Reacting to Ransomware
Reacting to Ransomware
Ransomware continues to be a major threat to computer systems. Attacks on high profile users make the news headlines but there is clear evidence that any system could be targeted.
The 2022 State of the Phish report from Proofpoint reports that 46% of successful phishing attacks led to Ransomware infections. 58% of those infected agreed to pay the ransom demanded. Of those nearly half had to pay an additional fee before data was unlocked; some organisations never gained access to their data even after paying the ransom. The Proofpoint summary is based on 4,100 survey questionnaires and information from Proofpoint’s own work as a cyber security analyst and advisor. It is unfortunate that actual numbers of cases are not reported only percentages of incidents.
The 2022 Ransomware Survival Guide from the same source indicates other sources of Ransomware infection. These include deliberate insider action, compromised remote access systems and infected websites. An infection usually involves installation of malware that in turn allows unauthorised access to drop off the Ransomware agent.
The whole system has become well organised, up to the concept of Ransomware as a Service. Malware can link to various payloads allowing the Ransomware coder to work with established delivery systems rather that creating their own. They could also move to a new malware infection agent should an existing source become too easily identified and blocked. Ransomware users pay to gain access to the attacking system. This could be as a one off fee, a monthly subscription or an arrangement where the authors take a percentage of the ransom collected. The danger to the targeted user is that the Ransomware author only has a limited stake in whether the ransom is paid or not. If all the income went to the authors then they would seek to maintain a ‘trusted business’ reputation for unlocking on payment received. With the Ransomware as a Service model the author’s income comes from supplying the encryption. They may receive any agreed income from the attacker regardless of the victim paying any fee. There may be additional user friendly (friendly to the attacker) interfaces that display files locked and payloads delivered. The authors’ reputation rests on the efficiency of delivery and difficulty in breaking any software lock. They have stepped away from collection of the ransom further hindering following of any money trail back from the victim to the coder.
Prevention is always a lot easier than the cure for cyber-attacks. Ransomware criminals can rely on the business mind-set that the costs of preparation might exceed any possible ransom demand. This is poor advice as a vulnerable organisation may be targeted several times and there is no guarantee that payment will lead to data being unlocked.
The Europol backed ‘No More Ransom’ website contains helpful advice to combat ransomware. The content is relevant Worldwide not just to citizens of the EU. If you suspect a Ransomware infection follow these steps:
- Do not pay the ransom.
- Disconnect all computers from your network but leave them switched on.
- Use the Crypto Sheriff tool. You will need a computer with an Internet connection that is not part of your compromised network. Ideally upload details of the ransomware demand and 2 encrypted files from an infected machine. Crypto Sheriff will then attempt to recognise the ransomware agent and report if an un-encryption key is available. This step does assume that the user is not completely locked out of an infected machine and that encrypted files can be copied onto a portable drive.
- Report details of the infection to the police.
The possible results of these actions are either that the ransomware report is a false alarm, the system can be unlocked and malware removed or that the infection is still in place. All is not lost (literally and figuratively) in the latter case. If systems are restored from a point before the initial infection took place then the data stored up to that time will become available. Good practice should ensure that there are regular backups, copies are stored off-line and that the restore procedure has been tested out. Alongside a technical plan to restore a system there needs to be a business plan to ensure that some work can continue while systems are down and that customers are aware that the incident is under control.
As a known vulnerable system the victim faces an increased likelihood of subsequent attacks. Software and user training for malware prevention that may have been neglected will need to be prioritised.