Ransomware Trends and Strategies: Safeguarding Your Organization
Ransomware Attacks — Overview
Ransomware is malicious software that denies a victim access to their own data or systems, typically by encrypting files or locking the device, and then demands payment, usually in cryptocurrency, in exchange for the decryption key or for restoring access.
While ransomware has only recently drawn widespread attention, the first recorded incident dates back to December 1989, when the biologist Joseph Popp distributed infected floppy disks to attendees of an international AIDS conference. Known as the AIDS Trojan or “PC Cyborg”, it scrambled file names on the victim's disk after a set number of reboots and demanded a $189 “licence fee” be sent to a P.O. box in Panama.
Initially, ransomware attacks targeted individuals and small organizations. However, these threats have evolved in sophistication and complexity, largely due to their potential for profit and the difficulty of tracing them.
Currently, there are two primary forms of ransomware:
- Crypto ransomware — encrypts the files on a victim's system, leaving the operating system usable but the data inaccessible.
- Locker ransomware — locks the user out of the entire system (typically the screen or login), rather than encrypting individual files.
In recent years, organized crime has capitalized on this threat by providing Ransomware-as-a-Service (RaaS) to cybercriminals with limited technical skills. These RaaS packages, available on the dark web, often include bundled offers, user reviews, and 24/7 support.
Current Trends and Organizational Impact
The WannaCry outbreak of May 2017, a self-propagating worm that spread through a vulnerability in Microsoft's SMBv1 implementation, marked a turning point: it showed that large-scale ransomware campaigns could be a lucrative business model for criminals. Since then, attacks have surged, with the first half of 2022 recording more incidents than the whole of 2021, and that count covers only the incidents that were reported.
BlackFog’s report, "The State of Ransomware in 2022," highlights this trend, noting a monthly increase in infections over the past three years.
The European Union Agency for Cybersecurity (ENISA) reports that many attacks go unreported: in 94.2% of the incidents it analysed, it is not known whether a ransom was paid. Organizations may be paying substantial ransoms to regain access to their data while keeping these incidents quiet to avoid reputational damage.
Some companies even hire negotiators to facilitate dealings with attackers and manage cryptocurrency transactions. In severe cases, some organizations have faced bankruptcy after failing to recover from attacks, even after paying ransoms.
Cybersecurity professionals and government agencies strongly advise against paying ransoms, as there are no guarantees of regaining access, and doing so may only encourage further attacks.
In March 2022, President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which directs the Cybersecurity and Infrastructure Security Agency (CISA) to issue regulations requiring covered critical-infrastructure entities to report substantial cyber incidents and ransom payments. Once in force, this will give CISA the visibility it needs to assist victims and analyze trends.
Myths Surrounding Ransomware Attacks
Many organizations, especially small to medium enterprises (SMEs), often believe they are safe from ransomware due to their size or the nature of their data. This misconception can lead to inadequate preparations against such threats.
In reality, anyone can fall victim to ransomware, whether targeted or hit by an indiscriminate campaign. Common myths include:
1. We are too small to attract ransomware attackers.
2. We don't handle sensitive data, so we are a less appealing target.
3. Phishing is the main cause of ransomware; other vulnerabilities don't matter.
4. Paying the ransom will make the attackers go away for good.
5. Our intrusion detection systems will catch them immediately.
6. We have online backups, so recovery will be swift.
The last point deserves emphasis: backups that stay connected to the network are themselves a target and are routinely encrypted or deleted before the ransom note appears.
It’s crucial to note that some attackers specifically target SMEs, recognizing their often weaker defenses and higher likelihood of payment.
According to ENISA, organizations should proactively prepare for ransomware attacks and consider potential consequences before they occur. Once an attack happens, it may be too late for effective action.
Steps Organizations Can Take to Protect Themselves
Recovering from ransomware attacks can be both challenging and costly. For instance, Ireland's Health Service Executive (HSE) suffered a ransomware attack in 2021, costing over €100 million to restore operations and upgrade IT systems.
Organizations need to take preventative measures, as it's a matter of when, not if, an attack will occur. Key steps include:
- Enhance Credential Security — Enforce multi-factor authentication (MFA), especially on remote access and administrative accounts, require strong passwords, and use a password manager.
- Adopt Secure by Design Principles — Apply defense in depth, least privilege, and network segmentation so that a compromised host or account cannot reach everything.
- Create a Vulnerability Management Program — Run regular vulnerability scans and prioritize patching of internet-facing systems and known exploited vulnerabilities.
- Implement Network and Endpoint Protections — Deploy endpoint protection, firewalls, and intrusion detection/prevention systems.
- Enable Centralized Logging and Monitoring — Forward logs to a central log management system, alert on ransomware indicators such as mass file modification, and consider a SOAR platform to automate the response.
- Establish Backup and Recovery Protocols — Back up data regularly, keep at least one copy offline or immutable so that an attacker cannot encrypt or delete it, and test restores so you know the recovery time before you need it.
- Provide User Awareness Training — Teach users to recognize phishing attempts and to report suspicious activity.
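To make the logging and monitoring step concrete, here is an added example (not code from the original article) of the kind of detection logic a central log pipeline can run over file-activity telemetry. The log format, process names, thresholds and the sample events are all constructed for illustration; real EDR or audit-log fields will differ. It flags three classic ransomware indicators: one process touching an unusual number of distinct files in a short window, renames that change file extensions in bulk, and the creation of a file whose name looks like a ransom note.

```python
"""Detect ransomware-like file activity in audit logs (illustrative example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format (constructed for this example, not a real product's schema):
# <ISO timestamp> pid=<n> proc=<name> action=<write|rename|create> path=<path> [new=<path>]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) proc=(?P<proc>\S+) action=(?P<action>\w+) "
    r"path=(?P<path>\S+)(?: new=(?P<new>\S+))?$"
)

WINDOW = timedelta(seconds=10)  # sliding window per process
BURST_THRESHOLD = 20            # distinct files touched inside one window
EXT_CHANGE_THRESHOLD = 5        # extension-changing renames inside one window
# Words that commonly appear in ransom-note file names (illustrative list).
NOTE_PATTERN = re.compile(r"(readme|how_to|decrypt|restore|recover)", re.I)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def extension(path):
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect(lines):
    """Return a list of alerts; each (pid, rule) pair fires at most once."""
    windows = defaultdict(deque)  # pid -> deque of (ts, path, extension_changed)
    alerts, fired = [], set()

    def fire(ev, rule, detail):
        if (ev["pid"], rule) not in fired:
            fired.add((ev["pid"], rule))
            alerts.append({"pid": ev["pid"], "proc": ev["proc"], "rule": rule,
                           "at": ev["ts"].isoformat(), "detail": detail})

    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unparseable lines are skipped, not treated as errors
        changed = bool(ev["action"] == "rename" and ev["new"]
                       and extension(ev["new"]) != extension(ev["path"]))
        q = windows[ev["pid"]]
        q.append((ev["ts"], ev["path"], changed))
        while q and ev["ts"] - q[0][0] > WINDOW:  # drop events outside the window
            q.popleft()
        distinct = {p for _, p, _ in q}
        ext_changes = sum(1 for _, _, c in q if c)
        if len(distinct) >= BURST_THRESHOLD:
            fire(ev, "mass_modification", f"{len(distinct)} distinct files in {WINDOW.seconds}s")
        if ext_changes >= EXT_CHANGE_THRESHOLD:
            fire(ev, "extension_change", f"{ext_changes} extension-changing renames in {WINDOW.seconds}s")
        if ev["action"] == "create" and NOTE_PATTERN.search(ev["path"].rsplit("/", 1)[-1]):
            fire(ev, "ransom_note_name", ev["path"])
    return alerts


def build_sample_log():
    """Constructed sample: a benign editor saving one document, then a process
    renaming 30 documents to *.locked in about six seconds and dropping a note."""
    base = datetime(2024, 3, 1, 9, 0, 0)
    lines = [f"{(base + timedelta(seconds=30 * i)).isoformat()} pid=412 proc=winword.exe "
             f"action=write path=C:/Users/ann/Documents/q1.docx" for i in range(4)]
    for i in range(30):
        ts = (base + timedelta(minutes=5, milliseconds=200 * i)).isoformat()
        lines.append(f"{ts} pid=981 proc=svchst.exe action=rename "
                     f"path=C:/Users/ann/Documents/file{i}.docx "
                     f"new=C:/Users/ann/Documents/file{i}.docx.locked")
    lines.append(f"{(base + timedelta(minutes=5, seconds=7)).isoformat()} pid=981 proc=svchst.exe "
                 f"action=create path=C:/Users/ann/Documents/HOW_TO_DECRYPT.txt")
    return lines


if __name__ == "__main__":
    for alert in detect(build_sample_log()):
        print(alert)
```

The benign editor never trips a rule because it repeatedly writes the same file, while the renaming process trips all three. In production the thresholds should be tuned against a baseline of normal activity (backup agents and indexers also touch many files quickly), and a hit should feed an automated response such as isolating the host rather than only raising a ticket.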
Conclusion
Ransomware poses a threat to organizations of all sizes. To protect against these attacks, it's essential to implement robust security measures, alongside a well-planned incident response and crisis management strategy. These plans should be regularly tested to ensure effectiveness in critical situations, ensuring business operations can continue during recovery.
Further Resources
[1] NIST Ransomware Advice, https://www.nist.gov/itl/smallbusinesscyber/guidance-topic/ransomware
[2] CISA Stop Ransomware Tips & Guidance, https://www.cisa.gov/stopransomware
[3] IST Combating Ransomware — A Comprehensive Framework for Action, https://securityandtechnology.org/ransomwaretaskforce/report/