
Identifying Risks and Deploying Solutions to Mitigate and Minimize Cyberattack Risks
The ubiquity of the term “ransomware” has resulted in a sort of tuning-out of the phrase. Many people simply lump it in with the broader category of malware and assume their anti-virus software or corporate firewall can handle this additional threat with little trouble.
This assumption puts many organizations at a disadvantage, as the ever-increasing number of ransomware attacks demonstrates.
Ransomware is a form of cyberattack that, as the name suggests, holds IT systems hostage until the attackers receive a payment. In best-case scenarios, systems and data are simply tied up and inaccessible. In the worst cases, data is lost completely, or systems are damaged or permanently compromised.
These attacks have become increasingly common, in small organizations and businesses as well as in large enterprises. Unfortunately, no one is entirely safe from ransomware, but there is plenty you can do to detect, prevent, and reduce the likelihood and impact of ransomware attacks.
How Common is Ransomware?
Ransomware attacks have increased exponentially in a remarkably short amount of time. According to a report by NTT Security, ransomware attacks increased by 350% in 2017 alone; in 2016, ransomware attacks accounted for a scant 1% of all malware issues, rising to 7% by the next year.
Ransomware damage costs exceeded $5 billion in 2017, and the numbers are expected to rise. The United States and North America remain the primary targets for most ransomware attacks. NTT Security’s report also shows that nearly 70% of all attacks in the Americas target finance and tech businesses, with nearly 10% of all attacks targeting business and professional services. Nonetheless, we are seeing increased attacks on public-sector organizations and small and medium-sized businesses (SMBs) as well.
Simply put, ransomware is incredibly common and remains one of the largest cybersecurity threats facing organizations of all sizes.
How to Tell if You’ve Been Infected
The most obvious way to tell if you’ve been targeted by a ransomware attack is that you can no longer access your system or its data, and have been messaged by the attacker, now extorting you with a promise that they’ll relinquish control once you pay.
If you haven’t received a message yet, though, but suspect you’ve been infected, there are a few steps you can take to determine if you’ve been attacked:
- Check file extensions carefully, and cross-reference unfamiliar ones with known ransomware file extensions.
- Watch out for file renames across your system or network. Mass renaming is very uncommon in normal use. Keep an eye on your data to determine whether it has been encrypted without any action on your part, too.
- Excessive computer slowdown can also indicate there is more going on with your systems, as can suspicious increases in internet traffic. Ransomware surreptitiously uses your own system’s resources and gradually locks it down, so increased resource use can be an indicator.
- Disabled network security solutions are another indicator that someone has taken control of your system and is planning a ransomware attack.
- Even if everything is working perfectly fine, malicious code, scripts, and software could be hidden and waiting to act. Diligence is vital.
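The indicators in the list above can be checked mechanically. The following Python script is an added example, not code from the original article or from IDS Systems: it walks a directory tree and flags files with suspicious extensions, files whose names look like ransom notes, and files whose contents have near-maximum byte entropy (encrypted or compressed data scores close to 8.0 bits per byte, plain documents far lower), and it detects a burst of rename events from a file-system monitor. The extension list, keyword list, and the sample tree it builds are constructed for illustration; replace the lists with maintained ones.

```python
"""Scan a directory for the indicators listed above: files with suspicious
extensions, ransom-note-style files, content that looks encrypted, and a burst
of rename events. Added example; extension list and sample tree are constructed."""
import math
import os
import tempfile
from collections import Counter

# Constructed, illustrative list. In practice, cross-reference a maintained
# list of extensions used by known ransomware families.
SUSPICIOUS_EXTENSIONS = {".locked", ".encrypted", ".crypt", ".wncry"}
# Words that commonly appear in ransom-note filenames (constructed list).
RANSOM_NOTE_KEYWORDS = ("readme", "decrypt", "recover", "restore")
NOTE_TYPES = {".txt", ".html", ".hta"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte. Plain text sits around 4-5; encrypted or
    compressed data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan_tree(root, entropy_threshold=7.5, sample_bytes=4096):
    """Walk `root` and return lists of paths per indicator type."""
    findings = {"suspicious_extension": [], "ransom_note": [], "high_entropy": []}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            ext = os.path.splitext(lower)[1]
            if ext in SUSPICIOUS_EXTENSIONS:
                findings["suspicious_extension"].append(path)
            if ext in NOTE_TYPES and any(k in lower for k in RANSOM_NOTE_KEYWORDS):
                findings["ransom_note"].append(path)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(sample_bytes)
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            # Only judge files with enough bytes for a meaningful estimate.
            if len(head) >= 256 and shannon_entropy(head) >= entropy_threshold:
                findings["high_entropy"].append(path)
    return findings


def rename_burst(events, window_seconds=60, threshold=50):
    """events: iterable of (timestamp_seconds, event_type) from a file-system
    monitor. True if more than `threshold` renames fall inside any window."""
    times = sorted(t for t, kind in events if kind == "rename")
    start = 0
    for end, t in enumerate(times):
        while t - times[start] > window_seconds:
            start += 1
        if end - start + 1 > threshold:
            return True
    return False


def build_demo_tree():
    """Constructed sample tree: one normal text file, one 'encrypted' file
    (every byte value equally often, entropy exactly 8.0), one ransom note."""
    root = tempfile.mkdtemp(prefix="ransom_demo_")
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("The quick brown fox jumps over the lazy dog.\n" * 20)
    with open(os.path.join(root, "report.docx.locked"), "wb") as fh:
        fh.write(bytes(range(256)) * 16)
    with open(os.path.join(root, "README_TO_DECRYPT.txt"), "w") as fh:
        fh.write("Constructed placeholder note text.\n")
    return root


if __name__ == "__main__":
    for kind, paths in scan_tree(build_demo_tree()).items():
        print(kind, paths)
    # 60 renames in one minute is far above a normal user's rate.
    print("rename burst:", rename_burst([(i, "rename") for i in range(60)]))
```

Entropy alone is not proof of encryption (archives and media files also score high), so the three file checks are best read together and alongside the rename-rate signal, which a file-system audit log or EDR agent would feed in.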
How Does Ransomware Spread?
There are many, many avenues open to ransomware attackers that make it possible to infect and spread through IT and computer systems. Some employ a more technical approach, while others use social engineering to achieve their goals, relying on human error to infect and spread.
Ransomware infections most frequently occur through one of the following infection vectors:
Phishing Emails and Human Error
No doubt most users are already familiar with phishing attempts and phishing emails. Phishing emails are by far the most common method for attackers to try and spread ransomware or otherwise access IT and computer systems.
Many phishing emails are very easy to spot, but they are becoming increasingly sophisticated to trick users into opening attachments or clicking through to links with malicious files. Many attackers are able to spoof email addresses or create accounts that are almost indistinguishable from legitimate entities.
Credential-harvesting phishing attacks, where users are prompted to enter login information, are less common, but it is increasingly common to see files and attachments that look like the real thing. PDFs, ZIP files, Word documents, and even JavaScript files can contain ransomware.
All it takes is a single click, and a hacker can access your systems through these compromised files, encrypting data and locking you out. One user inadvertently clicking on the wrong link or file can compromise an entire network.
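Because the attachment types named above (scripts, archives, and documents that are not what they claim to be) are the usual carriers, an inbound-mail policy check is a practical control. The Python below is an added example, not code from the article or from IDS Systems: it inspects each attachment's name for blocked script and executable types and for double extensions such as invoice.pdf.js, and it looks inside ZIP archives for the same patterns. The blocked-type list, the sample ZIP, and the sample messages are constructed for illustration.

```python
"""Quarantine-or-deliver check for email attachments. Added example with a
constructed policy list and constructed sample attachments."""
import io
import zipfile

# Types that should not arrive unsolicited from external senders.
# Constructed policy list; tune it to your environment.
BLOCKED = {".js", ".jse", ".vbs", ".wsf", ".hta", ".exe", ".scr", ".ps1", ".bat", ".cmd"}
# Types a user expects to receive; a blocked type hiding behind one of these
# (report.pdf.js) is the classic double-extension lure.
DOCUMENT_LIKE = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def extensions(filename):
    """All extensions of a name, lower-cased, e.g. 'A.pdf.JS' -> ['.pdf', '.js']."""
    base = filename.lower().rsplit("/", 1)[-1]
    return ["." + p for p in base.split(".")[1:]]


def check_name(filename):
    exts = extensions(filename)
    reasons = []
    if not exts:
        return reasons
    if exts[-1] in BLOCKED:
        reasons.append(f"blocked type {exts[-1]}")
    if len(exts) >= 2 and exts[-2] in DOCUMENT_LIKE and exts[-1] not in DOCUMENT_LIKE:
        reasons.append("double extension disguised as a document")
    return reasons


def check_attachment(filename, data):
    """Check the attachment name and, for ZIP archives, every member name."""
    reasons = [f"{filename}: {r}" for r in check_name(filename)]
    if filename.lower().endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    for r in check_name(member):
                        reasons.append(f"{filename} -> {member}: {r}")
        except zipfile.BadZipFile:
            reasons.append(f"{filename}: claims .zip but is not a valid archive")
    return reasons


def triage_message(attachments):
    """attachments: list of (filename, bytes). Returns (verdict, reasons)."""
    reasons = []
    for name, data in attachments:
        reasons.extend(check_attachment(name, data))
    return ("quarantine" if reasons else "deliver"), reasons


def build_sample_zip():
    """Constructed archive containing a double-extension script name; the
    member body is a harmless comment, not real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2024.pdf.js", "// constructed placeholder\n")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        [("report.pdf", b"%PDF-1.4 constructed body")],
        [("invoice.pdf.js", b"")],
        [("docs.zip", build_sample_zip())],
        [("broken.zip", b"not a zip")],
    ]
    for message in samples:
        verdict, why = triage_message(message)
        print(verdict, why)
```

Name-based checks catch the lures the article describes but not a genuinely malicious Word document or PDF; those need content inspection (macro detection, sandbox detonation) in addition to this policy layer.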
Remote Desktop Protocol
Remote Desktop Protocol (RDP) was created to give IT administrators a way to securely access a user’s machine remotely to make configuration and troubleshooting easier—it also allows admins to use the machine remotely.
Attackers can use publicly available search engines that index internet-exposed hosts to identify machines with RDP reachable from the internet, then brute-force their way in with a password cracker to give themselves administrator access.
Once they’re in as an administrator, they effectively have total control over the machine and can lock it up entirely, holding data and systems for ransom.
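RDP password guessing is noisy in the Windows Security log, so it is one of the easier stages of this attack to detect. The Python below is an added example, not code from the article or from IDS Systems: it reads failed-logon events (Event ID 4625 with logon type 10, the RemoteInteractive type used by RDP), raises an alert when one source address exceeds a failure threshold within a sliding window, and raises a higher-priority alert if that source later produces a successful logon (Event ID 4624). The one-line log format and the sample events (using TEST-NET addresses) are constructed; a real pipeline would read the same fields from the event XML or a SIEM export.

```python
"""Detect RDP password brute-forcing from Windows Security events: many failed
logons (Event ID 4625, logon type 10 = RemoteInteractive) from one source in a
short window, and any success (4624) from a source that was already flagged.
Added example; the one-line log format and the sample events are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed flat format; real deployments parse the event XML or a SIEM export.
LINE_RE = re.compile(
    r"(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUser=(?P<user>\S+) SourceIP=(?P<ip>\S+)"
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None  # header or unrelated line
    d = m.groupdict()
    return {
        "ts": datetime.strptime(d["ts"], TS_FMT).replace(tzinfo=timezone.utc),
        "eid": int(d["eid"]),
        "logon_type": int(d["lt"]),
        "user": d["user"],
        "ip": d["ip"],
    }


def detect(lines, threshold=10, window_seconds=300):
    """Return alerts as tuples. One brute_force alert per source IP, plus a
    success_after_brute_force alert for every later successful RDP logon."""
    alerts = []
    failures = defaultdict(deque)  # source IP -> timestamps of recent failures
    flagged = set()
    for line in lines:
        ev = parse(line)
        if ev is None or ev["logon_type"] != 10:
            continue  # only RemoteInteractive (RDP) logons matter here
        q = failures[ev["ip"]]
        if ev["eid"] == 4625:
            q.append(ev["ts"])
            while (ev["ts"] - q[0]).total_seconds() > window_seconds:
                q.popleft()  # drop failures older than the window
            if len(q) >= threshold and ev["ip"] not in flagged:
                flagged.add(ev["ip"])
                alerts.append(("brute_force", ev["ip"], len(q)))
        elif ev["eid"] == 4624 and ev["ip"] in flagged:
            alerts.append(("success_after_brute_force", ev["ip"], ev["user"]))
    return alerts


def sample_log():
    """Constructed events: 12 rapid failures from 203.0.113.7 followed by a
    success, and two failures (a mistyped password) from 198.51.100.20."""
    base = datetime(2024, 5, 1, 2, 14, 0, tzinfo=timezone.utc)

    def stamp(secs):
        return (base + timedelta(seconds=secs)).strftime(TS_FMT)

    lines = ["# constructed sample, TEST-NET addresses"]
    for i in range(12):
        lines.append(f"{stamp(8 * i)} EventID=4625 LogonType=10 "
                     f"TargetUser=administrator SourceIP=203.0.113.7")
    for i in range(2):
        lines.append(f"{stamp(30 + 20 * i)} EventID=4625 LogonType=10 "
                     f"TargetUser=jsmith SourceIP=198.51.100.20")
    lines.append(f"{stamp(100)} EventID=4624 LogonType=10 "
                 f"TargetUser=administrator SourceIP=203.0.113.7")
    return lines


if __name__ == "__main__":
    for alert in detect(sample_log()):
        print(alert)
```

The success-after-failures rule is the one worth paging on: a burst of failures on its own may be an internet-wide scan, but a success from the same source means the guess worked and the host should be isolated and the account's password reset. Not exposing RDP to the internet at all, and requiring MFA or a VPN in front of it, removes most of this risk before detection is needed.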
Drive-By Downloads from Compromised Sites
Drive-by downloads are malicious downloads that occur without a user’s knowledge when they visit compromised websites. These attacks rely on known vulnerabilities on legitimate websites and allow attackers to inject malicious code into the site or force a redirect to a site they control.
Either approach surreptitiously delivers an exploit kit to the user’s device. Attackers are then able to quietly scan the device in question for vulnerabilities. If the kit finds an exploitable vulnerability, it installs the ransomware and the user receives a ransom note.
This approach has been used in several high-profile instances on sites such as the New York Times, BBC, and the NFL.
USB Drives and Other Removable Media
The devices you use with your computer can host ransomware. USB devices and other items that connect to a computer physically can be a delivery method for ransomware.
While less common, this approach nonetheless yields results for attackers, particularly if attackers take a social engineering approach, as done in Australia in 2016. In this instance, residents in Melbourne found USB drives from “Netflix” in their mailboxes.
These drives claimed to be a promotional application for the popular streaming service; as such, many users plugged the drives in. The drives deployed ransomware quickly, infecting numerous computers.
In some cases, hackers will even add replication capabilities to ransomware, meaning that any removable device plugged into a system after the initial USB drive has infected it is also infected.
What to Do If You’ve Been Attacked
One of the first and best steps you can take if you’ve been infected is to disconnect an infected computer from your corporate network to prevent the infection from spreading. Administrators should immediately disconnect this system and disable Wi-Fi and Bluetooth connections on other machines to help isolate and quarantine the infected device.
The next step is to determine what sort of ransomware your system has been infected with. Depending on the variant affecting your system, there may be decryption tools you can use to unlock and access your files once again.
Where no decryption tool exists, reliable backups are a must. A reliable backup can minimize the impact on an organization and prevent slowdowns to business operations.
Defending Against Future Threats
Does your organization have a business continuity or disaster recovery plan? If so, it’s vital to incorporate ransomware defenses and reliable backup systems into this plan. Consistent off-site backups can help protect data and minimize operational downtime.
Hardware and Software Solutions
IDS Systems provides comprehensive technology solutions that regularly and reliably back up data to ensure business continuity in the event of an attack. IDS DataGuard™ provides off-site backups and rapid redeployment in the event of a ransomware attack, which allows organizations to keep data losses to as little as 30 minutes, in some cases.
Backups and reliable hardware solutions can help mitigate issues that would otherwise cripple a server room.
Additionally, it’s incredibly important to have a complete network firewall solution in place to prevent attacks in the first place. A robust security solution can help protect your data and systems to ensure continued operations.
Training and Education
One of the best steps you can take to protect your organization from attack, beyond backup and security solutions, is to train personnel to spot and identify potential infection vectors. Creating a culture of security and diligence will help ensure your systems remain safe despite the best efforts of attackers.
Educating users about potential threats and how to identify phishing attempts and deceptive links is a vital component of ongoing IT security.
For assistance with ransomware protection and other security solutions, contact the experts at IDS Systems today.