What is Ransomware?

Ransomware is a form of malware made to prevent users or organizations from accessing files on a computer. In simple terms it encrypts files on a device and make them unusable. Cyber attackers put an organization in a situation where paying the ransom is the quickest and least expensive option to recover access to their files by encrypting these files and requesting a ransom payment for the decryption key.  Ransomware has become the most emerging attack since the 2017 Wannacry outbreak. The recent rise in ransomware was also influenced by the COVID-19 pandemic. Gaps in firms’ cyber defenses emerged when they quickly shifted to remote work. These flaws were taken advantage of by cybercriminals to spread ransomware, which led to an increase in ransomware attacks.

How Ransomware can get into your organization? 

A ransomware attack is carried out in what specific ways by threat actors? They must first obtain access to a computer or network. Your computer can become infected with ransomware in a number of different ways.

Step 1 – Distribution and Infection  

With the help with various infection vectors ransomware gets into an organization’s system. 

1.Phishing

A malicious email may include a downloader-equipped attachment or a link to a website offering a malicious download. When a recipient of an email falls for a phishing scam, ransomware is downloaded and run on their computer. Spear phishing would be sending emails to workers at a certain organization with the false claim that the CEO is requesting that you complete a crucial employee survey or that the HR department wants you to download and review a new policy. Such strategies aimed at top-level decision-makers in a business, such the CEO or other executives, are referred to as “whaling.”

2.Social Engineering

Threat actors may use social engineering to appear legitimate, such as by pretending to be from a reputable organization or a friend, in order to fool users into opening attachments or clicking on links. An instance of social engineering would be of threat actors obtaining details about your interests, frequent destinations, employment, etc. from your public social media profiles and used some of that information to send you a message that appeared to be from a familiar source in the hopes that you would click before you realized it wasn’t real. 

3.Malvertising

The use of online advertising to spread malware with little to no user engagement is known as malvertising or malicious advertising. Users can be taken to malicious servers when browsing the internet, even on sites that are legitimate, without ever clicking on an advertisement. These servers compile information about target machines and their locations before choosing the malware that will do the job the best.  The fact that all of this occurs without the user’s knowledge gives rise to the term “drive-by download.” 

4.Malspam 

Unsolicited email used to spread malware is referred to as malicious spam, or malspam. Some threat actors utilize spam to get access, sending emails with malicious attachments to as many recipients as they can, then watching to see who opens the attachment and “takes the bait,” as it were. The email could have malicious attachments like Word or PDF files. Additionally, it might link to websites that are harmful. 

 

5. Other Infection Means  

• Unpatched Vulnerabilities 
• Remote Access Solutions 
• Mobile Malware 
• Internet-Facing Vulnerabilities and Misconfigurations 
• Third Parties and Managed Service Providers 
• Precursor Malware Infection 

Step 2 – Data Encryption

After gaining access to a system, ransomware might start encrypting its files. This only requires accessing the files, encrypting them with an attacker-controlled key, and then replacing the originals with the encrypted copies because encryption technology is embedded into an operating system. 

Step 3 – Ransom Demand

After all files have been encrypted, the ransomware is ready to demand money. Usual the display background changed to a ransom note or to have text files added to each encrypted directory that contains the ransom note. These messages typically demand a predetermined sum of bitcoin in return for access to the victim’s files. In exchange for payment of the ransom, the owner of the ransomware will either give a copy of the symmetric encryption key itself or a copy of the private key that was used to protect it. 

However, most of the cyber security firms including FBI advice not to pay the ransom if your are facing a ransomware attack.  Paying the ransom will only make the attackers to launch additional attacks against you.  

How to Protect Your Organization?  

1. Backup your Data – The best option to restore the encrypted data is by using backup. It is important to maintain offline, encrypted backups of data and regularly test your backups. 

2. Patch and Update – In order to guard against ransomware attacks, patching is essential since hackers frequently search the patches for the most recent discovered exploits before launching assaults on unpatched systems.

3. Practices Good Cyber Hygiene Habits, 

• • Conduct regular vulnerability scanning to identify and address vulnerabilities, especially those on internet-facing devices, to limit the attack surface. 
  • User of strong authentication and enabling 2FA  
  • Avoid Using Public Wi-Fi 
  • Browse Safely and be careful when you click 

4. Cyber Awareness Training and Education  – Phishing emails are a common method for spreading ransomware. It is essential to educate people on how to recognize and prevent possible ransomware attacks. User education is frequently seen as one of the most crucial defenses a company can employ, as many current cyber-attacks begin with a targeted email that does not even contain malware but merely a socially-engineered message that tempts the user to click on a harmful link. Simulators and training on phishing can significantly reduce the impact and effectiveness of these types of cyberattacks. 

TestMyUser – Test My Users is a comprehensive user training and awareness platform which assists organizations while promoting security awareness in a convenient 3 Step Approach. With Test My Users, organizations can conveniently conduct Phishing campaigns as a part and parcel of a compendious security awareness training initiative.

What you should do if you are hit by a ransomware? 

Organizations mostly get to know they have got hit by a ransomware attack when a ransom note is displayed. In such case, it is unlikely to recover the data.  CISA recommends steps that organizations take when responding to a Ransomware attack. 

1. Detect and Analysis

• • Determine which systems were impacted, and immediately isolate them.  

• • Only in the event you are unable to disconnect devices from the network, power them down to avoid further spread of the ransomware infection.  

• • Triage impacted systems for restoration and recovery.  

• • Consult with your incident response team to develop and document an initial understanding of what has occurred based on initial analysis.  If on site experts are not capable of recovering the data getting asking help from the experts in the community for assistance would be a best option.  

• • Engage your internal and external teams and stakeholders with an understanding of what they can provide to help you mitigate, respond to, and recover from the incident.  

2. Containment and Eradication

• • Take a system image and memory capture of a sample of affected devices (e.g. workstations and servers).

• • Check for possible decryptors available

Recent ransomware attacks we have reported,

Cisco Confirms Breached By Ransomware Group