Ransomware

Alessandro Mirani

ENISA reported ransomware as one of the fastest growing attack and compromise strategies in 2022. Ransomware is a type of malware (alongside viruses, Trojans, etc.) that infects computer systems and makes it impossible for the victim to access, partially or completely, a system and the data on it. The victim is then urged to pay a ransom (hence the name) to regain full access to the system and files.

The immediately profitable pattern of this attack has probably made it very popular among attackers, who choose, depending on the target, to extort small sums on a large scale or large sums from selected targets.

Attackers resort to different tactics to achieve their goals. One type of ransomware, such as the infamous Cryptolocker, encrypts the user’s files with a key known only to the attacker. Other ransomware (such as Winlocker) simply blocks access to the system but leaves the files intact.

The user of a ransomware-infected system is usually faced with an extortion message (in some cases a Windows popup) asking the victim to pay the ransom through, for example, cryptocurrency payments, which let the attacker remain anonymous. In the case of Cryptolocker, after payment the victim receives the key and the procedure to decrypt their files and regain full access.

Ransomware has mainly 4 categories of impact:

  • Lockdown: Ransomware prevents the legitimate owners of machines or data from gaining access to them, for example by changing passwords or other credentials used by the system.
  • Theft: Ransomware exfiltrates data from the legitimate owner’s machine. The data is transmitted to a third party that has no right to access it.
  • Encryption: Ransomware applies encryption to data, making it inaccessible to anyone who does not have the key. In this case, all data is replaced by an encrypted copy, which remains unusable unless unlocked with the key.
  • Erasure: Ransomware renders data on the legitimate owner’s machine unrecoverable. The malicious software attempts to erase the data from the machine (using more or less invasive techniques) so that the rightful owner can no longer read or use it.

A given ransomware may apply one or more of the impact methods described above.

In the first two cases, for example, it is not the data itself but the right of access to it that is affected. This implies that the easiest and most effective solution, in the case of blocking or theft, is simply to restore legitimate access to the data. In the case of data encryption or deletion, on the other hand, restoring the data is much more difficult, if not impossible.

Please note that remedying one of these compromises does not mean escaping the consequences of the attack. If, for example, the blocked or stolen data is considered personal data, you will have to follow the GDPR and report the incident to the relevant authorities and affected users as the regulation requires. Different remediation strategies apply depending on the action of the ransomware. To protect yourself from these impact categories, I will describe the most common preventive and remedial measures in the following sections.

First, keep in mind that preventive measures are much more effective and widely available than restorative ones. For this reason, if you fear that your company or business could be severely impacted by ransomware, apply all feasible preventive measures rather than relying on restorative ones.

  • Account management: Periodic access review and multifactor authentication are the most fundamental IT hygiene practices that ensure the right users have access to the right resources. Today, most cloud service providers offer standardized access and account management profiles to minimize the effort of securely managing personnel. The same services offer the ability to remove access at a deadline or after prolonged inactivity. For smaller companies, a simple access list does a good job, as long as it remains up to date and easy to find.
  • Backup: Make sure your data is backed up in a space disconnected from your core infrastructure. This simple remedy can minimize the impact of any kind of ransomware attack. Needless to say, cloud services help here too; depending on the criticality of your data, regulatory requirements and how quickly you need to back it up, consider physical devices inside your own infrastructure as well. Having your most important data physically close by is not always a matter of preference.
  • Software protection: Major antivirus providers offer additional anti-ransomware protection that is often effective. Because ransomware typically acts by rewriting large numbers of files in a short time, its behavior is easily recognized by antivirus software, which can block the suspicious operations. If your system is infected by a ransomware strain already known to the antivirus, the suspicious file is quarantined immediately.
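
The "rewriting files en masse" behavior mentioned above is what behavioral anti-ransomware rules look for. The following is an added example, not code from the original article or from any antivirus product, of a minimal detector of that pattern: it reads file-activity events (in a constructed, hypothetical log format, with constructed sample lines) and flags any process that renames at least a threshold number of distinct files to a new extension within a short time window, while a word processor saving one document stays below the threshold.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of file-activity events in a hypothetical log format
# (not any real product's format): "<ISO timestamp> proc=<image> op=<write|rename>
# path=... | src=... dst=...". One process renames many files to ".locked" in a few
# seconds; a word processor saves a single document via a temp-file rename.
SAMPLE_LOG = """\
2024-03-01T10:00:00 proc=winword.exe op=write path=C:\\Users\\ann\\report.docx
2024-03-01T10:00:02 proc=unknown.exe op=rename src=C:\\Users\\ann\\a.docx dst=C:\\Users\\ann\\a.docx.locked
2024-03-01T10:00:02 proc=unknown.exe op=rename src=C:\\Users\\ann\\b.xlsx dst=C:\\Users\\ann\\b.xlsx.locked
2024-03-01T10:00:03 proc=unknown.exe op=rename src=C:\\Users\\ann\\c.pdf dst=C:\\Users\\ann\\c.pdf.locked
2024-03-01T10:00:03 proc=winword.exe op=rename src=C:\\Users\\ann\\~WRL0001.tmp dst=C:\\Users\\ann\\report.docx
2024-03-01T10:00:04 proc=unknown.exe op=rename src=C:\\Users\\ann\\d.jpg dst=C:\\Users\\ann\\d.jpg.locked
2024-03-01T10:00:05 proc=unknown.exe op=rename src=C:\\Users\\ann\\e.pptx dst=C:\\Users\\ann\\e.pptx.locked
2024-03-01T10:00:06 proc=unknown.exe op=rename src=C:\\Users\\ann\\f.txt dst=C:\\Users\\ann\\f.txt.locked
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Parse one log line into a dict (with a datetime under 'ts'); None if malformed."""
    parts = line.strip().split(" ", 1)
    if len(parts) != 2:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    event = dict(FIELD_RE.findall(parts[1]))
    event["ts"] = ts
    return event


def extension(path):
    """Lower-cased extension of a Windows or POSIX path ('' if none)."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect_mass_rename(lines, window=timedelta(seconds=10), threshold=5):
    """Return one alert per process that renamed >= threshold distinct files
    to a different extension inside any single time window."""
    per_proc = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if not ev or ev.get("op") != "rename":
            continue
        src, dst = ev.get("src", ""), ev.get("dst", "")
        if extension(src) != extension(dst):  # extension change is the key signal
            per_proc[ev.get("proc", "?")].append((ev["ts"], src))

    alerts = []
    for proc, events in per_proc.items():
        events.sort()
        start, best = 0, None
        for end in range(len(events)):  # sliding window over time-ordered events
            while events[end][0] - events[start][0] > window:
                start += 1
            files = {src for _, src in events[start:end + 1]}
            if len(files) >= threshold and (best is None or len(files) > best["count"]):
                best = {
                    "proc": proc,
                    "count": len(files),
                    "first": events[start][0].isoformat(),
                    "last": events[end][0].isoformat(),
                    "sample": sorted(files)[:3],
                }
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_rename(SAMPLE_LOG.splitlines()):
        print(f"ALERT {alert['proc']}: {alert['count']} files renamed "
              f"between {alert['first']} and {alert['last']}, e.g. {alert['sample']}")
```

The window and threshold are tuning knobs: a short window with a low threshold catches an infection earlier but also trips on legitimate bulk tools such as archivers or photo converters, so in practice such a rule is paired with an allow-list of known processes and with a response step (suspend the process, alert the SOC) rather than used on its own.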

Evaluate these measures from a cost-effectiveness perspective since in some cases it may be costly and burdensome to implement them. If preventive measures are not sufficient, consider restorative ones.

These measures should be considered a last resort. Their effectiveness varies significantly depending on the situation you are in, but if you have failed to prevent a ransomware attack and are dealing with the aftermath, first make sure that you have correctly reported the incident to the proper authorities and personnel. Inform those in charge that you intend to remediate the incident, because they may want to investigate the infected machines, and taking remedial action on them could do more harm than good. If you are confident that you can act on your infrastructure to try to recover data, you can pursue one or more of these avenues:

  • Narrow the perimeter of impact: Disconnect infected devices, or devices suspected of being infected, from all network connections. Evaluate whether it is necessary to disable Wi-Fi, wired and mobile data connections as well, keeping in mind that this also affects your own availability.
  • Restore access: Reset credentials, including passwords (especially for administrator and other system accounts), but make sure you don’t lock yourself out of the systems needed for the restoration.
  • Recover what you can: If you are able to perform forensic analysis on storage devices with tools such as Autopsy, you may be able to recover data that you had not backed up.
  • Restore from a backup: Securely wipe infected devices and reinstall the operating system. Before restoring from a backup, verify that it is free of malware. You should only restore from a backup if you are very sure that both the backup and the device you are connecting it to are clean.
  • Remediate compromises: Connect devices to a clean network to download, install and update the operating system and all other software. Install, update and run antivirus software. Monitor network traffic and run antivirus scans to identify whether an infection persists.
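
The backup advice in the preventive section and the "verify the backup before restoring" step above both rely on being able to tell whether a backup set is still what you originally wrote. The following is an added example, not code from the original article, showing one way to do that: build a SHA-256 manifest of the backup at backup time, seal it with an HMAC under a key kept offline with the manifest (an assumption of this example, so that a manifest left next to the backup cannot simply be rewritten), and later compare the backup against it. The demo uses a temporary directory with constructed files and simulates in-place encryption and renaming to show what the report looks like.

```python
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large backups don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (POSIX-style relative path) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def seal_manifest(manifest, key):
    """Serialize the manifest with an HMAC-SHA256 tag; the key stays offline."""
    body = json.dumps(manifest, sort_keys=True).encode()
    tag = hmac.new(key, body, "sha256").hexdigest()
    return json.dumps({"manifest": manifest, "hmac": tag})


def open_manifest(blob, key):
    """Re-check the HMAC before trusting a stored manifest; reject on mismatch."""
    data = json.loads(blob)
    body = json.dumps(data["manifest"], sort_keys=True).encode()
    expected = hmac.new(key, body, "sha256").hexdigest()
    if not hmac.compare_digest(expected, data["hmac"]):
        raise ValueError("manifest HMAC mismatch: manifest altered or wrong key")
    return data["manifest"]


def verify_backup(root, manifest):
    """Compare the backup on disk with the sealed manifest taken at backup time."""
    current = build_manifest(root)
    missing = sorted(set(manifest) - set(current))
    unexpected = sorted(set(current) - set(manifest))
    changed = sorted(k for k in manifest.keys() & current.keys()
                     if manifest[k] != current[k])
    return {"missing": missing, "changed": changed, "unexpected": unexpected,
            "ok": not (missing or changed or unexpected)}


def demo():
    """Constructed scenario: seal a small backup, then simulate ransomware
    overwriting one file in place and renaming another, and verify."""
    key = b"constructed-demo-key"  # assumption: in practice a key held offline
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "docs").mkdir()
        (root / "docs" / "plan.txt").write_text("quarterly plan")
        (root / "photo.jpg").write_bytes(b"\xff\xd8\xff" + bytes(range(64)))
        sealed = seal_manifest(build_manifest(root), key)

        # Simulated tampering, as an encrypting ransomware would leave the set.
        (root / "docs" / "plan.txt").write_bytes(os.urandom(32))
        (root / "photo.jpg").rename(root / "photo.jpg.locked")

        return verify_backup(root, open_manifest(sealed, key))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A clean report (`ok: true`) tells you the backup is byte-for-byte what you wrote, which is the precondition for the malware scan in the restore step to be meaningful; it does not by itself prove the original files were clean, which is why the scan is still needed.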

A final note on an element that is much less obvious than we would like. Never pay a ransom, no matter how small the amount demanded.

There are many reasons for this, but it would suffice to mention three:

  • You have no guarantee that once you pay the ransom you will get access to the information back, and if it has been exfiltrated you have no guarantee that the blackmailer will not pass it on to a third party.
  • You could compromise yourself in the eyes of the authorities who may be involved (at your request or otherwise) in the investigation of the incident.
  • You are incentivizing the attacker to attack you again in the future.

Cybercriminals, like all people, understand the basics of economics. Giving in to blackmail is the most effective way to incentivize the spread of ransomware.
