Year after year we see ransomware attacks continue to rise. Why? The answer is simple: they are still profitable for the criminals who run them. While some businesses are prepared to deal with an attack as an inconvenience, the majority don’t have essential security best practices in place.
In this post, we explain how ransomware attacks begin so that you can be proactive about keeping them out. Then we’ll give you 3 questions to ask the IT provider who’s assisting you with ransomware prevention.
Ransomware is malicious software that works exactly as it sounds - it holds your data for ransom and won’t give it back until you’ve paid up. Ransomware has one goal in mind: making money for the criminal who put it there.
This type of malicious software is not picky about whose system it attacks, and no company is too small to be a target. Ransomware spreads itself as widely as it can to maximize the opportunity for a payout. The United States sees more ransomware attacks than any other country. Microsoft Windows is the operating system most ransomware targets, mainly because it is the one most businesses run, not because other systems are immune.
The ransoms are set at a level just low enough that people and businesses are willing to pay rather than lose their data. For individuals, this can mean the loss of personal financial information, family photos, or saved documents - inconvenient, but usually not devastating. For businesses, however, it can mean permanent loss of confidential information, customer records, or even the files needed to operate the company day to day, and that can be crippling.
How Does Ransomware Work?
Ransomware works in five steps:
- Infection - malicious software is installed on the victim’s computer, usually by one of the four common methods described in the next section.
- Encryption key exchange - the malicious software obtains a unique encryption key for the victim’s system. Many variants connect back to a control server operated by the attacker to fetch it, and the server keeps the copy needed to decrypt the files; others carry the attacker’s public key inside the program and generate the key locally, so blocking the outbound connection does not always stop the encryption from starting.
- Encryption - the malicious software uses the key to encrypt every file it can access, including files on mapped network shares and in synced cloud folders, then deletes the originals, and often the local backups and Windows shadow copies it can reach.
- Extortion - with the files encrypted and the originals deleted, the malicious software demands payment through an alert or a note file left in each directory where your files used to be, then waits for the victim to pay.
- Unlocking - if the demand is met, the attacker sends the decryption key, usually packaged in a decryptor tool, and the files are unlocked (decrypted). Payment is no guarantee: the key may never arrive, or the decryptor may fail on some files.
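The key handling in steps 2 through 5 is easier to see in code. The Go program below is an added example written for this post, not code from the original article or from any ransomware family. It uses the hybrid scheme most modern families use, a random per-victim AES key wrapped with an RSA public key embedded in the program, and the names Infection, EncryptForVictim, UnwrapFileKey, DecryptWithFileKey and RoundTrip are the example’s own. It encrypts a single constructed byte string rather than real files, which is enough to show why only the operator’s private key unlocks the data, why no connection to a control server is needed first, and why there is no "other half" of the key on the victim’s machine.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Infection is the per-victim state an operator needs in order to sell a recovery (names are this example's own).
type Infection struct {
	WrappedKey []byte // random AES-256 file key, sealed to the operator's RSA public key
	Ciphertext []byte // nonce || AES-GCM ciphertext of one file
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptForVictim models steps 2 and 3 with a public key embedded in the binary: the file key is
// generated locally and wrapped so only the operator can read it; no control-server connection is needed.
func EncryptForVictim(operatorPub *rsa.PublicKey, plaintext []byte) (*Infection, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nonce, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, operatorPub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	for i := range fileKey { // wipe the plaintext key: nothing left on the victim can decrypt
		fileKey[i] = 0
	}
	return &Infection{WrappedKey: wrapped, Ciphertext: ct}, nil
}

// UnwrapFileKey models step 5: what the victim buys is the file key, which only the holder
// of the operator's private key can recover. No "other half" of it waits on the victim's machine.
func UnwrapFileKey(operatorPriv *rsa.PrivateKey, inf *Infection) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, operatorPriv, inf.WrappedKey, nil)
}

// DecryptWithFileKey restores one file; a wrong key fails authentication rather than yielding garbage.
func DecryptWithFileKey(fileKey, ct []byte) ([]byte, error) {
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(ct) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, ct[:ns], ct[ns:], nil)
}

// RoundTrip runs the model once on a constructed sample: does the private key recover it, is a guessed key rejected?
func RoundTrip() (bool, bool, error) {
	operatorPriv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	sample := []byte("constructed sample: Q3 customer list (not real data)")
	inf, err := EncryptForVictim(&operatorPriv.PublicKey, sample)
	if err != nil {
		return false, false, err
	}
	key, err := UnwrapFileKey(operatorPriv, inf)
	if err != nil {
		return false, false, err
	}
	pt, err := DecryptWithFileKey(key, inf.Ciphertext)
	if err != nil {
		return false, false, err
	}
	_, guessErr := DecryptWithFileKey(make([]byte, 32), inf.Ciphertext) // an all-zero key stands in for any guess
	return bytes.Equal(pt, sample), guessErr != nil, nil
}

func main() {
	fmt.Println(RoundTrip())
}
```

The point for defenders is in the wipe loop and in UnwrapFileKey: once the random file key has been sealed to the operator’s public key and zeroed, the victim’s disk holds only ciphertext and a blob that needs the private key, so there is nothing on the machine for a recovery tool to find. Blocking the outbound connection in step 2 helps only against variants that fetch the key; the embedded-public-key variant modelled here encrypts without ever talking to anyone.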
How Does Ransomware Spread?
Ransomware is primarily spread via the four methods below. Remote-access services exposed to the internet with weak or reused passwords, such as RDP, are another entry point worth asking IT about.
- Phishing - a targeted email that looks legitimate, requires an action on the part of the recipient, and is convincing enough to get someone to click a link or open an infected document that installs the malicious software. This is the most common method.
- Spam - less targeted than phishing; spam may offer a financial incentive or prize, and the recipient is asked to visit a website or provide information, which ultimately leads to the malicious software being installed.
- Questionable websites - most often adult sites or sites offering pirated movies or software; users are asked to install something to access the content, and the installer carries the malicious software.
- Drive-by downloads - a compromised or malicious web page exploits a security vulnerability in the browser, a plugin or the device’s software to install the malicious software with no action from the user beyond visiting the page. Unpatched laptops and mobile devices browsing from untrusted networks such as public wi-fi are typical victims.
The most common form of ransomware encrypts every file the software can access on the victim’s system, and the victim receives a demand to pay (usually in a cryptocurrency such as Bitcoin, because payments are pseudonymous and cross borders easily, although they are not untraceable); in exchange, the victim receives a key to unlock the files. A variation uses lock screens, where the victim loses all access to their computer until the demand is paid. Yet another variety, commonly referred to as “extortionware”, threatens to leak the stolen files publicly if demands are not met within a given timeframe, and it is increasingly combined with encryption so that a good backup alone does not make the problem go away.
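The "encrypted files plus a demand note in the directory" pattern described in the encryption and extortion steps is something a file server can be checked for. The Go scanner below is an added example written for this post, not a tool from the original article or from NSI; its thresholds (7.5 bits per byte, three files, a 64-byte minimum), the note-name hints and the fixture returned by SampleFS are assumptions of the example. It walks a directory tree and flags any folder that holds several encrypted-looking files (near-maximum byte entropy), or a ransom-note-like file name next to at least one such file.

```go
package main

import (
	"fmt"
	"io/fs"
	"math"
	"path"
	"sort"
	"strings"
	"testing/fstest"
)

// Thresholds are this example's own assumptions, not figures from the original post; tune them to your shares.
const (
	highEntropyBits = 7.5 // bits per byte: encrypted data sits near 8.0, text and office files well below
	minSuspectFiles = 3   // encrypted-looking files in one directory before it is reported on its own
	minFileSize     = 64  // entropy of very small files says nothing
)

// Finding describes one directory that shows signs of mass encryption.
type Finding struct {
	Dir         string
	HighEntropy int      // files whose bytes look encrypted
	NoteFiles   []string // names that look like a ransom note
}

// shannonEntropy returns bits per byte; 8.0 means every byte value is equally common.
func shannonEntropy(b []byte) float64 {
	var counts [256]float64
	for _, c := range b {
		counts[c]++
	}
	h := 0.0
	for _, c := range counts {
		if c > 0 {
			p := c / float64(len(b))
			h -= p * math.Log2(p)
		}
	}
	return h
}

// ScanTree walks fsys (use os.DirFS(root) for a real share) and reports each directory
// holding several encrypted-looking files, or a note-like file next to at least one of them.
func ScanTree(fsys fs.FS) ([]Finding, error) {
	perDir := map[string]*Finding{}
	walkErr := fs.WalkDir(fsys, ".", func(p string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() {
			return err // stop at the first unreadable entry; a production scanner would log and continue
		}
		f := perDir[path.Dir(p)]
		if f == nil {
			f = &Finding{Dir: path.Dir(p)}
			perDir[f.Dir] = f
		}
		name := strings.ToLower(d.Name()) // note-name hints are an assumption; extend for your environment
		if strings.Contains(name, "decrypt") || strings.Contains(name, "restore") || strings.Contains(name, "how_to") {
			f.NoteFiles = append(f.NoteFiles, d.Name())
			return nil
		}
		data, rerr := fs.ReadFile(fsys, p)
		if rerr == nil && len(data) >= minFileSize && shannonEntropy(data) >= highEntropyBits {
			f.HighEntropy++
		}
		return nil
	})
	var out []Finding
	for _, f := range perDir {
		if f.HighEntropy >= minSuspectFiles || (f.HighEntropy > 0 && len(f.NoteFiles) > 0) {
			out = append(out, *f)
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Dir < out[j].Dir })
	return out, walkErr
}

// SampleFS is a constructed in-memory fixture (not real data): ordinary text in docs/, and in
// finance/ three stand-ins for encrypted files plus a note. The stand-ins use every byte value
// equally often, which is how AES output looks to a frequency-based entropy check.
func SampleFS() fs.FS {
	text := []byte("Quarterly report draft. Revenue flat, costs up slightly, headcount unchanged this period.\n")
	enc := make([]byte, 4096)
	for i := range enc {
		enc[i] = byte((i*131 + 7) % 256)
	}
	return fstest.MapFS{
		"docs/report.txt":              {Data: text},
		"finance/q3.xlsx.locked":       {Data: enc},
		"finance/ledger.db.locked":     {Data: enc},
		"finance/customers.csv.locked": {Data: enc},
		"finance/HOW_TO_DECRYPT.txt":   {Data: []byte("Your files are encrypted. Pay to restore them. (constructed note)\n")},
	}
}

func main() {
	fmt.Println(ScanTree(SampleFS()))
}
```

To run it against a real share, call ScanTree(os.DirFS(root)) instead of ScanTree(SampleFS()). Entropy alone also fires on legitimately compressed or encrypted data such as zip archives and encrypted backups, so treat a hit as a trigger for a closer look, ideally on canary files you planted yourself and whose contents you know, rather than as proof of an attack.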
Now that you understand what ransomware is, here are some questions to ask IT about ransomware prevention:
- What’s our biggest weakness on the security front? Most ransomware begins with someone falling for a phishing email. Whether they didn’t know better or were just trying to do their job by responding to an email request, the biggest weakness most organizations face is human error. The best way to guard against human error is education: in the case of security, regular security awareness training and skills checks. See whether this matches what IT says about ransomware. Ask what’s being done for security awareness, how it’s working, and whether they can provide metrics from phishing simulations.
- Who internally keeps falling for phishing simulations? IT should know how well security awareness training is going, and a key performance indicator is the phishing simulation. Knowing who is not doing a good job of spotting phishing attempts allows more targeted training and remediation. In general, those with access to confidential or protected information tend to be more vigilant about requests for the information they are supposed to protect. Users with little or no access to sensitive data are the most likely to fail phishing simulations because they have a different mindset. If IT finds that the users who fall for phishing simulations most often are the ones with access to sensitive information, there is an immediate issue that needs to be addressed.
- What’s the harm in bringing in a third-party to double-check? There is never harm in having a second set of eyes to confirm things are going well. Whether it’s network security, policy compliance, or security awareness training, an outside firm can validate things are going well, or find places to improve. Companies such as Connecticut-based NSI provide all of these services, either as a single engagement or as an ongoing managed service to supplement existing IT staff.
Ransomware is the digital equivalent of a criminal placing a giant lock on your business and demanding money for the key. Unfortunately, it is extremely difficult to trace the source of the ransomware, or for law enforcement to locate the criminal behind the attack. Prevention is the best course of action when it comes to ransomware, and education is the best defense against the initial click. Back it up with tested backups kept offline or otherwise out of reach of a compromised account, and with least-privilege access to file shares, so that one user falling for one email cannot encrypt everything the business depends on.