In a constantly evolving cyber threat landscape, ransomware remains an enduring fixture on our business customers’ list of concerns. Customers are interested to know the latest advice on avoiding falling victim to a ransomware attack and how to respond and recover, should the worst happen.
What is ransomware?
Ransomware is malicious software (malware) that either:
- encrypts files
- blocks access to a computer or mobile device
Ransomware demands a ransom, often to be paid in cryptocurrency, for the decryption of the files or unlocking of the device.
Preventing ransomware attacks
The Australian Cyber Security Centre (ACSC) website contains information and links to a wide range of prevention measures. No single measure will provide a silver bullet. As with many cybersecurity threats, defence-in-depth is the best strategy.
However, user awareness is particularly important, given that the majority of ransomware attacks rely on insecure user behaviour.
Phishing remains a key mode of ransomware (and other malware) infection, and users should be trained to avoid email ‘lures’. These are emails with malicious attachments or links to malicious sites.
The recipient is enticed to open the email and execute the attachment or click the link, often through a sense of urgency engendered by the phishing email (fake bills, invoices, penalty notices).
Other key prevention methods include:
- Using and regularly updating reliable antivirus software
- Disabling macros in Microsoft Office applications, since macros embedded in malicious email attachments are a common way of downloading and running ransomware
- Enforcing a regular security patching policy to ensure all mobile devices, laptops and desktops are using the latest versions of their operating systems and applications
- Keeping abreast of the latest cyber threats by referring to sources such as Stay Smart Online, which can also provide alerts to new and emerging threats
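The macro point above is the one most businesses can enforce centrally rather than leave to user judgement. The following script is an added example, not part of the original article or CBA’s guidance, showing the per-user policy registry values that Group Policy writes for Office. It assumes Office 2016/2019/Microsoft 365 (policy hive version 16.0) and is run as the user being hardened; swap HKCU for HKLM to apply it machine-wide.

```powershell
# Added example (not from the original article): hardens Office macro handling
# via the policy registry keys that Group Policy uses for Word, Excel and PowerPoint.
# Assumptions: Office 2016/2019/Microsoft 365 (policy hive version 16.0), run in the
# context of the user being hardened. Use HKLM:\ instead of HKCU:\ for a machine-wide policy.

$officeVersion = '16.0'
$apps = 'Word', 'Excel', 'PowerPoint'

foreach ($app in $apps) {
    $key = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$app\Security"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

    # Weak setting, for contrast: VBAWarnings = 2 ("Disable all with notification") lets the
    # user enable macros with one click on the yellow bar, which is exactly what a phishing
    # document's "enable content to view this invoice" lure relies on.
    # Hardened: 4 = "Disable all without notification". Use 3 ("Disable all except digitally
    # signed macros") if the business depends on signed internal macros.
    Set-ItemProperty -Path $key -Name 'VBAWarnings' -Type DWord -Value 4

    # Block macros in files carrying the Mark of the Web (downloaded from the internet or
    # received by email), independently of the VBAWarnings setting above.
    Set-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Type DWord -Value 1
}

# Verify what is now in effect for each application
foreach ($app in $apps) {
    $key = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$app\Security"
    Get-ItemProperty -Path $key |
        Select-Object @{ n = 'App'; e = { $app } }, VBAWarnings, blockcontentexecutionfrominternet
}
```

Because these are policy keys, the settings cannot be changed from the Trust Center by the user, which is the point: the decision is taken away from the person reading the phishing email. Check after deployment that internal documents that legitimately need macros are digitally signed, or they will stop working too.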
What to do should the worst happen
Given the prevalence of ransomware, you may wish to consider having an incident response plan that specifically contemplates this threat.
Accessing back-ups will be a key part of this plan. You should identify your critical data and ensure it is backed up offline, at a cadence that reflects how quickly that data changes, and that restoring from those back-ups is tested regularly so the plan actually works when it is needed.
The cost of frequent back-ups may necessitate a difficult discussion as to how much irretrievable data loss is acceptable to your business.
Europol provides a potentially valuable service through the ‘No More Ransom’ project. This website offers decryption tools for a number of ransomware strains, provided by law enforcement agencies and commercial partners.
To pay or not to pay?
But what if you don’t have back-ups and external resources can’t help in restoring your critical data?
The ACSC is very clear in its advice: “Never pay a ransom demanded by ransomware. There’s no guarantee paying will restore your files, and paying a ransom could make you vulnerable to further attacks. Report the infection and seek help from a cyber security expert.”
However, some Australian businesses are ignoring this advice. According to research by Telstra, 47% of Australian businesses that found themselves victims of ransomware paid the ransom. 86% of Australian businesses who paid a ransom were able to retrieve their data after the payment, according to Telstra.
This latter statistic may make paying the ransom look like a relatively attractive option over significant irretrievable data loss. However, the consequences of paying a ransom may include:
Breaking the law
It’s important to realise that payment of a cyber ransom may not be legal, and so you should seek legal advice before deciding what to do.
Paying a ransom is no guarantee of getting your data back
In this respect, ransomware is increasingly resembling ‘real-world’ extortive crime and kidnap, where acceding to a ransom demand may not secure safe and timely release, and may simply lead to a further ransom demand.
The attack on Kansas Heart Hospital in May 2016 is one such example. The hospital paid a ransom demand following a ransomware attack that encrypted critical patient files.
However, rather than decrypting the files, the criminals demanded another ransom, which the hospital refused to pay, determining this was no longer ‘a wise manoeuvre or strategy’.
Then there is the issue of the ransomware operator’s intent and competence. Some ransomware is designed to scare and to attract payment, without any intention of enabling restoration of the data, or poorly coded ransomware may make restoration impossible. The infamous worldwide WannaCry attack of May 2017 was one such case. The ransomware demanded $300 or $600 payable in Bitcoin, but acceding to this demand would not have led to the restoration of data. The malware did not assign paying victims a unique Bitcoin address, so it had no way of automatically verifying whether a given victim had paid the ransom.
Vulnerability to further attacks
By paying a ransom you have identified yourself as a compliant target and may increase the prospect of being attacked once again, by the same criminals or a different group.
Securing the ecosystem
Ransomware will endure as a profitable enterprise for criminals as long as victims are willing to pay the ransoms. By paying a ransom you are helping to perpetuate the problem.
The Europol-sponsored initiative, ‘No More Ransom’ advises: “if the ransom is paid, it proves to the cybercriminals that ransomware is effective. As a result, cybercriminals will continue their activity and look for new ways to exploit systems that result in more infections and more money on their accounts”.
Some analysts have argued that we may have reached, or are soon to reach “peak ransomware”, since many cyber criminals are turning to crypto-jacking as a profitable alternative. Crypto-jacking is the use of malware to steal computing power, rather than money or data, by surreptitiously mining for cryptocurrency on the victim’s computer.
However, the fall in value of cryptocurrency may mean crypto-jacking is not as attractive as it was. It seems that ransomware will continue to be a fact of life for businesses for the foreseeable future, fuelled by the ease with which criminals can obtain the required tools and the willingness of their victims to pay up.
Meanwhile both the design of malware and the business models that support it will continue to evolve. New malware strains demonstrate ever-more advanced capabilities, including encryption algorithms some analysts believe are all but unbreakable.
Against this background, it is incumbent on any responsible business to ensure it has layered defence to prevent a ransomware attack, which must include staff education.
It must also have a plan to respond to a ransomware attack and ensure there are adequate back-ups of critical data. Failure to take these steps will leave the affected organisation with no good options: facing either irreversible data loss and disruption or the prospect of paying a ransom. This latter option certainly does not guarantee the return of your data, but it will certainly profit criminals and further perpetuate the ransomware threat.
This article first appeared in the September issue of CBA’s quarterly cyber security report ‘Signals’. You can view the full issue or sign up for our mailing list via the CommBank website.