Ransomware attacks continued to surge in 2019. According to Trend Micro, the first half of 2019 saw a 77% increase in ransomware attacks, with WannaCry ranked as the most common ransomware family detected. The DCH Health System is one of ransomware's latest victims: it reportedly paid the attackers to resolve an attack that crippled operations at its three hospitals.
Even with a basic understanding of how to protect your organization against ransomware, you may still have questions about how far such an attack can reach. Below is a compilation of some of those questions, with suggestions on what your organization can do to limit the damage.
1. Can ransomware spread through a network?
Yes. Like other malware, ransomware can proliferate through a network, infecting and locking unprotected endpoints, including servers. To maximize the impact of an attack, many ransomware families actively seek out other reachable systems, whether through accessible file shares or by exploiting unpatched services, as WannaCry did over SMB. Once operations stop, the affected organization is cornered into paying.
As with any other malware outbreak, it is critical that organizations quickly isolate and quarantine the affected endpoints. This means identifying the attack promptly and disconnecting those systems from the network (unplug the cable or disable the interface rather than powering off, which destroys evidence held in memory) so that the attack is contained.
2. How did ransomware come into existence?
One of the earliest examples of ransomware was the AIDS Trojan, written by Joseph Popp in 1989. It hid files on the hard drive and encrypted their names using symmetric cryptography, then showed the victim a message claiming that the licence for a piece of software had expired and demanding US$189 be sent to an entity called PC Cyborg Corporation. Because the symmetric key was embedded in the trojan itself, the scrambling could be reversed without paying, a weakness later families fixed.
By 2006, ransomware was spreading widely, with trojans such as Archiveus, Cryzip, TROJ.RANSOM.A, and Gpcode. As ransomware's prominence grew, the encryption behind it steadily increased in strength as well, moving from weak or home-grown ciphers toward properly implemented public-key cryptography, where the files cannot be recovered without a private key that never leaves the attacker.
3. Can ransomware be detected?
The impact of ransomware depends heavily on first-mover advantage: signature-based anti-virus cannot be expected to recognise a brand-new sample. Keeping anti-virus up to date still mitigates a significant amount of risk, because most incidents reuse known families or components.
Early threat detection systems that leverage User and Entity Behavior Analytics (UEBA) can flag the behavioural signature of a ransomware run, such as one process rewriting hundreds of files within seconds, and email services such as Gmail warn users when an attachment or sender looks illegitimate. The hardest cases to detect are lures delivered through business email compromise (BEC), where the message comes from a legitimate account the attacker controls, so sender-reputation and spoofing checks never fire.
Because there is no foolproof way to detect every ransomware attack, organizations should also prepare for the ones that get through, for example with security policies that automatically isolate infected endpoints from the network. Employees must also be trained to be vigilant about the emails they receive; simulated phishing campaigns are one way to raise organizational vigilance.
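What a behavioural detector keys on can be shown in a few lines. The following Python is an added example, not code from Horangi or from any UEBA product: it consumes a constructed stream of file-write events in a hypothetical (timestamp, process, old path, new path, bytes written) format and alerts when one process rewrites many distinct files with high-entropy content and a changed extension inside a short window, while leaving an archiver (high entropy, same extension) and a file converter (new extension, plaintext) alone.

```python
"""Toy behavioural ransomware detector (added example, not Horangi's code).

It looks for the pattern a UEBA/EDR rule would key on: one process that, in a
short window, rewrites many distinct files with high-entropy content and
changes their extension. Entropy separates ciphertext from documents; the
extension change separates it from archivers that legitimately write
high-entropy output. The event format is hypothetical and the events are
constructed below.
"""
import hashlib
import math
from collections import defaultdict

ENTROPY_THRESHOLD = 7.0   # bits/byte; ciphertext ~7.8+, prose ~4-5
WINDOW_SECONDS = 60
FILES_THRESHOLD = 10      # distinct files per process inside the window


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty or constant input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def extension(path: str) -> str:
    """Lower-cased last extension of a forward-slash path."""
    return path.rsplit("/", 1)[-1].rsplit(".", 1)[-1].lower()


def detect(events, window=WINDOW_SECONDS, threshold=FILES_THRESHOLD):
    """events: iterable of (timestamp, process, old_path, new_path, data).

    Returns {process: timestamp_of_first_alert} for every process that wrote
    high-entropy data to >= `threshold` distinct files, each with a changed
    extension, inside any `window`-second span.
    """
    history = defaultdict(list)   # process -> [(ts, path)] of suspicious writes
    alerts = {}
    for ts, proc, old_path, new_path, data in sorted(events, key=lambda e: e[0]):
        if extension(old_path) == extension(new_path):
            continue                               # in-place write, e.g. an archiver
        if shannon_entropy(data) < ENTROPY_THRESHOLD:
            continue                               # plaintext, e.g. a converter
        hist = history[proc]
        hist.append((ts, old_path))
        while hist and hist[0][0] < ts - window:   # slide the window forward
            hist.pop(0)
        if len({p for _, p in hist}) >= threshold and proc not in alerts:
            alerts[proc] = ts
    return alerts


def pseudo_ciphertext(seed: str, size: int = 1024) -> bytes:
    """Deterministic random-looking bytes standing in for a ransomware's output."""
    out, block = bytearray(), seed.encode()
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:size])


def plain_text(size: int = 1024) -> bytes:
    return (b"Quarterly revenue grew 4% on stable margins. " * 40)[:size]


def build_sample_events():
    """Constructed telemetry for the demo, not real logs."""
    events = []
    for i in range(12):   # ransomware: 12 documents rewritten in 12 seconds
        events.append((1000 + i, "evil.exe",
                       f"C:/Users/a/docs/q{i}.docx",
                       f"C:/Users/a/docs/q{i}.docx.locked",
                       pseudo_ciphertext(f"q{i}")))
    for i in range(12):   # converter: extension changes, content stays plaintext
        events.append((1000 + i, "converter.exe",
                       f"C:/Users/a/notes/n{i}.txt",
                       f"C:/Users/a/notes/n{i}.md",
                       plain_text()))
    # archiver: high-entropy output, but the file keeps its extension
    events.append((1005, "7z.exe", "C:/Users/a/backup.7z",
                   "C:/Users/a/backup.7z", pseudo_ciphertext("archive")))
    return events


if __name__ == "__main__":
    for proc, ts in detect(build_sample_events()).items():
        print(f"ALERT t={ts}: {proc} is mass-encrypting files")
```

The thresholds are the tuning knobs: a real deployment would feed this from EDR or Sysmon file events, raise the file count for backup agents and build servers, and wire the alert to the automatic isolation policy described above.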
4. Can ransomware encrypt an encrypted drive?
Yes. Full-disk encryption such as BitLocker protects data at rest, but while the system is running and the volume is unlocked, files are read and written transparently, so ransomware running under a logged-in user sees plaintext like any other program. It simply encrypts the files again and demands a ransom for its own layer. Disk encryption protects a stolen laptop, not a running one.
5. Can ransomware steal data?
It can, but encryption by itself is not theft. Classic crypto-ransomware reads each file, writes an encrypted copy and deletes the original; the data never leaves the machine, it is just unreadable without a key that only the attacker holds, and if the victim does not pay, that key is never released. Some attackers additionally exfiltrate files before encrypting them and threaten to publish them, so a ransomware incident should be handled as a potential data breach until proven otherwise. WannaCry and NotPetya are two of the more prominent major attacks; neither stole data, and NotPetya's key handling was so broken that even paying could not recover the files.
6. Can ransomware infect backups?
Yes. Ransomware such as WannaCry and newer CryptoLocker variants deletes the Volume Shadow Copies that Windows keeps (WannaCry runs vssadmin delete shadows /all /quiet before encrypting), and any backup share reachable with the victim's credentials can be encrypted like any other file. Attackers increasingly target backups to raise the odds that victims pay, since there is nothing left to restore from. Keep at least one backup copy off the core network, on disconnected drives or in a separate cloud account with its own credentials, and test restores regularly: a backup you cannot restore from is not a backup.
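One "appropriate security measure" for an off-network backup is to verify it before you need it. The following Python is an added example, not Horangi's code or any backup product's: it builds a hash manifest of a backup tree, authenticates the manifest with an HMAC key that lives only on the backup host (the key, directory layout and file contents are constructed for the demo), and later reports files whose content changed, as well as a manifest an attacker rewrote to hide the change.

```python
"""Offline backup integrity check (added example, not Horangi's code).

At backup time, hash every file and authenticate the manifest with a key that
lives only on the backup host (HMAC-SHA256 here). At restore time, or on a
schedule, verify_manifest() lists files whose content no longer matches, which
is what a ransomware run over a reachable backup share looks like, and rejects
a manifest an attacker rewrote to hide the change. The directory layout, key
and file contents below are constructed for the demo.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _mac(files: dict, key: bytes) -> str:
    body = json.dumps(files, sort_keys=True).encode()
    return hmac.new(key, body, "sha256").hexdigest()


def build_manifest(root: Path, key: bytes) -> dict:
    """Hash every file under `root`; keys are POSIX-style relative paths."""
    files = {p.relative_to(root).as_posix(): sha256_file(p)
             for p in sorted(root.rglob("*")) if p.is_file()}
    return {"files": files, "mac": _mac(files, key)}


def verify_manifest(root: Path, manifest: dict, key: bytes) -> dict:
    """Check the manifest's MAC first, then every file's digest."""
    if not hmac.compare_digest(manifest["mac"], _mac(manifest["files"], key)):
        return {"ok": False, "reason": "manifest signature invalid"}
    modified = [rel for rel, digest in manifest["files"].items()
                if not (root / rel).is_file() or sha256_file(root / rel) != digest]
    return {"ok": not modified, "modified": modified}


def demo() -> dict:
    """Clean verification, then a simulated ransomware rewrite, then a forged manifest."""
    key = b"backup-host-only-secret"   # hypothetical; never stored on the hosts being backed up
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "db").mkdir()
        (root / "db" / "customers.sql").write_bytes(b"INSERT INTO customers VALUES (...);\n" * 100)
        (root / "notes.txt").write_bytes(b"plain backup content\n")
        manifest = build_manifest(root, key)
        clean = verify_manifest(root, manifest, key)

        # Ransomware reaches the share and overwrites one file with ciphertext-like bytes
        (root / "db" / "customers.sql").write_bytes(hashlib.sha256(b"x").digest() * 200)
        tampered = verify_manifest(root, manifest, key)

        # The attacker patches the manifest to match the new hash but has no key
        forged = dict(manifest, files={**manifest["files"],
                                       "db/customers.sql": sha256_file(root / "db" / "customers.sql")})
        forged_result = verify_manifest(root, forged, key)
    return {"clean": clean, "tampered": tampered, "forged": forged_result}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the HMAC is that a compromised production host, even one that can write to the backup share, cannot produce a manifest the backup host will accept. In practice you would store the manifest alongside an immutable or versioned copy of the data and run the check as part of a scheduled restore test.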
7. Can ransomware be removed? If not, should I pay the ransom?
If you've identified and isolated the infected systems, rebuilding them from a known-clean image (or a factory reset, for devices that support one) removes the ransomware. Removing it does not decrypt your files, though: for some older or flawed families, free decryptors have been published through projects such as No More Ransom, but for most families the only way back is a backup.
While paying can look cheaper than recovery, we at Horangi never recommend it. Paying does not guarantee a working decryptor, it marks your organization as one that pays, and it signals to other attackers in the know that you are worth hitting again.
Instead, put together a comprehensive incident response plan that your organization can follow whenever a security incident such as a ransomware attack occurs. Such a plan should spell out which security partner to call, the steps for isolating affected systems, and how to preserve the logs and disk and memory images that will be critical in forensics.
Above all, we recommend a robust backup management program: assess your risks continually so you know your business-critical data is backed up, stored where ransomware cannot reach it, and proven restorable.