Cyber-crime is a business much like any other, tools and approaches used by attackers are constantly changing and adapting to suit the ever-changing digital environment, and as organisations improve and adapt their security measures, cyber criminals change their methods of attack. The use of ransomware is becoming an increasingly popular tool, used by attackers to exploit businesses and extort money from them. But what is ransomware, who is at risk, and how can these potential victims defend themselves?
What is ransomware?
Ransomware is a form of malware that encrypts the data held on an infected machine and demands a ransom – usually payable in Bitcoin and often tailored to the size of the company – in order to release it and regain access to the device. This piece of malware will often spread to other devices on the network, meaning a whole organisation can be affected from just one compromised device.
In addition to this there is absolutely no guarantee that once the ransom has been paid the devices in question will be decrypted. In fact, sometimes affected devices will be wiped entirely after the ransom payment has been received. Even if the data is decrypted, the computer is still infected with the original programme which could potentially be reactivated at any time if no action is taken to remove it. Often companies that have fallen victim to, and paid out during, ransomware attacks are more likely to be targeted again in the future as they have already been identified as ideal targets. For these reasons organisations are highly discouraged from paying the ransoms, however once the ransomware is in place it is often the only chance of restoring the original data. Often, it’s all too tempting to just pay the ransom and hope the data will be restored.
But all is not lost, even if an organisation does decide to pay the ransom it is possible for cyber security experts, such as norm’s own Cyber Security Incident Response Team (CSIRT), to remove the malware from infected devices and help put the appropriate measures in place to prevent similar attacks.
But don’t just take our word for it, here are some examples of real-life ransomware attacks.
One of the most famous examples of a ransomware attack, WannaCry infected around 230,000 computers around the world in 2017. The software specifically targeted devices running on Windows and held their contents to ransom, demanding a bitcoin payment within three days or the permanent deletion of all files.
Here in the UK the attack notably targeted around one third of NHS trusts, resulting in somewhere close to 19,000 appointments being cancelled and ambulances being incorrectly re-routed. Not only is this an example of business interruption with the loss of appointments costing the NHS approximately £92m, it is a terrifying one that left multiple people without urgent medical attention.
It is still unknown whether any files were recovered, even after paying the ransom, in this case. Reports claim that a fault in the software meant that any payment received could not be associated with the user it came from, suggesting that even when their demands were met the attackers had no way of knowing where the payment came from, resulting in the ransomware remaining in place.
As shocking as this case study sounds it isn’t all necessarily bad news, the WannaCry attack was only so proficient at infecting devices because it exploited a weakness in an old version of the Windows operating system, and older Windows devices which were no longer supported. This has since been patched via an update available to all Windows users. In this case simply keeping up to date with software updates and regular patching would have been enough to prevent the attack, this is one simple and easy measure that all organisations can implement to improve their defences against attack. Something as simple as frequent and regular penetration testing will help to highlight this and similar weaknesses to an organisation’s systems and is an invaluable tool in the fight against ransomware.
By comparison, more recent news reported that cyber insurance giants, Chubb, had fallen victim to a ransomware attack. In this case the attack was carried out by a cyber-criminal group called Maze who posted a statement claiming to have encrypted and stolen personal data from Chubb’s systems. The group then posted a number of email addresses of executives as “proof” and demanded a payment in order to keep the rest of the data safe.
Chubb released a statement following this claiming that there was an ongoing investigation, involving working with an external cyber security provider, but that there was no evidence that their systems had in fact been affected. However, no further information surrounding the alleged attack has been provided since and it is unclear whether the claim was simply a publicity stunt from Maze or whether Chubb dealt with it internally and paid the ransom.
In the wake of these claims a report was produced by cyber security intelligence firm Bad Packets stating that their vulnerability scans of the Chubb network had found Citrix servers on the network which are vulnerable to the CVE-2019-19871 vulnerability, and that Chubb had a remote desktop server which could easily be accessed by the public. Both of these were revealed easily by vulnerability scans and are both are huge security concerns, with the FBI stating that public access to remote desktops is around “70-80% of the initial foothold that ransomware actors use” while the CVE-2019-19871 vulnerability is known to have been exploited in the past for external users to hack into networks and install ransomware.
Not only is it hugely damaging for the reputation of a cyber insurer to be vulnerable to the very ransomware attacks they insure against, it is also concerning from a data protection point of view. Insurance companies in particular hold vast amounts of personal data that relate to their clients, often including addresses, full names, income information, and payment details. These organisations have a significant duty to ensure this data is protected to the best of their ability.
How can you protect yourself?
Keeping up to date with any operating system patches and updates is a basic and easy to execute defence. Combining this with regular penetration testing, vulnerability scans and patching will help to identify any areas of weakness that could be exploited by an attacker as potential entry points into your networks. Not only do these provide an invaluable and detailed insight into an organisation’s weaker areas, they are often also a requirement from a compliance perspective. They should always be carried out by a third-party provider rather than an in-house IT team in the interests of independence.
As well as a technology perspective, businesses also need to ensure they are correctly and effectively training their staff. Malware doesn’t just enter through technological weaknesses in networks, attackers can also deploy social engineering tactics to trick staff into opening compromised links or documents sent in cleverly crafted messages designed to deploy malware onto a device. The best way to combat this is with effective and regular staff training specifically relating to cyber safety and phishing, which should also be designed and delivered by a third party.
At norm. we have made it easy to protect your networks from ransomware attacks and other cyber security threats. Our managed Cyber Security as a Service (CSaaS) package provides everything you need to identify weaknesses, put in place defences, and comply with requirements from regulatory bodies – all at one low monthly fee. It also includes monthly, jargon-free reporting which gives your overall cyber stress score and provides recommendations on how to improve it.
As part of our CSaaS offering, we also provide access to our Cyber Security Incident Response Team (CSIRT) which is available 24/7 and provides access to cyber security and data protection experts. Our team works alongside your staff from initial incident identification, containment, malware removal, through to restoration of your services. We also liaise with the ICO on your behalf, if required.
We know no business wants to be interrupted by systems going offline, visit our website page dedicated to preventing cybercrime from taking business offline for more in depth information.
If you have fallen victim to a ransomware attack our team can help and are always available on our hotline: 020 3855 5303, alternatively you can contact us via email at firstname.lastname@example.org
Written by Isabella Gibson
Isabella Gibson is a member of the norm. sales team. She joins the team with a BSc in Biology from the University of Bristol and puts her well developed research and data analysis skills in to good use in her role. She is currently focusing her research on the benefits and risks of an increasingly digital working environment.