Any Company Can be Struck by Ransomware
Worldwide surveys show that companies are a primary target of cryptoviruses or extortion Trojans, i.e. ransomware. The attacks are usually mounted via spam mail carrying links to infected websites or malware files as attachments. But there are preventive measures, and a checklist for the case that disaster strikes.
Attackers have understood that active ransomware (extortion Trojans) capable of encrypting files is a more effective weapon against corporate users than, say, Trojans that merely spy on data. In some cases it means more effort for the attacker, but the potential ransom to be extorted from a company is far greater than from a private person: many private users are not prepared to pay for their data and simply wipe the PC and re-install everything. In corporate computing, things are usually not that simple. Attacks often hit crucial data on PCs, or the ransomware spreads over the existing corporate network and encrypts the PCs of entire departments.
Preventive measures prior to a cryptotrojan attack
Surveys show that some companies are attacked by ransomware several times per day. These findings are supported by the telemetry of major security vendors. Trend Micro, for example, published figures in February 2020 showing that in 2019 its solutions had fended off over 61 million ransomware attacks worldwide. Kaspersky and Sophos each report blocking tens of millions of ransomware attacks in 2019.
The use of a robust endpoint security solution thus goes a long way as a preventive measure for corporate users. How well the individual solutions protect is documented in AV-TEST's ongoing evaluations of corporate security products.
In addition to endpoint protection, it is recommended to deploy Endpoint Detection and Response (EDR) together with a SIEM (Security Information and Event Management) solution. EDR records process, file and network activity on each endpoint; the SIEM collects and correlates logs from endpoints, servers and network devices. Together they can uncover anomalous access: if an account with limited privileges starts touching files outside its role, these tools react and raise an alarm. Many endpoint solutions now ship with an integrated EDR module, which further strengthens the protection of the corporate network. SIEM solutions are standalone products, but they can usually be coupled with endpoint solutions easily, as most provide compatible interfaces.
Also of interest are so-called deception tools for networks. They set out bait and traps for intruders and lure them into prepared shadow networks holding decoy data, which makes it easier to analyze what an attacker is after. Attackers often stage their ransomware on what they believe to be key systems in order to launch it from there. On a decoy, such an attack comes up empty: the activity is logged, and the dropped malware can be pulled for analysis with a mouse click.
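The kind of SIEM correlation rule described above, as an added example written for this article rather than code from AV-TEST or any vendor's product. The file-access events, the account names and the role-to-path policy are all constructed for the example; a real deployment would feed file-server audit logs or EDR telemetry into the same logic. A single stray access is only logged; an alert is raised when one account touches several paths outside its role within a short window, which is what a ransomware process or an attacker moving laterally under a stolen low-privilege account looks like in the logs.

```python
"""SIEM-style rule: low-privilege account reaching outside its role (constructed example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical least-privilege policy: which UNC path prefixes each role may touch.
ROLE_POLICY = {
    "sales": ("\\\\fs01\\sales\\",),
    "hr": ("\\\\fs01\\hr\\",),
    "svc-backup": ("\\\\fs01\\",),   # the backup service account may read everything
}

# Constructed sample events (a real feed would come from file-server audit logs).
SAMPLE_EVENTS = [
    {"ts": "2020-02-10T08:00:01", "user": "jdoe", "role": "sales", "path": "\\\\fs01\\sales\\q1.xlsx", "op": "read"},
    {"ts": "2020-02-10T08:00:05", "user": "jdoe", "role": "sales", "path": "\\\\fs01\\hr\\salaries.xlsx", "op": "read"},
    {"ts": "2020-02-10T08:00:06", "user": "jdoe", "role": "sales", "path": "\\\\fs01\\hr\\contracts.docx", "op": "write"},
    {"ts": "2020-02-10T08:00:07", "user": "jdoe", "role": "sales", "path": "\\\\fs01\\finance\\ledger.xlsx", "op": "write"},
    {"ts": "2020-02-10T08:30:00", "user": "asmith", "role": "hr", "path": "\\\\fs01\\hr\\contracts.docx", "op": "read"},
    {"ts": "2020-02-10T09:00:00", "user": "asmith", "role": "hr", "path": "\\\\fs01\\sales\\q1.xlsx", "op": "read"},
    {"ts": "2020-02-10T23:00:00", "user": "backup", "role": "svc-backup", "path": "\\\\fs01\\hr\\salaries.xlsx", "op": "read"},
]


def is_allowed(role, path):
    """True if the path lies under one of the prefixes granted to the role."""
    prefixes = ROLE_POLICY.get(role, ())
    return any(path.lower().startswith(p.lower()) for p in prefixes)


def policy_violations(events):
    """Every event in which an account touched a path outside its role."""
    return [e for e in events if not is_allowed(e["role"], e["path"])]


def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Raise one alert per account whose violations hit >= `threshold` distinct
    paths within `window`. Isolated violations stay below the alert line."""
    alerts = []
    per_user = defaultdict(list)
    for e in sorted(policy_violations(events), key=lambda e: e["ts"]):
        per_user[e["user"]].append(e)
    for user, viol in per_user.items():
        for i, first in enumerate(viol):
            start = datetime.fromisoformat(first["ts"])
            hits = [v for v in viol[i:] if datetime.fromisoformat(v["ts"]) - start <= window]
            paths = {v["path"] for v in hits}
            if len(paths) >= threshold:
                alerts.append({
                    "user": user,
                    "start": first["ts"],
                    "paths": sorted(paths),
                    "writes": sum(1 for v in hits if v["op"] == "write"),
                })
                break   # one alert per account per burst
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):   # jdoe: 3 foreign paths, 2 of them writes
        print(a)
```

The "writes" counter matters in triage: reads outside a role may be a misconfigured share, but writes to files the account should never own are what an encryption run looks like, so a real rule would weight them higher or lower the threshold for them.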
Staff training sessions are essential
In roughly 80 percent of all cases, the ransomware scenario starts with a spam mail containing either a link to an infected website or a dangerous attachment. In many cases, security solutions already intervene here and defeat the attack. With zero-day malware, however, the attack may still succeed if the employee, the last link in the chain of defense, does not react properly. That is why training employees to recognize this kind of attack is highly recommended. Some manufacturers and system vendors also offer security awareness training, and platforms from Proofpoint, Kaspersky or Trend Micro, among others, provide testing tools for corporate users: companies send their own employees harmless simulated phishing e-mails whose links report back to the platform when they are clicked. This shows which employees respond, and which tricks they fall for repeatedly. It is training that can really pay off for a company.
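The server side of such a phishing test, as an added example that is not the code of any of the platforms named above. The hostname, the campaign names, the lure templates and the click behaviour are constructed; the point is the mechanism: each mail carries an opaque random token, the token-to-employee mapping stays on the platform, and the report shows both which lures work and which employees click repeatedly.

```python
"""Internal phishing simulation: tracking links and reporting (constructed example)."""
import secrets
from collections import defaultdict


class PhishingSimulation:
    """The link carries only a random token; the mapping to the employee lives
    here, so a forwarded mail cannot be tied to, or a URL forged for, someone else."""

    def __init__(self, base_url="https://training.example.internal/t/"):  # hypothetical host
        self.base_url = base_url
        self._tokens = {}                 # token -> (campaign, employee, lure)
        self.sent = defaultdict(dict)     # campaign -> {employee: lure}
        self.clicks = defaultdict(dict)   # campaign -> {employee: lure}
        self.unknown = 0                  # clicks whose token we never issued

    def issue_link(self, campaign, employee, lure):
        token = secrets.token_urlsafe(16)   # 128 bits: not guessable, one per mail
        self._tokens[token] = (campaign, employee, lure)
        self.sent[campaign][employee] = lure
        return self.base_url + token

    def record_click(self, url):
        token = url.rsplit("/", 1)[-1]
        hit = self._tokens.get(token)
        if hit is None:
            self.unknown += 1   # forged or mistyped link; nothing is attributed
            return None
        campaign, employee, lure = hit
        self.clicks[campaign][employee] = lure
        return hit

    def click_rate(self, campaign):
        sent = self.sent[campaign]
        return len(self.clicks[campaign]) / len(sent) if sent else 0.0

    def lure_stats(self):
        """Per lure template: (mails sent, mails clicked) across all campaigns."""
        sent, clicked = defaultdict(int), defaultdict(int)
        for campaign, targets in self.sent.items():
            for emp, lure in targets.items():
                sent[lure] += 1
                if emp in self.clicks[campaign]:
                    clicked[lure] += 1
        return {lure: (sent[lure], clicked[lure]) for lure in sent}

    def repeat_clickers(self, min_campaigns=2):
        """Employees who clicked in at least `min_campaigns` campaigns: the
        candidates for individual follow-up training."""
        counts = defaultdict(int)
        for clicked in self.clicks.values():
            for emp in clicked:
                counts[emp] += 1
        return sorted(e for e, n in counts.items() if n >= min_campaigns)


def demo():
    """Two constructed campaigns with three employees each."""
    sim = PhishingSimulation()
    links = {}
    for campaign, lure in (("2020-q1", "invoice"), ("2020-q2", "password-reset")):
        for emp in ("jdoe", "asmith", "bkim"):
            links[(campaign, emp)] = sim.issue_link(campaign, emp, lure)
    # Constructed behaviour: jdoe clicks both times, asmith once, bkim never.
    sim.record_click(links[("2020-q1", "jdoe")])
    sim.record_click(links[("2020-q2", "jdoe")])
    sim.record_click(links[("2020-q1", "asmith")])
    sim.record_click(sim.base_url + "not-a-real-token")   # ignored, counted as unknown
    return sim


if __name__ == "__main__":
    s = demo()
    print(s.lure_stats(), s.repeat_clickers())   # {'invoice': (3, 2), 'password-reset': (3, 1)} ['jdoe']
```

One caveat to keep in mind when reading such statistics: mail security gateways and sandboxes routinely fetch links in incoming mail, and those fetches register as clicks. Production platforms try to filter them out; this example only counts tokens it never issued.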
The worst-case scenario
Many companies have already learned the hard way how quickly a crisis with encrypted PCs and ransomware escalates, and that the first task is to find the right answers to the situation. Here is a brief list of the most important questions and answers:
1. Do we have a backup of the data?
This is usually the first question asked, because if a recent backup exists, the encrypted data can be preserved externally for analysis and the affected workstations or servers can be reset. Backups are often available but not up to date; frequently they are quite old. That is why companies may be reluctant to simply give up the encrypted data. But most of the time it is quicker to restore an older backup and re-enter what is missing by hand than to tediously attempt to decrypt the current data.
2. Do we need to file a report?
The EU GDPR requires companies to report a personal data breach to the competent data protection authority within 72 hours of becoming aware of it. A police report is not mandatory, but it is recommended. In the United States there is no uniform regulation; requirements vary from state to state, and only California has adopted comparable provisions in its CCPA (California Consumer Privacy Act). However, if the incident involves personal data of people in the EU, even a US company doing business in Europe is required to respond according to the GDPR, regardless of where its headquarters are located.
3. Should we pay or not?
The clear message is: don't pay. Every cent of ransom paid finances the attackers' next attack on other companies, and perhaps the next assault on your own. Add to this that even after decryption, a company cannot be sure its network is not still compromised. It is better to invest any available budget in data restoration and network analysis.
First secure forensic data, then restore data
If a company is well prepared, it can normally restore the lost data. Companies that have lived through it report that all measures take a lot of time and resources, and in some cases the data of individual users had to be re-entered. Unfortunately, some IT managers restore data too quickly and simply wipe the infected systems. It is better for the IT department to preserve the attacked systems, for example as disk images, and to examine them in isolated virtual machines. Analysis of the log files then often reveals other infection vectors or additional hidden files in the network. Once these have been discovered and analyzed, reinfection becomes far less likely.
The additional modules mentioned earlier, EDR and SIEM, are extremely helpful in analyzing forensic data. They allow experts to trace the attacker's further movements through the network and to find all dropped files and additional access attempts. Indicators from the analysis, such as file hashes, can then be fed into the existing security solutions, which search the network for files with those hash values.
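A minimal version of the two steps just described, as an added example written for this article and not part of any product: preserving a suspect file with a hash record before anything is wiped, and sweeping a file tree for files matching the hash values recovered from the analysis. The "dropper" bytes, the indicator list and the directory layout are constructed so that the script runs offline; a real sweep would take the hashes from the forensic analysis and run on every machine in the network.

```python
"""Hash-based IOC sweep with evidence preservation (constructed example)."""
import hashlib
import shutil
import tempfile
from pathlib import Path

# Constructed sample: bytes of a dropper "found" on the first infected machine.
# A real IOC list holds the hashes of the samples secured during the analysis.
SAMPLE_DROPPER = b"MZ" + b"\x90" * 64 + b"constructed-ransomware-dropper-not-real"
IOC_SHA256 = {hashlib.sha256(SAMPLE_DROPPER).hexdigest()}


def sha256_file(path, chunk=1 << 20):
    """Stream the file so large disks can be hashed without loading files into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, ioc_hashes):
    """Hash every regular file below `root`; return (relative path, digest) for IOC hits."""
    matches = []
    for p in Path(root).rglob("*"):
        if p.is_file() and not p.is_symlink():
            digest = sha256_file(p)
            if digest in ioc_hashes:
                matches.append((str(p.relative_to(root)), digest))
    return sorted(matches)


def preserve(path, evidence_dir):
    """Copy a suspect file into the evidence store, hashing before and after so the
    copy is provably identical to the original (a minimal chain-of-custody record)."""
    before = sha256_file(path)
    dest = Path(evidence_dir) / f"{before}_{Path(path).name}"
    shutil.copy2(path, dest)   # copy2 keeps the timestamps the analyst will need
    after = sha256_file(dest)
    if before != after:
        raise RuntimeError(f"evidence copy of {path} does not match the original")
    return str(dest), after


def build_sample_tree(root):
    """Constructed file system: a renamed copy of the dropper in a user profile, a
    harmless file, and a near-identical file to show that matching is content-based."""
    root = Path(root)
    (root / "Users" / "jdoe" / "AppData").mkdir(parents=True)
    (root / "Users" / "jdoe" / "AppData" / "svchost_update.tmp").write_bytes(SAMPLE_DROPPER)
    (root / "Users" / "jdoe" / "notes.txt").write_bytes(b"harmless notes")
    (root / "ProgramData").mkdir()
    (root / "ProgramData" / "installer.bin").write_bytes(SAMPLE_DROPPER + b"\x00")  # one byte differs
    return root


def demo():
    """Build the sample tree in a temp dir, sweep it, preserve each hit."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(Path(tmp) / "disk")
        evidence = Path(tmp) / "evidence"
        evidence.mkdir()
        matches = sweep(root, IOC_SHA256)
        preserved = [preserve(root / rel, evidence) for rel, _ in matches]
        return matches, [digest for _, digest in preserved]


if __name__ == "__main__":
    print(demo()[0])   # one hit: the renamed dropper under Users/jdoe/AppData
```

Two properties of hash indicators are visible in the sample tree: a renamed copy still matches, because the hash covers content, not the name; a file that differs by a single byte does not match at all. Hash lists therefore catch the exact samples found in the analysis, and nothing the attacker has since recompiled or repacked, which is why the EDR behaviour data is needed alongside them.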
Figures: PhishInsight test platform; Cloud storage & recovery; AV-ATLAS shows the threat scenario.
Data analysis with the help of online services
Ransomware is such an important issue for many security companies that they have launched platforms collecting information, decryption resources and tools. A very well-known project is "No More Ransom". The platform offers decryption programs for a very large number of cryptotrojans. Over the past months and years, authorities and special teams have seized some of the command and control servers used by ransomware; the keys recovered from them were released and are used by the tools offered on the platform to decrypt data free of charge. The list of information, tools and decryption data there is constantly growing. Further freely available collections of tools can be found at ID Ransomware and at the Advanced Cyber Defence Centre.
Often it already helps IT departments a great deal to identify the attacker. This is usually done via the text file in which the attacker leaves the payment instructions: based on its text, the platforms mentioned above can identify the ransomware family and the group behind it. If that is not sufficient, small encrypted files can also be uploaded to the "No More Ransom" portal for identification. Booting the encrypted workstation from a rescue USB stick or DVD also usually identifies the ransomware reliably. Unfortunately, identification alone is still not enough to reverse the encryption. AV-TEST evaluated recommended rescue tools, such as boot sticks and DVDs, in a test.
Backup strategies and securing data in the cloud
Corporate users need sophisticated backup strategies, and beyond a certain company size this is usually the case. In the small office/home office (SOHO) and small and medium-sized enterprise (SME) segments, however, backups still receive too little attention. That is baffling, as the market offers a wide range of flexible and affordable solutions. Many even include sensors that react when large numbers of files are renamed within a short time, block the responsible process and restore the affected data on demand.
Many cloud providers have also responded to cryptotrojans by adapting their storage services. Because most cloud storage keeps previous versions of files, earlier copies remain available. If large volumes of data are suddenly modified or encrypted in the cloud storage, the platform typically blocks further access by the client. If the encryption is not stopped, or is stopped too late, the providers offer tools to restore the earlier versions automatically.
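The sensor-plus-versioning mechanism described in the two paragraphs above, as an added example that is not the code of any backup product or cloud provider. The store is an in-memory stand-in for a versioning file service, the file names and the "ransomware" actor are constructed, and the threshold is deliberately low so the run fits in a few lines. The sensor counts extension-changing renames per actor inside a sliding window, blocks the actor once the count exceeds the threshold, and the restore routine rolls every file the actor touched back to its last good version and original name.

```python
"""Versioned store with a rename-burst sensor and rollback (constructed example)."""
from collections import defaultdict, deque


class VersionedStore:
    def __init__(self, rename_threshold=5, window_s=10.0):
        self.versions = defaultdict(list)   # path -> [(ts, actor, data)], oldest first
        self.renames = []                   # (ts, actor, old, new), in order
        self.recent = defaultdict(deque)    # actor -> timestamps of suspicious renames
        self.blocked = set()
        self.threshold = rename_threshold
        self.window = window_s

    @staticmethod
    def _ext(path):
        return path.rsplit(".", 1)[-1] if "." in path else ""

    def _check(self, actor):
        if actor in self.blocked:
            raise PermissionError(f"{actor} is blocked")

    def write(self, actor, path, data, ts):
        self._check(actor)
        self.versions[path].append((ts, actor, data))   # old content is never overwritten

    def rename(self, actor, old, new, ts):
        self._check(actor)
        if self._ext(old) != self._ext(new):            # .docx -> .docx.locked and the like
            q = self.recent[actor]
            q.append(ts)
            while ts - q[0] > self.window:              # drop timestamps outside the window
                q.popleft()
            if len(q) >= self.threshold:
                self.blocked.add(actor)
                raise PermissionError(f"{actor} blocked: {len(q)} extension-changing renames in {self.window}s")
        self.versions[new] = self.versions.pop(old)
        self.renames.append((ts, actor, old, new))

    def current(self, path):
        return self.versions[path][-1][2] if self.versions.get(path) else None

    def restore_last_good(self, actor):
        """Undo everything `actor` did: reverse its renames, newest first, then drop
        the versions it wrote, so each file returns to its last good content."""
        for ts, a, old, new in reversed(self.renames):
            if a == actor and new in self.versions:
                self.versions[old] = self.versions.pop(new)
        self.renames = [r for r in self.renames if r[1] != actor]
        restored = []
        for path in list(self.versions):
            kept = [v for v in self.versions[path] if v[1] != actor]
            if len(kept) != len(self.versions[path]):
                restored.append(path)
            if kept:
                self.versions[path] = kept
            else:
                del self.versions[path]
        return sorted(restored)


def demo():
    """Eight documents, then a constructed encryptor that writes ciphertext and
    renames each file to .locked until the sensor blocks it."""
    store = VersionedStore(rename_threshold=5, window_s=10.0)
    for i in range(8):
        store.write("alice", f"docs/report{i}.docx", f"report {i}".encode(), ts=100.0 + i)
    encrypted = []
    for i in range(8):
        path = f"docs/report{i}.docx"
        try:
            store.write("evil.exe", path, b"\xde\xad" * 8, ts=200.0 + i * 0.1)
            store.rename("evil.exe", path, path + ".locked", ts=200.0 + i * 0.1)
            encrypted.append(path)
        except PermissionError:
            break   # fifth rename trips the sensor; report4 was overwritten but not renamed
    restored = store.restore_last_good("evil.exe")
    return len(encrypted), restored, store


if __name__ == "__main__":
    n, restored, store = demo()
    print(n, restored, store.current("docs/report0.docx"))   # 4 [...report0..report4...] b'report 0'
```

Note what the window buys: a user who renames a handful of files by hand never reaches the threshold, while an encryptor hits it within its first second. The price is the files touched before the trigger, which is exactly why the versions are kept: blocking limits the damage, the version history undoes it.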
More targeted ransomware attacks and new strategies
CEO AV-TEST GmbH
Malware developers and cybergangsters are constantly developing new devious strategies for their attacks.
Over the past few years, the traditional attack has proceeded as follows: the ransomware penetrates a PC and encrypts all data on all connected hard drives and network drives. Once the ransom is paid, usually in Bitcoin, the victims in many cases receive a tool for decrypting the data. In this scenario, data was normally not leaked onto the Internet, but there was never any guarantee of that.
In more recent attacks, the attackers increase the pressure on companies and devalue existing backups: they first siphon off data, e.g. customer data, and threaten to publish it on a website (so-called double extortion). Some companies do not react properly here, fearing even greater damage to their image. A proactive approach is better: if customers are informed in time, they can change sensitive data and access credentials.
Not exactly new, but even more dangerous, are so-called spear-phishing attacks. These are targeted at a specific company and use almost exclusively previously unseen (zero-day) malware. Analyses of such attacks have shown that certain malware was developed and deployed solely for that one attack. The attackers' financial investment is high and very targeted. Defending against this type of attack is difficult, but not impossible: well-trained employees with an awareness of attacks often thwart the attackers' success.