Cyber criminals follow the money and have capitalised on the recent changing business environment.
If you look at the search interest for ‘ransomware attack’, it has steadily increased over the past year. This is understandable given there was a 15 per cent increase in the number of ransomware reports made last year, according to the latest ACSC Annual Cyber Threat Report.
Cyber criminals' operations are also getting smarter and doing more damage - a larger share of the cybercrime reports received last year were classified as ‘substantial incidents’ compared to the previous year.
This is exactly the case with ransomware.
It’s no longer simply malicious software circulated en masse to encrypt data and demand money from a victim. Now it’s an entire red teaming operation. Dubbed ‘ransomware 2.0’, these targeted attacks rely not only on malicious software but on a whole variety of techniques deployed to get into a business’s environment.
A few years ago, the advice around ransomware attacks was simple: use a good antivirus solution and backup your data. If the ransomware slipped past the antivirus, you could just restore from backup.
With ransomware 2.0, once the criminals are in they will not only encrypt but also exfiltrate a business’s data – and in that situation a backup cannot undo the damage. Once stolen, the data is out there.
To pay or not to pay
Ransomware gangs will often demand money in exchange for not leaking data, however there is no guarantee they will actually delete the data, or send a decryption key after the ransom is paid.
In June we saw a Ransomware Payments Bill introduced to Parliament that proposed a mandatory requirement for public and private entities to disclose their ransomware payments. This is up for debate, but at Kaspersky we’ve been firm believers in not paying ransoms, as this only fuels the fire.
Here are a few reasons why not to pay a ransomware demand:
- You’re sponsoring ransomware: Those behind ransomware attacks are cybercriminals - if you pay the ransom, you’re giving the criminals the income they need to keep doing what they do: negatively affecting the lives of innocent people. A vicious circle would set in: they encrypt you, you pay them, they encrypt others…
- They could take the money and run: Agreements with cybercriminals are never written in stone. Even if there were, can you trust criminals?
- You might not get your data back: The attackers may not be able to recover the data even if they want to – ransomware can damage files irrevocably. Or, as is not uncommon, the criminals’ own coding errors prevent them from producing a working decryptor.
- They can come back: If they strike lucky once, they may try again, simply because they can. They’ll probably still have your data, and they may target you again within weeks, before the business has had time to patch the system. It's happened before – a company in the UK paid £5 million to get its data back and two weeks later the same cybercriminals encrypted the same data again using the same methods.
Steps to take if you fall victim
So what do you do if your business is the victim of a ransomware attack? Here are a few steps to take upon discovery:
- The immediate first step is to report it to ReportCyber and disconnect from the internet. Remove all connections – including wireless and wired devices, external hard drives, any storage media and cloud accounts. This can prevent the ransomware from spreading within the network.
- Try to find out exactly what data might have been stolen - that will give you an idea of the severity of the situation. Talk to your security vendor to help find out how it happened and ask them for help with decryption. Or look for a decryptor yourself - one may already exist.
- If you back up your data externally or in cloud storage, create a backup of your data that has not yet been encrypted by ransomware.
- Ensure the latest versions of operating systems and applications are installed across the business – including all employee devices. And turn on the auto-update feature. Our recent research showed that one of the most common methods used by cybercriminals is vulnerability exploitation, where attackers take advantage of a code or logic error in an operating system or software. So enabling auto-updates is key.
- Ensure employees change passwords and any security questions or PIN codes attached to their accounts too. Another common method used by cybercriminals is brute force - when hackers guess login info through trial-and-error. Remember a security breach on one account may mean other accounts are also at risk, especially if they share passwords or if regular transactions are made between them.
Once you have time to reflect, be sure to develop a data breach recovery strategy for the future. Assess how your organisation would detect a breach, and how you can test the detection capabilities you already have.
Lastly, educate employees on the importance of regularly updating software, using strong passwords and being aware of malicious emails. This can reduce the risk of becoming a cyberattack victim by 60% according to our latest investigation. This investment in building a cyber-aware culture can significantly reduce monetary and reputational damage for your business in the long term, and help your employees work together more effectively in the face of cybercriminals.