Ransomware is a type of malicious software that cybercriminals use to block you from accessing your own data. The digital extortionists encrypt the files on your system, add extensions to the attacked files and hold them “hostage” until the demanded ransom is paid. During the initial infection, the ransomware may attempt to spread throughout your network to shared drives, servers, attached computers and other accessible systems. Modern ransomware has been seen incorporating periods of dormancy or gestation. During this time, the cybercriminals exfiltrate company data or other PII, and the malware has the potential to be backed up along with legitimate data, invalidating the use of those backups for recovery. If the ransom demands are not met within the timeframe, the system or encrypted data remains unavailable, data may be deleted by the software and the decryption key destroyed. Extortion is increasingly common, and in the event an organization refuses to pay the ransom, stolen data may be leaked or sold on the dark web. In short, ransomware is a potential nightmare for unprepared IT administrators.
How Ransomware Works
Ransomware enters your network in a variety of ways; the most popular is a download via a spam email attachment. The download then launches the ransomware program that attacks your system. Other forms of entry include social engineering and downloads of malicious software from the web, either directly from a site or by clicking on “malvertising,” fake ads that unleash the ransomware. The malware can also be spread through chat messages or even removable USB drives.
Typically, the software is introduced to your network by an executable file that may have arrived in a zip archive, embedded in a Microsoft Office document’s macros, or disguised as a fax or other plausible attachment. The downloaded file then encrypts your data, adds an extension to your files and makes them inaccessible. More sophisticated versions of the software propagate themselves and can work without any human action. Known as “drive-by” attacks, this form of ransomware infects your system through vulnerabilities in various browser plugins.
1. There were more than 304 million ransomware attacks worldwide last year. A new organization is attacked every 11-14 seconds.
2. 73% of all ransomware attacks were successful in encrypting data.
3. 55% of attacks hit businesses with 100 or fewer employees. 75% of attacks struck organizations with less than $50M in annual revenue.
4. According to Microsoft, nearly 97% of all ransomware infections take less than 4 hours to successfully infiltrate their target. The fastest can take over systems in less than 45 minutes.
5. Downtime due to ransomware increased by 200% over the past year.
6. Downtime costs related to ransomware attacks are 2300% greater than the average ransom request.
7. 27% of businesses that fell victim to ransomware made payments to hackers.
8. The average ransom demand grew to more than $178,000 in 2020. However, the average ransom demand for an SMB is only $5,900.
9. More than 95 new ransomware families have been discovered in the last 2 years.
10. The global cost associated with ransomware recovery will exceed $20 billion in 2021.
Without paying for the key, it is very difficult to decrypt files after an attack. A verified, tested, and secure backup eliminates the need to succumb to ransomware demands.
While there are multitudes of iterations across thousands of variants, we aim to shed light on some of the most common attacks in circulation today:
1) REvil –
Also referred to as Sodin or Sodinokibi, REvil is a Ransomware-as-a-Service (RaaS) variant that accounts for a third of all ransomware incidents, according to IBM Security X-Force. Sodinokibi spreads in several ways, including through unpatched VPNs, exploit kits, Remote Desktop Protocol (RDP) and spam emails. Sodinokibi became the fourth most common ransomware within just four months of its discovery.
2) Ryuk –
Ryuk is a popular variant used in targeted attacks against healthcare organizations (such as the attack against United Health Services in late 2020). Ryuk is commonly spread by other malware (e.g., Trickbot) or through email phishing attacks and exploit kits. Ryuk attacks against healthcare nearly doubled in 2020 from 2.3% of all attacks in Q2 to 4% in Q3.
3) Robinhood –
Robinhood holds a computer or computer system hostage, typically gaining access through a phishing attack or another security vulnerability. Files are encrypted and a ransom note is posted. Payment is typically collected in Bitcoin; decryption keys are provided upon receipt of the ransom fee, after which the computer system can be restored.
4) DoppelPaymer –
This ransomware is well known for targeting enterprises by gaining access to admin credentials and using them to propagate the infection across the entire Windows network. In reported cases, the criminals have contacted their victims and demanded further payment.
5) SNAKE –
Gaining notoriety by wreaking havoc in the industrial sector, SNAKE ransomware was first identified in Q4 2019 and accounted for 6% of all ransomware attacks in 2020. Targeting industrial control systems (ICS), SNAKE disables ICS processes, freezes VMs and steals admin credentials to spread further and encrypt files across the network.
6) Phobos –
Another RaaS variant, Phobos has been observed in attacks against SMBs, where cybercriminals gain unauthorized access to a network via unprotected RDP ports. Phobos shows similarities to the CrySiS and Dharma ransomware families. Unfortunately, victims report mixed results for recoverability even after the ransom has been paid, due to the complexity of the recovery process.
How to defend against Ransomware
Whether you need to know how to defend against REvil, Ryuk, or any of the thousands of other attacks launched daily, the first component of the solution is to educate co-workers about clicking suspicious links and downloading questionable file attachments. Training and testing help, and there are even solutions that provide visual cues and feedback to further empower front-line employees. This won’t prevent all attacks, but it will help. It is also critical to ensure that your servers are being patched regularly, as many of the security gaps that ransomware operators take advantage of are closed by the latest Microsoft patches. Failing to stay up to date can cause major issues down the line. No matter what, you have to prepare for the reality that you may be attacked. It’s critical that you have not only backups but secure, tested backups and a well-documented disaster recovery plan detailing the steps to remediate an attack. On the data protection side of things, keep these 5 components in mind:
Use backup! Follow the 3-2-1-1 rule: maintain three copies of your data on two different types of media, with one copy stored off-site and one copy that is immutable (unable to be modified). Immutable media may be rotated media such as disk or tape that is disconnected from the network and taken off-site to a secured secondary location. Some vendors offer immutable storage via a cloud service. If you do get hit by ransomware, having secure off-site copies will make recovery easier. When considering off-site options, keep in mind that recovery times are longer from offline backups, and offline backups can be more difficult to test. Faster recovery times can be achieved by replication to a hot target, such as a secondary appliance or cloud service, where backups are stored in a state that is readily available for recovery.
Ransomware predominantly targets the Windows OS. Recent findings show that more than 83% of malware is designed to penetrate Windows systems. Because backup systems can require many role-based instances for centralized management, data movement, reporting, search and analytics, securing all those machines can be complex. Consider locking them down to do only what they are required to do, and nothing more. Newer solutions based on integrated backup appliances typically remove that complexity and come hardened from the factory. Security can be far simpler in those newer architectures.
Regularly test the viability of your backup and disaster recovery strategy. Many factors can impede successful recovery, including attempting to restore from backups of machines that were already infected. Automated recovery testing is becoming a trend in the data management and data protection industry. These features should be used more widely as security threats become more damaging to IT.
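The 3-2-1-1 rule and the restore-testing requirement above can be turned into a check that runs against an inventory of backup copies. The following Python is an added example, not Unitrends' code: the BackupCopy data model, the media labels and the 30-day restore-test threshold are assumptions chosen for illustration.

```python
"""Evaluate a set of backup copies against the 3-2-1-1 rule plus a
restore-test freshness requirement (added example, not Unitrends' code)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class BackupCopy:
    name: str                          # operator-chosen label for where the copy lives
    media: str                         # media type label, e.g. "disk", "tape", "cloud-object"
    offsite: bool                      # stored at a different physical location
    immutable: bool                    # cannot be modified or deleted during retention
    last_restore_test: Optional[date]  # most recent successful test restore, if any


def evaluate_policy(copies: List[BackupCopy], today: date,
                    max_test_age_days: int = 30) -> List[str]:
    """Return a list of violations; an empty list means the copy set is compliant.

    3-2-1-1: at least 3 copies, on at least 2 media types, at least 1 off-site,
    at least 1 immutable.  In addition every copy must have passed a restore test
    within max_test_age_days (an assumed threshold, not a product default)."""
    violations = []
    if len(copies) < 3:
        violations.append(f"only {len(copies)} copies; need at least 3")
    media_types = {c.media for c in copies}
    if len(media_types) < 2:
        violations.append(f"only {len(media_types)} media type(s); need at least 2")
    if not any(c.offsite for c in copies):
        violations.append("no off-site copy")
    if not any(c.immutable for c in copies):
        violations.append("no immutable copy")
    for c in copies:
        if c.last_restore_test is None:
            violations.append(f"{c.name}: never restore-tested")
        elif today - c.last_restore_test > timedelta(days=max_test_age_days):
            violations.append(
                f"{c.name}: last restore test older than {max_test_age_days} days")
    return violations


# Constructed sample inventory: an on-site appliance, a replicated DR appliance,
# and an immutable cloud copy whose last restore test is three months old.
SAMPLE_TODAY = date(2021, 6, 1)
SAMPLE_COPIES = [
    BackupCopy("onsite-appliance", "disk", False, False, date(2021, 5, 28)),
    BackupCopy("dr-site-appliance", "disk", True, False, date(2021, 5, 20)),
    BackupCopy("cloud-immutable", "cloud-object", True, True, date(2021, 3, 1)),
]

if __name__ == "__main__":
    for v in evaluate_policy(SAMPLE_COPIES, SAMPLE_TODAY):
        print("VIOLATION:", v)
```

Run on the sample inventory, the count, media, off-site and immutability rules all pass, and the only finding is the stale restore test on the cloud copy, which is exactly the gap that makes an otherwise compliant 3-2-1-1 setup unreliable in an incident.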
Early ransomware detection means faster recovery. More backup vendors are starting to use predictive analytics and machine learning to recognize possible attacks and alert administrators to abnormal fluctuations in data as backups are ingested. Analyzing data against several heuristic characteristics provides insight into threats that traditional security tools don’t catch and can be particularly helpful in catching slower-burning infections.
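As an added example of the kind of heuristic check described here (not Unitrends' detection logic), the following Python compares two ingested snapshots of a file set and scores them on three signals: per-file byte entropy (encrypted content looks random), a burst of appended file extensions, and the fraction of files that changed. The in-memory snapshot representation, the sample files and the thresholds are constructed assumptions.

```python
"""Heuristic ransomware check on backup ingest (added example, not Unitrends' code).

A snapshot is modelled as a dict mapping file path -> file bytes, an assumption
chosen so the example runs offline; a real implementation would read the
ingested backup.  The thresholds are assumptions, not product defaults."""
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, close to 8.0 for encrypted or random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def analyze_ingest(previous, current, entropy_threshold=7.0):
    """Compare the previous snapshot with the newly ingested one.

    Returns a dict with three ratios and an 'alert' flag:
      changed_ratio       share of previously seen paths that vanished or changed
      high_entropy_ratio  share of current files whose bytes look encrypted
      extension_churn     share of previous paths that reappear with an extra
                          extension appended (report.txt -> report.txt.locked)
    """
    prev_paths = set(previous)
    cur_paths = set(current)
    new_paths = cur_paths - prev_paths
    vanished = prev_paths - cur_paths

    changed = sum(1 for p in prev_paths if p not in current or current[p] != previous[p])
    high_entropy = sum(1 for d in current.values() if shannon_entropy(d) >= entropy_threshold)
    renamed = sum(1 for p in vanished if any(n.startswith(p + ".") for n in new_paths))

    changed_ratio = changed / len(prev_paths) if prev_paths else 0.0
    high_entropy_ratio = high_entropy / len(cur_paths) if cur_paths else 0.0
    extension_churn = renamed / len(prev_paths) if prev_paths else 0.0

    # Mass change together with mass high entropy, or mass re-extension on its
    # own, is the footprint a bulk encryption run leaves (thresholds assumed).
    alert = (changed_ratio >= 0.5 and high_entropy_ratio >= 0.5) or extension_churn >= 0.5
    return {
        "changed_ratio": changed_ratio,
        "high_entropy_ratio": high_entropy_ratio,
        "extension_churn": extension_churn,
        "alert": alert,
    }


def build_samples(n_files=20, n_encrypted=18, seed=7):
    """Constructed sample data: n_files plain-text documents, of which n_encrypted
    are replaced by random bytes under a '.locked' name in the later snapshot."""
    rng = random.Random(seed)
    previous = {f"docs/report{i}.txt": (f"quarterly report {i}\n" * 40).encode()
                for i in range(n_files)}
    current = dict(previous)
    for i in range(n_encrypted):
        path = f"docs/report{i}.txt"
        del current[path]
        current[path + ".locked"] = bytes(rng.getrandbits(8) for _ in range(2048))
    return previous, current


if __name__ == "__main__":
    before, after = build_samples()
    print("same snapshot twice:", analyze_ingest(before, before))
    print("after bulk encryption:", analyze_ingest(before, after))
```

Comparing a snapshot with itself yields all-zero ratios and no alert; comparing it with the snapshot in which 18 of 20 documents were replaced by random bytes under a new extension drives all three ratios to 0.9 and raises the alert. For the slower-burning infections mentioned above, the same ratios tracked across many consecutive ingests (a steadily climbing high-entropy share rather than one spike) are the signal to watch, which is what the per-ingest function feeds.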
If you’ve effectively backed up your data and tested its recoverability, you will be ready to roll back your network to a safe restore point and avoid downtime, data failure and revenue loss.
Ransomware attacks are ferocious. It’s not a matter of if, but when. Be prepared with Unitrends’ exhaustive line of defenses.