Ransomware is one of the most prevalent forms of cyber-attack, and it typically causes more impact and disruption to the victim than most other attacks. It has featured in the majority of headline-grabbing cyber-attacks, such as the recent attack against Garmin, which brought days of user-facing downtime, a week of recovery and a loss of millions in ransom paid to the culprits.
The principle is simple: holding a business to ransom in the cyber age by encrypting its data so that it can no longer be used and, in some cases, exfiltrating that data for sale on dark-web markets.
There are hundreds, if not thousands, of ransomware variants. Each differs in how it finds and encrypts files and in how it evades detection, but all share the same ultimate aim of encrypting your data. Like any software product, ransomware has evolved over the years to become faster, harder to detect and more effective.
How does it do it?
Modern variants call the operating system's own cryptographic routines (on Windows, CryptoAPI and CNG) to encrypt data fast while staying under the radar of anti-virus. A recent attack we observed went undetected by the majority of anti-virus vendors for three days after it commenced, although you can hasten the creation of a detection signature by sending your vendor a sample immediately.
It is also common for modern variants to use public-key cryptography, the same kind that protects internet communications (online banking and social media, for example), to protect their encryption keys. Files are encrypted with a symmetric key generated on the victim's machine; that key is then encrypted with the attacker's public key, and the matching private key never leaves the attacker. Without that private key, the good guys cannot build their own decryption tool from the malware sample alone.
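The key-wrapping scheme described above, as an added example that is not code from the original page and not SQA Consulting's tooling. It uses Go's standard library only: each file gets a fresh AES-256-GCM key, that key is wrapped with RSA-OAEP under a public key, and the plain file key is discarded. The `Sealed` struct, its field names and the sample text are assumptions for this example; real families use their own container formats. Running `main` shows the holder of the private key recovering the data and a second, unrelated private key failing at the unwrap step, which is the obstacle a third-party decryptor faces.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Sealed is what remains on the victim's disk after encryption: the ciphertext,
// the GCM nonce and the per-file key wrapped under the attacker's public key.
// The struct and field names are assumptions for this example.
type Sealed struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// Seal encrypts plaintext under a fresh random AES-256-GCM key, then wraps that key
// with RSA-OAEP using only the public key. Nothing on the victim side needs the private key.
func Seal(pub *rsa.PublicKey, plaintext []byte) (*Sealed, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	// The plain file key is wiped once wrapped; the victim only ever holds WrappedKey.
	for i := range fileKey {
		fileKey[i] = 0
	}
	return &Sealed{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Open is the attacker's decryptor: it unwraps the file key with the RSA private key
// and then decrypts the data. With any other private key the unwrap fails, so the
// ciphertext and the malware together still do not yield the file key.
func Open(priv *rsa.PrivateKey, s *Sealed) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, s.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap file key: private key does not match")
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, s.Nonce, s.Ciphertext, nil)
}

func main() {
	attacker, _ := rsa.GenerateKey(rand.Reader, 2048) // private half never leaves the attacker
	sealed, _ := Seal(&attacker.PublicKey, []byte("constructed sample: quarterly accounts"))
	if pt, err := Open(attacker, sealed); err == nil {
		fmt.Printf("attacker decrypts: %q\n", pt)
	}
	responder, _ := rsa.GenerateKey(rand.Reader, 2048) // anyone without the attacker's key
	_, err := Open(responder, sealed)
	fmt.Println("responder without the private key:", err)
}
```

The practical consequence for incident response is that a decryptor only becomes possible when the malware mishandles this scheme, for example by leaving the plain file key or the private key recoverable on the victim, which is what analysts look for in a sample.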
Ransomware first needs a foothold on your network, and many variants now worm around it, using vulnerabilities in unpatched endpoints or stolen credentials. More recently we are seeing manual lateral movement, where a human attacker gains control of one machine and then infects as many servers and PCs as they can reach. It is quite common for an attacker to operate in a multi-tiered team, with a large pool of less-skilled operators gaining the initial foothold before handing the case over to a senior colleague for the actual attack. We have seen ransomware infections from various sources, including:
- Over the internet, automated worming attacks leveraging default credentials or unpatched system vulnerabilities (such as WannaCry, which spread through the SMBv1 flaw fixed by MS17-010).
- Over the internet, manual attacks against internet-facing web servers and edge appliances, using exploits such as those against Telerik UI (CVE-2019-18935) and Pulse Secure VPN devices (CVE-2019-11510).
- Over the internet, manual attacks against exposed management services such as RDP or SSH.
- Via the end user, through malicious emails (phishing) and vishing (voice phishing) calls.
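A check a defender can run for the exposed-RDP case in the list above, as an added example that is not from the original page and not SQA Consulting's tooling. It flags a source address that racks up a burst of failed RDP logons and then succeeds, the pattern that precedes hands-on-keyboard lateral movement. The event IDs 4625/4624 and logon type 10 (RemoteInteractive) are real Windows Security values, but the one-line key=value log format and the log lines themselves are constructed for this example; in production you would feed it from the event log or a SIEM rather than a string slice.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// sampleLog is constructed for this example: a simplified one-line rendering of
// Windows Security events 4625 (failed logon) and 4624 (successful logon).
// Real events are EVTX/XML and carry many more fields.
var sampleLog = []string{
	"2020-08-10T02:13:05Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.45",
	"2020-08-10T02:13:06Z EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.45",
	"2020-08-10T02:13:07Z EventID=4625 LogonType=10 TargetUser=backup SourceIP=203.0.113.45",
	"2020-08-10T02:13:08Z EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=203.0.113.45",
	"2020-08-10T02:13:09Z EventID=4625 LogonType=10 TargetUser=svc_sql SourceIP=203.0.113.45",
	"2020-08-10T02:14:30Z EventID=4624 LogonType=10 TargetUser=svc_sql SourceIP=203.0.113.45",
	"2020-08-10T02:20:00Z EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=198.51.100.7", // a single typo, benign
	"2020-08-10T02:21:00Z EventID=4625 LogonType=3 TargetUser=x SourceIP=192.0.2.9",          // network logon, not RDP
}

// Event is one parsed record from the constructed format above.
type Event struct {
	Time      time.Time
	ID        string
	LogonType string
	User      string
	SourceIP  string
}

func parseLine(line string) (Event, bool) {
	fields := strings.Fields(line)
	if len(fields) < 2 {
		return Event{}, false
	}
	ts, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return Event{}, false
	}
	ev := Event{Time: ts}
	for _, f := range fields[1:] {
		kv := strings.SplitN(f, "=", 2)
		if len(kv) != 2 {
			continue
		}
		switch kv[0] {
		case "EventID":
			ev.ID = kv[1]
		case "LogonType":
			ev.LogonType = kv[1]
		case "TargetUser":
			ev.User = kv[1]
		case "SourceIP":
			ev.SourceIP = kv[1]
		}
	}
	return ev, ev.ID != "" && ev.SourceIP != ""
}

// Alert is one source that crossed the failure threshold. Succeeded/Account record a
// later successful logon from the same address, the point at which a password spray
// turns into an attacker on the box.
type Alert struct {
	SourceIP  string
	Failures  int // peak failed logons seen inside one window
	Users     int // distinct accounts tried
	Succeeded bool
	Account   string
}

// DetectRDPBruteForce flags any source IP with at least threshold failed type-10 (RDP)
// logons inside a sliding window, and marks it if a 4624 from that IP follows.
// Lines must be in time order. Alerts are returned in first-seen order.
func DetectRDPBruteForce(lines []string, threshold int, window time.Duration) []Alert {
	type state struct {
		fails []time.Time
		users map[string]bool
	}
	per := map[string]*state{}
	flagged := map[string]*Alert{}
	var order []string
	for _, line := range lines {
		ev, ok := parseLine(line)
		if !ok {
			continue
		}
		switch ev.ID {
		case "4625":
			if ev.LogonType != "10" {
				continue // only RemoteInteractive (RDP) failures count here
			}
			st := per[ev.SourceIP]
			if st == nil {
				st = &state{users: map[string]bool{}}
				per[ev.SourceIP] = st
			}
			st.users[ev.User] = true
			st.fails = append(st.fails, ev.Time)
			cut := 0 // drop failures that have aged out of the window
			for cut < len(st.fails) && ev.Time.Sub(st.fails[cut]) > window {
				cut++
			}
			st.fails = st.fails[cut:]
			if len(st.fails) < threshold {
				continue
			}
			a := flagged[ev.SourceIP]
			if a == nil {
				a = &Alert{SourceIP: ev.SourceIP}
				flagged[ev.SourceIP] = a
				order = append(order, ev.SourceIP)
			}
			if len(st.fails) > a.Failures {
				a.Failures = len(st.fails)
			}
			a.Users = len(st.users)
		case "4624":
			if a := flagged[ev.SourceIP]; a != nil {
				a.Succeeded, a.Account = true, ev.User
			}
		}
	}
	out := make([]Alert, 0, len(order))
	for _, ip := range order {
		out = append(out, *flagged[ip])
	}
	return out
}

func main() {
	for _, a := range DetectRDPBruteForce(sampleLog, 5, 5*time.Minute) {
		fmt.Printf("%+v\n", a)
	}
}
```

The threshold and window are deliberately parameters: a single mistyped password from a legitimate user (the 198.51.100.7 line) must not fire, and the same logic applies unchanged to SSH auth logs once the parser is swapped. The stronger signal is the 4624 after the burst, which is why the alert carries the account that finally worked.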
Why?
Ransomware is big business for cybercriminals, and they operate much like any other business, generating profit and paying salaries. A recent study from Sophos found that 26% of organisations whose data was encrypted paid the ransom because they were unable to recover in a timely fashion, if at all. It is also now very common for an attacker to steal, or claim to have stolen, sensitive information and extort money by threatening to disclose it.
What can SQA Consulting do for you?
Do you have an ongoing incident? SQA Consulting can rapidly mobilise an on-site team to contain and eradicate the threat, minimising impact and protecting data. Our analysts can dig into the malware, looking for implementation weaknesses (such as keys left recoverable in memory or on disk) that you can use to recover your data.
Not been hit yet? It is often only a matter of time until your business is disrupted. Book your ransomware readiness audit now to have our team assess your risk against industry-recognised frameworks. By being prepared, you not only minimise data loss but also pave the way for the quickest possible recovery and minimal disruption to your business, staff and customers.
Contact SQA Consulting for further information on:
- Reducing the likelihood of an attack
- Mitigating the impact of a successful attack
- Significantly reducing the time to recovery