Over the past few years, ransomware has become a more and more common form of cyber attack. In part, this is because hackers have started to sell pre-made packages that anyone can buy on the dark web and run without a lot of technical know-how. While this form of ransomware allows malicious code to spread automatically, it’s not always the most sophisticated form of attack. This may be why human-operated ransomware has become more popular over the past few months. Unlike pre-coded ransomware that blindly crawls through infected networks, human-operated ransomware attacks tend to play more of the long game. Once attackers gain access to a victim’s system, they take their time to gather as much intel as possible about their target, often waiting months before launching their attack. This helps them gain access to other areas within the network and ultimately make it extremely difficult for the victim to put a stop to the attack once it starts.
The key to combatting these more sophisticated attacks, then, is to stop them from accessing your systems in the first place. Often, ransomware attacks gain access by taking the path of least resistance, such as unpatched applications. This has been an especially big problem for the healthcare industry recently. As hospitals continue to be overwhelmed by COVID-19, they have not had the time and resources to safeguard security systems and update applications quickly.
For example, human-operated ransomware attackers have recently been using out-of-date virtual private networks (VPNs) to gain access. In fact, Microsoft identified “several dozens of hospitals” that were vulnerable to attack because of outdated VPN applications. To help combat this issue, Microsoft has developed a new alert system to notify hospitals that have unpatched applications and other vulnerabilities.
With ransomware attackers playing the long game, it’s vitally important to ensure your systems and applications are patched and that you fix any known vulnerabilities. In addition, any potential compromise to your system, however small, should be investigated and dealt with as soon as possible. Otherwise, hackers can spend months moving throughout your networks undetected and become nearly impossible to remove once they launch their attack.
When you think about different types of cyber attacks, ransomware might not be the first thing to come to your mind. It’s the sort of thing you might expect to see in a movie, but not in real life. The truth is, however, that ransomware is an increasingly common form of cyber attack. Government agencies, for example, are now a prime target for ransomware. However, it’s not just governments that should be worrying. According to one report, ransomware attacks against businesses rose by a whopping 263% in 2019. Businesses everywhere should therefore ensure they take precautions to prevent a ransomware attack and also have a plan in place if one does happen. To help, here is a list of 5 ransomware tips that all businesses should consider.
Ransomware Tip #1: Back It Up
Perhaps the most crucial way to protect yourself against ransomware is to have a robust and regular backup system in place. Any data that is sensitive or essential to business operations should be backed up on a regular basis. However, you have to be smart about it. Make sure your backups are stored offline or somewhere separate from your other networks. If a hacker gains access to your systems, you want to ensure they won’t be able to reach your backups. You should also regularly test your backups to ensure there is no corruption in the data. That way, if an attack occurs and they encrypt your data, you can be sure you have a backup to avoid paying the ransom.
Ransomware Tip #2: Use Security Awareness Training
Ransomware attackers often gain access to systems by first conducting phishing attacks or other forms of social engineering exploits. The key to the attackers’ success is employees who are not sufficiently trained in detecting emails that contain malicious links. This is just one of the many reasons more businesses should invest in security awareness training programs. For many forms of cyber attacks, your employees are your first line of defense, so making sure they have the tools needed to spot phishing attacks is a must.
Ransomware Tip #3: Stay Up to Date
Operating systems and software are constantly being updated to patch any known security vulnerabilities, but it can be easy to miss an update or put it off for another day. The problem is that attackers are constantly looking for these vulnerabilities and will prey on anyone who hasn’t updated their systems. Updating software, operating systems, and applications should therefore be a priority. In many cases, you are able to set up your systems to update automatically when a new patch is released.
Ransomware Tip #4: Segment and Limit Access
If an attacker gets into your system, you want to ensure they can’t access everything. It’s therefore important to segment your networks. This essentially just means keeping different elements of your network separate from each other so you can control how information flows from one to the others. This also involves implementing access controls so that users on your network are only able to access what they need for their job. These controls should be regularly evaluated. That way, if an attacker steals one of your user’s credentials, they won’t be able to access your entire network.
Ransomware Tip #5: Plan Your Response
Lastly, when it comes to ransomware, it’s important to not just try and prevent an attack, but also have a plan in place in case one actually happens. Ransomware response should be included in every organization’s overall incident response plan, and you should have a team dedicated to carrying out the plan if an attack happens. Every organization’s response to a ransomware attack will be different, so response teams should sit down with members of the organization at various levels to ensure everyone is on the same page.
A hacker got into your system, but you spot the problem before the hacker has a chance to carry out an attack. Best case scenario, right? Well, it all depends on what you do next. The government of Florence, Alabama found themselves in this exact situation, but their response is now costing them nearly $300,000. Here’s what happened:
In late May, cybersecurity reporter Brian Krebs received a tip that hackers known for ransomware attacks had gained access to Florence’s IT system. Krebs made numerous attempts to contact city officials before finally receiving a voicemail thanking him for the tip and telling him that the city took care of the issue. However, on June 5th the city announced that a ransomware attack shut down the city’s email system. The city plans on paying the hackers the nearly $300,000 ransom to restore their system.
So, what went wrong? According to city officials, when the attack hit, the IT department was in the middle of securing approval for funds to investigate and stop the attack. Local governments are often slow to act, to be sure, but officials knew about the hacker 10 days before the attack and they still weren’t prepared. The bottom line is, given the rise in ransomware attacks on public institutions, Florence officials needed to have a detailed plan in place before an attack took place. Instead, they scrambled. And, to add insult to injury, hackers accessed the city’s systems by stealing the Florence IT manager’s credentials through a phishing attack.
How to Beat the Hackers
So, what should you do if you know you’ve been hacked but haven’t yet been attacked? Here are just a few steps you can take:
1. Have a Plan in Place
One of the main reasons Florence was slow to act is that they waited until after the hack to figure out a game plan. Instead, the city needed to have a detailed incident response plan in place. This involves first identifying what types of attacks you are most vulnerable to. Then, you need to create a detailed step-by-step response for each type of attack, and create a team of employees responsible for carrying out each of the steps. You also need to ensure you have contingency funds readily available to carry out the plan quickly. Finally, it is important to simulate each type of attack so that the team can practice carrying out their response. Overall, the goal of an incident response plan is to deal with potential attacks as quickly and efficiently as possible.
2. Shut Down and Isolate Infected Systems
In order to keep the hackers from accessing other systems, it is important to shut down and isolate infected systems and any devices connected to them. Remove the system from your network. Disconnect the system’s wireless and Bluetooth capabilities. Any devices previously connected to the infected systems should be shut down and removed from the network. Along with keeping the hack from spreading, this also limits the hacker’s ability to encrypt or damage the infected systems.
3. Secure Your Backups
Having updated and secure backups is especially important for ransomware attacks. If a hacker encrypts your data, having a recent backup of that data could save you from having to pay the ransom. There are two important caveats, however. First, it’s important that you regularly test your backups to ensure your data isn’t corrupted in the backup or restoration process. Second, keeping the copies of your backups secure and offline is essential. Otherwise, it is possible for hackers to gain access to your backups and encrypt or remove them from your systems.
4. When in Doubt, Rebuild
The hard truth is, the most reliable way to shut down a hack before an attack is to completely remove the infected systems and rebuild them from scratch. Of course, the time, resources, and personnel required to do this makes it a difficult pill to swallow for many organizations. However, it is the only way to guarantee that a hack is removed from your systems.
The Bottom Line
Spotting a hack before the attack can give you the leg up on the hackers. But, as the ransomware attack on Florence, Alabama makes clear, knowing that someone accessed your systems is not enough. You need to have a game plan ready to go and carry it out as fast as possible. Using your time and resources to prepare for an attack now will give you peace of mind, and potentially reduce the cost of a hack later.
In October, the FBI warned that ransomware attacks are becoming “more targeted, sophisticated, and costly.” Now, a new survey shows that small businesses are bearing the brunt of these attacks, with 46% reporting that they have been targeted.
Ransomware is a form of cyber attack in which the attacker steals or encrypts the victim’s data and demands payment in order to regain access to that data. The new survey highlights two issues that put small businesses in particular at a high risk for further attacks and even irreparable data loss.
1. No Data Protection in Place
Perhaps the most troubling trend the survey found is that 20% of small businesses do not have data protection systems in place. Using solutions such as data backup or disaster recovery tools is essential for a variety of potential issues, but especially for ransomware. According to Russell P. Reeder, the CEO of the company behind the survey, “every modern company depends on data and operational uptime for its very survival…Data protection and operational uptime have never been more important than during the unprecedented times we are currently facing.”
With a strong backup system that is tested regularly, small businesses faced with a ransomware attack are in a better position to recover their data without succumbing to the demands of the attackers. Without proper data protection systems in place, however, businesses are left in the hands of the bad guys, with no other means to recover their data. And the truth is, the more small businesses that leave themselves unprotected, the more they will be targeted. Ransomware attackers are looking for easy money, and are therefore far more likely to target those who leave themselves the most vulnerable.
2. To Pay or Not to Pay
The survey also found that a whopping 73% of small businesses targeted by ransomware opted to pay the ransom in order to get their data back. One reason for this is that, if a business does not have proper data protection in place, restoring the data may end up being more costly than simply paying the bad guys. However, this solution is misguided on a number of fronts.
First of all, there is no guarantee that paying the ransom will result in regaining all or even any of the data stolen. The survey found that 17% of those who paid the ransom did not recover all of their data. Secondly, paying the ransom is a short-term solution to a long-term problem. Paying the ransom signals to attackers that they can squeeze money out of that business in the future. Reporting by ProPublica also found that ransomware payments used to be substantially lower than they are now, and that the number of businesses willing to cough up the dough has led to an increase in the price of the ransom.
Prevent and Defend
In order to defend against ransomware attacks, small businesses should first and foremost ensure they have strong data protection solutions in place. However, this is only one piece of the puzzle. Taking measures such as awareness training can help prevent these attacks in the first place. Ransomware attackers often gain access to systems through malware installed via phishing campaigns. If you and your staff are properly trained to spot deceptive practices, you already have a leg up on the bad guys. Attackers also hope that their victims will panic and make rash decisions. There is no question that falling victim to ransomware is scary stuff, but taking a few breaths, reviewing your options, and responding rationally might help keep your money and data in your hands and prevent further attacks from taking place in the future.
Hackers are continuing to use the coronavirus crisis for personal profit. We recently wrote about the increase in malicious sites and phishing campaigns impersonating the World Health Organization and other healthcare companies. But now hackers appear to be turning their sights to the healthcare sector itself. Here are two notable cases from the past few weeks.
WHO Malware Attempt
Earlier this week, the World Health Organization confirmed hackers attempted to steal credentials from their employees. On March 13th a group of hackers launched a malicious site imitating the WHO’s internal email system. Luckily, the attempted attack was caught early and did not succeed in gaining access to the WHO’s systems. However, this is just one of many attempts being made to hack into the WHO. The organization’s chief information security officer, Flavio Aggio, told Reuters that hacking attempts and impersonations have doubled since the coronavirus outbreak.
Similar attempted hacks against other healthcare organizations are popping up every day. Costin Raiu, head of global research and analysis at Kaspersky, told Reuters that “any information about cures or tests or vaccines relating to coronavirus would be priceless and the priority of any intelligence organization of an affected country.”
Ransomware Attack Against HMR
Unlike the attack on the WHO, a recent ransomware attack was successful in stealing information from a UK-based medical company, Hammersmith Medicines Research (HMR). The company, which performs clinical trials of tests and vaccines, discovered an attack in progress on March 14th. While they were successful in restoring their systems, a ransomware group called Maze took responsibility. On March 21st, Maze dumped the medical information of thousands of previous patients and threatened to release more documents unless HMR paid a ransom. HMR has not disclosed how the attack occurred, but has stated that it will not pay the ransom.
Four days after the initial attack, Maze released a statement saying they would not target medical organizations during the coronavirus pandemic. Yet, this did not stop them from publicizing the stolen medical information a week later. After the attack gained publicity, Maze changed their tune. The group removed all of the stolen files from their website, but blamed the healthcare industry for their lack of security procedures: “We want to show that the system is unreliable. The cyber security is weak. The people who should care about the security of information are unreliable. We want to show that nobody cares about the users,” Maze said.
Times of crisis and confusion are a hacker’s delight. The staggering increase of hacks against the healthcare industry only helps prove that. The key to mitigating these threats is to ensure that security configurations are set to industry best practices, continuously scan your networks, lock down or close open ports, secure or (preferably) remove Remote Desktop Protocol, and require multi-factor authentication for any remote access. And certainly, make sure you are testing your incident response plan.
At the end of February, security experts at RSA 2020, a leading cybersecurity conference, warned that an increase in targeted ransomware is likely. These concerns echo a statement released by the FBI in October that ransomware attacks are becoming “more targeted, sophisticated, and costly.”
Ransomware is a form of cyber-attack that hackers use to encrypt information on victims’ systems then demand a ransom before giving the victim back access to their files. In the past, these attacks were aimed primarily at individual consumers. However, in the past 2 years ransomware attacks have dramatically shifted focus toward businesses and institutions, including government agencies. According to a report by Malwarebytes, there was a 263% increase in ransomware targeting organizations in the second quarter of 2019.
So what exactly has led to the increase in ransomware attacks against businesses? Well, while there are a number of factors contributing to this trend, the main answer is money. According to the Malwarebytes report, attackers found that focusing on businesses provides a larger and more consistent return on investment. Not only do hackers expect businesses to have more money than individual consumers, but the loss of data can also prove more harmful and costly for organizations than for a single person. This gives businesses a larger incentive to pay up. What’s more, ProPublica has written a series of articles detailing how insurance companies and other firms offering ransomware solutions often opt to simply pay the ransom rather than work to unlock encrypted files by other means. Hackers are therefore becoming more and more confident their victims will cough up the money.
However, ransomware attackers are also learning they don’t even need the ransom to make money off their attacks. Ransomware-as-a-service (RaaS) is a growing business model on the dark web, where groups will build and sell ransomware kits to those without the technical know-how to carry out an attack on their own. RaaS has therefore made ransomware a more accessible method of attack, contributing to the rise in attacks we have seen in the past few years.
Protect and Prepare
Given the dramatic rise in ransomware attacks against organizations, every business needs to invest time and energy in protecting against and preparing for the possibility of a ransomware attack.
Protecting yourself from a ransomware attack largely involves getting back to the basics of cybersecurity. Upgrading and patching outdated operating systems and software regularly, using anti-virus and malware protection, and restricting access privileges only to those who need them will all help to decrease the risk of an attack. Regular penetration tests and vulnerability scans will show the areas in your systems that need the most protection. Routinely backing up your systems and information and testing those backups is also essential. If a ransomware attack locks up your files, having a recent backup of your information could be one way to ensure access without paying a ransom.
However, even if you take every possible preventative measure, you can’t just assume you won’t be targeted. Given the dramatic increase in ransomware attacks, it is essential to also plan your response if something ever happens. Incident response teams should therefore understand the response plan and simulate ransomware attacks to ensure preparedness and find ways to strengthen your response should the worst happen.