For today’s cybercriminal, ransomware is a big business. According to Cybersecurity Ventures’ 2019 research, cybercriminals attacked a new organization with ransomware every 14 seconds. They estimate that number to grow to every 11 seconds by 2021 at an annual cost to the global economy of $6 trillion!
Their estimates didn’t anticipate the COVID-19 pandemic. On April 8, 2020 the FBI warned that cybercriminals and other Advanced Persistent Threat (APT) groups are using the current crisis as part of their strategy. These threats include four key areas of concern:
AllConnected encourages all of its clients to take appropriate steps to prevent ransomware attacks in their organization.
What is Ransomware?
Ransomware is a form of malicious software (AKA malware) that:
The most common ransomware encrypts files, folders, or entire hard drive partitions using military-grade encryption algorithms like RSA or RC4, making them inaccessible until the victims pay the ransom.
A variation, called “extortionware” or “doxware,” also threatens to publicize the victim’s sensitive data unless a ransom is paid. This form is not as common as encryption ransomware since it requires the cybercriminal to locate and extract such information.
The ransom, usually in cryptocurrency, can range from a few hundred to several hundred thousand dollars, usually depending upon the business’ ability to pay.
Ransomware attacks come in two forms:
“Malspam” is disguised to look like an email from a reputable institution or friend, and contains what appear to be harmless PDF or Word documents. Upon opening, the attachment delivers a self-contained program that extracts other embedded application components. Examples include CryptoLocker (2013), Petya and WannaCry ransomware (2017).
“Exploit kits” contain a comprehensive set of programs that launch when the user lands on a malicious webpage, or clicks on malicious advertising (“malvertising”). The kit then scans the device for software vulnerabilities and deploys additional malware to infect it.
Exploit kits can target a variety of software, including Adobe Flash Player, Adobe Reader, Internet Explorer, Oracle Java and Sun Java.
In some cases, users can be directed from legitimate sites to criminal servers without ever clicking on an ad. These servers catalog details about the user’s device and location in order to deliver the best suited malware.
While malspam and exploit kits dominate, we expect other forms of ransomware to emerge. For example, in August 2019, the Sodinokibi ransomware attacked a dental managed service provider (MSP) through its proprietary software. Suddenly, 400 dental offices around the country could no longer access their patient records!
Cybercriminals Won’t Stop for a Pandemic
Cybercriminals target some institutions for their ease of access. Schools, for example, tend to have smaller security teams and a disparate user base that shares a lot of files.
They target others who will probably pay the ransom quickly. Law firms, financial firms and other organizations with sensitive data may pay to keep news of the data breach quiet.
Government agencies and medical facilities need immediate access to files.
While some ransomware groups have stated that they will not target healthcare organizations during the pandemic, one group hacked into the London-based Hammersmith Medicines Research and locked down their computers while they worked on vaccine testing.
COVID-19 ALERT: Remote Users have become Targets During the Pandemic
Just as many organizations have deployed new IT infrastructure and processes to shift to a remote workforce, cybercriminals are scrambling to exploit a variety of potential vulnerabilities in VPNs and other remote working tools and software such as Microsoft’s Remote Desktop Protocol (RDP) and Citrix.
The FBI expects a large number of phishing campaigns to include:
In addition to exploit kits, the resulting website may mimic legitimate websites such as Microsoft, Google, and the federal government in order to capture a victim’s passwords, social security number, etc.
If Infected, Should you pay the Ransom?
The FBI recommends not paying the ransom. However, many unprepared businesses, local institutions and state governments pay the ransom to get their files back.
The reason? The true cost of a ransomware attack is calculated in lost company productivity, and the cost of remediation.
Osterman Research reported in 2017 that 1 in 6 infected small and midsized companies experienced over 25 hours of downtime. Since cybercriminals calculate their ransom demands based on the victim’s ability to pay, in many cases the ransom payment is preferable to losing productivity.
Some criminals also give discounts up to 50% if the company pays quickly, forcing the business to make decisions before law enforcement has time to investigate.
Plus, the cost of remediation can far outweigh the ransom. In 2018, the SamSam ransomware attack on the City of Atlanta demanded only $52,000 after knocking out several of the city’s essential services, including revenue collection and the police record keeping system. The total cost to remediate grew to $2.6 million.
On the other hand, the criminals sometimes take the money and run without sending the decryption key. Or the ransomware doesn’t come with a decryptor, or the decryption key doesn’t work.
Fortunately, these outcomes are not the norm. Arbor Networks’ network administrator Gary Sockrider estimates that around 65 to 70 percent of the time the crooks come through with the decryption key to restore the data. After all, they don’t want to hurt their reputations, and future prospects.
How to prevent Ransomware
1. Take Control of Your Personal Devices
2. Sharpen Your Email and Internet Use
3. Invest in Cybersecurity
Your organization deserves enterprise-grade cybersecurity to prevent ransomware from ever happening. Cisco cloud-based Umbrella provides uniform security across your domain, including roaming agents for your remote teleworkers, using three core features:
For Elkhart Community Schools in Elkhart, IN, Cisco Umbrella curtailed malware and other malicious traffic so profoundly that it freed up their IT team from constant scanning, incident response and remediation.
“Umbrella made it possible for us to safeguard students from objectionable content and ensure their devices are secure whether they’re working at school or home,” says Jason Inman, Technology Director, “And most importantly, as our [Cisco Umbrella roll-out] pilot expanded to include all 19 schools, we could effortlessly scale security while reducing the amount of time and administration required from our IT team.”
4. Securely Backup and ‘Air-Gap’ your Data
Remediating a ransomware attack can be as simple as wiping and reimaging infected systems. By utilizing a combination of these three data and application techniques, your organization can quickly recover from unexpected Ransomware attacks:
– Data Backup – ensures sufficient retention to revert to copies of data prior to ransomware infection
– VM Replication – quickly fail over to an alternate datacenter in the event ransomware compromises the production environment
– Verified Recoverability – annual validation of the technologies above ensures your organization will always be ready
A growing number of ransomware strains can attack your backup repositories or datastores before maliciously encrypting your production data. Here are some techniques proven to minimize or eliminate these risks:
For more information about this service, see our article on Co-Managed Cloud Backup.
Contact AllConnected for a Free trial of Cisco Umbrella Through July 1st
In view of the COVID-19 Pandemic, Cisco has announced that Cisco’s Umbrella product is being made available to organizations looking to better protect and secure their employees, whether on-site, remote, or using personal devices for business.
Through AllConnected, a Cisco Partner, we offer Cisco Umbrella either bundled as part of a managed service, or self-managed.
AllConnected’s fully managed endpoint service goes beyond the single Umbrella DNS service and expands your security by protecting endpoints with a robust patch management service for the OS and 3rd party applications, anti-virus, inventory reporting and Southern California helpdesk support.
You can learn more about Cisco Umbrella here, and get in contact with us using the form below. For more urgent Cisco Umbrella deployment requests, please call us at 805.526.1455 option 3.
While not every solution fits every situation, AllConnected works in a variety of environments to provide your organization with an improved security framework, resilient infrastructure, data protection and recovery solutions that are comprehensive, affordable, and scalable.
If you’d like to learn more about how we prevent and mitigate ransomware, please schedule a no cost consultation with one of our technical professionals: