Ransomware is a very good business. Once written, it can infect millions of computers and earn its authors huge sums. If the ransomware has the characteristics of a computer virus, that is, it reproduces automatically and infects other devices, there is little the authors need to do after releasing it: it is enough to check the Bitcoin wallet every day and conscientiously send keys (passwords) to the people who paid the ransom. Cryptocurrencies shield the author's identity, and communication can take place via anonymized BitTorrent. In other words, ransomware offers practically guaranteed income at a relatively low risk of the perpetrator being identified.
No wonder the amount of ransomware in circulation is growing every year. The number of companies that fell victim to an attack and paid the ransom is also growing. According to the CyberEdge 2020 Cyberthreat Defense Report, 62% of the companies surveyed experienced problems with ransomware in 2019. In 2018 this figure was 56%, and in 2017 it was 55%. The same upward trend can be seen in the share of companies that paid the ransom: 39% in 2017, 45% in 2018, and 58% in 2019. In other words, the hacker business is doing well.
This article is aimed primarily at companies around the world, but every individual reader can take something from it.
How ransomware works
To answer the question of whether it is worth paying the ransom, you first need to understand how ransomware works from the inside out.
Ransomware mostly gets onto computers through human error. The user receives an e-mail attachment or clicks a link that downloads a file. Such a file may pretend to be, for example, an invoice, a Microsoft Office document, or some other type of attachment that appears to be safe.
After such a file is opened, the ransomware initially shows no symptoms. Its job is to encrypt the data on the computer as quickly as possible while at the same time spreading to other computers that may be unsecured or otherwise vulnerable to attack.
This is where updates and antivirus software play an important role. Like almost any virus, ransomware spreads using exploits, i.e. flaws in the security of existing programs. If the system is kept up to date, there is a good chance that the vulnerability the ransomware relies on has already been patched. And if the computer runs antivirus software with a valid license, it can detect such ransomware almost immediately and disable it.
Solving the problem
Once the data is already encrypted, the user has three options:
#1 Pay the ransom and receive the key
Can you trust the people who just hacked your computer? Paradoxically, yes. Malware authors, in a sense, care about good PR. If they conscientiously send passwords (keys) to the people who have paid the ransom, they can count on more “customers”. Any problems with decrypting the data, or failing to send the passwords at all, would practically destroy their business.
It is also ironic that paying the ransom may be the cheapest way out of the problem. Perhaps the most famous example of underestimating the losses that ransomware can generate is the city of Baltimore in the United States. When municipal computers were infected with malware in 2019, city officials were asked to pay approximately $76,000 in exchange for the data. For various reasons the city authorities refused, which resulted in catastrophic financial losses: the city lost more than $18 million in one year because the work of various facilities and departments was halted.
#2 Decrypt the data “on your own”
Because ransomware is most often a virus, i.e. it spreads itself across the Internet, it is very likely that other companies have dealt with the same version of the software. Some of them, instead of paying the ransom, may invest in developing tools that decrypt the data without paying (developer time may turn out to be cheaper than paying the ransom for multiple servers).
When choosing this option, you should also take time into account, as ransomware can raise the ransom amount depending on how long it has been since the infection. Some types of ransomware even warn that after a certain number of days the passwords will not be sent even if the ransom is paid. Naturally, this is meant to deter users from trying to fix the problem on their own.
If you choose this path, the first step should be to disconnect the computer from the network to isolate it from other devices that may be infected. The second step is to find out which type of ransomware has attacked the computer; entering the text of the ransom message into any Internet search engine will do here. With a bit of luck, you may find that decryption software is freely available, or that it can be bought from a reputable cryptography company for a small fee. The third step is trial and error, i.e. trying to decrypt the disk with various tools.
#3 Don’t pay the ransom
… and don’t decrypt the data. While this option may seem like the worst, the devil is not as black as he is painted.
If we have copies of the data in the form of backups, cloud storage, or snapshots of various kinds, ransomware can do little to us beyond causing delays at work.
For example, if the server uses snapshot technology (data dumps), it should take from several minutes to several hours of IT work to roll back to a date when the machine was working properly. If your data is kept in the cloud, it is a good idea to scan that data to make sure no ransomware has crept in. If you have daily backups, restoring the data can take from a few minutes to several days, depending on the amount of data, the backup method, and the solution used. Naturally, it is worth auditing the software and data of all devices beforehand to rule out the return of ransomware that could be hiding inside the network.
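The pre-restore scan mentioned above can be automated. The following is an added example, not code from the article: it walks a restored backup tree and flags ransom-note files and files whose content looks encrypted (high byte entropy, often with an extra extension appended). The note file names, the list of naturally dense formats and the 7.5 bits/byte threshold are assumptions chosen for illustration.

```python
"""Pre-restore check: flag files in a backup copy that look ransomware-encrypted.
Added example for this article; the heuristics below are assumptions, not a product."""
import math
import os
from collections import Counter
from typing import Dict, Iterable, Optional, Tuple

# Constructed sample ransom-note names; real families use many other names.
RANSOM_NOTE_NAMES = {"readme_decrypt.txt", "how_to_recover_files.txt"}
# Formats that are dense by design, so high entropy is not suspicious for them.
NATURALLY_DENSE = {".zip", ".gz", ".7z", ".png", ".jpg", ".jpeg", ".mp4", ".pdf"}
ENTROPY_THRESHOLD = 7.5  # bits/byte; documents and source code stay far below this

def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte; 8.0 means uniformly random, as ciphertext is."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify_file(name: str, data: bytes) -> Optional[str]:
    """Label a suspicious file, or return None when it looks untouched."""
    lower = name.lower()
    if lower in RANSOM_NOTE_NAMES:
        return "ransom-note"
    root, ext = os.path.splitext(lower)
    inner_ext = os.path.splitext(root)[1]  # e.g. ".docx" in "invoice.docx.locked"
    if ext in NATURALLY_DENSE or shannon_entropy(data) <= ENTROPY_THRESHOLD:
        return None
    if inner_ext and inner_ext != ext:
        return "encrypted-with-appended-extension"
    return "high-entropy-content"

def scan_files(files: Iterable[Tuple[str, bytes]]) -> Dict[str, str]:
    """Pure core: map each suspicious file path to its finding label."""
    return {name: label for name, data in files
            if (label := classify_file(os.path.basename(name), data))}

def scan_tree(root: str) -> Dict[str, str]:
    """Walk a restored directory, sampling the first 64 KiB of each file."""
    def read_all():
        for dirpath, _, filenames in os.walk(root):
            for fn in filenames:
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    yield path, fh.read(65536)
    return scan_files(read_all())
```

Run `scan_tree("/mnt/restored-backup")` (path is a placeholder) on the mounted copy and review any findings before bringing the data back into production.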
Ransomware is another reminder that data security should be an important item on the agenda of company owners, not just a competence of the IT department. Ransomware enters corporate networks mainly through the lack of knowledge and carelessness of employees, who are usually not trained in good cybersecurity practices.
On the other hand, ransomware wreaks the greatest havoc where IT departments are underfunded or have too few staff. In such situations, administrators focus more on keeping the current infrastructure running than on preparing contingency scenarios. The victims are backup systems and procedures, which are sometimes neglected because they are not used every day and bring no visible benefit to the business … until they become the key to restoring the entire infrastructure.
Ransomware is a profitable business for the authors of this type of software, and we can expect ever newer variants. Just like social engineering attacks, ransomware attacks exploit surprise, unpreparedness, and the chaos that follows. If we want to avoid an emergency, the best medicine is good cybersecurity practice, regular audits, and investment in proven backup systems. Remember that business continuity and data security are in the interest of the entire company, not only the IT department.