Understanding Ransomware: A Guide for Businesses.

"Ransomware" is a term you’ve likely encountered, perhaps in a phishing training session at work or on the news. The implications of ransomware are vast, affecting individuals, businesses, and even critical infrastructure. With cybercrime on the rise, nearly €85 million was stolen through scams and frauds in 2022, according to the Banking & Payments Federation Ireland. Equally concerning, Grant Thornton's 2022 Cost of Crime report reveals that one in three small to medium businesses in Ireland were victims of cybercrime between May 2021 and April 2022. Alarmingly, many of these businesses opted to pay the ransom, with an average payout of €22,773.

What is Ransomware?

Ransomware is a type of malicious software that locks or encrypts a victim’s files, making them inaccessible until a ransom is paid. Attackers typically demand payment in cryptocurrency because it is hard to trace. Unlike many other types of cyberattacks, ransomware victims are usually aware that they have been compromised, because the attackers leave a ransom note with instructions for payment in exchange for a decryption key. However, paying the ransom does not guarantee that the data will be restored or that the attackers won’t strike again.

Types of Ransomware: Evolving Tactics

  1. Ransomware-as-a-Service (RaaS) Attacks: This model allows even non-technical criminals to deploy ransomware by renting malicious software from more skilled developers. RaaS is sold on the Darknet, and attackers pay the original developers a percentage of the ransom. RaaS kits, costing as little as $40, have democratized cybercrime, driving a 50% increase in ransomware attacks in the first half of 2023. This rise is particularly troubling as it lowers the technical barriers to entry for aspiring cybercriminals.
  2. Double- and Triple-Extortion Ransomware Attacks: Traditional ransomware encrypts data, but these more advanced variants add layers of extortion. Double extortion involves exfiltrating sensitive data before encryption and threatening to leak it if the ransom isn’t paid. Triple extortion goes further by launching Distributed Denial-of-Service (DDoS) attacks in conjunction with encryption and data theft, overwhelming systems and escalating the pressure on victims.
  3. Black Basta Ransomware: Black Basta has evolved since it emerged as one of the most dangerous ransomware groups in 2022. By 2023, the group exploited vulnerabilities in IT contractors and service providers, including a worrying trend of using Windows' built-in Quick Assist tool. Attackers leveraged Quick Assist to gain remote access to users' machines via phishing schemes, showcasing the adaptability of ransomware groups to new tools and techniques. In 2024, they continued refining their strategies, using spam combined with fake tech support schemes to infiltrate even well-defended networks.

Common Vectors of Ransomware

To effectively defend against ransomware, it’s essential to understand how it typically infiltrates systems:

  • Phishing Emails: These deceptive emails appear legitimate, often mimicking known brands or trusted entities. They trick users into downloading malicious attachments or clicking on compromised links. Security awareness training for employees is crucial in reducing the success of phishing attacks.
  • Exploit Kits: Attackers use these kits to scan for and exploit known vulnerabilities in out-of-date or unpatched software, delivering ransomware through compromised websites or downloads. Regular patching and updating of systems is vital to minimize this risk.
  • Malvertising: Malvertising involves embedding malicious code within seemingly legitimate advertisements on reputable websites. Users can inadvertently download ransomware simply by clicking on an ad. Ad blockers and security software can help reduce this exposure.

What Happens When Your Systems Are Infected?

Upon infection, ransomware quickly spreads across the system, encrypting critical files and making them inaccessible. The victim is presented with a ransom note, typically demanding cryptocurrency payments like Bitcoin. However, the damage can extend beyond data encryption once systems are infected. Attackers may exfiltrate sensitive data, threaten its release, or use it to compromise the network further.

Should You Pay the Ransom?

Cybersecurity professionals universally advise against paying the ransom. Here’s why:

  1. No Guarantees: Even if the ransom is paid, there’s no assurance that the attackers will decrypt the data. Moreover, the decryption tools provided by the attackers are often flawed or incomplete, leaving data partially encrypted.
  2. Encourages Criminals: Paying the ransom fuels the business model of ransomware groups, enabling them to continue targeting other victims.
  3. Data Vulnerability: Paying does not eliminate the possibility of future attacks. Attackers know you are willing to pay, making you a prime target for repeat attacks or double extortion.

Instead of paying the ransom, a robust incident response plan should be executed. Immediately isolate infected systems, disconnect them from the network to prevent further spread, and notify your cybersecurity team to begin the investigation.

Verifying How the Attacker Infected Your System

Determining the origin of an attack requires thorough digital forensics. This typically includes:

  • Analysing server and system logs to identify unusual behaviour or unauthorized access.
  • Reviewing email records to identify phishing attempts.
  • Network traffic analysis to uncover the attacker's entry point and any malicious activity.

This investigation often requires specialised cybersecurity professionals and tools, such as SIEM (Security Information and Event Management) systems, which aggregate and analyze log data to detect threats.
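As an added illustration of the log analysis described above (example code written for this article, not part of the original post or any vendor tool), the script below runs a simple ransomware heuristic over constructed file-server audit lines: it flags any account that writes or renames an unusually large number of files within a short window, which is the bulk-encryption behaviour a SIEM rule would look for. The log format, hosts, user names and file paths are all assumptions made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample file-server audit lines (not from the article), one event per line:
# "<ISO timestamp> <host> <user> <action> <path>"
SAMPLE_LOG = """\
2024-05-16T09:00:01 FS01 alice WRITE finance/q1.xlsx
2024-05-16T09:04:10 FS01 alice WRITE finance/q2.xlsx
2024-05-16T09:05:00 FS01 bob READ hr/handbook.pdf
2024-05-16T09:31:02 FS01 bob RENAME hr/handbook.pdf -> hr/handbook.pdf.locked
2024-05-16T09:31:03 FS01 bob RENAME hr/payroll.xlsx -> hr/payroll.xlsx.locked
2024-05-16T09:31:03 FS01 bob RENAME hr/contracts.docx -> hr/contracts.docx.locked
2024-05-16T09:31:04 FS01 bob RENAME finance/q1.xlsx -> finance/q1.xlsx.locked
2024-05-16T09:31:05 FS01 bob RENAME finance/q2.xlsx -> finance/q2.xlsx.locked
2024-05-16T09:31:06 FS01 bob WRITE finance/HOW_TO_RECOVER.txt
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (READ|WRITE|RENAME) (.+)$")

def parse_events(text):
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the analysis
        ts, host, user, action, path = m.groups()
        events.append((datetime.fromisoformat(ts), host, user, action, path))
    return events

def detect_mass_modification(events, window=timedelta(seconds=60), threshold=5):
    # Flag each (host, user) that writes or renames >= threshold files inside any window
    per_actor = defaultdict(list)
    for ts, host, user, action, path in events:
        if action in ("WRITE", "RENAME"):
            per_actor[(host, user)].append((ts, path))
    alerts = []
    for (host, user), mods in per_actor.items():
        mods.sort()
        start = best = 0
        for end in range(len(mods)):
            while mods[end][0] - mods[start][0] > window:  # slide the window forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            # Suffixes added by renames reveal the marker extension the encryptor appends
            suffixes = sorted({p.rsplit(".", 1)[-1] for _, p in mods if "->" in p})
            alerts.append({"host": host, "user": user, "max_in_window": best, "suffixes": suffixes})
    return alerts
```

Running `detect_mass_modification(parse_events(SAMPLE_LOG))` on the constructed log flags only `bob` on `FS01`, with six modifications in one minute and the `.locked` suffix, while `alice`'s routine edits stay below the threshold.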

The Role of Backups and Disaster Recovery

A well-implemented backup strategy is one of the most effective defences against ransomware. Regular backups ensure that data can be restored without the need to pay a ransom. To be effective, backups should follow the 3-2-1 rule:

  • Keep three copies of your data,
  • On two different media types (e.g., disk and cloud),
  • With one copy stored offsite or isolated from your network to avoid compromise during an attack.

In addition to backups, a disaster recovery plan should be in place. This plan outlines steps to quickly restore critical systems and minimize downtime in the event of an attack. Testing and refining these plans regularly is key to ensuring they work when needed most.

Policies to Reduce the Risk of Ransomware Attacks

Organizations can reduce their risk exposure through a combination of technical controls and policies:

  • Patch Management: Regularly update and patch software to close vulnerabilities that attackers can exploit. Testing should be done internally before any patches are released into production.
  • Security Awareness Training: Employees are the first line of defence. Regular training can help them recognize phishing attempts and other social engineering tactics.
  • Access Control: Implement the principle of least privilege to restrict users’ access to only the data they need to do their jobs. This limits the impact of an attack if one user account is compromised.
  • Multi-Factor Authentication (MFA): Enforce MFA for all accounts, especially those with access to sensitive systems or data. This adds an additional layer of security, even if passwords are compromised.
  • Endpoint Detection and Response (EDR) Software: Use advanced security software that detects and blocks ransomware in real time. EDR solutions are particularly effective at monitoring suspicious activity and automatically containing threats before they spread.

Conclusion: The Best Defense is a Good Offense

Staying informed, vigilant, and prepared is essential in defending against ransomware. By investing in strong cybersecurity measures, including regular backups, security training, and up-to-date systems, you can significantly reduce your risk. A proactive approach—backed by a tested incident response and disaster recovery plan—will mitigate the impact of a ransomware attack and give your organization a fighting chance to recover without succumbing to extortion.

Sources:

(1) Black Basta Ransomware Struck More Than 500 Organizations Worldwide. https://www.techrepublic.com/article/black-basta-ransomware-attack/.

(2) Ransomware attacks hijack Windows Quick Assist feature. https://www.msn.com/en-us/news/other/ransomware-attacks-hijack-windows-quick-assist-feature/ar-BB1mwfTJ.

(3) Black Basta Ransomware Attack: Threat Actors Abuse Windows Quick Assist to Launch Phishing Scheme. https://www.techtimes.com/articles/304720/20240516/black-basta-ransomware-attack-threat-actors-abuse-windows-quick-assist.htm.

(4) 2024 The State of Ransomware. https://ransomware.org/wp-content/uploads/2024/03/2024-State-of-Ransomware-Report_v1.pdf.

(5) The State of Ransomware 2024 – Sophos News. https://news.sophos.com/en-us/2024/04/30/the-state-of-ransomware-2024/.

(6) Ransomware in 2024: who are the biggest… | Henley Business School. https://www.henley.ac.uk/news/2024/ransomware-in-2024-who-are-the-biggest-names.