Ransomware – Threat to Business

  • Ransomware is malware (a "virus", in layman's terms) that prevents or limits users from accessing their systems, either by locking the system's screen or by encrypting the user's data, and demands a ransom payment to decrypt it. In a sophisticated ransomware attack, recovering the data without the decryption key is next to impossible. Ransom transactions are difficult to trace, as digital currencies such as Pay Safe Card, Bitcoin, or other cryptocurrencies are used to pay them. Ransomware is now even sold as Ransomware-as-a-Service.
  • As per the State of Ransomware 2022 survey by the cybersecurity firm Sophos, which surveyed 5600 organizations in 31 countries –

    • 78% of Indian organizations confirmed ransomware attacks in 2021, up from 68% in 2020.

    • 80% of Indian organizations responded that their data was encrypted in the attack.

    • Indian organizations pay a $1.2 million average ransom to get their data decrypted.

    • 10% of victims paid a ransom of $1 million or more.

How Ransomware Attacks Happen

  • Like other malware, ransomware reaches its victims through two attack vectors: email and downloads. Email is considered the primary vector. A phishing mail is sent with misleading attachments that trick users into opening them; when a user downloads and opens an attachment, the malicious file executes and infects the system. Another, less common, variant is to redirect the user to a random or malicious website that asks them to download files or grant permissions unrelated to what they came for.
  • The second attack vector through which ransomware propagates is the drive-by download. Applications, songs, videos, movies, or TV series often require a user to pay (say, ₹100) to use them; instead, people search for free or cracked versions on the internet. Attackers exploit this habit by adding malicious code to whatever the user is trying to download. At the front end, the user sees the app, song, or movie being downloaded; in the background, ransomware is downloaded and installed without any notification, encrypts the user's data on the target system, and the user loses access. At this point, attackers demand a ransom in exchange for the decryption key that restores access to the files, folders, and data.

How real are ransomware attacks?

  • After a successful ransomware attack, the user's data is encrypted, with the encryption method varying from one ransomware variant to another. In most successful attacks, users lose their data because they do not back it up regularly. Organizations are more prone to ransomware attacks than individuals and are at higher risk: targeting a large user base at once makes it easier for an attacker to succeed, and a successful attack on an organization supports a higher ransom demand. On top of this, reputational and legal risks come into the picture for corporate organizations. While it is highly debatable whether an attacked individual or organization should pay the ransom, small and medium enterprises face a real risk of going out of business if they do not recover from the incident in the shortest time possible.

Common Ransomware Variants

S.No | Variant | Description
---- | ------- | -----------
1 | Apocalypse | Discovered in 2016, it used a custom algorithm for encryption instead of standard algorithms. It did not create a substantial impact, as it was successfully eradicated.
2 | Cerber | Discovered in 2016, this ransomware encrypts files on an infected system, appending a .cerber extension, and uses the RSA and RC4 encryption algorithms.
3 | CTB_Locker | Uses a more sophisticated scheme than RSA alone, combining it with the AES and ECDH algorithms. ECDH is an anonymous key-agreement protocol.
4 | Jigsaw | Encrypts files on an infected system, appending a .fun extension; runs on the .NET framework and uses the AES algorithm.
5 | WannaCry | Exploited a vulnerability in the Windows operating system and wreaked havoc in 2017, infecting more than 400,000 systems across the globe and demanding payment in Bitcoin.
6 | Petya | Considered an advanced version of WannaCry. Similarly, it asked for the ransom amount in Bitcoin.
7 | Conti | Emerged in 2019 and was responsible for 13% of total attacks in 2020. In one instance, the attackers infected a school's systems and demanded a ransom of $40 million, threatening to post the collected information online if the school did not pay.
8 | REvil | An example of ransomware-as-a-service, which primarily targeted businesses in the engineering sector.
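The two passages above describe the same observable behaviour: once ransomware runs, one process rewrites a large number of user files in a short time, frequently appending a variant-specific extension such as the .cerber or .fun extensions listed in the table. That behaviour is what endpoint detection looks for. The script below is an added example, not code from the original article; the log format (timestamp, process, operation, old path, new path) and the process name `locker.exe` are constructed for the illustration, and real EDR or audit logs will differ in layout but not in the logic: alert when one process renames many files to a new extension inside a short window, or to any extension on a known-variant list.

```python
"""Detect ransomware-like mass file renames in file-system event logs.

Added illustration; the log format, process names and paths are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import os

# Extensions the article's variant table associates with Cerber and Jigsaw.
KNOWN_RANSOM_EXTENSIONS = {".cerber", ".fun"}

# Constructed sample log: one benign editor rename, a burst of renames from a
# single process within two seconds, then a normal user rename much later.
SAMPLE_LOG = """
2024-01-10T09:00:01 winword.exe RENAME C:\\Users\\a\\report.tmp C:\\Users\\a\\report.docx
2024-01-10T09:15:00 locker.exe RENAME C:\\Users\\a\\q1.xlsx C:\\Users\\a\\q1.xlsx.cerber
2024-01-10T09:15:00 locker.exe RENAME C:\\Users\\a\\notes.txt C:\\Users\\a\\notes.txt.cerber
2024-01-10T09:15:01 locker.exe RENAME C:\\Users\\a\\pic.jpg C:\\Users\\a\\pic.jpg.cerber
2024-01-10T09:15:01 locker.exe RENAME C:\\Users\\a\\plan.pptx C:\\Users\\a\\plan.pptx.cerber
2024-01-10T09:15:02 locker.exe RENAME C:\\Users\\a\\budget.csv C:\\Users\\a\\budget.csv.cerber
2024-01-10T11:00:00 explorer.exe RENAME C:\\Users\\a\\old.txt C:\\Users\\a\\new.txt
"""


def extension(path):
    """Lower-cased extension of the last path component, for '/' or '\\' separators."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return os.path.splitext(name)[1].lower()


def parse_events(text):
    """Parse the constructed log format into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proc, op, old, new = line.split(None, 4)
        events.append({"ts": datetime.fromisoformat(ts), "proc": proc,
                       "op": op, "old": old, "new": new})
    return events


def analyse(events, window=timedelta(seconds=30), threshold=5):
    """Return {process: alert} for processes whose renames look like encryption.

    An alert is raised when a process renames `threshold` or more files to a
    different extension within `window`, or renames any file to an extension on
    the known-variant list.
    """
    by_proc = defaultdict(list)
    for ev in events:
        if ev["op"] == "RENAME" and extension(ev["old"]) != extension(ev["new"]):
            by_proc[ev["proc"]].append(ev)

    alerts = {}
    for proc, evs in by_proc.items():
        evs.sort(key=lambda e: e["ts"])
        known = {extension(e["new"]) for e in evs} & KNOWN_RANSOM_EXTENSIONS
        # Sliding window: largest number of extension-changing renames inside `window`.
        peak, start = 0, 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if known or peak >= threshold:
            alerts[proc] = {"known_extensions": sorted(known), "peak_renames": peak}
    return alerts


if __name__ == "__main__":
    for proc, alert in analyse(parse_events(SAMPLE_LOG)).items():
        print(f"ALERT {proc}: {alert}")
```

The rate-based rule catches variants whose extension is not yet on any list; the extension list catches a slow or single-file first hit of a known family. In production the threshold and window should be tuned against a baseline of legitimate bulk renames (build tools, archive extraction), which is why the script separates the two signals instead of collapsing them into one score.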

Recent Prominent Ransomware Attacks

  • ISS World, a Denmark-based company, lost around $74 million in February 2020.
  • Cognizant lost over $70 million because of the Maze ransomware attack in April 2020.
  • Sopra Steria, an IT-services firm, suffered an operating loss of €50 million in October 2020.
  • Software AG, a leading Germany-based software vendor, disclosed that its systems were infected by the Clop ransomware. The attackers demanded $23 million in ransom.
  • The University of California San Francisco's School of Medicine was targeted by ransomware in June 2020. UCSF negotiated with the attackers and paid $1.14 million in ransom.
  • Travelex, a money exchange firm, paid a ransom of $2.3 million in Bitcoin to regain access to its data.

How an Organization Can Reduce Ransomware Attack Risk

Preventing an attack is always better, and less costly, than the containment and remediation that follow one, especially once reputational cost is counted. Enterprises can do the following to prevent ransomware attacks –

  • Plan & implement layered defense and security controls across all points in the organization's environment from perimeter to endpoint.
  • Review security controls regularly and make sure they continue to meet the organization's needs.
  • Maintain offline, encrypted backups of data and images of critical systems, and test the backups regularly.
  • Prepare for the worst, develop a cyber incident response plan, and keep the program updated.
  • Conduct regular vulnerability scanning to identify and address vulnerabilities, especially on internet-facing devices, to limit the attack surface.
  • Regularly patch and update software and OSs to the latest available versions.
  • Ensure devices are correctly configured, and disable ports and protocols that are not in use.
  • Proactively hunt for threats to identify and stop adversaries before they can execute their attack – if the team lacks the time or skills to do this in-house, outsource to a Managed Detection and Response (MDR) specialist.
  • Implement a cybersecurity user awareness and training program that includes guidance on identifying and reporting suspicious activity (e.g., phishing) or incidents.
  • Conduct organization-wide phishing tests to gauge user awareness and reinforce the importance of identifying potentially malicious emails.
  • Implement filters at the email gateway to filter out emails with known malicious indicators, such as known malicious subject lines, and block suspicious Internet Protocol (IP) addresses at the firewall.
  • Employ multi-factor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems.
  • Leverage best practices and enable security settings with cloud service providers and product/tools vendors.
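The backup item in the list above is the control that decides whether a ransomware incident is a recovery exercise or a ransom negotiation, and "test the backups" means more than confirming the job ran: a restore has to be compared against what was backed up, because a backup that ransomware reached will restore ciphertext. The script below is an added example, not code from the original article. Everything in it is constructed: a tiny backup set in a temporary directory, a manifest of SHA-256 digests taken at backup time, a clean restore, and a restore in which one file has been overwritten with ciphertext and another encrypted and renamed with the .cerber extension from the variant table. The manifest is assumed to be stored apart from the backup (offline or on write-once media); if it sits next to the data, whatever encrypts the backup can rewrite the manifest too.

```python
"""Hash-manifest check for backup restore tests.

Added illustration; the backup set, file contents and damage are constructed.
"""
import hashlib
import os
import shutil
import tempfile


def sha256_file(path, chunk_size=1 << 16):
    """Stream a file through SHA-256 so large backup images are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map each file under root (relative path, '/'-separated) to its digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_restore(restored_root, manifest):
    """Compare a restored tree with the manifest; three empty lists mean a clean restore."""
    actual = build_manifest(restored_root)
    return {
        "missing": sorted(p for p in manifest if p not in actual),
        "modified": sorted(p for p in manifest if p in actual and actual[p] != manifest[p]),
        "unexpected": sorted(p for p in actual if p not in manifest),
    }


def demo():
    """Constructed end-to-end run; returns (clean_result, damaged_result)."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = os.path.join(tmp, "backup")
        os.makedirs(os.path.join(backup, "finance"))
        with open(os.path.join(backup, "finance", "q1.xlsx"), "wb") as f:
            f.write(b"constructed spreadsheet bytes")
        with open(os.path.join(backup, "notes.txt"), "wb") as f:
            f.write(b"constructed notes\n")
        manifest = build_manifest(backup)  # taken at backup time, kept offline

        # Restore test 1: a faithful copy must verify clean.
        restored = os.path.join(tmp, "restore")
        shutil.copytree(backup, restored)
        clean = verify_restore(restored, manifest)

        # Restore test 2: simulate a backup that ransomware reached. One file is
        # overwritten with ciphertext; another is encrypted and renamed with the
        # .cerber extension, so it shows up as missing plus an unexpected file.
        with open(os.path.join(restored, "notes.txt"), "wb") as f:
            f.write(b"\x00constructed ciphertext\x00")
        os.replace(os.path.join(restored, "finance", "q1.xlsx"),
                   os.path.join(restored, "finance", "q1.xlsx.cerber"))
        damaged = verify_restore(restored, manifest)
    return clean, damaged


if __name__ == "__main__":
    clean_result, damaged_result = demo()
    print("clean restore:  ", clean_result)
    print("damaged restore:", damaged_result)
```

Run this as a scheduled job against a real restore target and alert on any non-empty list. Hashing does not replace encrypting the backups themselves (the list item asks for both); it only tells you, before an incident, whether the copy you are counting on still matches what was written.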