A number of high-profile ransomware attacks in the early months of this year have put a spotlight on the importance of firms working to prevent them.
In March, operations at Norwegian aluminum producer Norsk Hydro and American chemical companies Hexion and Momentive were interrupted by LockerGoga ransomware attacks.
Pots of molten aluminum were switched to manual mode at Norsk facilities across Europe and America, and Momentive had to scrap hundreds of compromised computers following the attack.
While ransomware attacks (which usually involve locking sensitive data and demanding a ransom in cryptocurrencies for its release) increased 15-fold between 2015 and 2017, they have now begun to wane slightly as hackers increasingly favour cryptojacking attacks.
In cryptojacking attacks, hackers secretly infect networks with cryptomining malware that sends mining proceeds to attackers.
Unlike confrontational ransomware software, “cryptojacking” software can go undetected for some time.
Still, ransomware attacks are not yet a thing of the past and can be very, very costly.
At least two insurance firms, DLA Piper and Hiscox, have lately used “Act of War” provisions to refuse to pay out post-ransomware settlements after it was determined that a state-actor, Russia, was behind 2017 devastating NotPetya ransomware attacks on Maersk, Mondelez and TNT Express.
The companies say those attacks caused hundreds of millions in damages.
Cryptojacking malware and ransomware usually enter company systems via “phishing emails” designed to exploit human weaknesses.
These emails can be sprayed out randomly or are sometimes very carefully targeted, says IT media outlet, Techgenix:
“Social engineering can fool users into believing that an email with a legitimate-looking attachment is truly from their friend, coworker, bank, social media company, or more…Particularly apt malicious actors gain access to a user’s email and then send a message that directly relates to something that the user was discussing previously. “
Hackers may also issue phishing emails that, “impersonate law enforcement or government personnel.”
Phishing emails usually include infectious links or attachments that, if clicked or opened, will release scareware, screen lockers, and/or encrypting ransomware onto company networks.
According to TechGenix:
“Scareware is the least worrisome, and essentially just attempts to scare users into paying a ransom, but can’t do anything more than annoy them with popups if they don’t.”
Law enforcement impersonations are also common in “scareware” attacks:
“These ‘screenlockers’ are most likely to pretend to be the FBI or other U.S. agency saying you are required to pay a fine to regain access to your computer because of detected illegal activity. Of course, the FBI would never do this and actively fights against ransomware.”
But the most devastating and costly malware is ransomware, says the outlet:
“Encrypting ransomware is the worst because there is almost no possible way to regain your files if they are encrypted by malicious actors (apart from them decrypting the files and returning your access). Many times, even if users pay to have their files restored, the criminals won’t return them, leaving the unfortunate victim without money nor their files….About 30 percent to 35 percent of the time, the hackers take the money and go, leaving your files perpetually encrypted.”
Attacks on public institutions are becoming increasingly favoured because security budgets there may be relatively modest, say other experts.
TechGenix also notes that, “attackers choose particular industries that they think will pay more quickly and are often lacking in adequate IT security, such as hospitals.”
Companies must ensure systems are always up-to-date and patched, says TechGenix, but malware can even infect protected systems.
“The unfortunate truth is that ‘as many as 75 percent of companies that [fell] victim to ransomware were running up-to-date endpoint protection on the infected machines.’”
For this reason:
“The most important thing to do to make sure ransomware (or any type of malware) doesn’t affect you is to back up your files… If all of your data is regularly backed up, a ransomware attack will slow you down, but it will hardly put a dent in your operations.”
Following a ransomware attack, owners or systems admins should reboot machines:
“If you have Windows 10, you can reboot your machine into safe mode, install antimalware software, find and destroy the ransomware program with this software, and then restore the computer to a previous state.”
After this procedure, however, files will still be encrypted:
“While this can put your machine back into your control, it can’t decrypt your files.”
Companies polled are typically staunch about stating they would not pay a ransom in the event they are attacked (66%):
“However, in reality, about 65 percent do end up pay the requested amount.”
Authorities often advise not paying ransoms, but the potential loss of the data could have a very perilous effect on companies.
As well, “(Hackers) also often offer discounts for quick payment so companies pay without having time to consider all options.”
Properly backed up systems put companies in a much better position should they ever have to negotiate a ransomware attack:
“…(I)f your system is properly and recently backed up, you don’t have to worry about this. Before you decide to pay up, make sure the attack isn’t actually just scareware, as described above. If it isn’t, your company might consider paying the fee, but keep in mind that this doesn’t always result in getting your files back.”
As with all other emergencies, preparedness and prevention reduce the impact, says TechGenix:
“If you follow typical malware avoidance advice and keep your system up to date, have a good anti-malware software, and, most importantly, keep your data backed up and stored in a safe place, you’ll be able to overcome the worst of any ransomware attack.”