Since first appearing in the late 1980s, ransomware has evolved to become a multi-million dollar business. Victims are faced with either paying large sums of money or losing access to crucial data files.
Recently, ransomware criminals have shifted their attention from targeting individuals to businesses and large organisations. The logic is that larger victims have more to lose, and larger resources with which to pay demands.
As a result, ransomware has become one of the top security concerns for many organisations. Senior managers understand the potential disruption it can cause to daily activity and the potentially large financial cost they will face to overcome it.
Types of attack
Ransomware comes in two forms. One uses mass distribution methods to find victims while the other uses targeted attacks. Both involve the distribution of software that encrypts files on target systems and then demands payment for their decryption.
Attackers use mass distribution techniques in an effort to find as many victims as possible. Rather than pinpointing potential targets, they simply unleash their efforts on the internet and see who takes the bate. Victims could become infected through phishing emails, visiting compromised websites or downloading malicious software.
Targeted attacks tend to be aimed at specific potential victims who have more to lose, and more money with which to pay. They tend to be much more customised and driven by people rather than automated tools.
The goal of a targeted attack is to infect an entire business or organisation, rather than an individual user. This makes it more difficult for the victim to avoid paying the ransom as the financial losses resulting from disruption can be very significant.
How ransomware works
Once a system has become infected, ransomware makes its presence felt alarmingly quickly. A target system can have its data totally encrypted within minutes.
An attack starts with delivery of malicious code and initial infection within about five seconds. Next, the code enters a backup spoliation phase which removes any data backups that can be found. This is normally completed within about 10 seconds.
The file encryption process usually starts within two minutes and can be completed in as little as 15 minutes. Even if a system is turned off during this time, the code can continue from where it left off once power is restored.
The final stage is user notification. Some ransomware will change desktop wallpaper or display a message on screens that outlines what has happened and the payment that is required to retrieve access to the encrypted data.
At this point, the ransomware code usually deletes itself from the target system, reducing the likelihood that the perpetrators can be traced.
Defending against an attack
The first step in reducing the chance of suffering a ransomware attack is the development of a comprehensive incident response plan. Data stores should be examined and back-up processes tested to ensure critical files are replicated in at least two secure locations.
IT teams should also ensure that security patches are rolled out as soon as they are released. These should be applied to operating systems and applications throughout the organisation as attacks can come from a range of different vectors.
A least-privilege approach should also be taken to file stores. Staff should only have access to the files they need and restricted from others. This tactic can help to slow the progress of ransomware should it successfully infect the infrastructure.
Detection is critical
The deployment of effective endpoint detection tools within the IT infrastructure is a vital step in combating the ransomware threat. These tools can detect infections early and respond automatically. They can also perform tasks such as monitoring for phishing emails containing malicious attachments.
If a system does become infected, the endpoint protection system should be able to automatically block and kill malicious processes. For example, the tool should check the 'appdata' and 'temp' folders on systems as these are often the locations where the malicious code will run.
The tools should also be able to automatically isolate infected systems from the organisation's network. This can be achieved by disabling all network adapters to stop the code from receiving instructions from the attackers.
Eradication and recovery
If an attack has been detected and prevented, affected systems will need to be thoroughly checked to ensure the threat has been removed before they are reconnected to the network. If the code has managed to encrypt files, these will need to be replaced with copies from the secure back-up site.
It's then worth investigating what vector was used to infect the system. Was it a web-based attack kit or a phishing email scam? What steps can be taken to ensure this doesn't happen again in the future?
By making effective plans and deploying endpoint detection tools, organisations can significantly reduce the likelihood they will face a ransomware attack. The threats are not going away, but the chances of them resulting in disruption and financial hardship can be greatly reduced.