Ransomware special - Just when you thought it was safe...

We reported recently on how ransomware attacks, where organisations get locked out of their data unless they pay a ransom, were on the wane. Now, just when you thought it was safe, the numbers for the first half of 2019 are out and it looks like ransomware attacks have taken a dramatic upturn once more. And it gets worse. The most recent victim, ironically, was one of the world's largest providers of forensic services.

Eurofins pays ransom to ransomware creators

According to the BBC, Eurofins Scientific, the Luxembourg-based forensic services experts who do testing for the world's police forces and security agencies, encountered a ransomware attack in early June 2019, and it reportedly paid the ransom. It's just one of a slew of recent high-profile attacks. Lake City in Florida, for example, handed over $530,000 in bitcoin to cybercriminals in June, and Riviera city in Florida paid $600,000 to unlock its files. Both suffered attacks from Ryuk, allegedly created by a Russian organised crime group called Grim Spider. Some say Ryuk ransomware collected more than three and a half million US dollars in ransoms during its first four months out in the wild.

Ryuk isn't exactly sophisticated – it's all down to human error

Like most ransomware, Ryuk gets into systems via malicious email attachments, which is hardly the most sophisticated approach in the world. It's about as basic as it gets. The only reason Ryuk is causing havoc is that people are still opening malicious emails, and that's something every worker on the planet should have been taught not to do a very long time ago.

Ryuk is designed to disable anti-malware, and it can lie dormant for months waiting for the right conditions. Once activated it encrypts every file on the infected machine, and demands that the victim sends two encrypted files to an email address for decryption. The hackers then return the decrypted files and include a bitcoin wallet address, to which the victim pays the ransom.

The problem with paying ransoms...

It's understandably tempting to just pay up and shut up, making the problem go away in the simplest and fastest way. The problem is, as more businesses pay up the criminals only become bolder. They wouldn't bother doing it if it didn't work, after all, and that means the businesses that pay ransoms are only helping the problem proliferate.

Insurance companies often take the strain and refund some or all of the ransom paid, as in the case of the Lake City attack. But Lloyd's of London says 'more clarity' is needed around whether current insurance products should cover attacks like this, and that's a sign insurers might eventually slam the doors shut until they can underwrite policies that properly reflect the risk.

Paying up doesn't always mean the attackers will unlock your data, either. Why should they, once they've got your money? These are obviously not honourable people and it's unwise to trust them. Worse still, cyber criminals often share 'sucker lists' of people and organisations they know are naïve, who they think they might be able to successfully target a second time.

The simple solution to ransomware threats?

It's actually fairly simple to stop email-led ransomware attacks. Since people are the vulnerable point, much more so than systems, it's essential to train every single employee who uses a tablet, mobile phone, laptop or desktop for work to recognise the risks. Better IT literacy is probably your best weapon right now, but it's shocking how few businesses, small and large, bother to train their staff in cyber security and make the training continuous so it stays abreast of new types of attack.

Stats about the rise in ransomware attacks

  • Big attacks are only the most high-profile element of a much wider trend, according to IBM's X-Force Incident Response and Intelligence Services

  • 50% of target organisations examined by IBM were in the manufacturing sector, closely followed by oil, gas and education

  • Most cyber attacks focused on organisations in the EU, US and Middle East

  • Ransomware attacks increased by 116% during the first 6 months of 2019

What do the newest ransomware threats look like?

Ransomware can be mindlessly destructive, with no ransom involved. WannaCry and NotPetya are a couple of good examples. It appears that purely destructive attacks aren't the exclusive province of state-backed attacks like Stuxnet any more; they're also being harnessed by everyday cybercriminals.

Software like LockerGoga and MegaCortex is ransom-led, but it seeks out key industrial systems as well as data. And that's worrying. GermanWiper malware, for example, takes the same approach as NotPetya but the effects are irreversible. And there's a rash of financially motivated attackers who get extra-destructive when they don't achieve their aims, a kind of revenge attack.

Where your main vulnerabilities lie

Some non-targeted ransomware attacks exploit vulnerabilities in servers. But most of them kick off with a spear-phishing email, password guessing or an attack via a website related to a business or sector. Malvertising – malicious advertising – is a risk, and third party systems like cloud services are often too easy for hackers to compromise. PowerShell scripts are still popular with criminals, and privileged accounts with broad-based admin access are something they love, since they let them be particularly stealthy.

Make sure your people are adequately cyber-crime aware

Sensible businesses start with the absolute basics, making sure their systems are as secure as possible and the cyber security protocols used by employees are watertight. If you want to put your business on a firm footing we'll be pleased to provide support with the government's Cyber Essentials and Cyber Essentials Plus schemes. Just give us a call for a no-strings chat with a proper professional.




©2019 by Forensic Control  All Rights Reserved.      
