Cryptoviral Extortion: The Enduring Problem of Ransomware

In 1989, the first instance of ransomware was delivered to thousands of people on floppy disks and demanded that money be sent in the form of a cashier’s check or international money order to a P.O. box in Panama. These days, ransomware has become increasingly streamlined. Just about anyone can purchase a ransomware strain off the dark web and deploy it without needing to be especially tech-savvy. Additionally, using cryptocurrency like Bitcoin helps attackers stay anonymous and untraceable. Though modern ransomware is simple to use, its effects can be far-reaching and long-lasting. Read on to learn about the long arms of ransomware, and how to protect your organization from its grasp.

Ransomware can set you back decades

Attackers have found a particularly vulnerable victim in small towns and businesses, which often lack the financial resources it takes to recover from a ransomware attack. For example, the Alaskan borough of Matanuska-Susitna nearly had to shut down after a strain swept through their systems, affecting everyone from the purchasing department to the library. Those assets that were not infected were taken offline to prevent further spread. Staff were forced to return to the use of pen, paper, and typewriters for days. Though the attack took place in July 2018, the borough is still recovering.

While successful ransomware attacks don’t always completely cripple organizations, they almost always cause significant disruption. For example, last year’s attack on the city of Atlanta using the SamSam strain of ransomware cost millions and took months to return productivity to normal levels.

Unfortunately, organizations remain far too confident in their ability to recover quickly. In a comprehensive survey of cybersecurity professionals conducted by Cybersecurity Insiders, 79% of respondents thought they could recover from an attack in less than a week. Though initial information about attacks is constantly in the news, more follow-ups demonstrating the long-lasting effects may still be needed.

Data backup plans may not be enough

Ransomware can be fast acting and incredibly thorough, as Apex Human Capital Management recently discovered when a ransomware attack spread through its network. The company had just completed an exhaustive recovery plan, with an off-site system mirroring the live system, intended to protect it from exactly this type of situation. Regrettably, because the live site had an ongoing connection to the backup site, the ransomware was quickly able to hold both sets of data hostage.

Sadly, the path to the retrieval of their data was not a smooth one. They paid the ransom but were given a decryption key that did not work as promised. The decryption process broke a number of directories and left some of the other files completely unopenable. In the end, they were left with a half-recovered set of files.

In order to have a truly secure backup, the secondary system must be disconnected from the network whenever it is not actively receiving a backup, so that an infection on the live network cannot reach it. In fact, it’s best to have multiple backups in place, with at least one of them off-site.
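A disconnected copy only helps if you can tell, before you need it, that it is still intact. The following is an added example (not code from the article or from Apex) of a backup-manifest check: at backup time it records a SHA-256 hash of every file in the backup set, and at verification time it recomputes the hashes and reports files that were modified, removed, or added since. A copy that stayed reachable from the live network and was silently encrypted shows up as mismatches rather than being discovered during a restore. The directory layout, file names and the "encrypt one file" scenario in `demo()` are all constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backup files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(backup_root: Path) -> Dict[str, str]:
    """Record the hash of every regular file under the backup root (relative POSIX paths)."""
    return {
        p.relative_to(backup_root).as_posix(): sha256_file(p)
        for p in sorted(backup_root.rglob("*"))
        if p.is_file()
    }


def verify_backup(backup_root: Path, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the backup set on disk against a manifest taken when the backup was made.

    Returns the files whose content changed, files that disappeared, and files
    that appeared after the manifest was written (a dropped ransom note, for example).
    """
    current = build_manifest(backup_root)
    report: Dict[str, List[str]] = {"modified": [], "missing": [], "unexpected": []}
    for rel_path, expected in manifest.items():
        if rel_path not in current:
            report["missing"].append(rel_path)
        elif current[rel_path] != expected:
            report["modified"].append(rel_path)
    for rel_path in current:
        if rel_path not in manifest:
            report["unexpected"].append(rel_path)
    return report


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: a clean backup, then one file overwritten and a note added."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "payroll").mkdir()
        (root / "payroll" / "q1.csv").write_text("employee,amount\n1,100\n")
        (root / "readme.txt").write_text("offline copy, do not mount on the live network\n")

        manifest = build_manifest(root)          # taken at backup time, stored elsewhere
        clean = verify_backup(root, manifest)
        assert clean == {"modified": [], "missing": [], "unexpected": []}

        # Simulate tampering of the copy: one file replaced with random bytes and a
        # new file dropped alongside it (constructed, not a real sample).
        (root / "payroll" / "q1.csv").write_bytes(os.urandom(32))
        (root / "HOW_TO_RECOVER.txt").write_text("constructed ransom note\n")
        return verify_backup(root, manifest)


if __name__ == "__main__":
    print(demo())
```

The manifest must live somewhere the backup host cannot write to (the off-site copy's own metadata store, or a signed file kept with the operations team), otherwise an attacker who reaches the backup can rewrite the hashes along with the data. Running the check after every backup cycle, and before any restore, turns "the backup was also encrypted" from a surprise during recovery into an alert on the day it happens.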

Paying the ransom is no guarantee of recovery

Apex’s desire to simply get it over with and pay the ransom to quickly get data back and return to business as usual is an instinct everyone can sympathize with. Regardless, experts almost universally advise not to pay the ransom. The fact is, you simply cannot trust that attackers will return your data once you’ve paid. Once you’ve paid, they have what they want, and face zero consequences for not holding up their end of the bargain. For example, XBash malware poses as ransomware, but is programmed merely to destroy Linux databases, and contains no restoration mechanism.

Despite this, according to a survey by CyberEdge Group, 38.7% of organizations paid the ransom, and only half of these victims recovered their data. Of the 61.3% that did not pay the ransom, 53.3% were able to recover some of their data. It’s far better to invest the ransom payment into recovering the data through other means. Ultimately, paying the ransom is bad for everyone. You’re unlikely to get your data back, and giving in to demands only encourages either a repeat attack or further attacks on other organizations.

Preparedness and prevention

Realistic expectations, multiple backups, informed employees, and a policy to not pay ransoms are all necessary components to being prepared for a ransomware attack. However, the best way to prepare for ransomware attacks is to prevent them from succeeding in the first place.

Security Information and Event Management (SIEM) solutions provide centralized logging and auditing of the security alerts and events within your environment. SIEM software can help provide context to events and clearly identify security incidents, such as indicators of ransomware, in real time. This allows security teams to lock down affected systems before the ransomware spreads.
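One concrete indicator a SIEM can key on is the file-activity signature of encryption in progress: a single account on a file server renaming many files to a new extension within seconds. The following is an added example (not code from the article or from any SIEM product) of that correlation rule run over constructed file-server audit events in JSON-lines form. The event schema (`ts`, `host`, `user`, `action`, `path`, `new_path`), the host and user names, the 60-second window and the threshold of 10 renames are all assumptions chosen for the illustration; a real deployment would tune them to the environment's normal rename rate.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PurePosixPath
from typing import Dict, List

WINDOW = timedelta(seconds=60)   # sliding window per (host, user); assumed value
THRESHOLD = 10                   # extension-changing renames inside the window; assumed value


def build_sample_log() -> str:
    """Constructed audit log: ordinary activity plus one burst of extension changes."""
    base = datetime(2019, 3, 1, 9, 0, 0)
    events = [
        {"ts": base.isoformat(), "host": "fs01", "user": "alice",
         "action": "write", "path": "/share/finance/q1.xlsx"},
        # A normal rename keeps the extension, so it must not count.
        {"ts": (base + timedelta(minutes=3)).isoformat(), "host": "fs01", "user": "alice",
         "action": "rename", "path": "/share/finance/draft.docx",
         "new_path": "/share/finance/final.docx"},
    ]
    # 25 renames by one user, two seconds apart, each appending a new extension.
    for i in range(25):
        ts = base + timedelta(minutes=15, seconds=2 * i)
        events.append({"ts": ts.isoformat(), "host": "fs01", "user": "bob",
                       "action": "rename", "path": f"/share/hr/doc{i}.docx",
                       "new_path": f"/share/hr/doc{i}.docx.locked"})
    return "\n".join(json.dumps(e) for e in events)


def extension_changed(path: str, new_path: str) -> bool:
    """True when a rename alters the file's extension (the part after the last dot)."""
    return PurePosixPath(path).suffix != PurePosixPath(new_path).suffix


def detect_mass_rename(log_text: str, window: timedelta = WINDOW,
                       threshold: int = THRESHOLD) -> List[Dict[str, object]]:
    """Raise one alert per (host, user) that changes extensions on >= threshold files within window."""
    recent: Dict[tuple, deque] = defaultdict(deque)  # timestamps of qualifying renames
    alerted = set()
    alerts: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("action") != "rename":
            continue
        if not extension_changed(event["path"], event["new_path"]):
            continue
        key = (event["host"], event["user"])
        ts = datetime.fromisoformat(event["ts"])
        window_q = recent[key]
        window_q.append(ts)
        while window_q and ts - window_q[0] > window:   # drop events older than the window
            window_q.popleft()
        if len(window_q) >= threshold and key not in alerted:
            alerted.add(key)                               # one alert per actor, not per file
            alerts.append({
                "host": event["host"],
                "user": event["user"],
                "count": len(window_q),
                "first_seen": window_q[0].isoformat(),
                "example": event["new_path"],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_rename(build_sample_log()):
        print(alert)
```

Run on the constructed log, the rule ignores Alice's ordinary rename and fires once for Bob at his tenth extension change, about twenty seconds into the burst, which is the point at which an automated response (disabling the account or the server's share) still protects most of the share. The same logic applies to rate of writes or of files whose bytes become high-entropy; the rename-extension signal is simply the cheapest to compute from logs most file servers already produce.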

Implementing robust anti-malware with predictive analysis not only catches existing strains of malware but can also detect new ones before they become widespread. It’s also important to deploy anti-malware not just on workstations but on other endpoints such as servers, so that ransomware cannot enter your environment elsewhere.

By taking a proactive approach to ransomware, organizations have a much better chance of never having to recover from it.