8 Actions Your Business Can Take Now to Avoid Paying a Ransom Later
The number of ransomware attacks has exploded in 2021, and so, too, has the size of the ransoms. Here are eight actions that companies can take so they do not have to pay a big ransom to get their data back.
The number of ransomware attacks has exploded in 2021. The month of July started out with a big bang when cybercriminals encrypted the data of as many as 1,500 small businesses in one fell swoop. The attackers got into the companies' IT systems by exploiting a vulnerability in a Kaseya remote-management tool used by the managed service providers that look after those businesses. The cybercriminals are demanding $70 million to restore the data in all of the affected businesses.
It is unknown at this time whether Kaseya will pay the ransom to get the decryption key. Recent ransomware attacks suggest it might. For example, JBS USA paid $11 million in June 2021 to get its data back, and in May 2021 Brenntag and Colonial Pipeline Company each paid a $4.4 million ransom.
The situation is getting so dire that four states — New York, North Carolina, Pennsylvania, and Texas — are considering passing legislation that would limit or ban ransom payments. Their hope is that the number of attacks will significantly decrease once companies stop paying the ransom.
In the meantime, it is up to businesses to protect their data. Here are eight actions that companies can take so they do not have to pay a big ransom to get their data back:
- Use But Don't Rely Solely on Security Solutions
Security solutions detect and block ransomware as well as other types of malware. Thus, it is important to use security solutions to protect your company's computing devices, including smartphones and tablets.
However, using a security solution does not guarantee that your company will be protected from every ransomware attack. An infection might still occur for a number of reasons. For starters, some security solutions provide more capabilities than others; for example, some offer behavior-based malware detection in addition to signature-based detection. Plus, security solution providers set their own schedules for releasing updates, and software that is updated frequently offers better protection than software that is not.
Even the best security solutions cannot be relied on to stop ransomware that has not been seen before. Cybercriminals know this, so they continually devise new attacks as well as overhaul existing ones. Therefore, you need to take additional measures to protect your business against ransomware.
- Make Sure Software and Firmware Are Being Updated
To carry out ransomware attacks, hackers often exploit security vulnerabilities to gain access to programs and devices. Updates are typically used to patch known vulnerabilities. For this reason, you need to make sure that the software and firmware are being regularly updated on your company's devices, including servers, desktop computers, smartphones, tablets, printers, and routers.
Updates are often installed automatically for operating systems and mainstream apps. However, it is a good idea to periodically confirm that this is actually happening. If updates are not installed automatically, they will need to be installed manually.
- Require Two-Step Verification
In some ransomware attacks, cybercriminals use compromised credentials for an Internet-facing app or system to initially access a company's network. Or they might use credentials they have stolen from the compromised device to access and install the ransomware on other computers (especially hosts and servers) in the network.
Requiring two-step verification (also called two-factor or multi-factor authentication) when logging into business accounts can thwart hackers' attempts to initially access a network and propagate ransomware in it. Even if an account's password is compromised, the password alone is not enough to get into the account, since an additional form of verification is needed. Attackers do try to phish or pester users into approving that second step, so prefer methods that cannot simply be relayed, such as hardware security keys or authenticator apps, over codes sent by SMS.
It is best to use two-step verification for all types of accounts, including app, service, and administrative accounts. If using two-step verification is not possible, your company should require the use of strong account passwords and implement an account lockout policy to defend against brute-force password-cracking attacks.
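The brute-force attempts that a lockout policy is meant to cut short leave a trail in the Windows Security log as event 4625 (failed logon). The following script is an added example, not code from the article or from any vendor: it groups failed-logon records by target account and source address and reports any pair that reaches a threshold inside a time window. The `Find-BruteForce` function, its defaults of 10 failures in 15 minutes, and the sample records at the bottom are all assumptions made for the illustration; on a live host the records come from `Get-WinEvent`, as shown in the comment.

```powershell
# Added example, not from the article: find password guessing in Windows
# Security event 4625 (failed logon) records, the activity an account lockout
# policy is meant to cut short. The $Threshold and $WindowMinutes defaults and
# the sample records at the bottom are illustrative assumptions.
function Find-BruteForce {
    param(
        [Parameter(Mandatory)] [object[]] $Events,   # objects with Time, TargetUser, SourceIp
        [int] $Threshold = 10,
        [int] $WindowMinutes = 15
    )
    $Events | Group-Object TargetUser, SourceIp | ForEach-Object {
        $group = $_.Group
        $times = @($group | Sort-Object Time | Select-Object -ExpandProperty Time)
        # Slide a window over the sorted timestamps and report the account/source
        # pair the first time $Threshold failures land inside $WindowMinutes.
        for ($i = 0; ($i + $Threshold - 1) -lt $times.Count; $i++) {
            $span = $times[$i + $Threshold - 1] - $times[$i]
            if ($span.TotalMinutes -le $WindowMinutes) {
                [pscustomobject]@{
                    TargetUser = $group[0].TargetUser
                    SourceIp   = $group[0].SourceIp
                    Failures   = $times.Count
                    FirstSeen  = $times[0]
                    LastSeen   = $times[-1]
                }
                break
            }
        }
    }
}

# On a live host the same objects come from the Security log (run elevated):
#   Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4625; StartTime=(Get-Date).AddDays(-1) } |
#     ForEach-Object {
#       $d = ([xml]$_.ToXml()).Event.EventData.Data
#       [pscustomobject]@{ Time       = $_.TimeCreated
#                          TargetUser = ($d | Where-Object Name -eq 'TargetUserName').'#text'
#                          SourceIp   = ($d | Where-Object Name -eq 'IpAddress').'#text' }
#     }

# Constructed sample: twelve failures against a service account from one address
# in three minutes, plus two genuine typos by a user from an internal address.
$t0 = Get-Date '2021-07-06 02:00:00'
$sample = @(0..11 | ForEach-Object {
    [pscustomobject]@{ Time = $t0.AddSeconds(15 * $_); TargetUser = 'svc-backup'; SourceIp = '203.0.113.7' }
})
$sample += [pscustomobject]@{ Time = $t0.AddHours(6);               TargetUser = 'alice'; SourceIp = '10.0.0.5' }
$sample += [pscustomobject]@{ Time = $t0.AddHours(6).AddMinutes(1); TargetUser = 'alice'; SourceIp = '10.0.0.5' }

Find-BruteForce -Events $sample | Format-Table -AutoSize
```

Run against the sample, the script reports one row (svc-backup from 203.0.113.7, 12 failures) and stays silent about alice's two typos. A local lockout policy that would have stopped the run at the tenth attempt is `net accounts /lockoutthreshold:10 /lockoutwindow:15 /lockoutduration:15`; in a domain, the same three values belong in the Default Domain Policy. Two caveats: the IpAddress field is "-" for logons that did not come over the network, and a lockout policy also lets an attacker lock real users out on purpose, so the threshold should not be set so low that a few typos trigger it.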
- Change the Default Macro Setting
Some Microsoft Office apps (e.g., Word, Excel, PowerPoint) give users the ability to create macros when they want to automate tasks that they perform repeatedly. Once created, users can run the macros anytime they need to perform those tasks, saving time and effort.
Unfortunately, cybercriminals like to create Word and Excel macros that initiate ransomware attacks. Sometimes they attach the macro-laden files to phishing emails and text messages. Other times, they include links to the files in the email and text messages. In the phishing or text message, the hackers try to trick the recipients into opening the files.
By default, the Office apps that support macros are configured to automatically disable any macros in files. However, users are given the option to enable them. If they do so, the macros run and the ransomware is unleashed.
Thus, it is a good idea for your company to change the default macro setting from "Disable all macros with notification" to "Disable all macros without notification" in the Office apps that support macros, ideally through Group Policy so that employees cannot switch it back. That way, employees will not be given the option to enable a macro if a file includes one. Unless macros are routinely used in work files, receiving a legitimate file that contains a macro is rare. If your employees regularly send and receive files containing macros, your company can take advantage of digitally signed macros. In that case, change the default macro setting to "Disable all macros except digitally signed macros" and distribute only the signing certificates you trust.
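The four Trust Center choices map onto a single registry value, `VBAWarnings`, that Office reads from its policy keys. The script below is an added example, not code from the article or from Microsoft: it writes the policy for Word, Excel and PowerPoint, and additionally turns on the separate "block macros in files from the Internet" control, then reads everything back. It assumes Office 2016, 2019 or Microsoft 365 (registry version "16.0"), per-user policy keys under HKCU\Software\Policies, and the value meanings listed in the comments; the `-AllowSigned` switch is a name chosen for this script.

```powershell
# Added example: set the Office VBA macro policy for Word, Excel and PowerPoint.
# Assumptions (not from the original article): Office 2016/2019/Microsoft 365
# (registry version "16.0"), per-user policy keys under HKCU\Software\Policies,
# and that the VBAWarnings values mean what the Trust Center shows:
#   1 = Enable all macros, 2 = Disable all with notification,
#   3 = Disable all except digitally signed, 4 = Disable all without notification.
param(
    [switch] $AllowSigned   # write 3 instead of 4 when signed macros are in routine use
)

$apps   = 'Word', 'Excel', 'PowerPoint'
$policy = if ($AllowSigned) { 3 } else { 4 }

foreach ($app in $apps) {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

    # Values under ...\Policies\... are treated as enforced: the Trust Center shows
    # the setting greyed out, so the user cannot click "Enable Content".
    Set-ItemProperty -Path $key -Name VBAWarnings -Type DWord -Value $policy

    # Independently of the level above, refuse macros in any file that carries the
    # Mark-of-the-Web, i.e. was downloaded or arrived as a mail attachment.
    Set-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -Type DWord -Value 1
}

# Read back and report, so the change can be verified on every machine.
foreach ($app in $apps) {
    $v = Get-ItemProperty -Path "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    '{0,-10} VBAWarnings={1} blockcontentexecutionfrominternet={2}' -f $app, $v.VBAWarnings, $v.blockcontentexecutionfrominternet
}
```

Running this as the user is fine for a single machine, but a user who can write to their own HKCU hive can also undo it, so for a fleet push the same two values through Group Policy (the Office ADMX settings "VBA Macro Notification Settings" and "Block macros from running in Office files from the Internet" write exactly these keys). Outlook and Access have their own policy keys under the same parent if your organisation uses macros there.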
- Apply the Principle of Least Privilege
To reduce the risk of a ransomware infection starting and spreading in your company's network, it is a good idea to apply the principle of least privilege whenever possible. In other words, you should limit employees' permissions and access to company resources to the minimal level that will allow them to perform their job duties. In addition, the access should be in effect for the shortest duration necessary.
The ways in which you can apply the principle of least privilege will depend on your IT environment and employees' job duties. For example, if the operating system software being used on your company's desktop computers lets employees connect to and control their machines from a remote device using the Remote Desktop Protocol (RDP), you should limit the ability to create RDP sessions to only those employees who must use them as well as take measures to secure those sessions (e.g., deploy an RDP gateway). If no one needs to access their desktop computers from remote devices, the ability to create RDP sessions should be disabled.
Similarly, you might want to restrict employees' ability to install and run apps on their desktop computers and any company-provided mobile devices. This will reduce the risk that employees will inadvertently download and install ransomware-infested apps on company devices. Hackers often hide ransomware in pirated versions of popular commercial apps, which they offer for little or no cost to entice people to download them.
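Applied to RDP, least privilege means two things: knowing exactly which accounts can open a session, and removing the capability outright where nobody needs it. The following script is an added example, not code from the article or from Microsoft. It reads whether RDP is enabled and whether Network Level Authentication (NLA) is required, lists every local account that could connect, and, with the `-Disable` switch (a name chosen for this script), turns RDP and its firewall rules off. It assumes Windows 10/11 or Windows Server 2016 or later, where the registry locations and cmdlets below are the standard ones, and that it is run from an elevated prompt.

```powershell
# Added example (not from the article): audit Remote Desktop exposure on a
# Windows 10/11 or Server 2016+ host and, if nobody needs it, turn it off.
# Run elevated. -Disable is a switch invented for this script.
param(
    [switch] $Disable
)

$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdp = "$ts\WinStations\RDP-Tcp"

# fDenyTSConnections = 1 means RDP is off. UserAuthentication = 1 means Network
# Level Authentication is required, so a client must authenticate before any
# session (and any logon screen) is set up for it.
$enabled     = (Get-ItemProperty -Path $ts  -Name fDenyTSConnections).fDenyTSConnections -eq 0
$nlaRequired = (Get-ItemProperty -Path $rdp -Name UserAuthentication).UserAuthentication -eq 1

# Members of both groups can open an RDP session to this machine; the audit
# question is whether every one of them actually needs to.
$allowed = foreach ($g in 'Remote Desktop Users', 'Administrators') {
    Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'Group'; e = { $g } }, Name, ObjectClass
}

"RDP enabled: $enabled   NLA required: $nlaRequired"
'Accounts able to connect:'
$allowed | Format-Table -AutoSize

if ($Disable) {
    # Nobody uses RDP here: remove the capability instead of relying on a
    # password being the only thing between the network and TCP/3389.
    Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 1
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    'RDP disabled and its firewall rules turned off.'
}
elseif (-not $nlaRequired) {
    # RDP has to stay on: at least insist on NLA so unauthenticated clients
    # never get a session.
    Set-ItemProperty -Path $rdp -Name UserAuthentication -Value 1
    'NLA was off and is now required.'
}
```

On domain-joined machines the right place to control who may connect is the "Allow log on through Remote Desktop Services" user right in Group Policy rather than local group membership, and the firewall rule should additionally be scoped to the RDP gateway's address so that 3389 is never reachable from the Internet directly.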
- Teach Employees to Be Cautious
Teaching employees to be cautious can go a long way in helping your company avoid becoming a ransomware victim. For starters, you should let employees know about the dangers associated with:
- Clicking links in email and text messages from unknown senders. These links could lead to malicious websites designed to install malware on visitors' devices or steal the visitors' personal data.
- Clicking links in strange email and text messages supposedly from people they know. Hackers sometimes hijack a person's email or text account so they can use it to send phishing messages to the masses. Hackers also use hijacked accounts to send personalized messages to a victim's contacts. They masquerade as the victim to make the email seem legitimate, thereby increasing the likelihood that the recipient will click the link.
- Checking out clickbait. Clickbait refers to text links ("You won't believe ...") and thumbnail image links designed to entice people to view content on another web page. While clickbait is typically used to increase page views and generate ad revenue, cybercriminals sometimes use it to send people to malicious websites.
- Scanning quick response (QR) codes in online message boards, forums, and other public sites. Typically, anyone can post messages with QR codes — including cybercriminals — in these venues. The QR code might lead to a malicious website.
- Opening files attached to email or text messages. If the attachments are not expected, they might contain malicious code (e.g., a macro or script) that leads to a ransomware infection or another type of cyberattack.
- Opening a password-protected file (especially if it is a compressed archive file) sent via email or text message if that message includes the password needed to unlock the file. When this occurs, there is a good chance that the file contains malicious code.
- Stress the Importance of Heeding Warnings
Software programs often include features that help protect their users from security threats like ransomware. For instance, most web browsers flag web content that is a potential security threat. Browsers also block pop-up ads by default since these ads often contain malicious code or links to malicious sites.
Some employees, though, ignore the warnings. A few even disable the security features. For example, they might disable the pop-up blocking functionality in their web browsers or jailbreak their smartphones. Therefore, you need to stress the importance of letting the security features do their job and taking their warnings seriously. Otherwise, the employees might find one day that their files are being held hostage.
- Perform Backups
Cybercriminals are constantly devising new ransomware variants and new ways to spread them. As a result, an infection might occur despite your best efforts to avoid one. Thus, you need to regularly back up the files and systems on your company's computing devices, including mobile devices. You also need to test those backups to make sure the files and systems can actually be restored, and keep at least one copy offline or otherwise out of reach of the network, because ransomware that can reach the backups will encrypt them too.
Although having restorable backups will not prevent a ransomware attack, you will not have to pay the ransom to get your data back if the attack succeeds. Backups do not, however, undo the theft of data that many gangs now use as additional leverage.
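"Test the backups" is easy to say and rarely done rigorously. One concrete way is to record a hash of every file when the backup is taken and, after a trial restore, compare the restored tree against that record: a file that is missing or whose hash differs is exactly what an incomplete restore, or a backup that ransomware reached, looks like. The script below is an added example, not code from the article or from any backup product. The function names, the manifest format (a CSV of path, SHA-256 and size) and the throw-away files it creates under %TEMP% are assumptions made for the demonstration.

```powershell
# Added example (not from the article): prove a backup can be restored by
# hashing the source at backup time and comparing a restored copy against that
# manifest. Function names, manifest layout and the sample files are assumptions.
function New-BackupManifest {
    param([Parameter(Mandatory)] [string] $Source, [Parameter(Mandatory)] [string] $ManifestPath)
    Get-ChildItem -Path $Source -File -Recurse | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($Source.TrimEnd('\').Length + 1)
            Sha256       = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            Length       = $_.Length
        }
    } | Export-Csv -Path $ManifestPath -NoTypeInformation
}

function Test-RestoredBackup {
    param([Parameter(Mandatory)] [string] $Restored, [Parameter(Mandatory)] [string] $ManifestPath)
    $problems = foreach ($entry in Import-Csv -Path $ManifestPath) {
        $path = Join-Path $Restored $entry.RelativePath
        if (-not (Test-Path $path)) {
            [pscustomobject]@{ File = $entry.RelativePath; Problem = 'missing after restore' }
        }
        elseif ((Get-FileHash -Path $path -Algorithm SHA256).Hash -ne $entry.Sha256) {
            # A hash mismatch is what an encrypted-in-place or corrupted file looks like.
            [pscustomobject]@{ File = $entry.RelativePath; Problem = 'content differs from manifest' }
        }
    }
    if ($problems) { $problems } else { 'Restore verified: every file matches the manifest.' }
}

# Self-contained demonstration with constructed files in a temporary directory.
$root = Join-Path $env:TEMP ('restoretest-' + [guid]::NewGuid())
$src  = Join-Path $root 'source'
$rst  = Join-Path $root 'restored'
New-Item -ItemType Directory -Path "$src\ledger", $rst -Force | Out-Null
Set-Content -Path "$src\ledger\q2.csv" -Value 'invoice,amount'      # constructed sample data
Set-Content -Path "$src\readme.txt"    -Value 'constructed sample'

New-BackupManifest -Source $src -ManifestPath "$root\manifest.csv"
Copy-Item -Path "$src\*" -Destination $rst -Recurse                 # stands in for a real restore
Test-RestoredBackup -Restored $rst -ManifestPath "$root\manifest.csv"

# Now simulate ransomware touching the restored copy and check again.
Set-Content -Path "$rst\ledger\q2.csv" -Value 'ENCRYPTED'
Test-RestoredBackup -Restored $rst -ManifestPath "$root\manifest.csv" | Format-Table -AutoSize

Remove-Item -Path $root -Recurse -Force
```

The first check prints the "Restore verified" line; the second reports `ledger\q2.csv` as differing from the manifest. The manifest only proves anything if the attacker could not rewrite it along with the data, so store it with the offline copy of the backup, not on the file server that was backed up.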
Other Actions
There are other actions that companies can take to defend against ransomware attacks. We can make sure that your business has covered all the bases so that it will be protected from ransomware and other types of cyberattacks.
Ransomware statistics flickr photo by Infosec Images shared under a Creative Commons (BY) license
A History of Ransomware
Ransomware is a type of malware in which the perpetrator threatens to commit a malicious act unless the victim pays a ransom. The simplest type of ransomware merely appears to lock the target system, and a person with reasonable knowledge of computers can usually resolve the problem without paying the ransom.
To Pay or Not to Pay: That is the Question That Ransomware Victims Must Answer
Colonial Pipeline Company recently paid $4.4 million dollars to get its data back after a ransomware attack, rekindling the debate of whether companies should give in to cybercriminals' demands. Find out why some companies decide to pay the ransom while others do not.
Most people had never heard of the Colonial Pipeline Company before May 2021, even though it transports 45% of all fuel consumed on the US East Coast. The company works behind the scenes, moving 100 million gallons of refined gasoline and jet fuel through 5,500 miles of pipeline each day. That all changed in early May when the fuel stopped flowing for several days. Numerous reports about gas pumps running dry and people panic-buying gas made Colonial Pipeline a household name.
A ransomware attack was to blame for the fuel stoppage. The DarkSide ransomware gang had infiltrated the IT systems in Colonial Pipeline's corporate network. Besides having its IT systems offline, the company shut down certain systems in its operational network as a precautionary measure. The operational network uses automated systems to monitor and control the fuel that flows through the pipeline. Taking those systems offline prevented the infection from spreading to the operational network. However, it also resulted in the shutdown of all pipeline operations.
The company paid $4.4 million to the DarkSide ransomware gang to get the key needed to decrypt its data. While paying the ransom enabled Colonial Pipeline to get its pipeline operations online sooner, security experts are concerned that it will encourage other cybercriminals to try similar attacks. And their concerns may be well founded. Just weeks after Colonial Pipeline paid the hefty ransom, one of the largest meat producers in the world, JBS, announced that it was the victim of a ransomware attack.
These events are rekindling the debate about whether companies should pay the ransom if their data is being held hostage. Answering this question, though, is not as simple as it seems, especially given the new tactics that cybergangs are using. Even the Ransomware Task Force — a group that recently developed a strategic framework for combating the growing ransomware threat — could not agree on an answer. "The Ransomware Task Force discussed this extensively," said one of its members. "There were a lot of important things that the group came to a consensus on and payment was one where there was no consensus."
So, it is up to businesses to decide for themselves whether it is a good idea to pay ransomware gangs. Here are some of the reasons why companies do and do not pay up when they fall victim to a ransomware attack.
Why Companies Pay the Ransom
Paying the ransom to get data back is a fairly common occurrence among companies. "The State of Ransomware 2021" study by Sophos found that 32% of the companies whose data was encrypted by ransomware in 2020 paid the ransom.
Colonial Pipeline also decided to pay the ransom after it discovered some of its files were encrypted. "I know that's a highly controversial decision," said the company's CEO Joseph Blount. "I didn't make it lightly. I will admit that I wasn't comfortable seeing money go out the door to people like this. But it was the right thing to do for the country."
Blount said he authorized the payment because, at that time, no one knew how badly the company's systems were breached. Therefore, he did not know how long it would take to repair those systems and get the pipeline back online.
As the Colonial Pipeline example illustrates, some companies pay the ransom to minimize the disruption to their operations, especially when the disruption significantly affects the lives of other people. In other cases, businesses pay the cybergangs because doing so is easier or quicker than reconstructing their data from backups. Or organizations might find that their only option is to pay. Perhaps they did not create any backups or the ransomware encrypted both the original data and the backup files.
Additional pressure tactics used by ransomware gangs can also prompt a company to give in to their demands. Those tactics include:
- Data exfiltration. Nowadays, most ransomware gangs steal data before encrypting it, threatening to publicly post the stolen data if a business refuses to pay up. In the first quarter of 2021, 77% of the ransomware attacks included a threat to release stolen data, according to Coveware's "Q1 2021 Ransomware Report".
- Intimidation. Some ransomware gangs try to bully businesses into paying the ransom. For example, members of the DoppelPaymer gang often call their victims to intimidate them into paying. In one instance, they even threatened to send a gang member to the home of a certain employee and provided the employee's home address as proof that they knew where that person lived. The gang also called several of the employee's relatives.
Why Companies Do Not Pay Up
About two-thirds of the companies whose data was encrypted by ransomware in 2020 did not pay the ransom, according to "The State of Ransomware 2021" study. They were able to recover their data from backups or through some other means (e.g., using a decryption tool provided by a third party), thereby eliminating the need to pay up.
Most security experts recommend that ransomware victims follow in these companies' footsteps. The experts believe that giving into ransomware gangs' demands encourages them to carry out even more attacks. It also lures other cybercriminals into carrying out this type of attack. The newcomers do not even need to know how to create a ransomware program. Some gangs let other cybercriminals use their ransomware programs for a share of the profit, a practice referred to as the Ransomware-as-a-Service business model. In 2020, two-thirds of the ransomware attacks were carried out by cybercriminals using this model, according to Group-IB's "Ransomware Uncovered 2020/2021" report.
Besides encouraging more ransomware attacks, there are other reasons why security experts do not recommend paying the ransom. Here are a few of them:
- Giving into the cybercriminals' demands does not guarantee that companies will get all their data back. More often than not, companies get only some of it back. For example, only 8% of the ransomware victims participating in "The State of Ransomware 2021" study got all their files back after paying the ransom. On average, the victims recovered just 65% of the encrypted files, which means about a third of their data was still inaccessible despite paying the ransom.
- Cybercriminals might demand more money once the initial ransom is paid. That's what happened to the Kansas Heart Hospital in Wichita. The hospital paid the ransom, but the cybercriminals did not provide the decryption key. Instead, they demanded more money, which the hospital refused to pay.
- Paying the ransom might violate Office of Foreign Assets Control (OFAC) regulations. OFAC is a financial intelligence and enforcement agency in the US Treasury Department. It imposes economic sanctions on individuals and groups it designates as "malicious cyber actors", including perpetrators of ransomware attacks and those who assist, sponsor, or support these attacks. US citizens and organizations are generally prohibited from engaging in transactions, directly or indirectly, with designated malicious cyber actors. This type of engagement is banned because it enables the cyber actors to profit from and advance their illicit activities — and those activities might threaten US national security, according to the US Treasury Department.
Only the Start of the Long Road to Recovery
Deciding whether or not to pay the ransom is a difficult decision that companies need to make if they fall victim to a ransomware attack. No matter their decision, they will face many challenges while recovering from the infection. Besides having to restore their data and systems, they will need to find and fix the security hole that allowed the cybercriminals to access their networks so they do not get attacked again. And they will need to determine how to absorb the losses (e.g., lost revenue from downtime) and additional costs (e.g., cost of bringing in forensic experts) resulting from the attack.
For Colonial Pipeline, the recovery will take months and cost the company millions of dollars, according to Blount. However, there is one loss the company won't be able to recoup — the company's anonymity. "We were perfectly happy having no one know who Colonial Pipeline was," said Blount. "Unfortunately, that's not the case anymore. Everybody in the world knows [us now]."
Money flickr photo by 401(K) 2013 shared under a Creative Commons (BY-SA) license
3 Things to Keep in Mind Before Moving More IT Operations to the Cloud
With the future looking brighter, companies are contemplating moving more IT operations to public clouds. Here are three things to keep in mind before doing so.
The Security Risks Associated with Cookies
Cookies are a common target for hackers because a stolen session cookie lets an attacker act as the logged-in user without ever knowing the password. Multi-factor authentication (MFA) is the traditional defence against account takeover, but it does not help once a post-login cookie has been stolen, and attackers keep devising ways to defeat it. Web developers are turning to newer approaches, such as Progressive Web Apps (PWAs), to defend against these attacks in today's cloud- and mobile-oriented computing environments.
The "Android Update" that's actually Malware
Researchers at Zimperium zLabs have discovered a sophisticated Android app that masquerades as a software update. It appears to be an update for the Android mobile operating system (OS), but it actually exfiltrates data about users and their mobile devices. This malware is similar to other Android apps that Google discovered in its Play Store during early March 2021, which infect target applications with Trojan horse tools like AlienBot and mRAT. These apps included a barcode scanner, recorder and virtual private network (VPN) service.
In March 2021, Zimperium researchers found numerous unsecured cloud configurations that exposed the user data of thousands of legitimate Android and iOS apps. The same investigation turned up an app described as an Android system update, which Zimperium's zIPS on-device detection flagged as malware. Closer examination showed that the app was part of a spyware campaign with advanced capabilities. The app has never been on Google Play, so it can only arrive on a device by being installed from a third-party source.
Function
The app's first action after installation is to register the infected device with a Firebase command-and-control (C2) server, which issues commands to the device. A separate C2 server manages the exfiltration of data from the device. The Zimperium team reports that several events trigger the app, including the installation of an app, the addition of a contact or the receipt of an SMS message.
Researchers classify this malware as a Remote Access Trojan (RAT), which controls the target system through a remote network connection. This particular RAT is able to exfiltrate many types of data, including the following:
- Call logs
- Contact lists
- GPS data
- SMS messages
It can also obtain operational information about the device, such as the list of installed applications and storage statistics. Additional functions of the RAT include hijacking the target device's camera and microphone to record audio, image and video files. Furthermore, it can record telephone calls and read browser bookmarks and history. The RAT also abuses Android accessibility services to read instant messaging apps like WhatsApp.
Additional functions are possible when the target device is rooted, meaning the user has administrative access to the device. These functions primarily include exfiltrating database records and files of specific types, including those with the following extensions:
- .doc
- .docx
- .xls
- .xlsx
The RAT can also copy files from external storage, although it limits their size to avoid a noticeable impact on connectivity. As a result, it copies only thumbnails of images in this manner.
Detection
Researchers are still developing methods for removing the RAT from infected devices. So far, the best means of detecting it is noticing when a device transmits more data to the internet than it should, although the malware uses several strategies to avoid that. It sends everything it collects to the C2 server when the device has a Wi-Fi connection, but limits transfers to specific types of data when only a mobile data connection is available, since users are more likely to notice activity on that connection.
Androids flickr photo by Racchio shared under a Creative Commons (BY-ND) license
Microsoft Exchange Server Continues to be Hacked at an Alarming Rate
Microsoft has identified multiple zero-day attacks against on-premises versions of Microsoft Exchange Server. The attacks exploit vulnerabilities that let attackers access email accounts and then install additional malware that gives them further capabilities through those accounts. The attackers include multiple state-sponsored groups that have targeted tens of thousands of Exchange servers throughout the world.
A Glimpse into a Trucking Company's Ransomware Nightmare
A manager at a trucking company shares what it was like to be the victim of a ransomware attack. Here is his story and the lessons other businesses can learn from it.
Ethernet Technology: A Possible Comeback?
Ethernet is a family of wired networking technologies commonly used in local area networks (LANs) and wide area networks (WANs). It has been commercially available since 1980 and has been refined many times to support higher transmission rates, more nodes and longer distances while retaining much of its backward compatibility with older versions. Advances in switching and available bandwidth have kept Ethernet a key technology of the internet.
PDF Viewers are Susceptible to these Attacks
The vast majority of PDF viewers are vulnerable to a variety of attacks, according to researchers at Ruhr University Bochum in Germany in a 2021 study. These techniques exploited standard features of PDF that are generally familiar to most hackers. In the most serious cases, researchers were able to execute code remotely, read data and manipulate it. Fortunately, a number of solutions are available for these vulnerabilities.