Few IT security topics cost company executives as much sleep as the question of what to do in the event of a successful ransomware attack. One rule applies: the better prepared a company is, the more prudently everyone can act.
The average weekly number of ransomware attacks over the past 12 months rose 93 percent globally; over 1,200 organizations are now attacked every week. According to data from Cybersecurity Ventures, the damage caused by ransomware will reach around $20 billion this year, a 57-fold increase over 2015. By 2031, the cost of ransomware incidents could even exceed the staggering figure of $265 billion.
Why is the number of ransomware attacks increasing so rapidly? The explanation is simple: the attackers are paid for their success. It is a vicious circle: if companies give in to the extortion and pay the ransom, the attackers and their imitators profit, which invites further attempts. Many companies meet the criminals' demands without hesitation because they can fall back on cyber risk insurance, which the attackers in turn exploit.
Ransomware For Rent
The increase in attacks is also related to the availability of malware. Many groups of hackers offer Ransomware-as-a-Service (RaaS): Anyone can rent this type of threat in appropriate forums and stores on the Dark Net, including infrastructure, skills to negotiate with the victims, and blackmail websites where stolen information can be released to increase pressure through double or triple extortion. The ransom is then divided between the contracting parties.
However, a ransomware attack often does not start with ransomware. The chain usually begins with a simple phishing email carrying a malicious attachment. Attackers also work with botnet operators: in the Ryuk ransomware campaigns, the Emotet malware served as the door opener and delivery vehicle. It infected the network and then loaded Trickbot, a further multifunctional Trojan, which in turn opened the gate for Ryuk, which finally encrypted the data.
Handle The Break-In With Care
Cybercriminals do not take breaks. They constantly refine their techniques to make their malware harder to detect and to increase the pressure to pay. Originally, ransomware only encrypted data and demanded a ransom to unlock it. Around two years ago, the attackers added a second phase: before encrypting, they steal valuable information and threaten to publish it if the ransom is not paid. This is double extortion, and around 40 percent of all new ransomware families now practice it. More recently, a third phase has been observed, in which the actual subjects of the stolen data, such as business partners, customers, patients, or journalists, are contacted directly because sensitive information about them was contained in the stolen data. This is triple extortion. All of this serves to increase the ransom and the likelihood that at least one of the victims pays, further filling the criminals' pockets.
The Check Point Software Incident Response Team has handled countless corporate ransomware cases around the world. Based on that experience, it recommends the following steps when a ransomware attack occurs:
1) Keep a cool head
In the event of a successful ransomware attack, the most important thing is not to panic. The IT security department must be informed immediately. Keep a copy of the ransom note: law enforcement and the subsequent investigation will need it.
2) Isolate the computer
Infected systems must be disconnected from the rest of the network immediately to prevent further damage and lateral movement through the network. At the same time, the source of the infection should be identified. A ransomware attack usually begins with another threat, and the attackers may have been in the environment for a long time and gradually covered their tracks, so for most companies identifying the initial entry point is not feasible without specialist help.
3) Keep an eye on backups
Attackers know that companies will try to restore their data from backups to avoid paying the ransom. They therefore often try to locate the backups and encrypt or delete them. External devices and removable media, such as USB sticks, should never be connected to infected machines; otherwise they become carriers themselves. Caution is also required when restoring encrypted data, since a faulty key, for example, can damage the original data, so it is useful to make copies of the encrypted files before attempting decryption. In addition, decryptors are gradually being developed for ransomware families that previously could not be decrypted. If unencrypted backups exist, their integrity should nevertheless be checked before a full recovery.
4) Refrain from reboots and system maintenance
Automatic updates and other maintenance tasks should be disabled on infected systems. Deleting temporary files or making other changes can hamper the investigation and countermeasures. Likewise, the systems should not be rebooted, because some threats then begin to delete files.
5) Cooperate with law enforcement
In the fight against cybercrime, and against ransomware in particular, working with law enforcement agencies is key. Companies should therefore contact the police and the national cyber defense center at an early stage; operators of critical infrastructure (KRITIS) are in any case obliged, under penalty, to report immediately and in full. In addition, the incident response team of a trustworthy IT security company should be called in and employees informed. Training employees to recognize ransomware and other IT threats also helps ward off future attacks.
6) Identify the type of ransomware attack
If the attacker's message does not say which ransomware family is involved, a free identification service can be used. The website of the No More Ransom [1] project often even offers a decryptor for the identified family.
7) Run through the infection chain and close security gaps
Whether people or technology failed, companies should go through all processes again and rethink their entire IT strategy to ensure that a similar incident never happens again; otherwise the same attack can simply be repeated. Even once data has been recovered, the incident should by no means be regarded as resolved until the security hole has actually been closed.
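The backup integrity check from step 3, worked through as an added example; this is not code from the original article or from Check Point. It assumes, hypothetically, that a SHA-256 manifest of the backup was written when the backup was taken and is stored separately from the backup itself (offline or on immutable storage), so that an attacker who reaches the backup share cannot also rewrite the manifest. The directory layout, file names and the tampering performed in `demo()` are constructed for the demonstration.

```python
"""Verify a backup tree against a SHA-256 manifest before restoring from it.

Added example, not from the original article. Assumption: a manifest with one
"<sha256>  <relative path>" line per file was written when the backup was taken
and is stored away from the backup (offline or on immutable storage).
"""
import hashlib
import tempfile
from pathlib import Path

# Constructed stand-in for ciphertext: a permutation of all 256 byte values,
# repeated, so the content differs from the original without using randomness.
FAKE_CIPHERTEXT = bytes((i * 131 + 7) % 256 for i in range(1024))


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large backup images do not fill memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def write_manifest(backup_root: Path, manifest_path: Path) -> int:
    """Record the digest of every file under backup_root; returns the file count."""
    lines = []
    for p in sorted(backup_root.rglob("*")):
        if p.is_file():
            lines.append(f"{sha256_file(p)}  {p.relative_to(backup_root).as_posix()}")
    manifest_path.write_text("\n".join(lines) + "\n")
    return len(lines)


def verify_backup(backup_root: Path, manifest_path: Path) -> dict:
    """Compare the tree with the manifest and classify every file.

    modified   : present but digest differs (encrypted or overwritten in place)
    missing    : listed in the manifest but gone (deleted, or renamed e.g. to .locked)
    unexpected : not in the manifest (renamed copies, ransom notes, attacker tooling)
    """
    expected = {}
    for line in manifest_path.read_text().splitlines():
        if line.strip():
            digest, rel = line.split("  ", 1)
            expected[rel] = digest
    report = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    seen = set()
    for p in backup_root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(backup_root).as_posix()
        seen.add(rel)
        if rel not in expected:
            report["unexpected"].append(rel)
        elif sha256_file(p) != expected[rel]:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    report["missing"] = list(set(expected) - seen)
    for key in ("ok", "modified", "missing", "unexpected"):
        report[key].sort()
    # Anything other than a clean match means: do not restore blindly.
    report["safe_to_restore"] = not (
        report["modified"] or report["missing"] or report["unexpected"]
    )
    return report


def demo(tamper: bool = True) -> dict:
    """Build a constructed backup, optionally tamper with it as ransomware does, verify it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "backup"
        (root / "finance").mkdir(parents=True)
        (root / "contracts").mkdir()
        (root / "finance" / "q3.xlsx").write_bytes(b"constructed spreadsheet bytes")
        (root / "contracts" / "nda.pdf").write_bytes(b"constructed pdf bytes")
        (root / "hr.db").write_bytes(b"constructed database bytes")
        (root / "notes.txt").write_bytes(b"constructed notes")
        manifest = Path(tmp) / "manifest.sha256"  # would live offline in practice
        write_manifest(root, manifest)
        if tamper:
            # Simulated attacker activity on the backup share:
            (root / "hr.db").write_bytes(FAKE_CIPHERTEXT)          # encrypted in place
            (root / "notes.txt").write_bytes(FAKE_CIPHERTEXT)      # encrypted ...
            (root / "notes.txt").rename(root / "notes.txt.locked")  # ... and renamed
            (root / "finance" / "q3.xlsx").unlink()                 # deleted
            (root / "HOW_TO_DECRYPT.txt").write_text("constructed ransom note")
        return verify_backup(root, manifest)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:16} {value}")
```

The point of the three categories is that each tells the responder something different: a modified file means the attacker reached the backup storage itself, a missing file paired with an unexpected one of the same stem usually means rename-after-encrypt, and a stray ransom note means the share was writable from the compromised host. None of them should be restored over production data.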
Best Practices To Avoid Attacks
It is good to know what steps need to be taken to best deal with a successful ransomware attack, but even better when everything possible has been done to prevent the attack:
- Pay particular attention to weekends and public holidays. Most ransomware attacks in 2020 took place on weekends or holidays, when companies react more slowly to a threat because only a skeleton crew is on duty.
- Install updates and patches regularly. WannaCry hit organizations around the world hard in May 2017, infecting over 200,000 computers in three days. Yet a patch for the EternalBlue vulnerability it exploited had already been available for weeks before the attack (Microsoft's MS17-010, released in March 2017).
- Install an anti-ransomware security solution. Anti-ransomware protection monitors for unusual activity, such as a process opening and encrypting a large number of files. If suspicious behavior is detected, action can be taken immediately to limit the damage.
- Implement essential training. Many attacks start with a targeted phishing email that contains no malware at all but uses social engineering to persuade the user to click on a malicious link. Educating users is therefore one of the most important parts of protecting against ransomware attacks.
- Ransomware attacks do not start with ransomware, so malware activity in general should be monitored, not just encryption. Botnets such as Trickbot and Dridex (and formerly Emotet, the largest of them) infiltrate organizations and prepare the ground for a subsequent ransomware attack.
- Backing up and archiving data is essential. If something goes wrong, data should be easy and quick to recover. Backups must be created consistently, including on employees' devices, and rather than relying on employees to remember to start a backup themselves, managers should have backups run automatically.
- Restrict access to only the information and network segments that are necessary. To minimize the impact of a successful attack, users should have access only to the files, programs, and areas of the network they need to do their jobs, while everything else remains invisible to them; this is the Zero Trust concept. In addition, micro-segmentation reduces the risk of ransomware spreading uncontrolled, because the network is divided into small parts and the traffic at their borders is closely controlled.
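The behaviour the anti-ransomware bullet describes, a single process rewriting many files with encrypted content in a short time, as an added detection example; this is not the article's code and not any vendor's product logic. The event format (timestamp, process, operation, path, written bytes) and the events themselves are constructed to stand in for what an EDR or file-system sensor would deliver, and the window and thresholds are assumptions to be tuned per environment.

```python
"""Behavioural mass-encryption detector over constructed file-activity events.

Added example, not from the original article. Events are tuples of
(timestamp_seconds, process, operation, path, written_bytes); the format and
the thresholds below are assumptions, not a real sensor's schema.
"""
import math
import os
from collections import defaultdict, deque

WINDOW_SECONDS = 60        # per-process look-back window
MIN_ENCRYPTED_FILES = 5    # distinct files rewritten with high-entropy data
ENTROPY_THRESHOLD = 7.2    # bits/byte; text and office documents sit well below


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; ciphertext approaches 8.0, plain text roughly 4 to 5."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


class MassEncryptionDetector:
    def __init__(self):
        self.writes = defaultdict(deque)   # process -> (ts, path) of high-entropy writes
        self.new_ext = defaultdict(set)    # process -> extensions it renamed files to
        self.alerted = set()               # alert once per process

    def observe(self, ts, process, op, path, data=b""):
        """Feed one event; return an alert dict when the process crosses the threshold."""
        q = self.writes[process]
        while q and ts - q[0][0] > WINDOW_SECONDS:   # drop events outside the window
            q.popleft()
        if op == "rename":
            self.new_ext[process].add(os.path.splitext(path)[1].lower())
            return None
        if op != "write" or shannon_entropy(data) < ENTROPY_THRESHOLD:
            return None
        q.append((ts, path))
        distinct = {p for _, p in q}
        if len(distinct) >= MIN_ENCRYPTED_FILES and process not in self.alerted:
            self.alerted.add(process)
            return {"process": process, "ts": ts, "files": len(distinct),
                    "extensions": sorted(self.new_ext[process])}
        return None


# Constructed payloads: a deterministic permutation of all byte values stands in
# for ciphertext (entropy exactly 8.0); the text stands in for a normal document.
CIPHERTEXT = bytes((i * 131 + 7) % 256 for i in range(4096))
PLAINTEXT = b"Quarterly report: revenue up 4 percent, headcount unchanged. " * 60


def constructed_events():
    """Constructed sensor feed mixing benign activity with one encrypting process."""
    events = []
    # A user saving a document: low entropy, never counted.
    events.append((100, "winword.exe", "write", r"C:\Users\a\report.docx", PLAINTEXT))
    # A backup tool writing two compressed archives: high entropy but few files.
    for i in range(2):
        events.append((200 + i, "backup.exe", "write", rf"D:\bak\set{i}.zip", CIPHERTEXT))
    # A nightly job writing one archive every 30 minutes: never 5 within 60 s.
    for i in range(8):
        events.append((1800 * i, "nightly.exe", "write", rf"D:\arch\a{i}.7z", CIPHERTEXT))
    # Ransomware: six documents rewritten and renamed within about ten seconds.
    for i in range(6):
        base = 5000 + 2 * i
        events.append((base, "updater.exe", "write", rf"\\share\doc{i}.docx", CIPHERTEXT))
        events.append((base + 1, "updater.exe", "rename", rf"\\share\doc{i}.docx.locked", b""))
    return sorted(events, key=lambda e: e[0])


def run_demo():
    """Replay the constructed feed and return the alerts raised."""
    det = MassEncryptionDetector()
    return [a for a in (det.observe(*e) for e in constructed_events()) if a]


if __name__ == "__main__":
    for alert in run_demo():
        print("ALERT", alert)
```

Compression and backup tools also write high-entropy data, which is why the detector counts distinct files per process within a short window rather than flagging single writes, and reports the extensions the process renamed files to as corroborating context. In a real deployment the next steps are allowlisting known archivers and backup agents, adding canary files whose modification is always suspicious, and wiring the alert to the host isolation action from step 2.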
Every Payment Motivates The Hackers
Should executives pay the ransom? The answer is not as simple as it is often presented. The amounts can run to hundreds of thousands or even millions of euros, but the cost of critical system outages can quickly exceed them. Bear in mind, however, that even payment does not guarantee that the data, or even part of it, will be decrypted; you are putting yourself in the hands of the extortionist. There are known cases in which bugs in the attackers' own encryption code meant that not even they could restore the data, let alone the victims.
Of course, managers have to think about jobs and production. On the other hand, every payment motivates the attackers to launch further attacks and attracts imitators, amplifying the ransomware wave. This dilemma is best avoided by preparing as thoroughly as possible, both to defend against ransomware and to deal with an attack that has already occurred.