For today’s cybercriminal, ransomware is a big business. According to Cybersecurity Ventures’ 2019 research, cybercriminals attacked a new organization with ransomware every 14 seconds. They estimate that number will grow to every 11 seconds by 2021, at an annual cost to the global economy of $6 trillion!

Their estimates didn’t anticipate the COVID-19 pandemic. On April 8, 2020 the FBI warned that cybercriminals and other Advanced Persistent Threat (APT) groups are using the current crisis as part of their strategy. These threats include four key areas of concern:

Phishing, using the subject of coronavirus or COVID-19 as a lure
Malware distribution, using coronavirus- or COVID-19-themed lures
Registration of new domain names containing wording related to coronavirus or COVID-19, and
Attacks against newly—and often rapidly—deployed remote access and teleworking infrastructure.

AllConnected encourages all of its clients to take appropriate steps to prevent ransomware attacks in their organization.

What is Ransomware?

Ransomware is a form of malicious software (AKA malware) that:

Prevents users from accessing their system or personal files AND
Demands a ransom in order to regain access.

The most common ransomware encrypts files, folders, or entire hard drive partitions using military-grade encryption algorithms like RSA or RC4, making them inaccessible until the victims pay the ransom.

A variation, called “extortionware” or “doxware,” also threatens to publicize the victim’s sensitive data unless a ransom is paid. This form is not as common as encryption ransomware since it requires the cybercriminal to locate and extract such information.

The ransom, usually in cryptocurrency, can range from a few hundred to several hundred thousand dollars, usually depending upon the business’ ability to pay.

Ransomware attacks come in two forms: 

“Malspam” emails deliver the ransomware through attachments or links to malicious websites.
Malicious websites host “exploit kits” that use vulnerabilities in web browsers and other software to install the ransomware.

“Malspam” is disguised to look like an email from a reputable institution or friend, and contains what appear to be harmless PDF or Word documents. Upon opening, the attachment delivers a self-contained program that extracts other embedded application components. Examples include CryptoLocker (2013), Petya and WannaCry ransomware (2017).

“Exploit kits” contain a comprehensive set of programs that launch when the user lands on a malicious webpage, or clicks on malicious advertising (“malvertising”). The kit then scans the device for software vulnerabilities and deploys additional malware to infect it.

Exploit kits can target a variety of software, including Adobe Flash Player, Adobe Reader, Internet Explorer, Oracle Java and Sun Java.

In some cases, users can be directed from legitimate sites to criminal servers without ever clicking on an ad. These servers catalog details about the user’s device and location in order to deliver the best suited malware.

While malspam and exploit kits dominate, we expect other forms of ransomware to emerge. For example, in August 2019, the Sodinokibi ransomware attacked a dental managed service provider (MSP) through its proprietary software. Suddenly, 400 dental offices around the country could no longer access their patient records!

Cybercriminals Won’t Stop for a Pandemic

Cybercriminals target some institutions for their ease of access. Schools, for example, tend to have smaller security teams and a disparate user base that shares a lot of files.

They target others who will probably pay the ransom quickly. Law firms, financial firms and other organizations with sensitive data may pay to keep news of the data breach quiet.

Government agencies and medical facilities need immediate access to files.

While some ransomware groups have stated that they will not target healthcare organizations during the pandemic, one group hacked into the London-based Hammersmith Medicines Research and locked down their computers while they worked on vaccine testing.


COVID-19 ALERT: Remote Users have become Targets During the Pandemic

Just as many organizations have deployed new IT infrastructure and processes to shift to a remote workforce, cybercriminals are scrambling to exploit a variety of potential vulnerabilities in VPNs and other remote working tools and software such as Microsoft’s Remote Desktop Protocol (RDP) and Citrix.

The FBI expects a large number of phishing campaigns to include:

Email messages purporting to come from the World Health Organization (WHO) or individual doctors that come with subject lines related to Coronavirus updates, new confirmed cases, emergency instructions and/or government aid packages
Mobile text messages purporting to come from “COVID” and government entities that link directly to a phishing site
WhatsApp and similar messenger services delivering the same lures

In addition to exploit kits, the resulting website may mimic legitimate websites such as Microsoft, Google, and the federal government in order to capture a victim’s passwords, social security number, etc.

If Infected, Should you pay the Ransom?

The FBI recommends not paying the ransom. However, many unprepared businesses, local institutions and state governments pay the ransom to get their files back.

The reason? The true cost of a ransomware attack is calculated in lost company productivity, and the cost of remediation.

Osterman Research reported in 2017 that 1 in 6 infected small and midsized companies experienced over 25 hours of downtime. Since cybercriminals calculate their ransom demands based on the victim’s ability to pay, in many cases the ransom payment is preferable to losing productivity.

Some criminals also give discounts of up to 50% if the company pays quickly, forcing the business to make decisions before law enforcement has time to investigate.
Plus, the cost of remediation can far outweigh the ransom. In 2018, the SamSam ransomware attack on the City of Atlanta demanded only $52,000 after knocking out several of the city’s essential services, including revenue collection and the police record keeping system. The total cost to remediate grew to $2.6 million.

On the other hand, the criminals sometimes take the money and run without sending the decryption key. Or the ransomware doesn’t come with a decryptor, or the decryption key doesn’t work.

Fortunately, these outcomes are not the norm. Arbor Networks’ network administrator Gary Sockrider estimates that around 65 to 70 percent of the time the crooks come through with the decryption key to restore the data. After all, they don’t want to hurt their reputations and future prospects.

How to prevent Ransomware

1. Take Control of Your Personal Devices

Apply the latest updates to your operating systems and apps
Educate your employees so they can identify social engineering and spear-phishing attacks
Enable controlled folder access (a Microsoft Defender feature). It can stop ransomware from encrypting files and holding them for ransom.
Keep your OS and applications updated and install all security patches. The WannaCry ransomware outbreak took advantage of a Microsoft software vulnerability. While the company had released a security patch in March 2017, many users didn’t install the update, which left them open to attack.
Disable unneeded services (CryptoLocker often targeted machines using Remote Desktop Protocol. If you don’t use RDP, disable it)
Don’t install software or give it administrative privileges unless you know exactly what it is and what it does.
Get rid of “abandonware” and replace it with software still being supported by the manufacturer
And, of course, back up your files, frequently and automatically! That won’t stop a malware attack, but it can make the damage caused by one much less significant.

2. Sharpen Your Email and Internet Use

In Advanced Settings in your folder options, select “Show hidden files, folders and extensions” so executables can’t be disguised as other file types
Authenticate inbound email
Don’t click on links in email, texts, and on web sites you don’t trust
Implement ad blocking on web browsers since malware is often delivered through “malvertisements,” even on legitimate sites
Don’t visit questionable web sites (porn, bit torrent, piracy sites, hacker forums, etc.)
Don’t download mobile apps from untrusted sources
Train your employees on how to create strong passwords, to detect malspam, suspicious websites, and other scams. As a partner with KnowBe4, AllConnected can assist your organization in testing the ‘cyberattack readiness’ of your end-users, launching simulated attacks, and determining the best areas to focus on for end-user training.
Restrict remote meetings (over Zoom, Skype, Cisco Webex) to specific people. Do not conduct public meetings, or at least, require a meeting password or use the waiting room feature and control the admittance of guests.
Manage screensharing options. Change screensharing to “Host Only.”
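The following script is an added example, not code from the original article or from AllConnected: it applies three of the endpoint steps from sections 1 and 2 on a Windows 10/11 machine (controlled folder access, visible file extensions, and disabling RDP where it is not used). It assumes an elevated PowerShell prompt; the folder paths in $ProtectedFolders are placeholders chosen for this example.

```powershell
# Added example (not from the original article). Run from an elevated prompt.
#Requires -RunAsAdministrator

# 1. Controlled folder access (Microsoft Defender): blocks untrusted processes
#    from writing to protected folders. Use "AuditMode" first on a busy
#    workstation to see what would be blocked, then switch to "Enabled".
Set-MpPreference -EnableControlledFolderAccess Enabled
$ProtectedFolders = @("D:\Finance", "D:\Shared")   # assumed paths for this example
Add-MpPreference -ControlledFolderAccessProtectedFolders $ProtectedFolders

# 2. Show hidden files and real file extensions in Explorer, so a file named
#    "invoice.pdf.exe" is no longer displayed as "invoice.pdf".
$explorer = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
Set-ItemProperty -Path $explorer -Name HideFileExt -Value 0 -Type DWord
Set-ItemProperty -Path $explorer -Name Hidden      -Value 1 -Type DWord

# 3. Disable Remote Desktop if it is not needed, and close its firewall rule group.
$ts = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server"
Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 1 -Type DWord
Disable-NetFirewallRule -DisplayGroup "Remote Desktop"

# Report the resulting state so the change can be verified (or fed to a checklist).
[PSCustomObject]@{
    ControlledFolderAccess = (Get-MpPreference).EnableControlledFolderAccess   # 1 = Enabled, 2 = AuditMode
    HideFileExt            = (Get-ItemProperty $explorer).HideFileExt           # 0 = extensions shown
    RdpDenied              = (Get-ItemProperty $ts).fDenyTSConnections          # 1 = RDP disabled
}
```

Explorer only picks up the HideFileExt and Hidden changes after the user signs out or explorer.exe is restarted.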

3. Invest in Cybersecurity 

Your organization deserves enterprise-grade cybersecurity to prevent ransomware from ever happening.  Cisco cloud-based Umbrella provides uniform security across your domain, including roaming agents for your remote teleworkers, using three core features:

Web Filtering. When you access the Internet, your requests pass through Umbrella’s global DNS filter first, shielding your browser from accessing malicious sites, and selectively routing requests through an intelligent proxy.
Content Categories allow you to prevent employees from visiting unwanted sites.
Command and Control prevents already infected devices from communicating back to the attacker’s servers.

For Elkhart Community Schools in Elkhart, IN, Cisco Umbrella curtailed malware and other malicious traffic so profoundly that it freed up their IT team from constant scanning, incident response and remediation.

“Umbrella made it possible for us to safeguard students from objectionable content and ensure their devices are secure whether they’re working at school or home,” says Jason Inman, Technology Director, “And most importantly, as our [Cisco Umbrella roll-out] pilot expanded to include all 19 schools, we could effortlessly scale security while reducing the amount of time and administration required from our IT team.”

4. Securely Backup and ‘Air-Gap’ your Data

Remediating a ransomware attack can be as simple as wiping and reimaging infected systems. By utilizing a combination of these three data and application techniques, your organization can quickly recover from unexpected Ransomware attacks:

Data Backup: ensures sufficient retention to revert to copies of data taken prior to the ransomware infection
VM Replication: quickly fail over to an alternate datacenter in the event ransomware compromises the production environment
Verified Recoverability: annual validation of the technologies above ensures your organization will always be ready

A growing number of ransomware strains can attack your backup repositories or datastores before maliciously encrypting your production data. Here are some techniques proven to minimize or eliminate these risks:

“Air Gap”: Ensure that at least one backup copy is not physically connected to the production environment, so ransomware is unable to reach it
“Immutability”: Cloud storage (such as our CloudConnect Backup service for Veeam) can be configured to “read-only” for a defined period of time, preventing outside deletion or encryption
“Insider threat protection”: Even if a cybercriminal or rogue employee succeeds in trashing a backup, the service prevents the deletion from being applied to the protected Cloud Backup Repository. Data is kept for 7 to 30 days prior to permanent deletion.

For more information about this service, see our article on Co-Managed Cloud Backup.

Contact AllConnected for a Free trial of Cisco Umbrella Through July 1st

In view of the COVID-19 Pandemic, Cisco has announced that Cisco’s Umbrella product is being made available to organizations looking to better protect and secure their employees, whether on-site, remote, or using personal devices for business. 

Through AllConnected, a Cisco Partner, we offer Cisco Umbrella either bundled as part of a managed service, or self-managed.

AllConnected’s fully managed endpoint service goes beyond the single Umbrella DNS service and expands your security by protecting endpoints with a robust patch management service for the OS and 3rd party applications, anti-virus, inventory reporting and Southern California helpdesk support.

You can learn more about Cisco Umbrella here, and get in contact with us using the form below.  For more urgent Cisco Umbrella deployment requests, please call us at 805.526.1455 option 3.

Conclusion

While not every solution fits every situation, AllConnected works in a variety of environments to provide your organization with an improved security framework, resilient infrastructure, data protection and recovery solutions that are comprehensive, affordable, and scalable.

If you’d like to learn more about how we prevent and mitigate ransomware, please schedule a no cost consultation with one of our technical professionals: