Learn about malware and ransomware attacks: what they are and how they spread to infect systems en masse. How do you prevent such attacks? Should you pay the ransom? What should you do if your business is hacked? We answer all these questions around malware attacks.
Advancements in technology do not come without threats. As the number of people online grows significantly each day, threats become more omnipresent on the internet. Ever since the birth of the online sphere, there has been great interest in securing networks from cyber attacks such as malware and ransomware.
An estimated 30 million attacks happen in cyberspace annually, costing individuals, corporations, and governments billions each year. Damages can range from small scale account attacks to large scale business breaches that leak sensitive information to the public. Such damages are why investing in cybersecurity is essential for everyone.
The Silent Killer: Malware
There is no way to stay completely invisible from online threats. Although there are existing methods to discourage hackers from accessing your information, threats like malware are always present. Malware is a term coined to describe malicious software that makes its way onto digital devices through programs created by hackers on the web.
Malware includes multiple types of malicious code like spyware, bots, rootkits, worms, and other computer viruses. These find their way into computers through visiting shady websites and signing up for strange offers online. Spyware is mainly characterised by its ability to track the activity on a specific device. Bots can hack your accounts online, perform DDoS attacks, and even mess around with particular processes on business websites. Rootkits allow hackers to control a device remotely to steal information, allowing worms to spread through your networks to access files.
What is the difference between ransomware and malware?
Malware is a more powerful force that can damage industries and disrupt entire online environments through hacking and sensitive information leaking. Ransomware is a more targeted approach that aims to take control of people’s computers and lock software and files. To get files back and regain access to a computer, the ransom attacker will ask for a payment. Supposedly, once they receive the payment, they will send a unique key to release it.
Ransomware usually reaches victims through phishing emails that contain malicious links. These emails pretend to offer a free item or ask the recipient to change the password on an old account. Many such emails have become advanced enough to look indistinguishable from legitimate ones, which means checking the sender's email address is a must.
When a person’s email address is hacked, the hackers will likely use it to send more ransom links to other addresses in a person’s contact list.
Should you pay the ransom?
There is no single answer to this question. Several businesses and county governments have paid the ransom to obtain their decryption keys and resume normal operations. On the other hand, security experts call for never paying the ransom.
The decision to pay a ransomware demand should not be taken lightly. It means accepting several risks and should be made in coordination with legal counsel, cyber insurers and security experts.
Should you decide to pay the ransom, you need to be aware of the following key factors:
- You could be targeted again in the future
- There is no guarantee that you will get your data decrypted
- Your systems may still be infected
- You may be paying cybercriminals who are carrying out illegal activities just like your incident
A quick web search will show that attackers publicly threaten to leak the data if they are not paid. Irrespective of the payment decision, it may take a while to return to normal operations.
Common Ransomware Attack Vectors
Phishing emails are a tactic frequently used by threat actors to deploy ransomware. A compromised email account also becomes an internal weapon: it can be used to send malicious emails to multiple contacts who trust that sender. Attackers encourage users to open a malicious attachment or a link that leads to attacker-controlled systems.
RDP (Remote Desktop Protocol)
RDP is one of the most popular protocols for remote desktop sessions, allowing staff to access their organisation's servers and desktops remotely (over the internet). Insecure RDP configurations are frequently targeted by ransomware actors to gain initial access, typically using credentials harvested through phishing, data breach dumps or other social engineering techniques.
Unpatched software or hardware adds to the insecure assets of an organisation, greatly increasing its risk exposure. When such systems are internet-facing, attackers can exploit the weaknesses to gain access to internal networks.
Ransomware kill chain – How does a ransomware attack take place?
There are five phases of a ransomware attack. Understanding the Indicators of Compromise along the attack chain is the best way to start defending your network before applying controls. The following will help you understand the different phases of the ransomware kill chain, which sits at the centre of most ransomware attacks such as CryptoLocker, Petya and SamSam. For a quick grasp of an attack chain, read about the cyber kill chain phases.
- Initial access
Before ransomware starts its task, the first step is to gain access to the target system or network. This is most often done by one of two methods: exploitation of a known vulnerability, or phishing. Examples of exploit kits that contributed to ransomware attacks in the past are Angler, Sundown and Magnitude, which exploited vulnerabilities in Internet Explorer, Adobe Flash Player and Silverlight.
An exploit kit is nothing more than a set of coded modules that exploit weaknesses, stay silent and then run post-exploitation modules that continuously gather information for the attacker. Such silent operations include techniques such as drive-by downloads, where a user's browser is directed to a malicious website that downloads malware and infects the user.
- Delivery and Execution
Ransomware files are delivered to the target system. Persistence techniques are used so the malware stays on the system without being detected.
- Backup Hijacking
Ransomware targets backup data such as files and folders on the victim's system. Storing backups on the same system or in the same network is not good security practice, and removing backup data to eliminate the chance of recovery is a property unique to ransomware.
- Data encryption
Files and folders are encrypted after a secure key exchange with the Command and Control (C2) server, which ensures that different encryption keys are used for different victims (networks).
- User notification
After the backups are deleted and the files and folders encrypted, a warning is displayed to the system user with instructions on how to recover their data, where to pay the ransom and related details.
Examples of ransomware attacks
A few notable incidents of ransomware attacks in the past are:
- Ryuk in 2019 and 2020 spread via malicious emails, phishing users with links and email attachments. Ryuk ransoms exceeded 300,000 USD to release files and data, making it one of the most expensive.
- SamSam attacks started in 2016 and 2017, but gained coverage around 2018 when it affected the city of Atlanta, the Department of Transportation and other organisations. RDP, Java-based web servers such as JBoss, or FTP servers were used to gain access to victims' networks.
- The WannaCry outbreak affected the NHS and other organisations in 2017. It is considered one of the most devastating incidents in ransomware history in terms of the scale of losses. WannaCry exploited a Windows vulnerability, affecting organisations worldwide; thousands of businesses were hit, including well-known names such as FedEx, Nissan and Telefonica.
- TeslaCrypt, CryptoLocker and Petya are some of the other examples. The AIDS trojan (or PC Cyborg), created by Harvard biologist Joseph Popp, is considered the first ransomware. It was distributed on infected floppy disks given to attendees of an international AIDS conference in Sweden in 1989.
How to prevent ransomware attacks?
Defence in Depth Cybersecurity Strategy
There is no single solution that completely prevents malware attacks. A defence in depth approach uses layered defences that offer more opportunities to detect and prevent malware, stopping it before it infects the target system or network. Just as important is limiting the impact of a malware or ransomware attack and responding quickly. Speed is the key, and it only comes with preparation and practice. Therefore, your organisation must have people, processes and technology acting together to limit the impact of attacks.
Cyphere provides the following top tips against malware and ransomware attacks:
Tip 1: Prevent Malware Delivery
Preventing malware from being delivered to your systems greatly reduces the malware and ransomware threat.
Use email and web filtering to allow only the file types and data that recipients expect. By blocking suspicious websites and continuously inspecting internet content, malware transmission can be stopped before it reaches your internal systems. Use DNS based filtering techniques to stop such threats.
Secure remote access adds layered protection for networks. Restricting RDP access to internal systems and enforcing VPN access with multi-factor authentication greatly reduces the attack surface of remote access points into the network. Ensure multi-factor authentication is enforced on all email accounts.
Tip 2: Prevent Malware Infection
It is important that internal systems and devices are configured to prevent malware execution. In line with the defence-in-depth approach, follow secure hardening practices for the operating system builds in your environment. For example, individual Windows versions may need different settings, but an overall hardening baseline should apply to the entire Windows OS family, with separate baselines for servers and desktops.
Patch management is an important mitigation that ensures exploitable bugs in your products are patched as soon as possible. Ensure that security updates are installed as they become available from the product vendor.
Scripting environments should have restrictions to avoid the execution and spread of malware. This includes disabling Office Macros or limiting scripting environments using AppLocker enforced via group policy. Once disabled, ensure that users cannot re-enable them.
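The following is an added audit example for the RDP restriction in Tip 1 and the macro and AppLocker controls in Tip 2; it is not code from the article or from Cyphere. It is read-only, assumes Windows PowerShell on a Pro/Enterprise or Server edition with the AppLocker module, and the expected values it checks against are assumptions stated in the comments.

```powershell
# Added audit example, not code from the article or from Cyphere: read-only checks for
# the RDP and scripting controls in Tips 1 and 2. Expected values are assumptions noted
# per check; paths are the standard Terminal Server and Office 2016/365 (16.0) policy keys.
$Checks = @(
    @{ Name  = 'RDP listener disabled (assumes this host does not need RDP)'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
       Value = 'fDenyTSConnections'; Expected = 1 },
    @{ Name  = 'RDP requires Network Level Authentication when enabled'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
       Value = 'UserAuthentication'; Expected = 1 }
)
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $base = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    # VBAWarnings 4 = "Disable all macros without notification"
    $Checks += @{ Name = "$app macros disabled without notification"
                  Path = $base; Value = 'VBAWarnings'; Expected = 4 }
    # 1 = block macros in Office files that carry the Mark of the Web
    $Checks += @{ Name = "$app blocks macros in files from the internet"
                  Path = $base; Value = 'BlockContentExecutionFromInternet'; Expected = 1 }
}

function Test-HardeningSetting {
    param([hashtable]$Check)
    # A missing key or value means the policy is not applied: a finding in itself
    try   { $actual = (Get-ItemProperty -Path $Check.Path -Name $Check.Value -ErrorAction Stop).($Check.Value) }
    catch { $actual = $null }
    $shown = if ($null -eq $actual) { 'not set' } else { $actual }
    [pscustomobject]@{ Check = $Check.Name; Expected = $Check.Expected
                       Actual = $shown; Pass = ($actual -eq $Check.Expected) }
}
$results = @($Checks | ForEach-Object { Test-HardeningSetting -Check $_ })

# AppLocker only restricts scripts when its service runs and the Script rule
# collection is in enforce mode ('Enabled'), not 'AuditOnly'.
$svc = Get-Service -Name AppIDSvc -ErrorAction SilentlyContinue
$svcState = if ($svc) { "$($svc.Status)" } else { 'not found' }
$results += [pscustomobject]@{ Check = 'AppLocker service (AppIDSvc) running'
    Expected = 'Running'; Actual = $svcState; Pass = ($svcState -eq 'Running') }

$mode = 'no policy'
try {
    [xml]$xml = (Get-AppLockerPolicy -Effective -ErrorAction Stop).ToXml()
    $coll = $xml.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Script' }
    if ($coll) { $mode = $coll.EnforcementMode }
} catch { $mode = 'unavailable' }   # cmdlet missing on editions without AppLocker
$results += [pscustomobject]@{ Check = 'AppLocker Script rules enforced'
    Expected = 'Enabled'; Actual = $mode; Pass = ($mode -eq 'Enabled') }

$results | Format-Table -AutoSize
$failed = @($results | Where-Object { -not $_.Pass }).Count
Write-Host "$failed of $($results.Count) checks failed"
```

Run it under the user account whose Office policy you want to verify, since the macro settings live under HKCU; a 'not set' result means group policy has not reached that host yet.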
Tip 3: Limit the Impact
Use the principle of least privilege: allow remote login only with low privilege accounts. There should be an approval process for users who need to escalate privileges, and escalation must happen on a need-only basis. All escalated privileges should be time-limited and revoked upon task completion.
Regularly review permissions for all staff, including internal and external employees. This regular review of user permissions limits malware's ability to spread around the network. Do not allow IT teams and other privileged user groups to perform everyday corporate tasks such as web browsing and email with privileged accounts. Create separate accounts for corporate and production environments.
Segregate obsolete systems from the rest of the network to keep the attack surface small. Obsolete systems are no longer supported by their vendors, so no security fixes are available for the bugs exploited by cybercriminals.
Tip 4: Education
User education and awareness training play a key role in stopping malware from being delivered and/or infecting other systems within the network. At a minimum, user training should cover:
- Defending against phishing
- Strong authentication practices
- Securing your devices
- Reporting incidents
There should be zero exceptions for this awareness training exercise. Specifically, cybercriminals often target senior management staff due to their importance within the business. Therefore, no exceptions should be made that could prove costly to the business later.
Organise regular training with engaging content about ongoing issues. Topics such as working remotely securely, insider threats and cyber security tips for businesses should be included, in easy to understand language.
Consider your supply chain to ensure a better cyber security posture across business partners, suppliers and other third parties. Small businesses should consider defining policies for supply chain parties based on the risks attached to data access, storage and consumption.
Tip 5: Backups
Ransomware attacks actively target backups to increase the likelihood of payment. Make regular backups of the data most important to the organisation. Find out which data is critical, and test restoring from backup regularly to ensure it works as expected.
At the least, create one offline backup that is stored at a different location (offsite) from your network and systems. Utilise cloud services designed to protect backups where possible.
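A restore test is only meaningful if it proves the restored files are the ones that were backed up. The script below is an added example, not code from the article or from Cyphere: it records a SHA-256 manifest when the backup is taken and later checks a restore against it, reporting missing and altered files. It assumes Windows PowerShell and builds its own sample data in a temp folder.

```powershell
# Added example, not code from the article or from Cyphere: record a SHA-256 manifest
# when the backup is taken, then prove a restore by checking every file against it.
function New-BackupManifest {
    param([string]$SourcePath, [string]$ManifestPath)
    $root = (Resolve-Path -LiteralPath $SourcePath).Path
    $manifest = @{}
    foreach ($f in Get-ChildItem -LiteralPath $root -Recurse -File) {
        $rel = $f.FullName.Substring($root.Length).TrimStart('\', '/')
        $manifest[$rel] = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
    }
    $manifest | ConvertTo-Json | Set-Content -LiteralPath $ManifestPath -Encoding UTF8
    return $manifest.Count
}

function Test-BackupRestore {
    param([string]$RestorePath, [string]$ManifestPath)
    $root = (Resolve-Path -LiteralPath $RestorePath).Path
    $expected = Get-Content -LiteralPath $ManifestPath -Raw | ConvertFrom-Json
    $report = [ordered]@{ Verified = 0; Missing = @(); Mismatched = @() }
    foreach ($p in $expected.PSObject.Properties) {
        $full = Join-Path $root $p.Name
        if (-not (Test-Path -LiteralPath $full)) { $report.Missing += $p.Name; continue }
        $hash = (Get-FileHash -LiteralPath $full -Algorithm SHA256).Hash
        if ($hash -eq $p.Value) { $report.Verified++ } else { $report.Mismatched += $p.Name }
    }
    # Restore passes only if nothing is missing or altered; extra files do not matter
    $report.Passed = ($report.Missing.Count -eq 0 -and $report.Mismatched.Count -eq 0)
    return [pscustomobject]$report
}

# Constructed demonstration data in a temp folder: a "backup" and its restore copy,
# then one restored file is corrupted and one removed to show what the test reports.
$work   = Join-Path ([IO.Path]::GetTempPath()) "restore-test-$([guid]::NewGuid())"
$backup = Join-Path $work 'backup'
New-Item -ItemType Directory -Path (Join-Path $backup 'finance') -Force | Out-Null
'ledger 2024' | Set-Content -LiteralPath (Join-Path $backup 'finance\ledger.csv')
'payroll'     | Set-Content -LiteralPath (Join-Path $backup 'finance\payroll.csv')
'contracts'   | Set-Content -LiteralPath (Join-Path $backup 'contracts.txt')
$manifest = Join-Path $work 'manifest.json'
New-BackupManifest -SourcePath $backup -ManifestPath $manifest | Out-Null

$restore = Join-Path $work 'restore'
Copy-Item -LiteralPath $backup -Destination $restore -Recurse
'tampered' | Set-Content -LiteralPath (Join-Path $restore 'finance\ledger.csv')   # altered
Remove-Item -LiteralPath (Join-Path $restore 'contracts.txt')                     # lost

Test-BackupRestore -RestorePath $restore -ManifestPath $manifest | Format-List
Remove-Item -LiteralPath $work -Recurse -Force
```

Keep the manifest with the offline copy rather than only on the production network, otherwise ransomware that reaches the backups can alter both.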
Being prepared matters more than the belief that 'we are too small'. That belief does not hold, as malware and ransomware attacks target businesses irrespective of their size; small businesses are targeted more often precisely because they are less prepared. Identify the critical assets and determine the impact should your business come under attack. Identify your legal and regulatory obligations and an incident management plan to prioritise system recovery. Identify the attack vectors possible in your business context, and rehearse them using third party penetration testing companies. This lets you assess and analyse the gaps identified by security experts, followed by a remediation plan to mitigate these risks. Acting on the penetration test findings minimises the attack surface and demonstrates a data security commitment to your supply chain.
What to do after the malware attack?
Follow these steps immediately to limit the impact of a malware attack:
- Disconnect the infected systems, devices immediately from all network connections (wired, wireless or mobile).
- Reset credentials, especially privileged accounts.
- Securely wipe the infected devices and reinstall the operating system from the gold build. If the incident needs investigating, get professional help from third-party security providers.
- Double check that the underlying system is clean before restoring a backup.
- Only then reconnect these devices to the network to download, install and update software.
- Install antivirus and run a full scan. Schedule periodic scans and enable on-access scanning.
- Monitor network traffic across the company to identify any similar behaviours.
What to do after the Ransomware attack?
The steps are similar to those listed above for a malware attack. The difference is the aftermath: ransomware leaves you with encrypted data you cannot access. A ransomware attack encrypts the important files, leaving no way to decrypt them without the decryption key, which the attackers hold and offer only upon ransom payment. No More Ransom, a good initiative supported by Europol's European Cybercrime Centre and private companies, provides prevention advice and decryption tools from anti-virus vendors, which may help.
Whether deciding on paying the ransom or on the post-attack strategy to clean up the network, as described above, businesses should consider the next steps carefully.
Cybersecurity is a must-have for anyone who is heavily reliant on the internet for lifestyle, work, or leisure purposes. Too many attackers have made a foothold in the cybersphere, which means that staying safe must be everyone’s priority. Educating users on the importance of network security will help everyone fight back against malicious attackers online.
Our assessment services assist customers with preparation against such attacks. Technical risk assessments such as penetration testing and build configuration review support proactive and resilient measures against malicious attacks on your network and data. Should you wish to discuss any security concerns, get in touch for a free chat.
Harman Singh is a security professional with over 15 years of consulting experience in both public and private sectors.
As the Managing Consultant at Cyphere, he provides cyber security services to retailers, fintech companies, SaaS providers, housing and social care, construction and more. Harman specialises in technical risk assessments, penetration testing and security strategy.
He regularly speaks at industry events, has been a trainer at prestigious conferences such as Black Hat and shares his expertise on topics such as ‘less is more’ when it comes to cybersecurity. He is a strong advocate for ensuring cyber security as an enabler for business growth.
In addition to his consultancy work, Harman is an active blogger and author who has written articles for Infosecurity Magazine, VentureBeat and other websites.