Ransomware During the Pandemic Crisis

It is really astonishing how quickly the word “pandemic” has evolved from a subject of obscure computer games to the center of everyone’s daily conversations. However, when discussing the latest news about the coronavirus outbreak, one should not forget another pandemic that has been causing massive damage to businesses, governments, and individuals around the world for several years already.

Since its initial emergence in Eastern Europe about a decade ago, it has quickly evolved into one of the largest global cyberthreats, crippling hospitals and entire cities, bringing large corporations to a total halt, costing the world billions in economic losses. We are, of course, talking about ransomware.

What is ransomware anyway?

Actually, the answer is right there in the name: ransomware is a kind of malicious software designed to prevent you from accessing your computer, or specific files on it, until a ransom is paid to the attacker. Usually, ransomware is disguised as a legitimate document or program, and users are tricked into downloading it from a website or opening it as an email attachment.

Most modern strains of ransomware encrypt valuable files on the affected device, such as office documents and images; others merely lock the victims out of their computers. Both, however, demand a payment to restore access.

Contrary to popular belief, ransomware attacks are not the diabolically clever creations of elite hacker groups: since the malware does not need to evade detection for long to achieve its goal, even novice cybercriminals can launch successful ransomware attacks with minimal resources.

Ransomware evolution

Early ransomware types were usually limited to a narrow geographical region, where attackers were able to collect their money via premium SMS messages or even prepaid cards. However, the explosive growth of anonymous cryptocurrencies like Bitcoin made them the perfect tool for much larger global extortion campaigns.

Within a few years, ransomware has become a highly lucrative business for cybercriminals, offering high reward at low risk with minimal investment. Many criminal groups even offer Ransomware-as-a-Service, where the earnings are shared between the malware creators and their “affiliates”.

Things turned ugly in 2017, when several strains of ransomware appeared that spread across computer networks without any user interaction by utilizing a highly dangerous Windows exploit believed to have been developed by the NSA and later leaked by a hacker group.

The WannaCry attack affected over 200,000 computers across 150 countries, including the entire British National Healthcare System. The NotPetya malware, originally targeting Ukrainian companies, spread uncontrollably around the world within days, affecting many large enterprises: the shipping company Maersk alone estimated its losses at around $300 million.

Ransomware was no longer just a lucrative criminal business: it has turned into a cyberweapon of mass destruction.

Ransomware identification

As opposed to most other cyber threats, ransomware manifests itself within minutes of the initial infection. Whether you have clicked a link to a malicious website, opened a suspicious email attachment, or were affected by a drive-by download (such as an infected online ad), by the moment you see a note on the screen telling you that your computer is blocked or your files are encrypted, the damage is usually already done and the only thing you can do is try to minimize it.

First, don’t panic – not all such notes are a sign of real ransomware, especially if they appear in your browser. Check whether you can still switch to a different program or browse a folder with your documents. If not, you might be a victim of locker ransomware.

If you can still browse your documents, but cannot open any of them because of data corruption, it might be a sign of the worst-case scenario – your files are encrypted and the only way to get them back is to pay the ransom. At least that’s what the attacker wants you to believe.

Dealing with a ransomware attack

Whether you decide to pay the ransom or not, your first action should be disconnecting your computer from the network and external drives: you really don’t want ransomware to spread to other devices or cloud services. It is also advisable to take a photo of the ransom note – this will help identify the malware strain that hit you.

Should you pay? Most security experts recommend against it: not only is there no guarantee that you will get your documents back after paying, but paying also encourages more ransomware attacks in the future. However, if critical business records are at stake and you do not have any copies left, paying the ransom might be a sensible (even though morally questionable) option.

It cannot be stressed enough that you’re not alone against the attacker in any case: there are multiple resources that will help you identify the specific type of ransomware, let you know whether the encryption can be reversed and provide additional guidance. Of course, every notable antivirus company offers its own tools and services to deal with ransomware attacks as well.

However, in many cases, the only viable option left to you is to cut your losses, do a clean operating system reinstall on your device, and restore any available files from a backup. Before doing so, however, check whether your backups weren’t encrypted, too.

Finally, it’s highly recommended to submit a report to your local police. This is not only necessary for filing an insurance claim, but it also helps the authorities stay on top of malware trends and might even help other victims of later attacks.

Protecting against ransomware

If the scenario above looks too grim, then by now it should be clear to you that the most painless method of dealing with ransomware attacks is to prevent them from happening in the first place.

Arguably the most important preventive measure is to have proper backups of all your documents. A popular rule of thumb is to create three copies of your data, store them on two different media, and keep one copy off-site. And, of course, you have to actually test your backups regularly to ensure that they are still recoverable. Having an off-site backup ensures that even the most sophisticated ransomware that specifically targets backup files won’t render them useless.
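The advice above to actually test your backups, and the earlier advice to check that a backup was not encrypted before restoring from it, both come down to the same check: does every file in the backup still match what was backed up? The following PowerShell script is an added example, not code from the article or from KuppingerCole. It writes a SHA-256 manifest when a backup is taken and later verifies a test restore against that manifest; all paths in it are placeholders, and it assumes the manifest is stored with the off-site copy so it cannot be encrypted together with the local data.

```powershell
# Added example (not from the original article): create a hash manifest when a
# backup is taken, and later verify a restored (or still-stored) copy against it.
# Any file that is missing, or whose hash no longer matches, is reported. A backup
# that ransomware has encrypted or renamed in place fails this check up front,
# instead of being discovered unusable at restore time. Paths are placeholders.

function New-BackupManifest {
    param(
        [Parameter(Mandatory)] [string] $SourcePath,   # folder that was backed up
        [Parameter(Mandatory)] [string] $ManifestPath  # manifest file; keep it with the off-site copy
    )
    $root = (Resolve-Path $SourcePath).Path
    Get-ChildItem -Path $root -File -Recurse | ForEach-Object {
        [PSCustomObject]@{
            RelativePath = $_.FullName.Substring($root.Length).TrimStart('\')
            Length       = $_.Length
            SHA256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    } | Export-Csv -Path $ManifestPath -NoTypeInformation
}

function Test-BackupRestore {
    param(
        [Parameter(Mandatory)] [string] $RestoredPath,  # folder of a *test* restore, not production
        [Parameter(Mandatory)] [string] $ManifestPath
    )
    $root = (Resolve-Path $RestoredPath).Path
    $problems = foreach ($entry in Import-Csv -Path $ManifestPath) {
        $file = Join-Path $root $entry.RelativePath
        if (-not (Test-Path -LiteralPath $file -PathType Leaf)) {
            # Missing: never backed up, deleted, or renamed to a ransomware extension.
            [PSCustomObject]@{ File = $entry.RelativePath; Problem = 'missing' }
            continue
        }
        $hash = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
        if ($hash -ne $entry.SHA256) {
            # Mismatch: corrupted, truncated, or encrypted in place.
            [PSCustomObject]@{ File = $entry.RelativePath; Problem = 'hash mismatch' }
        }
    }
    if ($problems) {
        $problems | Format-Table -AutoSize | Out-Host
        Write-Warning ("{0} file(s) failed verification; this backup is NOT recoverable as-is." -f @($problems).Count)
        return $false
    }
    Write-Host "All files verified against the manifest."
    return $true
}

# Usage (placeholder paths): run the first command whenever the backup is made,
# and the second on a schedule against a test restore of the off-site copy.
# New-BackupManifest -SourcePath 'D:\Documents' -ManifestPath 'E:\Backup\documents.manifest.csv'
# Test-BackupRestore -RestoredPath 'C:\RestoreTest\Documents' -ManifestPath 'E:\Backup\documents.manifest.csv'
```

Verifying against a manifest rather than simply checking that the backup job reported success is what turns the 3-2-1 rule into something you can trust: a file that was silently encrypted before the last backup ran will show up as a hash mismatch on the next scheduled test, while there is still an older, clean copy to fall back on.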

However, backups alone won’t save you from locking ransomware or from the latest trend of “ransomware doxing”, when attackers threaten to publicly reveal sensitive stolen data unless the ransom is paid. It is, therefore, crucial to keep your users (employees, colleagues, family members) constantly informed about the potential threats. They should be trained to always check the addresses of incoming emails and not blindly click on any links or attachments. More importantly, however, they must be provided with clear actionable guides for dealing with a ransomware attack on their computers.

Endpoint protection solutions are the primary line of defense against ransomware, but the exact capabilities may vary between different products. Modern solutions rely on behavior analysis methods (sometimes powered by machine learning) to identify and block suspicious encryption-related activities before they damage your documents. Others will transparently keep copies of your original files and revert any malicious changes to them automatically. Even the Windows Defender antivirus that comes bundled with Windows 10 now provides built-in ransomware protection – however, you might want to check whether it is enabled on your computer already.
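The paragraph above suggests checking whether the built-in ransomware protection in Windows Defender is actually enabled. The following PowerShell functions are an added example, not code from the article or from KuppingerCole; they use the standard Defender cmdlets (Get-MpComputerStatus, Get-MpPreference, Set-MpPreference, Add-MpPreference) to report the relevant settings, optionally turn on controlled folder access, and list recent controlled-folder-access events. They assume an elevated PowerShell session on Windows 10 with Microsoft Defender Antivirus active.

```powershell
# Added example (not from the original article): report the ransomware-related
# protection state of Microsoft Defender Antivirus on Windows 10, optionally
# enable controlled folder access, and show what it has blocked or audited.
# Run from an elevated PowerShell session.

function Get-RansomwareProtectionStatus {
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    # EnableControlledFolderAccess: 0 = Disabled, 1 = Enabled (block), 2 = Audit mode
    $cfaMode = switch ($pref.EnableControlledFolderAccess) {
        0       { 'Disabled' }
        1       { 'Enabled' }
        2       { 'AuditMode' }
        default { "Other ($($pref.EnableControlledFolderAccess))" }
    }

    [PSCustomObject]@{
        RealTimeProtection     = $status.RealTimeProtectionEnabled
        BehaviorMonitoring     = $status.BehaviorMonitorEnabled
        SignaturesLastUpdated  = $status.AntivirusSignatureLastUpdated
        ControlledFolderAccess = $cfaMode
        ProtectedFolders       = ($pref.ControlledFolderAccessProtectedFolders -join '; ')
        AllowedApplications    = ($pref.ControlledFolderAccessAllowedApplications -join '; ')
    }
}

function Enable-ControlledFolderAccess {
    param(
        [switch]   $AuditOnly,            # log what would be blocked without blocking it
        [string[]] $ExtraFolders = @()    # folders to protect beyond the Windows defaults
    )
    # Audit mode first is a sensible rollout step: it reveals legitimate applications
    # that would be blocked, which can then be allow-listed before switching to block mode.
    $mode = if ($AuditOnly) { 'AuditMode' } else { 'Enabled' }
    Set-MpPreference -EnableControlledFolderAccess $mode
    foreach ($folder in $ExtraFolders) {
        Add-MpPreference -ControlledFolderAccessProtectedFolders $folder
    }
}

function Get-RecentControlledFolderAccessEvents {
    param([int] $Days = 7)
    # Defender operational log: 1123 = write to a protected folder was blocked,
    # 1124 = write would have been blocked (audit mode).
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1123, 1124
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Usage: review the current state first; enable in audit mode, then in block mode
# once the audit events show no legitimate application being caught.
Get-RansomwareProtectionStatus | Format-List
# Enable-ControlledFolderAccess -AuditOnly -ExtraFolders 'D:\Documents'   # placeholder path
# Get-RecentControlledFolderAccessEvents -Days 14
```

Controlled folder access is the part of Defender that corresponds to the “block suspicious encryption-related activities” capability described above: it denies writes to the protected folders from any application that is not trusted or allow-listed, so a ransomware process that starts encrypting documents is stopped and logged rather than left to run.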

Keeping your operating system and critical applications up to date with security patches is another key prevention measure. Remember, the only reason why WannaCry was so devastating is that so many companies did not apply a critical Windows patch in time after it was released months before the attack. Besides Windows itself, applications like Internet Explorer, Adobe Flash, and Microsoft Office are notorious for having the most commonly exploited vulnerabilities.

Finally, a word about the cloud: there is a popular belief that keeping work documents in a cloud storage service like OneDrive or Dropbox is an effective preventive measure against ransomware attacks. To be fair, there is a grain of truth in it. Most of these services have built-in versioning capabilities, allowing you to restore a previous version of a document after it gets corrupted by ransomware. Also, if your computer is locked, you can easily continue working with your document from another device (or even from a remote desktop session if your company uses a virtual desktop infrastructure).

However, these considerations only apply if you are not synchronizing your cloud files with your computer: those local copies will be compromised by ransomware and then automatically copied to the cloud in a matter of seconds. Remember, file synchronization services are not a replacement for a proper backup!

Ransomware during the pandemic crisis

Looking at the latest media reports, it seems that many workers are going to work from home for a substantial period. How does it affect the overall resilience against ransomware attacks? Recently, several large cybercrime gangs have publicly promised not to target healthcare organizations during the pandemic. Also, staying away from corporate networks might substantially slow the spread of malware from one device to the others.

However, security researchers are already reporting an uptick in malicious attacks exploiting coronavirus fears. Also, for every slightly altruistic cybercriminal, there are at least a thousand others without ethical reservations. For individuals working from home, especially when using personal devices not protected by enterprise-wide security tools, the risk of becoming a ransomware victim is, unfortunately, higher than ever.

As an alternative to office-based security gateways, companies should look at security solutions delivered from the cloud, especially those that do not require any additional hardware or software deployment. However, the most effective protection against ransomware is still your own common sense: do not open unsolicited email communications, avoid clicking suspicious links and attachments, and stick to trusted websites for the latest news. Remember, your cyber hygiene is just as critical for your security as literal hygiene is for your health.
