Ransomware: threats and precautions


In its 2020 annual report, Cybersecurity Ventures predicted total damages of US$ 6 trillion in 2021, growing by 15% per year over the following five years, and described this as “the greatest transfer of economic wealth in history”, “exponentially larger than the damage inflicted from natural disasters in a year” and “more profitable than the global trade of all major illegal drugs combined”.

First, an organisation’s critical data is encrypted so that it loses access to applications, databases and individual files, quickly bringing its activities to a halt. A ransom is then demanded in return for the decryption key, although in some cases the key is never delivered, even after payment is made. Without a usable backup the victim is left with two alternatives: pay the ransom within the stated time or lose the data for good.

Importantly, it’s not only the largest organisations that are targeted with ransomware – we read about these only because they are the ones considered newsworthy. Targets holding sensitive data are the most likely to pay quickly and the least likely to want any publicity, so it’s likely that the full size of the problem will never be known. The ransoms demanded range from a few hundred dollars – the usual amount is small, US$ 100-200 – through to, for example, the US$ 11m paid by the world’s largest meat processing company, JBS Foods, earlier this year. Of course, the cost of ransomware is not only the payment made: the NotPetya attack is said to have cost Maersk up to US$ 300m in losses. Ransomware attacks are both increasing in number and gaining a higher profile.

Why is it that ransomware is spreading so quickly and what precautions can be taken to protect from this growing threat?

Why is ransomware spreading so quickly?

In its 2020 Internet Crime Report, the FBI’s Internet Crime Complaint Center (IC3) said that 2,474 ransomware incidents were reported to it in 2020, an increase of around 20% compared with 2019.

Clearly the growth in remote working over the last 18 months has played a major part in this increase. The pandemic has led to a growing number of people online, working and studying remotely, fundamentally changing the way we work. Often those working remotely are unaware of the risks that exist. In their rush to stay up and running it was easy for organisations to pay less attention to cybersecurity than it deserved. Coupled with this, medical facilities, schools and universities were subject to extraordinary pressures, of a type they had never experienced before.

Growth in the deployment of ransomware has also come about for other reasons. Unskilled attackers now have access to tools via Ransomware-as-a-Service (RaaS), a subscription or affiliate business model run by ransomware developers that lets less skilled criminals get up and running easily, at low cost. Ransomware has been turned into a commodity: it’s scalable, readily available and cheap to acquire. At the same time, the skilled attackers have become more sophisticated.

Identifying the perpetrators has also become more challenging, which encourages more attackers to try their hand. Ransoms are paid in cryptocurrency, which is pseudonymous and makes the money trail hard to follow, and this is combined with the ready availability of open source code and of more sophisticated malware (malicious software).

With the number of Internet of Things devices also growing rapidly (for example, smartphones, watches, televisions, domestic security systems, fire alarms, fridges and so on) there is another lucrative target market for the attacker. IoT malware attacks increased by 66% in 2020 compared with 2019, according to the Global Cyberattack Trends report from SonicWall.

How do the attacks occur?

It’s no longer just simple encryption followed by a ransom demand; attackers are exerting more pressure than ever before. They can spend months undetected inside an organisation’s systems, looking for the most sensitive and most valuable data. Once found, a copy is taken out of the network and the originals are encrypted, with the threat that the stolen data will be leaked or sold if the ransom is not paid (so-called double extortion), a course of action that can be irretrievably damaging for an organisation’s reputation, driving customers away for good.

How does a hacker get inside an organisation’s systems in the first place? How is the malware delivered?

One of the most common methods is phishing. In “Email scams, a growing threat” we looked at the different types of phishing: along with “common” phishing there is whaling, vishing, smishing and spear phishing. Often an email will carry an attachment disguised as a trusted type of file; once it is opened, the code inside takes control of the victim’s computer. Other ways in include “malvertising”, whereby the user clicks on a fake advert that then downloads malware. Ransomware can also be spread through chat messages and via removable USB drives.

Attacks via RDP (Remote Desktop Protocol) are also common. RDP allows one computer to connect to the desktop of another across a network, something much more widespread over the past 18 months with remote working. The attacker effectively forces entry by guessing weak usernames and passwords, or by using credentials stolen elsewhere, and because legitimate login details are then used, the attacker’s activity is much harder to tell apart from a genuine user’s, so it can remain hidden for months. RDP exposed directly to the internet, with no multi-factor authentication or VPN in front of it and no lockout after repeated failures, is the usual root cause.
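A worked detection example for the scenario above, added here and not part of the original article: it looks for a successful RDP logon that follows a burst of failed logons from the same source address, which is what a brute-forced or password-sprayed RDP account looks like in the Security log. It runs over a constructed, simplified CSV rendering of Windows Security events (event ID 4625 is a failed logon, 4624 a successful logon, logon type 10 is RemoteInteractive, i.e. RDP); the sample rows, addresses, user names and the threshold of five failures within ten minutes are all assumptions for illustration.

```python
"""Flag RDP logons that succeed after a burst of failures from the same IP.

Added example, not from the original article. Input is a constructed CSV
rendering of Windows Security events: timestamp,event_id,logon_type,user,ip.
Event IDs 4625 (failed logon) and 4624 (successful logon) and logon type 10
(RemoteInteractive, i.e. RDP) are the standard Windows values; everything
else here (rows, addresses, names, thresholds) is made up for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one attacker guessing at several accounts and finally
# getting in as jsmith, plus one legitimate user who mistypes once.
SAMPLE_LOG = """\
2021-06-01T02:10:01,4625,10,administrator,203.0.113.7
2021-06-01T02:10:03,4625,10,admin,203.0.113.7
2021-06-01T02:10:05,4625,10,jsmith,203.0.113.7
2021-06-01T02:10:07,4625,10,jsmith,203.0.113.7
2021-06-01T02:10:09,4625,10,jsmith,203.0.113.7
2021-06-01T02:10:12,4624,10,jsmith,203.0.113.7
2021-06-01T09:00:00,4625,10,akhan,198.51.100.20
2021-06-01T09:00:30,4624,10,akhan,198.51.100.20
"""

FAILED_LOGON = "4625"
SUCCESS_LOGON = "4624"
RDP_LOGON_TYPE = "10"


def parse_events(text):
    """Turn the CSV text into (timestamp, event_id, logon_type, user, ip) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, user, ip = line.split(",")
        events.append((datetime.fromisoformat(ts), event_id, logon_type, user, ip))
    return events


def find_bruteforced_logons(events, threshold=5, window=timedelta(minutes=10)):
    """Return (ip, user, timestamp) for each successful RDP logon that was
    preceded, within `window`, by at least `threshold` RDP failures from the
    same source IP. Failures are counted per IP rather than per user so that
    password spraying across many accounts is caught as well."""
    failures = defaultdict(list)   # source ip -> timestamps of failed logons
    hits = []
    for ts, event_id, logon_type, user, ip in sorted(events):
        if logon_type != RDP_LOGON_TYPE:
            continue                # only interested in RDP here
        if event_id == FAILED_LOGON:
            failures[ip].append(ts)
        elif event_id == SUCCESS_LOGON:
            recent = [t for t in failures[ip] if ts - t <= window]
            if len(recent) >= threshold:
                hits.append((ip, user, ts))
    return hits


if __name__ == "__main__":
    for ip, user, ts in find_bruteforced_logons(parse_events(SAMPLE_LOG)):
        print(f"{ts.isoformat()} possible brute-forced RDP logon: {user} from {ip}")
```

On a real system the rows would come from an export of the Security log (for example `wevtutil` or `Get-WinEvent` on the host, or the SIEM), and a hit is a reason to reset the account, review what that session did, and remove the internet exposure that allowed the guessing in the first place.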

The different types of ransomware

There are two main types:

1. Locker ransomware: this blocks the basic functions of a computer; for example, access to the desktop can be denied. Interaction with the window that contains the ransom demand is still permitted, to facilitate payment of the ransom, but in all other respects the computer is unusable. The only slight consolation here is that loss of data is unlikely; the damage is more the inconvenience of regaining access.

2. Crypto ransomware, on the other hand, does not interfere with the computer itself; instead it encrypts data, making it inaccessible without the key for which the ransom is demanded. Without backups the consequences can be devastating, which is why the ransom is so often paid.

What can be done to reduce the risk of losses from attacks?

Being proactive rather than reactive, and engaging the necessary expertise, is undoubtedly the first step. Regular backing up of all of an organisation’s data is essential, and it is advisable to take out insurance cover that will reduce the financial loss should a cyberattack take place. Measures to minimise the risk of a successful attack are best put in place without delay. Recovering files from a backup and rebuilding encrypted systems is often more of a challenge than expected; costs mount quickly, as a significant period of time can pass before full access to files is restored.

In our article on “Cyber security risks and their management” we outlined a plan to manage cyber risk, as follows:

An attack can cripple a business for days or weeks, with the cost of recovery (to which must be added the ransom, if paid) easily amounting to a huge sum of money. In its report “Cost of a Data Breach 2021”, IBM found that the average cost of a data breach was at its highest in 17 years, at US$ 4.24m. These costs cover legal expenses, forensic investigation fees, data recovery and possibly fines or penalties, plus the ransom itself if the organisation decides to pay.

In order to reduce these costs an organisation not only has to strengthen its protection of data, but also have in place processes to recognise, respond to and recover from attacks.

There are a number of basic precautions that can be taken to protect against the ransomware threat:

1. Unpatched software applications and operating systems are the entry point for a large share of attacks, so it is important to ensure that these are regularly updated: make sure that your organisation is running a supported version of each and applies patches promptly.

2. All users need to be continually educated, heightening their awareness of malicious links and attachments so that they neither click links in nor download files from unsolicited emails. All users should continually be encouraged to “remain vigilant at all times”.

3. Everything needs to be backed up on a regular basis, with the backup kept completely separate from the original, whether on a separate device, a separate server or offline, so that ransomware running on the network cannot reach and encrypt the backup as well. Test restoring from it periodically; a backup that has never been restored is an assumption, not a safeguard.

4. Institute basic safe practices such as:

• Strong password security, with multi-factor authentication wherever it is available

• All software should be kept completely up to date, installing the latest patches as soon as they become available

• The use of secure networks only, avoiding public networks where data can easily be intercepted

• Remaining alert, especially when unexpected emails arrive in an inbox
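Precaution 3 above says a backup should be kept separate and, in practice, proven to restore. The following is an added example of how to do the proving, written for this page and not taken from the original article or from any product: a manifest of SHA-256 hashes is recorded when the backup is taken and stored away from both the live data and the backup medium, and a later read-only pass over the backup reports anything missing, overwritten (for example with ciphertext) or added (for example a ransom note). The folder layout, file names, contents and the ransom-note name are all constructed for illustration.

```python
"""Check a backup copy against a manifest taken when the backup was made.

Added example, not from the original article. A backup is only useful if it
can be restored and has not itself been reached by the ransomware. The
manifest (relative path -> SHA-256) is written at backup time and kept apart
from both the live data and the backup medium; verification is read-only, so
the backup can stay offline or write-protected. Folder layout, file names and
contents below are constructed for illustration.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def file_hash(path):
    """SHA-256 of a file, read in chunks so large backups do not exhaust memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(folder):
    """Map every file under `folder` (relative POSIX path) to its SHA-256."""
    root = Path(folder)
    return {p.relative_to(root).as_posix(): file_hash(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(folder, manifest):
    """Compare a backup folder with a trusted manifest.

    Returns a dict of three sorted lists: files in the manifest but absent from
    the backup, files whose content changed (e.g. overwritten with ciphertext),
    and files present that the manifest never recorded (e.g. a ransom note)."""
    current = build_manifest(folder)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "unexpected": sorted(set(current) - set(manifest)),
    }


def demo():
    """Take a backup with a manifest, then show what a tampered backup reports."""
    live = Path(tempfile.mkdtemp(prefix="live_"))
    (live / "ledger.csv").write_text("date,amount\n2021-06-01,100\n")
    (live / "contracts").mkdir()
    (live / "contracts" / "charter.txt").write_text("Charter party terms (sample)\n")

    backup = Path(tempfile.mkdtemp(prefix="backup_"))
    shutil.copytree(live, backup, dirs_exist_ok=True)
    manifest_json = json.dumps(build_manifest(live))   # store this off-site

    clean = verify_backup(backup, json.loads(manifest_json))

    # Simulate ransomware reaching the backup share: one file overwritten,
    # one deleted, and a (made-up) ransom note dropped.
    (backup / "ledger.csv").write_bytes(bytes(range(256)))
    (backup / "contracts" / "charter.txt").unlink()
    (backup / "README_RESTORE.txt").write_text("your files have been encrypted\n")
    tampered = verify_backup(backup, json.loads(manifest_json))

    shutil.rmtree(live)
    shutil.rmtree(backup)
    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The hash check proves integrity, not recoverability: a periodic drill that actually restores a sample of files onto a clean machine is still needed, and the manifest itself must be stored somewhere the infected network cannot write to, or it will simply be encrypted along with everything else.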

Ransomware and the cloud

It won’t come as a surprise that ransomware attacks are increasingly taking aim at the cloud. A growing number of organisations use cloud based Software as a Service (SaaS), and many are moving all of their data to the cloud. Business critical services now depend on it, so the probability of a ransom being paid is higher for the sophisticated attacker. Add to this the fact that a cloud service provider often hosts many customers on shared infrastructure, and a single successful attack may yield ransoms from several victims at once.

Data on the cloud can be compromised by ransomware in a number of ways, for example:

• by targeting cloud based email services such as Office 365: phishing emails are used to gain access to email accounts. Once an account has been compromised, ransomware can be used to encrypt the victim’s messages. Not only that, with access to an email account further damage can be done by impersonating the owner and attempting to spread malware to their contacts. Multi-factor authentication on every cloud account removes most of the value of a phished password;

• via attacks on the cloud service provider. To protect your data, understand what plans your cloud vendor has should there be an attack; comparisons with alternative providers will show whether protection is as good as it could be. In addition, develop your own plan for use in the event of a successful attack, one that will ensure business continuity during an outage, and consider a cloud strategy that includes multiple vendors or a combination of cloud and on-premises servers;

• cloud file sharing services are another target: ransomware first infects a local computer, perhaps through a phishing email, and encrypts the local files; the sync client then faithfully uploads the encrypted versions to the shared cloud folder, overwriting the good copies for every colleague who shares it. In this way an infection can spread across a whole organisation in minutes. Check whether your provider keeps version history and for how long, since that is usually the quickest route back to the unencrypted files.
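An added example for the file-sharing case above, written for this page and not part of the original article or of any sync product: two cheap checks that run over a synced folder before the sync client has had time to push ciphertext everywhere. The first is a canary file that nobody legitimately edits, so any change to it is an incident; the second flags text-type documents whose bytes look random (high Shannon entropy), which plain text never does. The canary name, the extension list, the entropy threshold and the demo files are all assumptions for illustration; zip-based Office formats such as .docx and .xlsx are legitimately high-entropy and are deliberately left out of the entropy check.

```python
"""Two cheap early-warning checks for a folder that syncs to the cloud.

Added example, not part of the original article. When ransomware on one PC
rewrites documents as ciphertext, the sync client faithfully uploads the
ciphertext and the cloud copy is lost too. Two signals catch this quickly:
  1. a canary file nobody legitimately edits; any change to it is an incident;
  2. text-type documents whose bytes look random (high Shannon entropy),
     which plain text never does.
Canary name, extension list, entropy threshold and demo files are assumptions
for illustration. Zip-based formats such as .docx and .xlsx are legitimately
high-entropy and are deliberately left out of the entropy check.
"""
import math
import os
import tempfile
from pathlib import Path

CANARY_NAME = "_do_not_touch.txt"                     # assumed canary file name
CANARY_TEXT = b"canary file - any change to this file is an incident\n"
TEXT_LIKE = {".txt", ".csv", ".md", ".log", ".json", ".xml", ".html"}
ENTROPY_LIMIT = 7.2   # bits per byte; English text sits around 4-5, ciphertext near 8
MIN_SIZE = 64         # tiny files give unreliable entropy estimates


def shannon_entropy(data):
    """Bits of entropy per byte of `data`; 0.0 for empty input."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def scan(folder, entropy_limit=ENTROPY_LIMIT):
    """One pass over `folder`: returns (canary_ok, suspicious_relative_paths)."""
    root = Path(folder)
    canary = root / CANARY_NAME
    canary_ok = canary.is_file() and canary.read_bytes() == CANARY_TEXT
    suspicious = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.name == CANARY_NAME:
            continue
        if path.suffix.lower() not in TEXT_LIKE:
            continue                                   # binary/compressed: skip
        data = path.read_bytes()
        if len(data) >= MIN_SIZE and shannon_entropy(data) > entropy_limit:
            suspicious.append(path.relative_to(root).as_posix())
    return canary_ok, suspicious


def build_demo_folder():
    """Constructed sync folder: a canary, two text documents and a photo."""
    root = Path(tempfile.mkdtemp(prefix="syncdemo_"))
    (root / CANARY_NAME).write_bytes(CANARY_TEXT)
    (root / "notes.txt").write_bytes(b"Meeting notes: review the backup schedule. " * 20)
    (root / "fixtures.csv").write_bytes(b"vessel,port,eta\nMV Sample,Rotterdam,2021-06-01\n" * 20)
    (root / "photo.jpg").write_bytes(os.urandom(2048))  # random bytes, legitimately
    return str(root)


def simulate_infection(folder):
    """Overwrite the documents and the canary with random bytes, as an
    encryptor would. Demo only: this is not malware, just os.urandom."""
    root = Path(folder)
    for name in ("notes.txt", "fixtures.csv", CANARY_NAME):
        (root / name).write_bytes(os.urandom(1024))


if __name__ == "__main__":
    demo = build_demo_folder()
    print("before:", scan(demo))
    simulate_infection(demo)
    print("after: ", scan(demo))
```

In use, `scan` would run on a schedule against the local sync folder (or against the cloud copy through the provider’s API) and raise an alert, and the response would be to pause syncing and isolate the machine, then recover from the provider’s version history or from the offline backup.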

To reiterate, it is essential to understand what precautions your cloud provider has in place against malware, and to have your own plan ready to deal with the disruption, hopefully short term, should the worst happen. Beyond that, vigilance and training are important. Bear in mind that ransomware can encrypt anything the infected user’s account can write to: every mapped drive, shared folder and cloud share. Therefore, within an organisation, access and permissions should be strictly limited for each user to only those systems and data that are necessary for them to carry out their responsibilities.

Some well publicised recent attacks

JBS FOODS ATTACK 2021

The Brazilian meat processor paid a ransom of US$ 11m after it was attacked earlier this year, shutting down operations in Australia, Canada and the US. It said it felt the payment was necessary to protect its customers: if the disruption were to continue, it felt that food supplies would be threatened, with the risk of higher prices for consumers.

COLONIAL PIPELINE ATTACK 2021

The company operating the largest fuel pipeline in the US was targeted, causing severe disruption to fuel supplies. Colonial shut the pipeline down during the attack, after around 100 GB of data had been stolen and its billing systems were affected. It paid a ransom of about US$ 4.4m in Bitcoin (reported at the time as close to US$ 5m), but the wider costs included the disruption to supply and the resulting rise in the price of fuel.

BRENNTAG ATTACK 2021

The German chemical distributor had its files encrypted, with 150 GB of data stolen. The ransom demanded in Bitcoin was the equivalent of over US$ 7m; the amount eventually paid was US$ 4.4m.

UK NHS 2017

Whilst it goes back four years, the disruption caused makes the attack on the NHS worthy of mention. The WannaCry outbreak, which affected over 200,000 computers throughout the world, caused thousands of operations and appointments to be cancelled in the UK National Health Service. Key systems, including telephones, were brought down. The Department of Health and Social Care’s report estimated that around £20m was lost, mainly in lost output, with a further £72m spent on IT support to restore data and systems.


A few words about CompassAir


Creating solutions for the global maritime sector, CompassAir develops state of the art messaging and business application software designed to maximise ROI. Our software is used across the sector, including by Sale and Purchase brokers (S&P/SnP), Chartering brokers, Owners, Managers and Operators.


Through its shipping and shipbroking clients, ranging from recognised world leaders through to the smallest, most dynamic independent companies, CompassAir has a significant presence in the major maritime centres throughout Europe, the US and Asia.


Our flagship solution is designed to simplify collaboration for teams within and across continents, allowing access to group mailboxes at astounding speed using tools that remove the stress from handling thousands of emails a day. It can be cloud based or on premise. To find out more contact solutions@thinkcompass.io. If you are new to shipping, or just want to find out more about this exciting and challenging sector, the CompassAir Shipping Guide might prove to be an interesting read.


Contact us for more information or a short demonstration on how CompassAir can benefit your business, and find out how we can help your teams improve collaboration and increase productivity.