Let’s say it’s a Monday morning and you’ve got a mountain of work to climb through before Friday hits. Coffee in hand, you take the lift to your office, passingly greet your employees, and sit down at your workstation.
After waking up your computer, you try to open a file but suddenly see a red window open up with the following text:
“Your important files are encrypted!”
Welcome to Cryptolocker, a piece of malware that encrypts your important files and holds them for ransom in an attempt to get your company to pay a fee to decrypt them. These particular pieces of malware and others like it have come to be known as ransomware.
So what do you do?
Firstly, don’t panic. In this situation, you’d probably have a thousand things running through your head, but if you want to avoid making the situation worse, you’ll avoid trying to solve this unfortunately common problem on your own.
Were you to try and solve this problem on your own regardless, you may simply make the situation worse and expose other devices or your organization’s entire network to the ransomware.
Your best bet would be to immediately notify your IT Team or your MSP so that they could begin to remediate the issue.
However, the better thing would have been to set up the proper security against these types of attacks in the first place, but many SMBs haven’t woken up to the very real threat of ransomware.
A report from Datto states that:
- “84% of MSPs are ‘very concerned’ about ransomware, but only 30% report that their clients feel the same.”
- “Ransomware is still the number one malware threat. Nearly 70% of MSPs report ransomware as the most common malware threat to SMBs.”
- “62% of MSPs said clients’ productivity was impacted due to attacks, and 39% said their clients experienced business-threatening downtime.”
Although the threat of ransomware is growing and becoming ever more pervasive in our increasingly digital world, there are solid ways to protect yourself and your company against it.
This article will give you a clear understanding of what ransomware is, how it works, how to protect your organization against it, and what to do if your company gets hit by a ransomware attack.
What is Ransomware
Ransomware is a type of malware that specifically prevents victims from gaining access to their files or their entire system, and to regain control, the victim has to pay a ransom.
In the past, ransomware payments had to be sent via snail mail, but the scheme has evolved to the point where cybercriminals now request payment via credit or, more popularly, with cryptocurrency.
The key difference between ransomware and other types of malware is that it is a money-making scheme—the cybercriminal has a financial incentive—whereas other types of malware may have different aims.
For example, certain Botnets may simply aim to harvest some of your device’s computing power, and other types of malware might just aim at stealing sensitive data for corporate espionage or state-sponsored cyberattacks.
Of course, there are some types of malware made by cybercriminals who simply wish to “watch the world burn,” so to speak.
So how did all this start? Well, in the late 1980s, the first ransomware, known as PC Cyborg, came onto the scene demanding $189 by mail, but the encryption used in this attack was fairly simple and easy to reverse.
But over the next 10 years, more serious ransomware threats began to appear, such as GpCode and WinLock.
Why does ransomware exist? Because it’s proven to work out well for cybercriminals! With every company or individual that pays a ransom, criminals get more confirmation that this is a reliable way to make money.
Datto’s report states “The average ransom requested by hackers stayed roughly the same year-over-year. MSPs report the average requested ransom for SMBs is $5,600 per incident, compared to $5,900 last year.”
What started as a relatively harmless virus that only asked victims to cough up $189 has now transformed into a billion-dollar industry. And until we all get better about our cybersecurity, these attacks will continue.
How Ransomware Works
How does ransomware work? Well, that depends on the type of ransomware.
For instance, scareware doesn’t work the same way that doxware works, and vice versa.
Cryptolocking malware, which was discussed earlier in the article, works by locking your files with strong encryption that can’t be broken. The criminal then holds your files hostage and offers to give you the encryption key in exchange for payment.
But how does the ransomware get on your computer in the first place?
There are a lot of ways this can happen, whether it’s falling victim to a phishing attack, visiting a spoofed domain, or clicking on a suspicious-looking link in your email.
This brings us back to the fact that it depends on the type of ransomware you’re dealing with, so let’s go ahead and take a look at the different versions of this cyberattack.
Types of Ransomware
- Scareware — These were prevalent many years ago. Scareware is a malware tactic that tries to scare you into downloading a piece of malware that encrypts your data. Typically, this would look just like a message, sometimes as a popup, from an entity claiming to be the FBI, and they say that they’ve noticed some bad software on your computer and that they can remove it for you. There are also many tech support scams where the scammers claim to be from Microsoft and want to help fix your computer.
- Screen lockers — Screen locker ransomware is when the virus infects your operating system and, as the name implies, locks you out of your computer or devices. This blocks you from accessing any of your files and has the potential to create serious downtime for a company.
- Encrypting ransomware (cryptolockers) — This type of ransomware is among the most dangerous and is most prevalent. This is when the malware encrypts your files, folders, and even your hard-drives.
- Doxware — Doxing is when someone publishes private or identifying information about a particular person on the internet, usually with malicious intent. Following that vein of thought, doxware is when a cybercriminal threatens to publish your stolen sensitive data online unless you pay a ransom. This particular form of ransomware has become more prevalent as more and more people share their lives and business information online.
- RaaS — Ransomware-as-a-service (RaaS) is a more recent service that cybercriminals offer to potential scammers. There are always those who develop malware to earn money with less risk, since they don’t do the attacking themselves; they just create and sell the ransomware. This also allows non-technical criminals to break into this industry. There are even subscription models for this service.
- Ransomware on mobile devices — As the name suggests, this type of ransomware is specific to mobile devices. They infect your phone and steal your private data before demanding you pay them, often in cryptocurrency, in exchange for the return of your information. These forms of ransomware tend to be encountered as a form of social engineering on social media.
Common Ransomware Targets
The largest share of ransomware attacks targets small to medium-sized businesses (SMBs). Why? Because they tend to have the fewest protections in place while at the same time being in more desperate need of their data should it get taken hostage.
In contrast, larger businesses and enterprise targets are generally going to be more protected, more secure, and have all their critical data backed up. There are some cases where larger organizations get targeted, but the vast majority of attacks are aimed at small businesses.
So who gets targeted the least? Everyday consumers who have little to offer to cybercriminals.
What is it that gets attacked?
At this point, we know who tends to get targeted, but what is it that hackers are trying to break into?
The usual targets for ransomware attacks include Windows endpoint systems, which is to say, your employees’ PCs, software-as-a-service applications, data repositories, and databases.
Datto reported that 91% of ransomware attacks this year targeted PCs. The second-highest number of attacks (76%) were aimed at Windows Servers.
Understand that when we say that SaaS apps are targets of ransomware attacks, we don’t mean that you could get malware just from using something like Salesforce, but rather that your Salesforce account might be what the cybercriminals intend to take hostage from you.
Datto’s data on SaaS application incidents states that:
- 64% of MSPs reported attacks within Microsoft 365
- 54% of MSPs reported attacks within Dropbox
- 25% of MSPs reported attacks within Google Workspace
Why Businesses Should Be Concerned about Ransomware
We’ve already briefly touched on some of the devastating effects that ransomware can have on your business, but to further illustrate that point, here are some of the key reasons that businesses like yours should be making ransomware one of your top concerns.
Many SMBs Are Still Unaware of Ransomware’s Threat
As mentioned near the start of this article, many SMBs seem to be unconcerned about the potential threat of a ransomware attack while their MSPs seem very concerned.
When businesses aren’t concerned about a potential problem, they don’t prepare for it, and that makes SMBs a vulnerable target of these types of attacks.
There are, however, many SMBs that are waking up to the problem of ransomware and are taking the proper precautions to avoid becoming another victim of the industry.
Ransomware Attacks Keep Getting Past Security Efforts
Although there has been increased spending on cybersecurity, ransomware continues to bypass security measures, including antivirus, employee education, pop-up blockers, email filtering, and even endpoint detection solutions.
How are cybercriminals managing to get past security? Many MSPs reported in the Datto report that criminals consistently make modifications to their malware to avoid detection, and the social engineering attacks have become increasingly sophisticated and difficult to detect.
This is further reinforced by the fact that 54% of ransomware attacks come from phishing attacks. Despite increased awareness training, many end-users continue to fall victim to social engineering tactics.
Since breaches are rarely limited to a single computer, ransomware attacks tend to create a considerable amount of downtime for businesses as the infection usually spreads throughout the entire business network.
This is one reason why many SMBs simply pay the ransom. To get back to operations, they need their data back, and paying the ransom is almost always cheaper than the downtime.
To illustrate this point, consider that the average ransom in 2020 cost around $5,600, whereas the average cost of downtime was around $274,200.
Who’s Getting Targeted?
The top industries being targeted for ransomware attacks include but are not limited to healthcare, finance/insurance, government, professional services, and education.
While SMBs are the primary target of hackers, MSPs are also being targeted more often. The reason for this is that the hackers figure they can get to an MSP’s clients by hacking into the MSP’s systems and stealing its credentials.
MSPs are, of course, increasing their security as a response to this growing tactic.
How to Protect Your Organization from Ransomware
Now that we’ve gone through what ransomware is, the usual targets of ransomware, and why it’s still a prevalent threat, it’s time to dig into the practical methods you can use to protect your company from it.
Back Up Your Data
Data backup means backing up the files, emails, and databases within your organization. It begins with the replication of your company’s data on all workstations, servers, and even storage appliances.
Once the initial full backup is complete, future backups need only make updates based on what data has changed since the previous backup was completed.
This process saves a considerable amount of storage, bandwidth, and time, compared to the resource costs of running full backups every single time.
By backing up your company’s data consistently, you significantly lessen the sway that a cybercriminal has over you were they to put your data and systems up for ransom. Even if you never get your original data back, you still have the backup.
All critical backup files should be given strong encryption and stored in a safe, secure, and accessible location only to authorized personnel. This creates additional protection should the cybercriminal also intend to attack your backups.
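As an added example that is not part of the article or any vendor’s product, the following Python script shows the full-then-incremental backup cycle described above, plus one guard a defender wants: because a cryptolocker rewrites most of a machine’s files in a single pass, the script refuses to push an incremental run that changed an unusually large share of files into the backup set, so the last good snapshot survives. Function names, the 50% change threshold and the sample files are constructed for this illustration.

```python
import hashlib, os, shutil, tempfile

def file_digest(path):
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(src):
    """Manifest of the tree: relative path -> content digest."""
    manifest = {}
    for root, _, files in os.walk(src):
        for name in files:
            full = os.path.join(root, name)
            manifest[os.path.relpath(full, src)] = file_digest(full)
    return manifest

def backup(src, dest, prev_manifest=None, max_change_ratio=0.5):
    """Full backup when prev_manifest is None, otherwise copy only files whose
    digest changed. Returns (manifest now in dest, copied paths, refused flag).
    If more than max_change_ratio of the previously backed-up files changed at
    once (the signature of mass encryption), nothing is copied and the previous
    manifest is kept, so the good snapshot is not overwritten."""
    current = snapshot(src)
    if prev_manifest is None:
        changed = list(current)
    else:
        changed = [p for p, d in current.items() if prev_manifest.get(p) != d]
        if prev_manifest and len(changed) / len(prev_manifest) > max_change_ratio:
            return prev_manifest, [], True  # refuse: looks like a cryptolocker run
    for rel in changed:
        target = os.path.join(dest, rel)
        os.makedirs(os.path.dirname(target), exist_ok=True)
        shutil.copy2(os.path.join(src, rel), target)
    return current, changed, False

def demo():
    """Constructed scenario: full backup, one routine edit, then a mass rewrite."""
    src, dest = tempfile.mkdtemp(), tempfile.mkdtemp()
    try:
        for i in range(10):
            with open(os.path.join(src, f"doc{i}.txt"), "w") as f:
                f.write(f"quarterly report {i}\n")
        m1, copied1, _ = backup(src, dest)              # full: all 10 files copied
        with open(os.path.join(src, "doc0.txt"), "a") as f:
            f.write("one more line\n")
        m2, copied2, flag2 = backup(src, dest, m1)      # incremental: 1 file copied
        for i in range(2, 10):                          # 8 of 10 files rewritten
            with open(os.path.join(src, f"doc{i}.txt"), "wb") as f:
                f.write(os.urandom(64))                 # stands in for encrypted content
        m3, copied3, flag3 = backup(src, dest, m2)      # refused, m3 == m2
        return {"full": len(copied1), "incremental": len(copied2),
                "routine_flag": flag2, "suspicious": flag3,
                "copied_after_suspicious": len(copied3),
                "backup_intact": snapshot(dest) == m2}
    finally:
        shutil.rmtree(src); shutil.rmtree(dest)
```

In a real deployment the refused run would raise an alert for the IT team or MSP rather than silently skip, and the threshold would be tuned to the normal daily change rate of that machine.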
Having a backup doesn’t solve all your problems, however. If the cybercriminal were threatening your organization with doxware, you would still be at risk of having confidential data go public.
In the unfortunate event that you lose your data to the cybercriminal, your company should be able to fall back on a data recovery plan.
This ensures that any critical information that was lost and not backed up is at least recoverable.
Having strong recovery policies will help make the process of data recovery smooth and efficient. When creating these policies, be sure to consider the following questions:
- Which files are more critical than others?
- Is the way you’re currently organizing data effective? Is there a better way this could be done?
- How long does it take to restore backups?
- Who are the key figures who are in charge of restoring data should it be lost?
To learn more about data recovery, please see our article on Data Backup and Recovery (BCDR).
Use Next-Gen Firewall Security Software
Modern firewalls, often called next-generation firewalls (NGFW), are incredibly effective at defending against ransomware attacks.
This sophisticated firewall software grants your company protection from malware that attempts to enter your network. Traditional firewalls fall short in this capacity.
A longtime player in this specific field is a next-generation firewall vendor called Sophos XG. Their solution delivers a suite of offerings that include public cloud protection, enterprise protection, and other services catered to your needs.
If you do get a next-generation firewall, be sure to keep it updated to ensure that it works properly. This goes for any security applications your business uses. If you don’t regularly update these apps, hackers may find ways to sneak into old versions of the software.
Safe Internet Practices
Phishing attacks are still the primary method that hackers use to break into the critical data of SMBs, so practicing safe internet and email usage is a must.
This involves making sure that your employees are using secure networks as they browse the internet and avoid clicking on suspicious links within emails.
If an email looks legitimate but it’s asking for something unusual, your employees should know to notify your IT team to check for a phishing attack.
A great way to mitigate the risk of employees encountering cyberattacks online is to implement a company-wide security awareness program. The program would support your employees by helping them stay informed about changes to cybersecurity, cyberattacks, and rising threats.
What To Do if Someone in Your Organization has a Ransomware Infection
How should your company respond to a ransomware attack?
Firstly, don’t pay the ransom as this may get you into more trouble. Reuters recently released an article addressing how your company could be prosecuted for paying the ransom to cybercriminals.
Another reason to avoid paying the ransom is that doing so supports the cybercriminals. The primary reason hackers continue to attack companies in this way is that they’ve successfully made money from the scheme.
If everyone cut off the cybercriminals’ cash flow by not paying ransoms, these kinds of attacks would become less frequent, if not disappear altogether.
Instead, the first thing you do in response to the attack is to isolate the infected device to stop the spread of the infection. This can be achieved simply by disconnecting the device from your network/internet.
Once that’s done, take stock of the damage and identify what data has been affected. You want to know what data you’ve lost in part so that you can know what data needs to be restored (if the relevant backups exist, of course).
The next thing to do is to identify the type of ransomware you’re dealing with. Once it’s been properly identified, or even if you can’t identify it, report the attack to the authorities.
If your business has a disaster recovery plan, this is the time to implement it. If you know what data has been lost you should be able to restore it from your backups.
The most common ransomware recovery method involves re-imaging the infected machine and restoring its data from a backup.
Don’t Let Your Data Become Hostage for Ransom
There may eventually come a day when avoiding the threat of ransomware is as simple as downloading a single application, but until that day comes, it’s still largely up to you and your employees to keep your data safe from cybercriminals.
By reaching this point in the article, you’ve familiarized yourself with what ransomware is, how it breaks through your security, and what you can do about it. Knowing this information is one thing, but if you aim to keep your private data safe, you’ll have to take appropriate action.
What is Ransomware? — Ransomware is a type of malware that prevents victims from accessing personal data and/or entire systems. To regain access to the victim’s data, the hacker demands a ransom.
How Ransomware Works — It depends on the type of ransomware you’re dealing with. Cryptolocking ransomware locks your files with strong encryption, while screen lockers lock you out of the device itself. Doxware steals your private data, and the hacker threatens to make it public unless a ransom is paid. Ransomware-as-a-service is a service that cybercriminals use to sell ransomware to less tech-savvy criminals. There is also ransomware that can be acquired on your mobile device, usually through social engineering attacks on social media.
Common Targets — Ransomware is most often aimed at SMBs because they tend to be less protected against these types of attacks, whereas larger enterprise companies usually have strong guards against it.
Why Businesses Should Be Concerned — If your company isn’t concerned about ransomware, then you probably won’t invest money or time in the relevant security measures, which makes your company a more likely target of these types of attacks. Another reason to be concerned is that an attack like this can have costly repercussions, in large part due to the downtime created by the attack.
How to Protect Against Ransomware — Back up your data, create recovery policies, utilize next-generation firewalls, and establish and implement safe internet practices.
What to do in the event of a Ransomware Infection — Don’t pay the ransom. Paying the ransom may be illegal, and it also supports this type of criminal activity. Instead, what you should do is isolate the infected device and cut it off from the rest of your network, find out what data was affected, identify the type of ransomware you’re dealing with, and implement your disaster recovery plan.
Avoid Unnecessary Downtime with Ransomware Security
The amount of time and energy that goes into recovering from a ransomware infection is much more than the costs of investing in ransomware prevention. As the old adage goes, an ounce of prevention is worth a pound of cure.
Although ransomware attacks are still very prevalent in today’s business world, not all who get attacked experience downtime; those who don’t tend to have implemented effective business continuity and disaster recovery solutions.
The Datto report, which was mentioned earlier in this article, indicated that BCDR clients are among the least likely to experience significant downtime as a result of a ransomware attack.
To give your own business a reliable level of ransomware protection, consider opting for our Managed Security Services.
Unlike other cookie-cutter security services, we take a holistic approach to understanding your business’s security strengths and vulnerabilities and then work to address them accordingly.