources\/executivebriefs\/2019-dbir-executive-brief.pdf\" target=\"_blank\" rel=\"noopener nofollow\">2019 Breach Investigations Report<\/a><\/u> notes, \u201cRansomware has become so commonplace that it is less frequently mentioned in the specialized media unless there is a high-profile target.\u201d<\/p>\n<p>This \u2018so common it\u2019s boring\u2019 phenomenon means ransomware can slip off the radar. Now\u2019s the time to plan for what your business will do to prevent and handle these common attacks.<\/p>\n<h2>What is business ransomware?<\/h2>\n<p>It\u2019s not those spam messages that claim to have your personal data. 
Ransomware is a sophisticated attack that involves a series of steps.<\/p>\n<p>First, a cybercriminal finds a way into an endpoint, usually using <u><a href=\"https:\/\/www.kaspersky.com\/resource-center\/definitions\/social-engineering\" target=\"_blank\" rel=\"noopener nofollow\">social engineering<\/a><\/u> or <u><a href=\"https:\/\/encyclopedia.kaspersky.com\/knowledge\/what-is-phishing\/\" target=\"_blank\" rel=\"noopener\">phishing<\/a><\/u> to get account credentials, or by infecting a USB memory stick. Next, they insert malware, which encrypts files and directories. Finally, the malware warns the user their machine is infected and demands a ransom to decrypt data.<\/p>\n<blockquote><p>To heighten the sense of crisis, ransomware usually gives the user a limited time to pay.<\/p>\n<\/blockquote>\n<p>The attacker has often studied the target\u2019s infrastructure to understand which databases and directory services are most critical. They tie together malware products and hack in a determined order. Attackers not immediately paid now sometimes publicly post data they\u2019ve taken.<\/p>\n<h2>Industries especially vulnerable to ransomware<\/h2>\n<blockquote><p>No one has perfect security. Someone might have already penetrated your company\u2019s IT infrastructure, but not yet attacked. Every business is a potential target.<\/p>\n<\/blockquote>\n<p>Breach by ransomware is not usually an isolated incident. Often, there have been a series of IT security errors or less-than-ideal practices. 
If your business isn\u2019t offering enough <u><a href=\"https:\/\/www.kaspersky.com\/blog\/secure-futures-magazine\/security-awareness-business-2019\/29183\/\" target=\"_blank\" rel=\"noopener nofollow\">cybersecurity awareness training<\/a><\/u> or you have delays in patching and system updates, your risk may be higher.<\/p>\n<h2>High-profile ransomware attacks<\/h2>\n<p>Cybercriminals have used ransomware to attack some prominent organizations in recent years.<\/p>\n<h3>Worming the data away<\/h3>\n<p>Estimated to be the most costly ransomware attack to date, <u><a href=\"https:\/\/www.kaspersky.com\/blog\/five-most-notorious-cyberattacks\/24506\/\" target=\"_blank\" rel=\"noopener nofollow\">NotPetya (also known as ExPetr) hit both Maersk and FedEx<\/a><\/u>, taking down their systems for weeks. It worked by way of a <u><a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/worm\/\" target=\"_blank\" rel=\"noopener\">worm<\/a><\/u> that <u><a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/wiper\/\" target=\"_blank\" rel=\"noopener\">wiped data<\/a><\/u>, causing hundreds of millions of US dollars of damage.<\/p>\n<h3>Now you see it; now you don\u2019t<\/h3>\n<p>File-encrypting <u><a href=\"https:\/\/www.securityweek.com\/ransomware-attack-costs-norsk-hydro-tens-millions-dollars\" target=\"_blank\" rel=\"noopener nofollow\">ransomware LockerGoga attacked Norwegian aluminum and renewable energy company Norsk Hydro<\/a><\/u>. The malware had advanced features such as deleting itself when it detected virtual machines to prevent researchers analyzing it.<\/p>\n<p>Norsk Hydro said their good backups meant the attack wasn\u2019t as bad as it could\u2019ve been, but it still cost them around 90 million US dollars.<\/p>\n<h3>A tale of 174 cities, and counting<\/h3>\n<p>Ransom attacks on city governments are on the increase. 
In 2019, <u><a href=\"https:\/\/securelist.com\/story-of-the-year-2019-cities-under-ransomware-siege\/95456\/\" target=\"_blank\" rel=\"noopener\">cybercriminals attacked some 174 municipal organizations with ransomware<\/a><\/u> \u2013 about 60 more cities than the year before. The <u><a href=\"https:\/\/www.baltimoresun.com\/news\/crime\/bs-md-ci-hack-folo-20180328-story.html\" target=\"_blank\" rel=\"noopener nofollow\">City of Baltimore<\/a><\/u> suffered two attacks in 2018 and 2019 that together cost an estimated 18 million US dollars.<br>\n<img decoding=\"async\" class=\"aligncenter size-large wp-image-34228\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2020\/03\/20065417\/136_how_to_ransomware_inline_v2-1024x768.jpg\" alt=\"how to ransomware\" width=\"1024\" height=\"768\"><br>\nOne of the Baltimore attacks took down the city\u2019s emergency response dispatch system.<\/p>\n<h3>Not all patients recover<\/h3>\n<p>Californian healthcare provider Wood Ranch Medical announced it was going out of business in late 2019, as a direct result of a ransomware attack. The ransomware had encrypted both patient records and backups.<\/p>\n<h2>How to avoid a ransomware attack<\/h2>\n<h3>1.\u00a0 Have the right tools to understand your vulnerabilities<\/h3>\n<p>Your IT security practice needs tools to investigate what happened in an attack and what parts of your infrastructure need updating or replacing. Are you running a rogue app or access point? Do you have unmonitored and open network ports? Are <u><a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/privilege-escalation\/\" target=\"_blank\" rel=\"noopener\">privilege escalations<\/a><\/u> being tracked? Are they expected and appropriate? 
Understanding root causes like these means you can know your defensive posture (the security status of your networks and information, and your capability to defend it and react to changes) and monitor your incident response.<\/p>\n<h3>2.\u00a0 Be vigilant about patching and installing updates<\/h3>\n<p>Attackers now scour the internet looking for outdated servers and applications. Many ransomware attacks happen within days of discovering a vulnerability.<\/p>\n<p>To delay is to invite exploitation. Make sure your patching program covers all endpoints, both on-premises and in the cloud.<\/p>\n<h3>3.\u00a0 Regularly test your data recovery and emergency response procedures<\/h3>\n<p>Back up critical data and ensure backups are intact and recoverable. Practice recovery and develop the correct order for restoring data. Identify your most valuable assets and make sure they\u2019re backed up. Regularly review the list to make sure you haven\u2019t missed something.<\/p>\n<p>Data backups and recovery drills should be the start of an overall emergency response plan. The plan should include regular, scheduled practice exercises, both \u2018table top\u2019 (organized meetings with role-playing) \u2013 to iron out organizational issues, and attack simulations \u2013 to find weak links and show-stoppers that could prevent infrastructure coming back online.<\/p>\n<blockquote><p>Your response plan should also include getting cyber insurance to protect you in case of a breach. 
Investigate carefully to make sure you have the right coverage.<\/p>\n<\/blockquote>\n<h3>4.\u00a0 Start or improve your cyber awareness program and improve your overall password portfolio<\/h3>\n<p><u><a href=\"https:\/\/www.precisesecurity.com\/articles\/weak-passwords-caused-30-of-ransomware-infections-in-2019\/\" target=\"_blank\" rel=\"noopener nofollow\">Weak passwords might have caused a third of 2019\u2019s ransomware attempts<\/a><\/u>. Conducting regular <u><a href=\"https:\/\/www.kaspersky.com\/blog\/secure-futures-magazine\/security-awareness-business-2019\/29183\/\" target=\"_blank\" rel=\"noopener nofollow\">cybersecurity awareness training<\/a><\/u> helps users improve their password hygiene. Install a business-wide password manager or single sign-on tool, and put in place multi-factor authentication (MFA) for users handling private data and money-related tasks.<\/p>\n<h2>What to do if ransomware hits your business<\/h2>\n<p>By strengthening your cybersecurity, you\u2019ll make it harder to be held to ransom. But you can do your business a favor by planning for what to do if it happens.<\/p>\n<h3>1.\u00a0 Plan alternative communications<\/h3>\n<p>Ransom victims are often immobilized because communications like corporate email, phone calls or texts may not be available. 
Include using alternative communication such as WhatsApp, Skype and group SMS as part of recovery drills, but bear in mind these systems may be less secure.<\/p>\n<h3>2.\u00a0 Decide if you will pay a ransom<\/h3>\n<h4>The case for paying<\/h4>\n<p>In the US, the <u><a href=\"https:\/\/www.ic3.gov\/media\/2019\/191002.aspx\" target=\"_blank\" rel=\"noopener nofollow\">FBI has softened its earlier \u201cdon\u2019t pay, ever\u201d position in its most recent guidelines<\/a><\/u>. <u><a href=\"https:\/\/www.zdnet.com\/article\/second-florida-city-pays-giant-ransom-to-ransomware-gang-in-a-week\/\" target=\"_blank\" rel=\"noopener nofollow\">Two cities in Florida voted to pay ransoms<\/a><\/u> of 500,000 to 600,000 US dollars \u2013 likely less than the cost of restoring their systems.<\/p>\n<h4>The case against paying<\/h4>\n<p>Your attacker may not honor their promise. You may receive further demands. The virus may already be installed in your system.<\/p>\n<p>While the term \u2018ransom\u2019 suggests physical threat, unless you\u2019re operating critical care facilities, it\u2019s unlikely ransomware will lead to loss of life. 
And it may be cost-efficient the first time, but it increases the likelihood you\u2019ll be hit again.<\/p>\n<p>The <u><a href=\"https:\/\/www.nomoreransom.org\/en\/index.html\" target=\"_blank\" rel=\"noopener nofollow\">No More Ransom<\/a><\/u> project, whose members include Europol and Kaspersky, advises those attacked with ransomware not to pay. It works to reduce ransomware\u2019s impact by providing <u><a href=\"https:\/\/www.nomoreransom.org\/en\/decryption-tools.html\" target=\"_blank\" rel=\"noopener nofollow\">free decryption tools<\/a><\/u>.<\/p>\n<p>Despite the growing threat, with tight security and planning, you can avoid the worst impacts of ransomware, or even getting hit in the first place. Understanding ransomware\u2019s dimensions and having regular planning exercises will mean you\u2019ll know your protective measures are up to scratch.<\/p>\n<p><em>This article was published in March, 2020.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>These sophisticated attacks encrypt your data then demand money to unencrypt it. 
Reduce the chances of it happening to your business.<\/p>\n","protected":false},"author":2517,"featured_media":34229,"template":"","coauthors":[3467],"class_list":{"0":"post-34227","1":"emagazine","2":"type-emagazine","3":"status-publish","4":"has-post-thumbnail","6":"emagazine-category-endpoint-security","7":"emagazine-category-safer-business","8":"emagazine-category-threat-intelligence","9":"emagazine-tag-data","10":"emagazine-tag-malware","11":"emagazine-tag-ransomware"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/secure-futures-magazine\/how-to-ransomware\/34227\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/secure-futures-magazine\/how-to-ransomware\/21676\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/secure-futures-magazine\/how-to-ransomware\/20480\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/secure-futures-magazine\/how-to-ransomware\/16380\/"}],"acf":[],"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/emagazine\/34227","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/emagazine"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/emagazine"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2517"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/34229"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=34227"}],"wp:term":[{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/coauthors?post=34227"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}