What is Ransomware?
Ransomware, literally "hostage software", is a type of malware. Attackers prevent companies and users from accessing their computers, systems or personal files, usually by encrypting them, and demand a ransom to restore access. If you meet their demands and pay, they promise to release your data. Whether that actually happens, you never know for sure.
E-mails are often the initial vector of an attack. At first glance they look legitimate, because they appear to come from a friend, colleague or trusted authority. In reality the attacker has altered small details, such as the sender address or a domain name. The e-mail carries a malicious attachment or a link to a malicious website that starts the attack as soon as you click.
In the past, attackers often hid malicious code in a macro that ran when a Word, Excel or PowerPoint file was opened. Fortunately, many enterprises now block macros by policy or with anti-malware tools. Today attackers rely less on macros to weaponise Office files and use more sophisticated techniques instead, which means that traditional protection alone is no longer sufficient.
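The macro problem above is a good illustration of why a file's extension cannot be trusted: a macro-enabled Office document (.docm, .xlsm, .pptm) is a ZIP archive whose VBA code sits in a part called vbaProject.bin, and renaming the file to .docx does not remove that part. The following check is an added example written for this page, not code from the original article or from any product it mentions; the part names, the extension list and the sample archives it builds are assumptions for demonstration. It shows how a mail gateway can inspect the archive itself instead of the extension (legacy binary .doc/.xls files are OLE2 containers, not ZIPs, and need a different check).

```python
"""Flag OOXML attachments that carry a VBA project, whatever their extension.

Added example, not code from the original article. A macro-enabled Office
file is a ZIP archive; the macro code lives in a part named vbaProject.bin.
Legacy binary formats (.doc/.xls, OLE2) are not ZIP-based and are out of scope.
"""
import io
import zipfile

# Assumption: archive part names that indicate an embedded VBA project (compared case-insensitively).
MACRO_PARTS = {"vbaproject.bin", "vbadata.xml"}
# Assumption: extensions that advertise macros; a mismatch with the content is itself suspicious.
MACRO_EXTENSIONS = {"docm", "xlsm", "pptm", "dotm", "xltm", "potm"}


def has_vba_project(data: bytes) -> bool:
    """Return True if `data` is a ZIP-based Office file that contains a VBA project part."""
    if not data.startswith(b"PK\x03\x04"):
        return False  # not a ZIP container (OLE2 document, PDF, image, ...)
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.rsplit("/", 1)[-1].lower() in MACRO_PARTS for name in zf.namelist())
    except zipfile.BadZipFile:
        return False  # truncated or corrupt archive: cannot be a valid document either


def classify(filename: str, data: bytes) -> str:
    """Gateway decision: 'quarantine' if a VBA project is present, 'review' if the
    extension claims macros but none were found, otherwise 'allow'."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if has_vba_project(data):
        return "quarantine"  # macro present, regardless of what the extension says
    if ext in MACRO_EXTENSIONS:
        return "review"  # extension/content mismatch, worth a human look
    return "allow"


def build_sample(with_macro: bool) -> bytes:
    """Constructed, minimal fake OOXML archive for the demo (not a real Word document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Real vbaProject.bin parts are OLE2 streams; the header bytes are enough here.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 fake VBA project stream")
    return buf.getvalue()


if __name__ == "__main__":
    # A macro-bearing archive renamed to .docx is still caught by content inspection.
    for name, data in [("invoice.docx", build_sample(True)),
                       ("budget.xlsm", build_sample(False)),
                       ("memo.docx", build_sample(False))]:
        print(f"{name:14s} -> {classify(name, data)}")
```

In a real gateway the same inspection would be applied after unpacking outer containers (ZIP, ISO, 7z) and to OLE2 documents via a library such as olefile or oletools, since attackers routinely nest the Office file one layer deeper to dodge extension-based filters.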
PDF files can carry the same kind of malicious code. In some attacks the PDF reader itself is the weak link: a vulnerability in the reader lets the file execute its payload. Keep in mind that PDF readers are not only stand-alone applications such as Adobe Reader or Adobe Acrobat; most browsers ship a built-in reader, which can be abused just as well.
Fake software is another vector: a download, often free, that looks like a legitimate program but hides the malware. The so-called SAD Computer ransomware, associated with files carrying the ".sad" extension, is one example. Through an innocent-looking pop-up window, the attacker lures the user into clicking "yes", something we all do without thinking on a daily basis.
How do I discover ransomware?
If your files are encrypted straight away, you will notice immediately. More often than not, however, an unsuspecting victim does not notice for hours or even days that the machine is infected. It is important to know that as soon as you open a malicious file or give permission to download or install something, the rest takes place behind the scenes and is therefore invisible.
Attackers like to cover their tracks. They deliberately create a delay between the infection and the encryption, which makes it harder for security researchers to trace the cause of the infection. The very first ransomware, the AIDS Trojan of 1989, did not activate until the victim's machine had been started 90 times. Criminals are patient and happy to wait when they know it will be more profitable for them afterwards.
It is often the larger companies that make the news, but SMEs are the most frequent victims of cyber attacks. The CCB (Centre for Cyber Security Belgium) indicated that 60% of all attacks in 2018 targeted SMEs. The figure is so high because not every SME has an IT department, so the topic stays underexposed, and when an attack does happen the consequences are often particularly severe.
Ransomware attacks are increasingly targeting large corporations as well. In 2019, several multinationals in Belgium were technically unable to operate for several days, and in some cases branches abroad were crippled too, because the malware paralysed the entire production. This caused not only a major financial loss but also damage to the company's image.
The first ransomware targeted individuals, who saw their PC encrypted and got their files back on payment of a limited amount of money. Today the attacks are more likely to target companies, but it remains important for private individuals to install the latest security updates and to be wary of suspicious e-mails and attachments.
"Global figures show that attacks with ransomware are decreasing in number, but at the same time the impact is increasing."
Walter Coenraets, head of the Belgian Federal Computer Crime Unit, in "De Tijd".
The amount of the ransom depends on the case. For private individuals it often varies between 100 and 1,000 euros, while a worldwide study shows that in Q3 of 2019 the average ransom demanded from organisations amounted to 41,198 dollars. The trend is upward: attackers are focusing more and more on larger companies and the sums demanded are rising. Amounts in excess of $280,000 have already been reported.
Downtime, the cost of your business interruption, is typically 5 to 10 times higher than the direct costs such as the ransom itself. For SMEs, this cost was estimated at an average of 127,000 euros in 2019. The public sector also suffers from ransomware, with an average downtime of 12.5 days and indirect costs of up to 670,000 euros. Insurer Hiscox, in turn, estimates the average indirect cost of a cyber attack at 330,000 euros.
Because the consequences are visible from the outside, as the victim of a ransomware attack you often have no choice but to make it public. Although this leads to indignation and disapproval from customers, investors and other stakeholders, communicating in a timely and transparent manner can limit the damage to customer retention or to the company's share price. Data can be restored; the trust of stakeholders not always.
It is not uncommon for dissatisfied customers to seek compensation through legal means after a ransomware attack. As a company, you can be sued for breach of privacy, negligence and, in cases involving hospitals, even the disruption of medical care. Everything depends on what additional damage the attackers cause and what data they disclose.
Although it is not the typical behaviour of ransomware gangs, it sometimes happens that they use the stolen data for other malicious activities. In most cases they opt for a quick payout, but if they also target your partners and customers with the stolen data, those parties' losses can be claimed back from your business as indirect costs, if liability is proven.
And unfortunately, after all the damage caused by the attack itself, the victim has no guarantee of recovering the encrypted data, even after paying the ransom. Paying the ransom does not guarantee the safe retrieval of encrypted data, and it finances the next attack. We fully follow the advice of the government agencies, which strongly advise against paying.
Step 1: Isolate the infection
This does not mean that you have to paralyse your entire IT infrastructure at once. Cut the infected endpoints (desktops, laptops, tablets, servers, etc.) off from the rest of the network so that the malware cannot spread. Do not shut them down, as that destroys evidence in memory; just deny them network access. Also, do not reconnect or restart the backup system immediately: with ransomware, that risks infecting or encrypting the backups as well.
- Disconnect from the Internet and disable remote access.
- Install outstanding security updates or patches before systems are reconnected.
- Review and tighten your firewall rules.
- Change passwords: reset credentials, starting with privileged and domain accounts, and choose new, stronger ones.
Step 2: Contact your IT security partner
Contact your security partner even if the attackers ask for an "affordable" ransom. You have no certainty that you will actually get your data back, and paying marks you as a paying victim, which attracts other criminals who will also take their chance. Don't have an IT security partner? Do not hesitate to contact one. An external investigation by professionals can only improve the chances of recovering your data.
Step 3: Report the attack to the police
Contact the local police so that they can start the administrative procedure and record the first findings. In the case of larger cyber attacks on critical infrastructure, they call in the Quick Reaction Force of the Federal Police; in all other cases, the Federal Computer Crime Unit. All Belgian companies and (government) organisations can contact CERT.be to report a cyber attack and/or request advice on cybersecurity. You can report an incident via firstname.lastname@example.org or by telephone on +32 2 790 33 33.
Step 4: Find out which type of malware it is
Because both your IT security partner and the government agencies need to know what kind of attack it is, you need to find out. There are different types, and not every type requires the police to be informed. The most common ransomware families at the moment are Ryuk and WannaCry. There is also a big difference between crypto ransomware, which encrypts your files and demands payment for the key, and locker ransomware, which locks you out of the device without encrypting the data.
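Identifying the family starts with collecting the right evidence from an affected machine: which new file extension appears in bulk, which ransom-note file was dropped, and whether the files really are encrypted rather than merely renamed. This also covers the earlier point that encryption happens silently in the background: a sudden population of high-entropy files with an unfamiliar extension is how you notice it. The scanner below is an added example written for this page, not code from the original article or from EASI. It walks a directory and reports those three things; the only two family markers it knows (the ".WNCRY" extension and "@Please_Read_Me@.txt" note of WannaCry, the ".RYK" extension and "RyukReadMe" note of Ryuk) are well-documented indicators for the two families named above, and everything else is reported as "unknown" for lookup, for example with the ID Ransomware service, rather than guessed. The note-name keywords, the entropy threshold and the sample directory are assumptions constructed for the demo.

```python
"""Triage helper for a suspected ransomware infection.

Added example, not code from the original article. Run it against a read-only
copy of the affected data: it tallies file extensions, spots candidate ransom
notes, measures Shannon entropy of file headers to tell encrypted files from
renamed ones, and matches two well-documented families. Unknown markers are
reported as-is so they can be looked up rather than guessed.
"""
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

# Well-documented indicators for the two families the article names.
KNOWN_MARKERS = {
    "WannaCry": {"extensions": {".wncry"}, "notes": {"@please_read_me@.txt"}},
    "Ryuk": {"extensions": {".ryk"}, "notes": {"ryukreadme.txt", "ryukreadme.html"}},
}
# Assumption: words that commonly appear in ransom-note file names.
NOTE_WORDS = ("readme", "read_me", "decrypt", "recover", "restore", "how_to", "help")
# Assumption: plain text sits around 4-5 bits/byte; ciphertext and compressed data near 8.
HIGH_ENTROPY = 7.5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty or constant input, 8.0 max)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(root: str, sample_bytes: int = 4096) -> dict:
    """Collect extension counts, high-entropy files, candidate notes and matched families."""
    ext_counter: Counter = Counter()
    high_entropy, notes = [], []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        name, ext = path.name.lower(), path.suffix.lower()
        ext_counter[ext] += 1
        if any(w in name for w in NOTE_WORDS) and ext in (".txt", ".html", ".hta", ""):
            notes.append(path.name)
        with path.open("rb") as fh:
            head = fh.read(sample_bytes)  # header is enough; avoids reading huge files
        if len(head) >= 256 and shannon_entropy(head) >= HIGH_ENTROPY:
            high_entropy.append(path.name)
    note_names = {n.lower() for n in notes}
    families = sorted(
        fam for fam, m in KNOWN_MARKERS.items()
        if (set(ext_counter) & m["extensions"]) or (note_names & m["notes"])
    )
    return {
        "extensions": dict(ext_counter),
        "high_entropy_files": sorted(high_entropy),
        "ransom_notes": sorted(notes),
        "families": families or ["unknown"],
    }


def build_sample_dir() -> str:
    """Constructed sample: one normal document, three 'encrypted' files, one ransom note."""
    root = tempfile.mkdtemp(prefix="triage_demo_")
    docs = Path(root) / "Documents"
    docs.mkdir()
    (docs / "planning.txt").write_text("quarterly planning, nothing unusual here\n" * 20)
    rng = random.Random(1)  # deterministic pseudo-random bytes stand in for ciphertext
    for i in range(3):
        (docs / f"report{i}.docx.WNCRY").write_bytes(bytes(rng.getrandbits(8) for _ in range(4096)))
    (docs / "@Please_Read_Me@.txt").write_text("Ooops, your files have been encrypted!\n")
    return root


if __name__ == "__main__":
    result = triage(build_sample_dir())
    for key, value in result.items():
        print(f"{key}: {value}")
```

Work on a copy or a read-only mount, never on the live machine, and hand the full output (extension, note text, a sample encrypted file) to your security partner or the police along with the ransom note itself; the note usually names the family outright, and the extension alone distinguishes crypto ransomware from a locker that has not touched the files.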
Step 5: Identify the vulnerabilities
Your IT security partner will probably help you with this. They can work with your response team of in-house people (IT specialists, if you have them) to identify the vulnerabilities that were exploited and may need to be patched.
- Find out who has access to the infected endpoints.
- Check which network connections were involved
- Find out how the attack was initiated
Step 6: Inform your customers and stakeholders
If your company is seriously affected by the attack, it is best to inform your customers and stakeholders openly. It can avert possible lawsuits and only benefits your image. Check your own legal and contractual obligations immediately so that you can inform everyone personally. Make a clear PR plan or a statement to the outside world.
Step 7: Have a security audit carried out
In the aftermath of a successful attack, it is clear that your security measures were inadequate. Once you know what caused the attack, have a thorough security audit carried out. You can also do this preventively in order to discover the weak links before an attacker does.
Step 8: Train and inform your colleagues
Create awareness about ransomware and cyber attacks in general. Employees are often the weak link because attackers use cunning social-engineering tactics, such as impersonating colleagues. Therefore, communicate internally about the attack and how it originated, but above all train your employees on how to deal with such attempts. It is important to involve management. Teach everyone the security procedures and, if necessary, post them visibly so that people can fall back on them.
Insist on the importance of strong passwords! Nowadays a password of 8 characters is no longer sufficient; prefer long passphrases that are unique for every service. All too often, passwords like azerty123 or passwords containing the company's name are still in use.
Inform employees about the ways ransomware (malware) spreads (e-mails, files, etc.) and make sure the message is repeated often enough. Have your CISO or IT department run a phishing test regularly, not to check up on employees, but to raise awareness. Your IT partner can also help you with a penetration test.
You can install all the technical protection tools you want: if your employees keep clicking on suspicious links, download and install whatever they find on the internet, or use weak passwords, you remain vulnerable.
Benefit from our complete Security Awareness Training program as part of your IT security governance program.
As described above, all users and employees must be aware of the possible threats. But what can you do as a manager? As a company, we are becoming more and more dependent on technology, which has made IT business-critical. "As CEO, you therefore hold the key to stopping ransomware and other cyber attacks. More than ever, cyber security must be a top priority at all levels. Only by making sufficient budget available for this will this be possible." (Datanews) That reasoning is correct, but budget is only one side of the story. You can do a lot more as a company:
Make an incident response plan
The purpose of this plan is to detect and deal with possible attacks. The plan is drawn up by ICT professionals (if you do not have these in-house, you can always contact an IT security partner) and consists of 6 phases: 1. Preparation, 2. Identification, 3. Containment, 4. Eradication, 5. Recovery, 6. Lessons learned.
The importance of a backup should not be underestimated, nor the regularity with which it is taken. After all, it determines how much data you will or will not lose. This backup is best kept offline or in the cloud of your security partner (Remote Backup as a Service): that ensures business continuity and means the backup data is not encrypted along with everything else when ransomware hits your business. Test restoring from it regularly; a backup that has never been restored is only a hope.
Make sure all your software and systems have the latest security updates and have been patched. Ransomware is all too happy to exploit vulnerabilities in popular software. Use Endpoint Firewall Control so that you have visibility over the traffic to and from the endpoints and can block unauthorised data traffic.
Regardless of how strong your password is or how often you change it, a password alone only proves that someone knows a secret, not that it is you. Two-factor authentication adds a second proof at every login, such as a one-time code from an authenticator app or hardware token, or a push notification to your phone, which leaves an attacker with a stolen password little or no chance. Enable it wherever you can.
By leaving this to a specialised partner, you as a company keep the focus on what you are good at and do not have to deal with this often complex matter yourself. EASI works with the most renowned partners in the field (SentinelOne, F5, ESET, ...) and offers very strong protection against ransomware.
A modern, secure IT environment consists of tons of technology components: next-generation firewalls, anti-virus, anti-spam and malware solutions, web filters, proxies, secure remote access solutions, authentication solutions, WAN acceleration, application delivery, load balancing, switching, Internet VPN connections, wireless solutions, data center security, PKI infrastructure, web security scanning (PCI), not to mention mobile device management.
Keeping a clear overview of IT security in your organisation can quickly become a complicated exercise. To maintain that overview and to make sure ransomware doesn't stand a chance, it is best to conduct a Security Hardening Audit. Want to know more about how this works? Then be sure to take a look at this page.
Investigate if you'd need a cyber insurance
Policies for cyber insurance are relatively new in the market. However, insurers across Europe have already taken measures to help society prepare for cyber risks and increase the resilience of businesses in this area.
We expect the demand for these cyber insurances to grow rapidly. However, we believe that insurance should always be complementary to a robust program focused on risk management of cyber resilience. Together with HDI, we offer a cyber insurance that can provide this extra security.