Analyst Chat #3: Protecting Your Organization Against Ransomware

Matthias Reinwarth and Alexei Balaganski discuss the history of ransomware and the measures needed to protect yourself against it.

Matthias Reinwarth: Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth; I'm an analyst and advisor at KuppingerCole Analysts. We will focus on specific and hopefully interesting topics that we as analysts encounter in our daily work. The work that we do is mainly focused on the topic areas of cybersecurity, identity and access management, AI, and much more. Here we do in-depth research, but also advisory work with vendors and end users as clients. In each edition, I'm joined by one guest, often a fellow analyst or another interesting partner, and we will have a 15 minutes or so chat around current topics. My guest today is Alexei Balaganski. He is lead analyst with KuppingerCole, and today we will talk about ransomware and everything around that. So, hi Alexei, welcome.
Alexei Balaganski: Hello Matthias. Thanks for having me.
Matthias Reinwarth: I'm very happy to have you here because you are one of our lead analysts in the area of cybersecurity. And that of course is just a really interesting topic. And it's a real, real-life topic, because cybersecurity is gaining more and more importance while more people are working from home. We are still in this weird time of the Corona pandemic, and ransomware and cybersecurity in general are what we call hot topics. It's really something that should be on everybody's mind today. So we want to talk about ransomware in general today. Can you give the audience a quick introduction of what ransomware actually is? What is the idea, the concept behind that?
Alexei Balaganski: As you might have guessed, the answer is actually right in the name: ransomware. It's obviously a piece of malicious software that's designed to prevent you from accessing your computer or from working with your documents until you pay a ransom, an amount of money, to a cyber attacker. Usually such a piece of malware is delivered to you via a phishing campaign or a malicious email. So it's disguised as a legitimate program or a document, but as soon as a user starts such a program, it kind of rears its ugly head and causes immediate damage to your system or to your files. Most modern strains of ransomware usually encrypt your documents, office files, images, any other valuable pieces of digital information. Some are not as destructive; they just lock you out from accessing your computer. In any case, they will show you a message reminding you to pay a ransom. If you really think about it, ransomware is such a huge topic, yet it's absolutely not a technically complicated thing. Modern media makes people believe that ransomware attacks are something which diabolically clever elite hacker groups come up with. In reality, however, ransomware is something which even a novice cybercriminal, almost a script kiddie, can launch with minimal resources, but really huge monetary return.
Matthias Reinwarth: Okay. That was actually the thing that I was thinking about. Are there typical groups of people who are behind these attacks? You mentioned script kiddies. Of course, there is something that they just do for fun or just because they can, but who are the most important groups behind these ransomware attacks? Are these really people that want to earn money from it through this ransom? Or where is the beef? Where do these attacks really originate from?
Alexei Balaganski: Well, to answer this question properly, I think it might be interesting to go a little bit back in time and look at the humble beginnings of ransomware. So it actually all started, I would say, about a decade ago in Eastern European countries like Russia, for example, where I'm originally from. Back then, the first ransomware attacks were limited to a specific region, because of course the biggest challenge for a ransomware attacker is to collect the ransom. So how do you get that money from your victim? And back then the only feasible options for them to collect the money were, for example, premium SMS numbers, where you would have to send a text message to a paid number, or even go to a store and buy something like an iTunes gift card and send it to the hacker. So obviously this doesn't scale well, and of course it leaves a trail leading to the attacker.
So those original ransomware attacks were small and done by gangs of local hackers, if you will. However, just a few years later, we had this explosive growth of cryptocurrencies like Bitcoin, and the anonymity built into Bitcoin and other cryptocurrencies makes them the perfect tool to collect ransomware payments around the world, which led to a massive increase of scale and of course the profitability of such extortion. So yes, ransomware is now a highly lucrative business. There are probably thousands of local and global cyber gangs, if you will, in this market. Some are well known and established in the underground markets, or they even run their ransomware as a service, where basically you don't have to create any software yourself. You just take a pre-configured kit, run it through some kind of distribution campaign, for example an email spamming campaign,
and you split earnings with the original creators. So basically you are acting as an affiliate partner of such a ransomware-as-a-service group. And it was fine and dandy for quite a few years. You remember this probably, like 2012, 2015, there were large-scale ransomware attacks, and people were already talking about the problem, but it was not destructive enough. It was not yet a real pandemic until, in 2017, you got this WannaCry attack and then the NotPetya attack. I mean, for our listeners who have probably never heard about those names, those were two major ransomware attacks which were using a highly dangerous Windows exploit, which was supposedly developed by the NSA back then and then later stolen by, again, allegedly a Russian hacker group, which published it and made it available to anyone. And any malware which could use this exploit could spread across a network to any unpatched Windows machine without any user interaction whatsoever. And one of the biggest victims of the WannaCry attack was the British national healthcare system, the NHS. But in total, it affected over 200,000 computers across over 150 countries around the world. Whether that was the original intended goal of those attackers, we cannot say, probably not; they only managed to collect a limited amount of money, but they caused huge financial losses to the affected companies. For example, the shipping company Maersk was completely knocked out for weeks, and they estimate the losses to be around $300 million.
Matthias Reinwarth: So you think that also the collateral damage that occurred through WannaCry was something even unexpected by the originators of this strain, so that they didn't think that this could spread in such a way that no one actually can pay the ransom for all these boxes that have been infected, and the collateral damage was just that much higher, which they didn't estimate adequately.
Alexei Balaganski: Oh, we should clearly understand that all we are talking about now are at best our guesses. They are based, of course, on experience, but there will probably never be any undeniable evidence of the motives and the actual people behind these attacks. However, we can presume that, for example, the WannaCry attackers didn't actually plan to be that destructive, because there was a kill switch in their malware. And actually there was a brave British guy, a hero, who discovered this kill switch and used it to slow down the attack. The second one, NotPetya, was probably already used as a weaponized ransomware strain. So its original goal was to disrupt IT systems, not to collect ransom. And this was originally targeted towards Ukrainian companies. And again, that gave the Western media the chance to talk about Russia's involvement, but it quickly spread uncontrolled all around the world. It affected over a hundred countries around the world, and of course pretty much everywhere, including Russia. So again, you can never know what exactly was planned and what exactly went wrong, but you can definitely say that ransomware is no longer just an extortion business. It's really a cyber weapon of destruction.
Matthias Reinwarth: If we fast forward to today, many news headlines deal with this or that strain or family of malware. Is this something that we should consider just right now, with many people working from home, with many people using their own private, personal PC as an entry channel towards corporate networks? What would you say is important when it comes to thinking of ransomware as of today?
Alexei Balaganski: Oh, that's a really interesting and surprisingly complicated question, because on one hand, since we are all working from home, we usually stay away from our corporate networks. And in that regard, the uncontrollable spread of malware from one machine to another might be somewhat limited. Also, of course, that particular exploit has long been patched by Microsoft. And I don't think we can exclude the possibility that there will be another exploit of that scale, but it's not particularly likely at the moment. However, we have already seen that people are now using this whole coronavirus pandemic as an excuse, if you will, as an extremely important topic for spreading the traditional, the older strains of ransomware, to just exploit people's fears, to gain their interest, promising whatever affordable supplies, to lure them into clicking a malicious link or opening a program. So ransomware is just as dangerous now as it was earlier. And of course, if your computer is infected, if your data is lost, who will help you if all your IT colleagues are quarantined somewhere else in the world? It's a more difficult question, I guess.
Matthias Reinwarth: So the main entry point is not really a technological one, but it's the user in front of the keyboard. It's social engineering. The better the link is that leads to such a malware or an installer, the more interesting it looks and the more tempting it is, the higher the risks. So it's not necessarily, as you said, a vulnerability that was in an operating system before; now it's the vulnerability in the person.
Alexei Balaganski: Absolutely. I think, as they say, the problem exists between the keyboard and the chair. Humans are unfortunately always the weakest link in any IT system, even including experts, or at least presumed experts like ourselves. I know that I've been a victim of such attacks earlier. I managed to contain them early enough to prevent any damage. But again, nobody is invulnerable. Staying vigilant, kind of checking all the potential attributes of a phishing email or another kind of malicious email or link, is the first line of defense, just like washing your hands is a first line of defense against the coronavirus.
Matthias Reinwarth: Right. So the more non-technical persons are involved, the higher most probably the danger is that this really can happen. On the other hand, what would you think, if you had to say as a summary for today, what would be the three key measures to take when it comes to preventing any company, any organization, any user from falling victim to such an attack? What would be the three steps you recommend?
Alexei Balaganski: Well, I think it's clear from the earlier discussion that if you are already hit by ransomware, it's usually already too late. So the best defense against ransomware is proactive prevention. And of course, the first thing you have to think about is having backup copies of all your important documents, because even if your computer is completely inaccessible, even if your documents are destroyed, but you have a safe backup copy which is offsite, so it's not affected by ransomware (there are strains which specifically look for your backup copies and destroy them as well), if it's fresh enough, if it's tested to be readable and recoverable, then basically you are safe. I mean, you will only be mildly affected by any ransomware attack. But of course there are some kinds of ransomware which are already mutating and adapting to this situation.
For example, instead of destroying your documents, they will just copy them and try to dox you, that is, they will threaten to publicly reveal your sensitive private information unless you pay the ransom. So obviously you want to avoid that as well. And for that, of course, the most important technology is a proper antivirus or endpoint protection tool. Again, the most important thing is to look beyond the label and check that your antivirus, your EPP solution, actually has capabilities built in specifically for protecting you against ransomware, whether it's just a built-in backup management tool which will restore any document which is corrupted, or if it's designed to identify a ransomware attack early, looking for specific malicious behavior. You have to ask your antivirus vendor what exactly they are able to offer you for protection. And of course the last but most important security measure is your own common sense. Again, be vigilant, read any text before blindly clicking on the link, or think twice before opening a suspicious attachment. If you receive something from your colleague you are unsure about, call the colleague and ask whether it's really a document from him. Be vigilant.
Matthias Reinwarth: Great. So that already very well summarizes what we've been talking about today. We only had the chance to scratch the surface of this immense topic. I assume that we will follow up on that topic in a later edition of this podcast again, and then maybe dig deeper into what a corporation, an enterprise, can do for protecting itself against these threats. For the time being, Alexei, thank you very much for your time and for helping me in this episode of this podcast around ransomware, which is really highly topical just as of now. Anything you want to add from your side?
Alexei Balaganski: Last thing to let our listeners know: even if they have suffered a ransomware attack, they are still not alone in this world. There are people and companies around the world which are ready to help. There is a lot of information available on internet resources which will help you to identify which ransomware you have been affected by, whether there is a known decryptor tool, for example, which will help you recover those documents without paying the ransom. Or if you just need some general guidance, do not hesitate to talk to security experts, including us at KuppingerCole. Again, thank you from my side as well. Stay safe.
Matthias Reinwarth: I will try my best. And just as a short mention at the end, as you've mentioned it already as well, of course this is an area where we as analysts have gained expertise, especially you have gained this expertise. So if you want to talk to the expert, if you want to read from the expert, go to our website, go to KuppingerCole.com, and just try to find the information you need. And if you have further questions, just ask us; we might be able to help you there. Thank you very much, Alexei, and looking forward to having you as a guest in one upcoming episode of this podcast again. Thank you. Bye bye.
Alexei Balaganski: Thanks. Goodbye.