Is there any protection against ransomware


Ransomware is malware that infects devices, networks and data centers and blocks users' access to them. To have the systems reactivated, the attackers extort a ransom. The malware can get into a system in a number of ways; web-based malware began replacing the more traditional vector of email delivery as early as the beginning of 2020. Another strategy is the drive-by download: if a user visits an infected website, the malware is downloaded and installed without their knowledge. So not only devices but also web browsers are primary targets of cyber criminals, especially now that attackers continue to target employees working remotely.

In connection with the global pandemic, COVID-19-related messages and attachments used as bait in a number of different ransomware campaigns were also observed. This suggests that ransomware will continue to pose a major threat.

Ransomware is generally based on one of several existing approaches:

  • Crypto ransomware infects an operating system and prevents the affected device from booting.

  • Other versions encrypt drives or multiple files or file names.

  • Some particularly malicious versions come with a timer that deletes files one by one until the ransom is paid.

  • A newer technique is to insert phishing emails into an active email thread to increase the likelihood that the message will be clicked; this is known as spear phishing. If the target is a member of the executive board, it is called "whale phishing".


What all strategies have in common is that a ransom must be paid before the locked or encrypted system unlocks or releases the files or data again.

Take action against ransomware

Here is a list of ten pieces of advice to keep businesses safe from ransomware:

  1. Creation of a backup and recovery plan: back up the systems regularly and store the backups offline on a separate device.

  2. Use of professional email and web security tools that scan attachments, websites and files for malware and block potentially dangerous advertisements and social media pages of no relevance to the company. These tools should include sandboxing capabilities so that new or unknown files can be run and analyzed in a secure environment.

  3. Operating systems, devices and software must always be patched and up to date. At remote workstations, it can be difficult to get users to apply patches. However, this is essential to stop ransomware.

  4. Antivirus programs, IPS and antimalware tools for devices and networks should always be running with the latest update.

  5. Use application whitelists to prevent unauthorized applications from being downloaded and executed.

  6. Segmentation, i.e. dividing the network into security zones so that an infection in one area cannot easily spread to another.

  7. Creation and enforcement of access rights so that as few users as possible are in a position to infect business-critical applications, data and services. Companies should rethink their approach and introduce a zero trust model: trust no one by default and strictly regulate access rights to critical assets.

  8. Implementation of a BYOD security policy under which devices that do not meet certain security standards are checked and blocked (no client or no antimalware installed, outdated antivirus, operating system missing critical patches, etc.).

  9. Use forensic analysis tools after an attack to determine a) where the infection came from, b) how long the malware has been in the environment, c) whether it has been completely removed from all devices, and d) ensure that it cannot return.

  10. Employees cannot be relied on when it comes to security issues. It is extremely important to constantly train employees and improve their security awareness so that they do not carelessly download files, click on e-mail attachments, or follow web links in e-mails. Even so, the "human factor" remains the weakest link in any security chain. It should be noted that for many employees, opening attachments and searching for relevant information on the Internet is part of everyday work. In addition, phishing attacks have become very convincing, and studies have shown that users believe security is someone else's job.
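The BYOD check in point 8 can be written down as policy code. The following is an added example, not from the article or any product: it assumes a hypothetical posture record (field names are an assumption) reported by a device before it is admitted to the network, and blocks on exactly the criteria listed above.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Hypothetical posture record a network access control agent might report.
# Field names are an assumption for this example, not taken from any product.
@dataclass
class DevicePosture:
    hostname: str
    client_installed: bool            # management/security client present
    antimalware_installed: bool
    signature_date: Optional[date]    # last antivirus signature update, None if unknown
    missing_critical_patches: int     # critical OS patches not yet applied

MAX_SIGNATURE_AGE = timedelta(days=7)   # policy threshold chosen for this example

def evaluate_posture(dev: DevicePosture, today: date) -> Tuple[str, List[str]]:
    """Apply the article's BYOD criteria; return ("allow" | "block", reasons)."""
    reasons: List[str] = []
    if not dev.client_installed:
        reasons.append("no client installed")
    if not dev.antimalware_installed:
        reasons.append("no antimalware installed")
    elif dev.signature_date is None or today - dev.signature_date > MAX_SIGNATURE_AGE:
        reasons.append("antivirus signatures outdated")
    if dev.missing_critical_patches > 0:
        reasons.append(f"{dev.missing_critical_patches} critical OS patch(es) missing")
    return ("block" if reasons else "allow"), reasons

def triage(devices: List[DevicePosture], today: date) -> Dict[str, str]:
    """Decision per hostname; blocked devices stay quarantined until remediated."""
    return {d.hostname: evaluate_posture(d, today)[0] for d in devices}

# Constructed sample inventory (not real hosts).
TODAY = date(2024, 3, 1)
SAMPLE_DEVICES = [
    DevicePosture("laptop-01", True, True, date(2024, 2, 28), 0),   # compliant
    DevicePosture("laptop-02", True, True, date(2024, 1, 5), 0),    # stale signatures
    DevicePosture("phone-07", False, False, None, 0),               # unmanaged device
    DevicePosture("laptop-03", True, True, date(2024, 2, 29), 2),   # unpatched
]

if __name__ == "__main__":
    for dev in SAMPLE_DEVICES:
        decision, why = evaluate_posture(dev, TODAY)
        print(f"{dev.hostname}: {decision} {'; '.join(why)}")
```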


What if it does happen?

In the best case scenario, there is a current backup so that the device can be formatted and reloaded with a clean version. Below is a list of the things that need to be taken into account:

1. Report criminal offense

An online search quickly turns up the website on which cyberattacks can be reported in the respective country. For Europe, Europol provides such a page.

2. Paying the ransom is not a guarantee

Paying the ransom is no guarantee that the files will actually be released. The only thing that is certain is that the offenders will receive their victim's money and, in some cases, their bank account information as well. In addition, decrypting the files does not automatically mean that the malware has been uninstalled.

  1. Emergency and rescue services
    Authorities warn of cyber attacks on hospitals, fire stations and other emergency and rescue services. In these cases, the function of the IT systems can make the difference between life and death. This makes them very promising targets for ransomware campaigns.
  2. The average user
    Humans are not only seen as the weakest link in IT security; average users are also the most productive and most easily manipulated sources for hackers. This is especially true of those who are easily pressured and/or not very technically skilled. The normal user becomes a ransomware target because, in the age of digitization, almost everyone keeps personal and/or company data on one or more of their devices.
  3. Companies
    No matter whether large or small: almost every company today has to rely on its IT systems to handle its daily business processes. These systems usually contain valuable information, which is why companies are also an ideal target for ransomware. In addition, many companies simply cannot afford downtime, so it is very likely that this is why they respond to ransom demands.
  4. Law enforcement and government institutions
    Criminal hackers target law enforcement agencies, intelligence services and other government institutions primarily out of revenge; after all, these are the bodies that prosecute cybercriminals. Although large organizations such as the BND or FBI have the resources to set up appropriate defenses, the situation is different for smaller authorities, for example police stations or local administrative offices. Accordingly, ransomware attacks on such organizations have increased.
  5. Healthcare
    At the beginning of 2016, ransomware attacks on two hospitals in North Rhine-Westphalia made headlines. The consequences were serious: the IT systems had to be switched off completely, the forced offline mode set the hospitals back into the pre-digital era, major operations had to be postponed and emergency patients had to be admitted to other clinics.
  6. Educational institutions
    Schools and universities are also increasingly being targeted by ransomware hackers. After all, they usually have sufficient resources to respond to ransom demands, especially in the US. In February 2016, several schools in the United States were hit by crypto ransomware. A school in South Carolina paid around $8,500 to get the data on its 25 servers back.
  7. Religious institutions
    The networks of religious institutions are becoming increasingly attractive to blackmailing hackers. After all, their staff are typically not trained in dealing with cyber threats such as phishing emails. At the end of February 2016, two parishes in the USA were affected, one by the headline-grabbing crypto Trojan Locky. The congregation paid a ransom of $570 to get its data back.
  8. Finance
    The banking and financial sectors are regularly targeted by ransomware hackers and botnets; after all, there is usually a lot to be gained here as well. The cyber criminals behind the TeslaCrypt ransomware launched a spam email campaign in mid-February 2016. A JavaScript downloader hidden in an infected attachment smuggled the TeslaCrypt malware onto the victim's system.

3. Consult an expert

Many providers of operating systems, software and security solutions have experts among their employees who can advise companies if their systems should be infected with ransomware. There are also outside forensic experts who can help restore the system.

4. Have a plan B

What should you do if the computer systems or the network are no longer available? Is there a failover plan? Is there some way to keep things going, albeit with restrictions, while the systems are being repaired? What does each hour of system unavailability cost? Does the IT security budget match these costs? Companies should definitely address these questions in their security guidelines.

  1. Determine metrics
    Be able to demonstrate the success of your efforts. You can only do this if you define key figures before you start your awareness program. Options include questionnaires on behavior in certain situations, or phishing simulation tools that run one simulated attack before and one after the training measures. Incidents triggered by employees can also be counted, such as attempted visits to blocked websites.
  2. Stay flexible
    Don't just focus on prevention work. The idea of the "human firewall" is widespread, but it only comes into play once an attack occurs. Why not rely on "human sensors" and try to detect impending attacks? Have your employees look out for indicators of a possible attack. When phishing simulations take place, also pay attention to how many test participants recognize and report the attack.
  3. Let the rules be broken
    Those who do not adhere to security rules can increase their own security awareness. The company should occasionally (not regularly, so that it does not become a habit) give its employees the freedom to break certain security rules, but only those that do no immediate harm. Only by breaking a rule can employees see what happens when it is broken and why it ultimately exists. In a conversation between the IT security team and employees, the purpose of a particular policy can then be understood jointly.
  4. Take a new approach
    Most awareness programs have not resulted in employees changing their behavior. In the opinion of many experts, however, this is because they were never designed to change behavior at all; they were simply meant to meet applicable compliance requirements. Accordingly, little was invested in these trainings, both financially and in terms of content. Only those who put real thought into the content of their security training can change employee behavior.
  5. Get support from the C-level
    Those who have the support of the decision-making level make their security training more successful. Anyone planning an awareness program should first get strong support from above, even if only in words. This inevitably leads to greater attention in the workforce, more freedom in structuring the program and support from other departments.
  6. Make common cause with other departments
    When an IT security employee sets up an awareness training program, they should bring other departments on board in addition to the board of directors: human resources, marketing, legal, compliance, data protection officers and facility management. All of these departments have a direct or indirect interest in security and can help with promotion and funding. They also have the option of making the training courses mandatory for employees.
  7. Be creative
    Those who are not creative cannot offer good security training. Creativity could mean, for example, setting up a security wall in the entrance area of the building as part of a company party, listing, among other things, ten common security errors. The employees who can name all ten mistakes take part in a raffle.
  8. Set meaningful time windows
    Most training programs run for a year, with each month having a specific theme. A 90-day plan is better: the content and goals are put to the test every quarter. Many programs are successful because they deal with three topics in parallel over a quarter and then select new topics. This is how you stay up to date.
  9. Choose a multimedia approach
    Every employee has different requirements when it comes to IT security, and everyone wants to be reached in a different way. You should therefore rely on a wide variety of communication channels to raise awareness of IT security, for example newsletters, posters, games, news feeds, blogs, phishing simulations, etc.


The cybercrime market generates billions in sales. Just like companies, cyber criminals are highly motivated to constantly find new sources of income. They rely on deception, blackmail, attacks, threats and lures to gain access to critical data and resources.


Ransomware is nothing new. What is new is the growing number of attacks and the increasingly sophisticated strategies that accelerate the development of new and unexpected ways of exploiting individuals and companies. It is more important now than ever that security is an integral part of business processes. Organizations should definitely work with security professionals who understand what a well-designed security solution needs to defend against. What is needed is a system of highly integrated and automated technology, which is only effective in combination with effective policies and a life cycle strategy of precaution, protection, detection, response and learning.