It’s a lucrative business for cybercriminals, so how do you make sure they stay away from your company?
In a few years, ransomware has become a huge problem. In 2021, the damage increased dramatically, and dealing with it is a complicated puzzle. Ransomware has become a scalable, efficient industry, according to
Currently, the State Department is working to get legislation passed between countries, but since many gangs operate from Russia, it remains to be seen what can be done on the threat side.
What is ransomware?
Ransomware is malicious software, or malware, that holds your computers and files hostage. Hence, in the Netherlands, we also call it hostage software. Criminals encrypt or block your files, computers or sometimes even the entire network and only release things when you pay a ransom.
That ransom must often be paid in cryptocurrencies such as Bitcoin.
Types of ransomware
There are two basic forms of ransomware: a cryptor, which encrypts the files on your system, and a locker, which locks your screen. There are also advanced ransomware types that can encrypt databases, backups, USB sticks and data in the cloud.
How does ransomware get into your business?
It can get in through a variety of routes and devices. We often see malicious macros in Microsoft Office documents that arrive as email attachments; the moment you enable macros, your system is infected.
But it can also go wrong through a malicious link in a phishing email, a rogue attachment, or an infected download or advertisement on a website.
Practical examples of ransomware mails
Numerous fake emails are circulating from KPN, Ziggo, Intrum Justitia and transportation companies. These emails contain an infected attachment or rogue link.
But lately we are also seeing something else. For example, we regularly see emails that are supposedly sent by colleagues and are formatted to look like Microsoft Teams notifications.
Cybercriminals pose as colleagues and customers, and it really is vital that you check the sender’s email address with every attachment or link. That always gives it away immediately.
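The sender check described above can be automated at the mail gateway or in a reporting tool. The following is an added example, not code from the original post: it parses the headers of a constructed Teams-style phishing mail, flags a lookalike sender domain (digits swapped for letters, "rn" for "m"), a display name imitating a Teams notification from outside the organisation, and a Reply-To that differs from the From address. The trusted domain and the sample message are assumptions made for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample of the kind of mail described above: a "colleague" sending a
# Teams-style notification from a lookalike domain with a foreign Reply-To.
# This is invented test data, not a real message.
SAMPLE_PHISH = """\
From: "Jan de Vries via Teams" <jan.devries@example-c0rp.com>
Reply-To: notifications@mail-relay.example.net
To: finance@example-corp.com
Subject: Jan de Vries sent you a message in Teams

Please open the attached invoice before 17:00.
"""

# The domains the organisation really sends from (assumed value for this example).
TRUSTED_DOMAINS = {"example-corp.com"}

# Single-character swaps commonly used to build lookalike domains.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize_domain(domain: str) -> str:
    """Fold digit-for-letter swaps and 'rn' for 'm' so a lookalike compares equal to the real domain."""
    return domain.lower().replace("rn", "m").translate(CONFUSABLES)


def check_sender(raw_message: str, trusted_domains=frozenset(TRUSTED_DOMAINS)) -> list[str]:
    """Return a list of findings about the sender; an empty list means nothing suspicious."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = from_addr.rsplit("@", 1)[-1].lower() if "@" in from_addr else ""

    if from_domain not in trusted_domains:
        if any(normalize_domain(from_domain) == normalize_domain(t) for t in trusted_domains):
            findings.append(f"lookalike sender domain: {from_domain}")
        else:
            findings.append(f"external sender domain: {from_domain}")
        if "teams" in display_name.lower():
            findings.append("display name imitates a Microsoft Teams notification from outside the organisation")

    # A Reply-To pointing elsewhere means replies (and any "confirmation") go to the attacker.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and reply_addr.lower() != from_addr.lower():
        findings.append(f"Reply-To differs from From: {reply_addr}")

    return findings


if __name__ == "__main__":
    for finding in check_sender(SAMPLE_PHISH):
        print("SUSPICIOUS:", finding)
```

The lookalike test only catches simple substitutions; in production you would also compare against SPF/DKIM results and a list of your suppliers' real domains, but the header checks above already catch the "colleague from a domain that is almost ours" pattern the post describes.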
The facts and figures
2021 has been the most lucrative year for cybercrime ever. In July, SonicWall released a survey with impressive numbers. In the first six months of 2021, global ransomware volume reached an unprecedented 304.7 million attack attempts.
In all of 2020, that was 304.6 million attempts.
Ransomware attacks in 2020 and 2021
It didn’t stop there by a long shot. Another record was broken in the third quarter: 190.4 million attack attempts. Overall, the number of attempts reached 495.1 million, a 148% increase over the previous year. 2021 is the most expensive and dangerous year ever.
Ransomware predictions for 2022
Needless to say, the misery only increases.
Security firm Sophos has released its predictions, and they are not tame.
Over the past 18 months, we have seen a change in tactics: increasingly large organizations are being targeted, and the business model that dictates how ransomware attacks occur has evolved.
It is up to IT professionals to proactively deal with the trends below to meet the challenges on the horizon.
Ransomware as a Service (RaaS)
Ransomware as a Service does not sound good, and it absolutely is not. Ransomware groups buy services on the Dark Web and seek specialists there to set up ransomware attacks.
There are even special manuals on how companies have been attacked, in order to “inspire” other gangs.
This model is worrisome. Whereas previously the same group developed and used its own ransomware, groups now specialize.
For example, one group may specialize in abusing vulnerable Internet services, such as Remote Desktop Protocol (RDP), while another group specializes in buying access to organizations.
In the RaaS model, all these details are obscured, making it more difficult to determine exactly who is behind an attack.
The RaaS trend started in 2021, when we saw attacks by Conti and DarkSide.
Sophos believes the RaaS model will continue to dominate the ransomware threat landscape in 2022 and beyond.
Indeed, the model allows experts to keep building their product, while access specialists can stay focused on getting in.
RaaS threats were already finding new ways to break into increasingly secure networks, and that will only get worse in 2022.
The company also predicts that in 2022, criminals will employ a combination of extortion techniques to put more pressure on victims.
In 2021, there were already 10 different extortion techniques, including data theft, threatening phone calls, public disclosure and DDoS attacks.
Combining techniques is also lucrative: in the first half of 2021, criminals were asking $570,000 for the data held hostage.
That’s an 82% increase over the previous year!
A ransomware attack, now what?
Oh no, your equipment is encrypted. Now what? Above all, don’t panic. After all, all is not yet lost.
- Don’t pay! This sends the message that this kind of activity is profitable.
- Find out which malware has infected your disk with the Crypto Sheriff. It could well be that a decryptor already exists, which will get your data back in no time. This website is supported by Europol.
- Isn’t there a decryptor available? Then keep checking the No More Ransom website, because who knows, one will become available soon.
What can you do to prevent a ransomware attack?
According to Forrester, cyber insurance premiums are rising 30% and some insurers are even having to exit the market. Extortion demands are rising, which has put a dent in a once highly profitable industry.
Forrester also expects at least one of the top 10 cyber insurers to stop new business.
So plenty of reasons to be wary. You can’t prevent it completely, unfortunately, but you can make sure your fortress is properly secured.
You can do this with a cybersecurity checklist, so you won’t have any surprises.
Below we collect a few do’s and don’ts surrounding ransomware.
1. Don’t pay a ransom!
Because that only encourages and funds the criminals.
And even if the ransom is paid, you have no guarantee that you will regain access to your files, because who knows, there may be more money to be taken from you.
So keep your wallet shut. If we all stop paying, the fun will soon be over.
2. Make sure you have a good backup
Always have a good backup of all your files. This is really the fastest way to regain access to all your data.
Encrypt backups to keep them out of the hands of cybercriminals.
With a clean, encrypted backup that the ransomware cannot reach, you have your data back quickly.
Here are some best practices to protect your backups from ransomware:
Maintain a second offline backup
When ransomware strikes, the malware can attack anything the infected system has access to.
It is unlikely that your end users are backup administrators, but there are indirect paths through which backups can be infected.
If this happens, there is no way to recover because both the master copy of the data and the backup will be encrypted. Keeping an offline backup can reduce this risk.
One easy way to do this is to use traditional backup tapes, which ransomware cannot reach once they have been taken offline.
Use immutable storage
Also known as WORM (Write-Once-Read-Many), immutable object storage can store data in a bucket and lock it to prevent further modification.
Most disk-based backup systems protect data at the block level and track changed blocks to back up files as they change.
The problem is that ransomware modifies many storage blocks, so your backup system will eventually back up the now-encrypted files.
Immutable storage ensures that backups remain unchanged.
Endpoint protection on backup servers
Modern endpoint security platforms can detect ransomware processes as soon as they begin to infect a system by recognizing their abnormal behavior, even if the type of ransomware is new and unknown to security specialists.
They can immediately lock down infected systems and isolate them from the network to prevent ransomware from spreading further.
This is useful for all endpoints in the organization, but is especially important on the backup server itself.
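The two passages above (backup systems faithfully copying encrypted blocks, and endpoint tools spotting ransomware by behaviour rather than signature) rest on the same observation: encrypted files look like random bytes, and ransomware rewrites many of them in a short burst. The example below is added here and is not code from the original post or from any vendor's product. It computes Shannon entropy per rewritten file and the peak number of rewrites in a sliding window, the two signals a backup agent or endpoint sensor can use to refuse ingestion or isolate a host. The thresholds, extensions and the two constructed event sets are assumptions made for the example.

```python
import hashlib
import math
import os
from collections import Counter

HIGH_ENTROPY_BITS = 7.2      # bits per byte; documents and text sit far below, ciphertext near 8
BURST_WINDOW_SECONDS = 10.0  # how fast a legitimate user could plausibly rewrite many files
BURST_THRESHOLD = 20         # rewrites inside one window that we treat as a mass-encryption burst
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".csv", ".jpg", ".png"}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 for perfectly uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def assess_changes(events):
    """events: iterable of (timestamp_seconds, path, new_content_bytes) file-write events.

    Returns a summary dict; 'suspicious' is True when almost every rewritten file looks like
    ciphertext AND the rewrites arrive in a burst, which is what mass encryption looks like
    to a backup agent or an endpoint sensor."""
    ordered = sorted(events, key=lambda e: e[0])
    total = len(ordered)
    high_entropy = sum(1 for _, _, data in ordered if shannon_entropy(data) >= HIGH_ENTROPY_BITS)
    odd_extension = sum(1 for _, path, _ in ordered
                        if os.path.splitext(path)[1].lower() not in KNOWN_EXTENSIONS)

    # Peak number of writes inside any sliding window of BURST_WINDOW_SECONDS.
    times = [t for t, _, _ in ordered]
    peak, start = 0, 0
    for end in range(total):
        while times[end] - times[start] > BURST_WINDOW_SECONDS:
            start += 1
        peak = max(peak, end - start + 1)

    encrypted_ratio = high_entropy / total if total else 0.0
    return {
        "files": total,
        "high_entropy": high_entropy,
        "odd_extension": odd_extension,
        "peak_writes_per_window": peak,
        "suspicious": encrypted_ratio >= 0.8 and peak >= BURST_THRESHOLD,
    }


def _pseudo_ciphertext(seed: str, length: int = 2048) -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted output (constructed test data)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(f"{seed}:{counter}".encode()).digest()
        counter += 1
    return out[:length]


# Constructed samples: a user editing a handful of reports over a minute, versus thirty files
# rewritten as ciphertext with a new extension within three seconds.
BENIGN_EVENTS = [
    (15.0 * i, f"/srv/share/report{i}.txt", b"Quarterly figures, see the attached table.\n" * 40)
    for i in range(5)
]
ENCRYPTION_EVENTS = [
    (100.0 + 0.1 * i, f"/srv/share/report{i}.docx.locked", _pseudo_ciphertext(f"file-{i}"))
    for i in range(30)
]

if __name__ == "__main__":
    print("benign   :", assess_changes(BENIGN_EVENTS))
    print("encrypted:", assess_changes(ENCRYPTION_EVENTS))
```

Compressed archives and media files also have high entropy, which is why the verdict requires the burst as well as the entropy ratio; a single rewritten zip file is normal, three hundred of them in ten seconds is not.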
Increase backup frequency
Look at how often you back up your own data, which determines your recovery point objective (RPO).
The frequency of backups determines how much data can be lost in a ransomware attack.
Even if you back up once a day or once every few hours, you have to consider what it will cost if you lose all the data since the previous backup.
Consider backing up business-critical data at least once an hour.
The 3-2-1 backup rule to mitigate ransomware risks
The 3-2-1 rule is a general best practice for recovery and backup that can help mitigate ransomware risks.
No backup strategy is foolproof, but following the 3-2-1 rule is quite a powerful approach to preventing loss of your data.
Here’s how the 3-2-1 backup rule works:
- Have at least three copies of your data – one master copy and two backups
- Use two different media formats, for example, an SSD drive and cloud storage
- Keep one of these copies off-site. The safest option is to store data on a tape and keep it in a very secure location. Another option is to automatically take snapshots of data to a location for disaster recovery.
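A backup inventory can be checked against these rules automatically. The example below is added here and is not code from the original post: it models each copy of the data as a record and evaluates the 3-2-1 rule together with the two earlier points in this section, that at least one copy is offline or immutable and that the freshest backup is younger than the recovery point objective (RPO). The two inventories, the hourly RPO and the field names are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class BackupCopy:
    name: str
    medium: str                 # e.g. "disk", "tape", "object-storage"
    off_site: bool
    offline_or_immutable: bool  # tape in a safe, or WORM object storage
    last_success: datetime      # completion time of the last verified backup
    is_master: bool = False     # the live production copy counts as one of the three


def evaluate_backups(copies, rpo: timedelta, now: datetime) -> list[str]:
    """Check an inventory of data copies against 3-2-1 plus the offline/immutable and RPO
    requirements. Returns the list of gaps; an empty list means compliant."""
    gaps = []
    if len(copies) < 3:
        gaps.append(f"only {len(copies)} copies present, the rule asks for at least 3")
    media = {c.medium for c in copies}
    if len(media) < 2:
        gaps.append(f"all copies share one medium ({', '.join(sorted(media)) or 'none'}), need 2 different media")
    if not any(c.off_site for c in copies):
        gaps.append("no off-site copy: a local incident destroys every copy")
    if not any(c.offline_or_immutable for c in copies):
        gaps.append("no offline or immutable copy: ransomware with network access can reach every copy")
    # RPO is met when the most recent backup (not the master) is younger than the RPO.
    ages = [now - c.last_success for c in copies if not c.is_master]
    if ages and min(ages) > rpo:
        gaps.append(f"freshest backup is {min(ages)} old, exceeding the RPO of {rpo}")
    return gaps


# Constructed inventories for the example (not a real environment).
NOW = datetime(2022, 1, 10, 12, 0, tzinfo=timezone.utc)
ONE_HOUR = timedelta(hours=1)

COMPLIANT = [
    BackupCopy("production file share", "disk", off_site=False, offline_or_immutable=False,
               last_success=NOW, is_master=True),
    BackupCopy("object-lock bucket (WORM)", "object-storage", off_site=True, offline_or_immutable=True,
               last_success=NOW - timedelta(minutes=20)),
    BackupCopy("nightly tape in vault", "tape", off_site=True, offline_or_immutable=True,
               last_success=NOW - timedelta(hours=8)),
]

WEAK = [
    BackupCopy("production file share", "disk", off_site=False, offline_or_immutable=False,
               last_success=NOW, is_master=True),
    BackupCopy("NAS in the server room", "disk", off_site=False, offline_or_immutable=False,
               last_success=NOW - timedelta(hours=26)),
]

if __name__ == "__main__":
    for label, inventory in (("compliant", COMPLIANT), ("weak", WEAK)):
        gaps = evaluate_backups(inventory, ONE_HOUR, NOW)
        print(f"{label}: {'OK' if not gaps else ''}")
        for gap in gaps:
            print("  -", gap)
```

The weak inventory is the common small-business setup: a NAS next to the server, on the same network and the same kind of disk, backed up once a day. Every one of the checks fails for it, which is exactly why such a NAS so often ends up encrypted alongside the production data.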
3. Be careful about sharing personal information
Do not provide personal information when responding to an e-mail, unsolicited phone call, text message or instant message.
Phishers try to trick both employees and individuals into installing malware, or obtaining information for attacks by posing as IT employees or a reputable company.
Never give your personal information to unsolicited persons.
Also, never send passwords by email; use a password manager instead.
4. Use reputable antivirus software and a firewall
Maintaining a strong firewall and keeping your security software up-to-date are critical.
Use antivirus software from a reputable company, because unfortunately there is a great deal of fake security software out there.
5. Scan and filter your mail servers
Scan all your incoming emails for known threats and make sure your email servers are blocking all types of attachments that could pose a threat.
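The attachment filtering described here, together with the macro-in-Office-document route described earlier in this post, can be implemented as a small policy that runs over every MIME attachment. The following is an added example, not code from the original post or from any mail product: it blocks executable types (judging a double extension such as invoice.pdf.exe by its final extension), looks inside zip wrappers, and quarantines Office documents that carry a VBA project (OOXML files are zip archives, and macros live in a vbaProject.bin part). The blocked-extension list, the constructed minimal OOXML file and the sample message are assumptions made for the example.

```python
import io
import os
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions that should never arrive by mail (assumed policy for the example).
BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".bat", ".cmd", ".ps1", ".jar", ".lnk", ".iso"}
MACRO_ENABLED = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm"}
OFFICE_OOXML = {".docx", ".dotx", ".xlsx", ".pptx"} | MACRO_ENABLED


def contains_vba(data: bytes) -> bool:
    """OOXML files are zip archives; a VBA macro project is stored as a vbaProject.bin part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def classify_attachment(filename: str, data: bytes) -> str:
    """Return 'block', 'quarantine' or 'allow' for a single attachment."""
    ext = os.path.splitext(filename)[1].lower()   # invoice.pdf.exe -> .exe (what Windows would run)
    if ext in BLOCKED_EXTENSIONS:
        return "block"
    if ext == ".zip":
        # Look inside: a zip is the classic wrapper for a blocked file or a macro document.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                verdicts = [classify_attachment(name, zf.read(name)) for name in zf.namelist()]
        except zipfile.BadZipFile:
            return "quarantine"   # claims to be a zip but is not: do not trust it
        if "block" in verdicts:
            return "block"
        return "quarantine" if "quarantine" in verdicts else "allow"
    if ext in OFFICE_OOXML and contains_vba(data):
        return "quarantine"       # a macro in a mailed document is the infection route described above
    if ext in MACRO_ENABLED:
        return "quarantine"       # macro-enabled format even when no VBA part was found
    return "allow"


def scan_message(raw: bytes) -> dict[str, str]:
    """Classify every attachment of a raw RFC 5322 message, keyed by attachment filename."""
    msg = message_from_bytes(raw, policy=policy.default)
    return {
        (part.get_filename() or "<unnamed>"): classify_attachment(part.get_filename() or "", part.get_content())
        for part in msg.iter_attachments()
    }


def build_ooxml(with_macro: bool) -> bytes:
    """Build a minimal OOXML-style zip (constructed stand-in, not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00constructed placeholder, no real macro\x00")
    return buf.getvalue()


def build_sample_message() -> bytes:
    """Constructed mail with a macro document and a double-extension executable attached."""
    msg = EmailMessage()
    msg["From"] = "invoices@example.org"
    msg["To"] = "finance@example-corp.com"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please find the invoice attached.")
    msg.add_attachment(build_ooxml(True), maintype="application",
                       subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
                       filename="invoice.docx")
    msg.add_attachment(b"MZ\x90\x00constructed, not a real executable", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict in scan_message(build_sample_message()).items():
        print(f"{verdict:10s} {name}")
```

Quarantine rather than outright block for macro documents keeps legitimate finance spreadsheets reachable after a human look, while still making sure nobody can enable the macro by simply double-clicking the attachment.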
6. Keep your software up-to-date
Ensure that all systems and software are updated with relevant patches. Exploit kits hosted on compromised websites are often used to spread malware.
Regular patching of vulnerable software is necessary to help prevent infection.
7. A VPN is a basic necessity
Using a public WiFi network is not wise, but sometimes you can’t avoid it. Make sure you use a reliable VPN when surfing over a public network.
Do you drive a lot of miles for your business? Then make sure your IT department is aware of this.
It goes without saying that you never log into your bank over a public network, but we’ll tell you anyway.
8. Use multi-factor authentication
With multi-factor authentication, you use a combination of factors to validate access: your login credentials plus one or more additional factors, such as a time-based one-time code, biometrics or a security key.
When someone tries to break into your account, MFA makes that a lot harder. After all, a password alone won’t get them in.
We ourselves use the YubiKey. Thanks to this key, you no longer need an app, just plug in the key. Ideal!
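The "time-sensitive" code mentioned above is what authenticator apps produce: TOTP (RFC 6238), an HMAC over the current 30-second time step, truncated to six digits. The example below is added here and is not code from the original post or from any authenticator vendor. It implements HOTP and TOTP, verifies a submitted code while tolerating one step of clock drift, and records the last accepted step so that a code captured by a phisher cannot be replayed within its validity window. The seed used is the published RFC 6238 SHA-1 test seed; the verification window and the replay bookkeeping are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the counter, dynamically truncated to `digits` decimal digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the current time step."""
    return hotp(secret, int(at_time // step), digits)


def verify_totp(secret: bytes, submitted: str, at_time: float, last_used_step: int = -1,
                step: int = 30, drift: int = 1) -> tuple[bool, int]:
    """Verify a submitted code, tolerating `drift` steps of clock skew either way.

    Returns (accepted, step_to_record). The caller stores step_to_record and passes it back as
    last_used_step next time, so a code that was already consumed cannot be replayed."""
    current = int(at_time // step)
    for delta in range(-drift, drift + 1):
        candidate = current + delta
        if candidate <= last_used_step:
            continue                       # already consumed (or older): reject replays
        if hmac.compare_digest(hotp(secret, candidate), submitted):
            return True, candidate
    return False, last_used_step


def secret_from_base32(text: str) -> bytes:
    """Authenticator apps receive the seed as base32 (the otpauth:// URI 'secret' parameter)."""
    cleaned = text.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


# RFC 6238 test seed for SHA-1: the ASCII bytes "12345678901234567890".
RFC_SEED = b"12345678901234567890"

if __name__ == "__main__":
    now = time.time()
    code = totp(RFC_SEED, now)
    accepted, used_step = verify_totp(RFC_SEED, code, now)
    print("current code:", code, "accepted:", accepted)
    # The same code offered again is rejected because its step has been recorded.
    print("replay accepted:", verify_totp(RFC_SEED, code, now, last_used_step=used_step)[0])
```

A hardware key such as the YubiKey goes one step further than TOTP: the secret never leaves the device and the response is bound to the site, so a code typed into a phishing page is useless to the attacker. TOTP only limits the damage to a thirty-second window and, with the replay check above, to a single use.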
9. Strengthen your weakest link: your employees
We mentioned it earlier: your employees are the weakest link in your cybersecurity policy.
Really, this point should be at the top of the list, because it is one of the most important.
Make sure your employees are cyber experts. And really mean it. Provide them with regular training and keep the conversation open.
We share every rogue email internally and discuss it regularly in our meetings. Better safe than sorry.
Ransomware is evolving
Cybercriminals are getting smarter and ransomware more sophisticated. Make sure you are up to date and share everything with your colleagues. In this case, prevention is always better than cure.