Unpicking the complex ransomware landscape
14 May 2018
The business world is full of risks which can seriously impact an organisation’s ability to perform. While different risks will be prioritised depending on company size and industry – one menace which all firms need to prepare for is the cyber threat.
The frequency of cyberattacks is increasing as the tools required to launch them become more readily available and easier to use. Alongside that, hackers are lowering their sights. While Hollywood still paints an image of hacks being coordinated by incredibly technical individuals against a single high-value firm, in reality most attacks are no longer designed to hit one target but many simultaneously.
As such, small businesses are just as likely to be targeted as any other sized company. The tactics used by the perpetrators of cybercrime have evolved rapidly, and one sophisticated attack that has now become commonplace is ransomware. Malware designed to infect and encrypt files until a ransom has been paid, it can be particularly aggressive and cause firms to experience long periods of downtime.
Making the situation more complex is the existence of numerous strains. While their ultimate aim may be similar, they can be spread via different means, and the severity of their effects will depend on the presence of certain software and its accompanying vulnerabilities.
Many strains are spawned from a few common incarnations which have been enhanced with slight additions so they can bypass patched vulnerabilities. To give small businesses a better understanding of those common strains, here’s an overview.
Cerber targets cloud-based Office 365 users and has impacted millions of victims through an elaborate phishing campaign. It bypasses O365’s built-in security tools and, once it takes hold, it notifies victims with a ransom note and audio recording.
CryptoLocker has become almost synonymous with ransomware since its first appearance in 2013. A Trojan that targeted the Windows OS, it was spread via email attachments. The original botnet was shut down in May 2014, but it spawned numerous reincarnations with similar names. One example is TorrentLocker, which collects email addresses from the victim’s address book in order to spread the malware beyond the initially infected computer.
For a long time it was suggested that Apple devices and Mac OS couldn’t be affected by malware, but that changed with KeRanger. While not as common, it highlighted the inventive thinking hackers were applying to get past security controls. In this case, KeRanger was signed with a valid app development certificate, which enabled it to slip past Apple’s Gatekeeper protection, which had stopped all other strains.
The Locky malware is spread via an email disguised as an invoice. When opened, the invoice is scrambled and the victim is told to follow instructions to read the document. After a few seemingly innocuous clicks, Locky begins encrypting a large array of file types using Advanced Encryption Standard (AES) encryption.
WannaCry hit the headlines in May 2017 when a global-scale attack forced a wide variety of organisations offline. In the UK, multiple NHS organisations experienced downtime that lasted for days as computers were shut down to stop the attack from spreading while a solution was sought.
Overall, WannaCry affected more than 125,000 organisations in 150 countries. The ransomware strain – also known as WCry or WanaCrypt0r – targets Windows machines through an exploit for Microsoft Windows known as EternalBlue.
The ransomware landscape can cause crippling downtime
Prevention is the best form of defence. This involves educating staff so they are aware of the red flags of ransomware emails and bogus web pages. Phishing and other forms of social engineering attacks remain common tactics for targeting businesses, so employees need to be taught to be more vigilant.
Emails and websites are often crafted to resemble those of legitimate firms, and it’s very easy to be duped if users aren’t paying full attention.
From a cybersecurity perspective, it’s imperative for small businesses to take a multi-layered approach as a single line of defence will be easily breached.
For instance, most will have a firewall and antivirus installed – but the speed with which ransomware strains are evolving means the technology is always on the back foot. Vendors release patches after vulnerabilities have been exploited, which is too late for the unlucky few. That being said, businesses need to patch and update their defences regularly to ensure the more common strains can be detected.
Any comprehensive cybersecurity setup must include backup and disaster recovery. When businesses take and archive snapshots of their systems regularly, they are able to quickly spin up virtual systems from a healthy point in times of a data disaster such as a ransomware attack.
This ensures business-critical data is always accessible, mitigating costly downtime as firms can get back up and running with little delay. Moreover, when companies know that they have a solution to sidestep ransomware, they never feel that paying up is their only option.
Mark Banfield is SVP and general manager of international business at Datto.