With 2017 behind us, it is clear that it was the worst year yet for ransomware, with severe attacks reported all over the world. No previous year saw attacks cause so many problems for so many private individuals, companies and government organisations, many of which struggled to protect themselves properly.
Malwarebytes Labs, a data security firm, states in its latest report that ransomware attacks rose by 2,000 per cent between 2015 and 2017, with last year's attacks the worst on record. The two ransomware families that did the most damage to companies and organisations worldwide in 2017 were WannaCry and NotPetya.
WannaCry
The WannaCry attack caused serious damage around the world in May 2017, infecting around 300,000 computers in 150 countries. It targeted Windows systems that had not been patched or were running versions too old to receive patches. The ransomware encrypted the victim's files and demanded payment in Bitcoin for the decryption key.
Its spread was halted when a security researcher registered the kill-switch domain hard-coded in the malware, after which Microsoft issued emergency patches for unsupported Windows versions such as XP. Why the kill switch was built in at all remains unclear.
WannaCry spread using EternalBlue, an exploit for a vulnerability in Windows SMBv1 that had been published by the 'Shadow Brokers', a group that leaked exploits attributed to the NSA. One victim was Deutsche Bahn, the German railway, whose information terminals stopped showing arrivals and departures. Instead, they displayed the WannaCry screen demanding the ransom in Bitcoin.
NotPetya
NotPetya followed just one month later, in June. It was delivered through a compromised update to M.E.Doc, a Ukrainian tax accounting application, and within days had infected hundreds of thousands of computers in more than 100 countries. The financial impact was enormous: the pharmaceutical company Merck, for example, attributed more than $300 million in losses to the attack in the third quarter of that year alone.
Why are ransomware attacks so successful?
Carbon Black, an anti-malware vendor, published a study in October 2017 reporting a 2,500 per cent increase in ransomware sales on the major dark web marketplaces between 2016 and 2017. According to the study, more than 6,300 sites were offering ransomware kits and services that let anyone run their own campaign.
With so many tools available on the dark web, it is no surprise that SophosLabs, the research arm of the UK security vendor Sophos, projects a further increase in ransomware attacks in its annual forecast for 2018. They state that “it is a fair bet that Android and Windows will continue to be heavily targeted with ransomware and other malware, given the success attackers have had thus far”.
What's more, according to Kaspersky Lab, more ransomware attacks are being aimed at companies. Of the ransomware attacks Kaspersky blocked in 2017, around 26 per cent targeted businesses, an increase of more than three percentage points over 2016.
Kaspersky also reports that 65 per cent of the companies hit either suffered severe data loss or were unable to access their files at all. While Kaspersky does not explicitly predict more ransomware attacks for this year, it warns of more advanced attacks on mobile devices and a rise in so-called destructive attacks.
What are destructive attacks?
A new breed of ransomware appeared last year that is not really ransomware at all but a destruction tool. NotPetya (ExPetr in Kaspersky's naming), which struck in June 2017, presented itself as ransomware but was built to wipe the victim's data: there was no working way to obtain a decryption key even for those who paid. Kaspersky expects more such attacks this year, and because they spread indiscriminately rather than at chosen victims, anyone can be hit by this kind of 'wiper ransomware'.
Avoiding ransomware in 2018
There are many things to consider when fighting ransomware this year. With so many variants in circulation, keep the following three tips in mind and act on them:
1. Email security is king
According to Sophos and other experts, “Email will remain the primary attack vector threatening corporate cyber security, especially in the case of targeted attacks”. Securing this primary entry point is therefore essential for anyone who runs a network or connects to the Internet.
Remember: most ransomware infections start with an ordinary-looking email carrying a malicious attachment, typically an Office document with macros, a script file or an archive, although almost any file type can be used as a disguise. Attackers do not need much skill to embed malware in a file; articles and YouTube tutorials on hiding code are plentiful, and ready-made kits make it trivial.
With this in mind, never open an attachment from an unknown sender. If the email is not clearly meant for you, delete it and inform your company's data security advisor or IT team.
If it appears to come from a colleague but you are not sure, do not open it until you have confirmed with the sender by phone or another channel that they actually sent the file. Erring on the side of caution is always the right decision.
2. Make your network and IT environment secure
A single computer encrypted by ransomware is a serious problem; when it spreads across the network it becomes not just a nightmare for the IT department but a threat to the business as a whole.
Companies that have not already done so should deploy an email security gateway that scans every incoming message and attachment before the mail server delivers it to the recipient's mailbox. This dramatically reduces the chance that malware enters the network through email at all. In addition, IT administrators and management should consider monitoring tools that watch file servers and network traffic for signs of an attack.
Such tools alert administrators when a host starts modifying or renaming large numbers of files across a share, the signature of ransomware encrypting data. Many also inspect outgoing traffic: some ransomware families contact a command-and-control server to obtain or register their encryption key before encrypting, and blocking that connection early can limit the damage. Note, however, that this does not help against families that encrypt entirely offline, as WannaCry and NotPetya did.
And last but definitely not least: apply software and operating system patches as soon as they are available. Both WannaCry and NotPetya exploited an SMB vulnerability for which Microsoft had published a fix (MS17-010) in March 2017, two months before WannaCry appeared; attackers succeed most often where patching and security policies have gaps.
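The mass-encryption alert described above can be built with a simple sliding-window rule over file-server audit events. The following is an added example written for this article, not code from a product or from the original post; the "timestamp|user|host|operation|path" line format is a hypothetical simplification of what a file-server audit log or endpoint agent emits, the thresholds are assumptions to be tuned to the share's normal load, and the sample events are constructed.

```python
"""Detect ransomware-style mass file modification from file-server audit events.

Added example, not from the original article. The event format
("timestamp|user|host|operation|path") is a hypothetical, simplified version of
what a file-server audit log or EDR agent would emit; sample events are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Detection thresholds: assumptions for this example, tune to the share's normal load.
WINDOW = timedelta(seconds=60)      # sliding window per (user, host)
MAX_DISTINCT_FILES = 50             # more distinct files written/renamed than this -> alert
MIN_SUSPICIOUS_EXT = 10             # this many files with a known ransomware extension -> alert
# Extensions and note names modelled on real families (.wncry = WannaCry); list is illustrative.
SUSPICIOUS_EXT = re.compile(r"\.(wncry|wcry|locked|crypt|encrypted)$", re.I)
RANSOM_NOTE = re.compile(r"(read_?me|decrypt|how_to|restore).*\.(txt|html|hta)$", re.I)


def parse_event(line):
    """Split one audit line into (timestamp, user, host, operation, path)."""
    ts, user, host, op, path = line.split("|", 4)
    return datetime.fromisoformat(ts), user, host, op, path


def detect(lines, window=WINDOW, max_files=MAX_DISTINCT_FILES,
           min_suspicious=MIN_SUSPICIOUS_EXT):
    """Return a list of alerts. Each (user, host) gets at most one burst alert."""
    events = sorted((parse_event(line) for line in lines), key=lambda e: e[0])
    recent = defaultdict(deque)   # (user, host) -> deque of (timestamp, path)
    burst_alerted = set()
    alerts = []
    for ts, user, host, op, path in events:
        if op not in ("WRITE", "RENAME"):
            continue
        key = (user, host)
        name = path.rsplit("/", 1)[-1]
        if RANSOM_NOTE.search(name):
            alerts.append({"principal": key, "reason": "ransom-note-name",
                           "time": ts, "path": path})
        q = recent[key]
        q.append((ts, path))
        while ts - q[0][0] > window:   # drop events that fell out of the window
            q.popleft()
        distinct = {p for _, p in q}
        suspicious = sum(1 for p in distinct if SUSPICIOUS_EXT.search(p))
        if key not in burst_alerted and (len(distinct) > max_files
                                         or suspicious >= min_suspicious):
            burst_alerted.add(key)
            alerts.append({"principal": key, "reason": "mass-modification",
                           "time": ts, "files": len(distinct),
                           "suspicious_ext": suspicious})
    return alerts


def build_sample_events():
    """Constructed audit log: one normal user and one host renaming files en masse."""
    base = datetime(2018, 1, 15, 9, 0, 0)
    lines = []
    for i in range(5):   # alice edits a handful of documents over 40 seconds
        t = base + timedelta(seconds=10 * i)
        lines.append(f"{t.isoformat()}|alice|WS-01|WRITE|/share/docs/minutes_{i}.docx")
    for i in range(80):  # bob's workstation renames 80 files in 8 seconds
        t = base + timedelta(seconds=30, milliseconds=100 * i)
        lines.append(f"{t.isoformat()}|bob|WS-07|RENAME|/share/finance/report_{i}.xlsx.wncry")
    t = base + timedelta(seconds=40)
    lines.append(f"{t.isoformat()}|bob|WS-07|WRITE|/share/finance/@Please_Read_Me@.txt")
    return lines


if __name__ == "__main__":
    for alert in detect(build_sample_events()):
        print(alert)
```

Running it produces two alerts for bob's workstation (a burst alert once ten files with a known ransomware extension appear inside the window, then a ransom-note alert) and nothing for alice. In production the alert should feed an automated response, such as disabling the user's SMB session or quarantining the host, because a fast encryptor can finish a share in the time it takes an administrator to read an email.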
3. Make your employees smart
We have written about ransomware and malware on this blog before, but what we see is that in an encryption attack even experienced computer users panic. Every employee in a company should therefore know exactly what to do if hit by ransomware, including senior executives and IT directors.
A ransomware attack should not only feature in the business continuity plan used by senior management and IT specialists; short, precise instructions on what to do when hit should be posted and understood in every office. These can be simple but effective, for example:
- Disconnect the device from the internet and the internal network (unplug the cable, switch off Wi-Fi)
- Do not power the device off unless IT tells you to; call IT security/IT administration immediately so they can preserve evidence and contain the incident. Some decryption tools only work on a machine that has not been rebooted, because the key material is still in memory.
IT security and administration staff should keep up with the latest developments in security and attacker techniques. Following security news, vendor advisories and reports of newly disclosed vulnerabilities in the software and network equipment they run should be part of the job.
What should you do if you’re hit by ransomware?
If, for one reason or another, ransomware has got through your defences and your data has been encrypted, do the following:
- Never pay the ransom! We do not say that lightly: paying gives you no guarantee that the criminals will send a working decryption key. In many cases (and certainly with a 'ranscam' or wiper, where no key exists) you will not get your data back, leaving you with no data and no money.
- Do not try to decrypt the data yourself unless you know what you are doing. For some older ransomware families, free decryption tools exist (the No More Ransom project, run by law enforcement and security vendors, collects them). A computer specialist may be able to recover their own data, but it takes expertise and carries risk: if something goes wrong, the data can be lost for good. At the very least, take a full image of the affected disks before attempting anything, so that a failed attempt can be undone.
A safer alternative is to contact a data recovery specialist such as PF Consultants, who has the tools and experience to attempt a recovery.
Can your ransomed data be recovered?
From a data recovery specialist's perspective, every ransomware case is different. Variants differ not only in how they encrypt data and spread through the network but also in which parts of the storage system they target, from individual files to file system metadata or entire volumes.
Some systems and data structures are harder and slower to recover than others. Because each case is different, it makes sense to contact a specialist and ask whether they have seen your strain before. They can then advise whether sending the media in for recovery is worthwhile and whether they have succeeded with similar cases.
After the attacks of 2017, ransomware will almost certainly remain a serious threat to private individuals and companies in 2018. It pays to revisit your data security, network policies, user training and backup procedures now.
From a backup perspective, keep backups of business-critical data on external media that are disconnected from the network (ransomware encrypts any share or drive it can reach, mapped backup drives included), and test them regularly by restoring from them and checking the restored data against a known-good record: an untested backup is not a backup.
If your backups do not work or have themselves been infected, contact a professional data recovery provider who can attempt to recover the information from the problematic backup media or work around the ransomware to reach the data.
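One concrete way to make that regular test meaningful is to keep a hash manifest of the backup set and verify the media against it, which catches both a backup that was silently overwritten by ransomware and one that simply failed to write. The following is an added example written for this article, not PF Consultants' tooling or code from the original post; the backup contents, the ransomware simulation and the entropy threshold are all constructed assumptions for the demo.

```python
"""Verify an offline backup set against a stored SHA-256 manifest.

Added example, not from the original article. It builds a constructed backup
directory in a temp folder, writes a manifest, then simulates ransomware
overwriting one file and dropping a ransom note, and returns what verification
reports. The entropy test is a heuristic: encrypted output is close to random
(about 8 bits per byte), while most documents and spreadsheets are far below that.
"""
import hashlib
import json
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

ENTROPY_THRESHOLD = 7.5   # bits per byte; assumption for the example


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def write_manifest(root: Path, manifest_path: Path) -> dict:
    """Record relative path -> sha256 for every file under root."""
    manifest = {p.relative_to(root).as_posix(): sha256_file(p)
                for p in sorted(root.rglob("*")) if p.is_file()}
    manifest_path.write_text(json.dumps(manifest, indent=1))
    return manifest


def verify_backup(root: Path, manifest_path: Path,
                  entropy_threshold: float = ENTROPY_THRESHOLD) -> dict:
    """Compare the backup set with the manifest and flag anything that changed."""
    expected = json.loads(manifest_path.read_text())
    present = {p.relative_to(root).as_posix(): p
               for p in root.rglob("*") if p.is_file()}
    report = {"ok": [], "modified": [], "missing": [], "unexpected": [], "high_entropy": []}
    for rel, digest in expected.items():
        if rel not in present:
            report["missing"].append(rel)
        elif sha256_file(present[rel]) != digest:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    report["unexpected"] = sorted(set(present) - set(expected))
    for rel, p in sorted(present.items()):   # encrypted files look random whatever their name
        if shannon_entropy(p.read_bytes()[:65536]) > entropy_threshold:
            report["high_entropy"].append(rel)
    return report


def demo() -> dict:
    """Build a constructed backup, then tamper with it the way ransomware would."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "backup"
        root.mkdir()
        (root / "ledger.csv").write_text("2017-12-01,invoice,1250.00\n" * 300)
        (root / "notes.txt").write_text("quarterly planning notes\n" * 100)
        manifest = Path(tmp) / "manifest.json"   # stored outside the backup tree
        write_manifest(root, manifest)
        clean = verify_backup(root, manifest)
        # Simulated ransomware: overwrite one file with ciphertext-like bytes, drop a note
        (root / "ledger.csv").write_bytes(os.urandom(8192))
        (root / "README_DECRYPT.txt").write_text("Your files are encrypted. Pay 0.3 BTC.\n")
        tampered = verify_backup(root, manifest)
    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The clean run reports both files as ok; after the simulated attack the same check lists ledger.csv as modified and high-entropy and README_DECRYPT.txt as an unexpected file. Keep the manifest somewhere the backup media cannot reach (a separate system, ideally signed), otherwise the malware that encrypts the backup can rewrite the manifest to match. A hash match proves the bytes are intact; it does not prove the application can read them, so the periodic test should still end with an actual restore.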