Ransomware: Better to be afraid than to be frightened

About 200 cases were reported in Luxembourg over the last 6 years. Will you be the next one?

Ransomware is a type of malware (malicious software) that encrypts the files on a victim’s device or on the storage devices of a network. This malware can infect not only desktop computers but also mobile devices such as smartphones and tablets. Nor does ransomware distinguish among victims: a private person can become a victim just as easily as a huge corporation.

Ransomware typically threatens the victim with permanent loss of the data unless a ransom is paid to the cybercriminal. Payment is usually demanded through a hard-to-trace electronic payment method such as Bitcoin.

The screenshot below from CIRCL (Computer Incident Response Center Luxembourg, part of Securitymadein.lu) shows an example of one of the most prominent ransomware families of the time (‘CTB-Locker’) and what an infected device looks like:

Source: https://www.itnation.lu/new-wave-crypto-ransomware-targeting-luxembourg/

How Does Ransomware Spread?

There is nothing new under the sun: this malware is most typically distributed through spam e-mail campaigns, and 91% of cyberattacks begin with a spear phishing e-mail.

The spam e-mail usually carries an attachment disguised as a legitimate file or includes a URL link in the body of the message.

As soon as the recipient opens the attachment, the malicious code is executed and starts to encrypt files on the device. If the attack vector is a link and the user clicks on it, the victim is taken to a web page where the ransomware is delivered to the device without the user’s knowledge.

Once the encryption is finished, your computer is blocked and you receive a message telling you that your device has been encrypted, together with instructions on how much you have to pay to receive the decryption key that would let you recover your data.
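The disguises described above (an executable named like a document, an archive hiding a script, a file whose content does not match its extension) can be checked mechanically before an attachment is ever opened. The following Python is an added example, not code from this article or from CIRCL; the extension sets, the magic-byte table and the sample attachments are constructed for illustration, and a real mail gateway applies far richer rules.

```python
"""Triage e-mail attachments for the common ransomware disguises.

Added example, not from the original article. The extension sets, the
magic-byte table and the sample attachments below are constructed.
"""
from __future__ import annotations

import io
import os
import zipfile

# Extensions Windows runs as code when double-clicked (illustrative subset).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".jse",
                   ".vbs", ".vbe", ".wsf", ".hta", ".ps1", ".msi", ".jar", ".lnk"}
# Office formats whose macros are a classic dropper for ransomware.
MACRO_DOC_EXTS = {".docm", ".xlsm", ".pptm", ".dotm"}
# Extensions a recipient expects to be harmless data.
DATA_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}

# First bytes of a few file types; a PE (exe/scr/dll) always starts with 'MZ'.
MAGIC = {
    b"MZ": "pe_executable",
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",          # also docx/xlsx/jar, which are zip containers
    b"\xd0\xcf\x11\xe0": "ole",    # legacy .doc/.xls
}


def sniff(data: bytes) -> str:
    """Identify the real type from the first bytes, ignoring the filename."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def triage(filename: str, data: bytes) -> list[str]:
    """Return the reasons an attachment looks like a disguised payload (empty = no finding)."""
    reasons: list[str] = []
    parts = filename.lower().split(".")
    exts = ["." + p for p in parts[1:]]
    last = exts[-1] if exts else ""
    kind = sniff(data)

    # invoice.pdf.exe: the visible 'document' extension hides an executable one
    if len(exts) >= 2 and exts[-2] in DATA_EXTS and last in EXECUTABLE_EXTS:
        reasons.append("double extension")
    if last in EXECUTABLE_EXTS:
        reasons.append("executable attachment")
    if last in MACRO_DOC_EXTS:
        reasons.append("macro-enabled document")
    # U+202E reverses display order, so 'report\u202efdp.exe' renders as 'reportexe.pdf'
    if "\u202e" in filename:
        reasons.append("right-to-left override in filename")
    # The bytes say executable but the name says data
    if kind == "pe_executable" and last not in EXECUTABLE_EXTS:
        reasons.append("PE header under a non-executable extension")
    if last == ".pdf" and kind != "pdf":
        reasons.append(f"claims PDF but content is {kind}")
    # Zip wrappers are used to slip scripts past naive extension filters
    if last == ".zip" and kind == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    if os.path.splitext(member.lower())[1] in EXECUTABLE_EXTS:
                        reasons.append(f"archive contains {member}")
        except zipfile.BadZipFile:
            reasons.append("corrupt zip")
    return reasons


def build_zip(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory zip (used only to construct a sample attachment)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample attachments: name -> first bytes of the content.
SAMPLES = {
    "Invoice_2021.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,   # executable posing as PDF
    "scan.pdf": b"MZ\x90\x00\x03\x00",                       # PE bytes under a .pdf name
    "Order_details.zip": build_zip({"Order_details.js": b"var sh=new ActiveXObject('WScript.Shell');"}),
    "report.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",          # genuine PDF header
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",             # genuine JPEG header
}


def triage_all(samples: dict[str, bytes] = SAMPLES) -> dict[str, list[str]]:
    return {name: triage(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, findings in triage_all().items():
        print(f"{name:24} {'OK' if not findings else '; '.join(findings)}")
```

The check deliberately trusts the bytes over the name: a file that starts with the PE signature is an executable whatever it is called, while a name alone (`report.pdf`, `photo.jpg`) proves nothing. Extend the extension sets for your own environment; the ones above are a starting point, not a complete list.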

The Evolution of Ransomware Attacks

Ten years ago, these attacks were sporadic, largely opportunistic, and much less targeted and sophisticated. Today they have become highly targeted, extremely damaging, corporate-scale attacks that can cause weeks of downtime for an entire company.

Cyberattacks know no borders or geographical boundaries, yet countries are still very reluctant to share information or act together against such threats. The differing legal regulations among countries also make it hard to react, to warn other countries, or even to investigate the same case when an affected company has offices in several countries.

The attacks are not only becoming more severe, more targeted and more harmful, but their frequency is also growing dramatically and constantly:

‘Ransomware is expected to attack a business every 11 seconds by the end of 2021’ – Steve Morgan, Editor-in-Chief, Cybercrime Magazine

How Much Does It Cost Globally?

The number of reported or discovered cases is just the ‘tip of the iceberg’. It is a big myth that ransomware damage equals the ransom paid. Firstly, it is very important to understand that even when the ransom is paid, there is no guarantee whatsoever that a working decryption key will ever be provided. Secondly, do not forget the ‘accessory’ costs: damage, destruction or outright loss of data, lost productivity and revenue during downtime, forensic investigation, restoration of data and storage. Most companies do not account for reputational harm either, although it can be very significant.

How Can I Reduce the Risk of Ransomware?

1. Cybersecurity Hygiene: Educate People

‘Ransomware still uses social engineering as its main infection vector’ – Stu Sjouwerman

‘Vaccinate’ your employees against a ransomware attack by educating the weakest link in your cyber defence: the user. The majority of ransomware attacks require someone to activate the malicious code. Therefore, the most effective and cheapest way to fight malware infections is to educate users about how to recognise and resist cyberattacks. The infection vectors are e-mails and social engineering techniques that trick the employee into downloading malware.

2. Patch, Patch, Patch… Patch and finally, Patch!

‘Every new cyberattack is a reminder of why patching is important, as well as the risk of not applying security patches.’

Always keep your devices up to date by applying the latest patches: failing to implement a rigorous approach to patching known security vulnerabilities is like waving a red flag in the ocean of the cyberworld and shouting ‘Rob me!’, or putting up a flyer on the main square of your town reading ‘I will not be at home for the next two weeks and my address is as follows…’

No one would do that, right? Well, most of us still vividly remember the WannaCry ransomware attack and none of us would like to ‘cry again’, yet even months after the SMBv1 vulnerability targeted by the EternalBlue exploit (fixed by Microsoft in MS17-010, before the outbreaks) was used in the WannaCry and NotPetya attacks, an estimated 38 million PCs remained unpatched.

3. Back Up Your Data Frequently

‘Being too busy to worry about backup is like being too busy driving a car to put on the seatbelt.’ – T. E. Ronneberg

You have now reached the most important message of this article. If you remember nothing but the following sentence, it was worth reading:

If you do not have a working backup, your data is most likely lost.

You can train yourself and use the fanciest devices with the newest and trendiest software: if you do not have a backup, no one on Earth will be able to restore your data (short of a flaw in the criminals’ cryptography that a free decryptor can exploit, which you cannot count on). You are defenceless and can only ‘trust’ the benevolence of the person who caused the trouble in the first place. Do you think that person will take pity on you and restore your data, your family photos, the video of your son’s or daughter’s first steps…?

In the business world, company formation contracts, trade secrets, patents, employment contracts and similar documents cannot be replaced in the case of data loss if you do not have a backup.

Isn’t it easier to make a backup than to let that happen?

Ransomware can also encrypt backups stored on network servers, and any backup location that is writable from an infected machine (a mapped network drive, a synced cloud folder) is exposed in the same way. Companies should therefore review their approach to backups: are employees backing up important files to a network drive? If so, how often? Are the backups from the employees’ devices and the file servers then copied to a cloud backup service or to offline media that an infected machine cannot reach? Can the backup from the cloud be restored easily, and how long does it take? Have you tested all the above scenarios? Do you have a risk management plan? Depending on the amount of data produced and its importance, apply an adequate method for backing up your data.
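A backup that has never been restored is not a backup, and the questions above (how often, copied where, can it be restored, has that been tested) can be turned into a routine check. The following Python is an added example, not code from this article or from CIRCL’s advice; the directory layout, the file contents and the simulated overwrite of the archive on a network share are constructed. It writes a tar.gz of a source tree together with a SHA-256 manifest, restores the archive into a scratch directory and compares every file, then shows what the check reports once the copy on the share has been overwritten by ransomware.

```python
"""Backup with a hash manifest, plus a restore test.

Added example, not from the original article or from CIRCL. The directory
layout, the file contents and the simulated overwrite of the archive are
constructed to show what the check reports.
"""
from __future__ import annotations

import hashlib
import json
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source: Path, dest_dir: Path) -> tuple[Path, Path]:
    """Archive `source` into dest_dir and write a manifest of per-file SHA-256 hashes.

    The manifest is what later proves a restore is complete and unaltered, so
    keep a copy of it away from the share that holds the archive.
    """
    dest_dir.mkdir(parents=True, exist_ok=True)
    archive = dest_dir / "backup.tar.gz"
    manifest = dest_dir / "backup.manifest.json"
    hashes: dict[str, str] = {}
    with tarfile.open(str(archive), "w:gz") as tar:
        for path in sorted(source.rglob("*")):
            if path.is_file():
                rel = path.relative_to(source).as_posix()
                hashes[rel] = sha256_file(path)
                tar.add(str(path), arcname=rel)
    manifest.write_text(json.dumps({"files": hashes, "archive_sha256": sha256_file(archive)}))
    return archive, manifest


def verify_restore(archive: Path, manifest: Path) -> tuple[bool, list[str]]:
    """Restore the archive into a scratch directory and compare every file hash.

    Returns (ok, problems). Fails closed: an unreadable manifest or archive is
    reported as a problem rather than treated as 'nothing to check'.
    """
    try:
        expected = json.loads(manifest.read_text())
    except (OSError, ValueError) as exc:
        return False, [f"manifest unreadable: {exc}"]
    if not archive.is_file() or sha256_file(archive) != expected["archive_sha256"]:
        return False, ["archive hash mismatch: backup missing, altered or encrypted"]
    problems: list[str] = []
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(str(archive), "r:gz") as tar:
                # The 'data' filter (Python 3.12+, backported to older releases)
                # refuses path traversal and device members inside the archive.
                kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
                tar.extractall(scratch, **kwargs)
        except (tarfile.TarError, OSError) as exc:
            return False, [f"archive unreadable: {exc}"]
        for rel, digest in expected["files"].items():
            restored = Path(scratch) / rel
            if not restored.is_file():
                problems.append(f"missing after restore: {rel}")
            elif sha256_file(restored) != digest:
                problems.append(f"content mismatch after restore: {rel}")
    return not problems, problems


def demo() -> dict:
    """Back up a small constructed tree, test the restore, then simulate ransomware
    overwriting the archive on the 'network share' and test again."""
    with tempfile.TemporaryDirectory() as root_dir:
        root = Path(root_dir)
        src = root / "documents"
        (src / "contracts").mkdir(parents=True)
        (src / "contracts" / "formation.txt").write_text("company formation contract\n")
        (src / "photos.txt").write_text("family photo index\n")
        archive, manifest = make_backup(src, root / "share" / "backups")
        healthy, _ = verify_restore(archive, manifest)
        # Ransomware reaching the share: the archive becomes random-looking ciphertext.
        archive.write_bytes(os.urandom(archive.stat().st_size))
        damaged, problems = verify_restore(archive, manifest)
    return {"healthy": healthy, "damaged": damaged, "problems": problems}


if __name__ == "__main__":
    print(demo())
```

Run the verification on a schedule and alert on any `False`; the point is to learn that a backup is unusable while the primary data still exists, not after the ransom note appears. The check detects an encrypted or truncated archive but cannot recover it, which is why the article insists on a copy that the infected machine cannot write to.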

4. Use Multiple Layers of Defence

‘Your computer system should look like an ancient castle surrounded by various walls: the treasure is kept in the center and attackers have to fight past the walls, one by one, to reach their goal.’ – Andra Zaharia

Have multiple layers of defence: make it harder for the bad guys to cause you harm, or to steal, encrypt or abuse your data. Using multiple security layers means that if one layer does not block an attack, additional layers can still mitigate the threat. So, what layers of security do you have in place? What tools do you use to secure your Internet traffic? Do you store data in the cloud or on your local drive? What tools do you use to keep your data intact?

Global Ransomware Landscape

The table below shows the percentage distribution of ransomware attacks by country in 2020, according to Symantec:

Source: Ransomware Statistics in 2020: From Random Barrages to Targeted Hits

Source: Safety Detectives: Ransomware Facts, Trends & Statistics for 2020

Not only is the number of incidents on the rise, but so is the average ransom paid per incident:

For a detailed international report, read the full ‘State of Ransomware 2020’ report by Sophos, an independent survey of 5 000 IT managers across 26 countries.

What is the Situation in Luxembourg?

The situation is no better in Luxembourg, and we need to stay vigilant and take every precaution to avoid becoming a victim. Though we do not have aggregated statistics, let me include a couple of examples to demonstrate how serious the situation is.

In 2015, the Computer Incident Response Center (CIRCL) already reported a wave of crypto ransomware attacks targeting Luxembourg.

Ever since, such attacks have stayed with us, and in the last 6 years about 200 cases have been reported to CIRCL. The highest reported ransom demand was €1 500 000. To the question ‘How well prepared are Luxembourg organizations for ransomware attacks?’, CIRCL answered: ‘Many private people don’t have backups at all or no offline backups. They would lose everything accessible on their computer in case of a successful attack. In professional environments we have seen good and bad preparedness, regardless of the size of the company/structure. It should be advised to review regularly the state of the backup system, configuration, and strategy as well as perform a regular test.’

Great efforts have been made to control the situation and reduce the damage. The ‘No More Ransom’ portal was launched in 2016, and since then nearly 1.6 million people from more than 180 countries have visited the website looking for a solution to their ransomware problems.

There are now 52 free decryption tools on this portal, which can be used to decrypt 84 ransomware families. More than 35 000 people have managed to retrieve their files for free, which has prevented criminals from profiting from more than EUR 10 million.

On 17 January 2020, a large Luxembourgish construction firm was hit by a major ransomware attack. The attackers encrypted the company’s files and demanded a ransom of €450 000. The company was paralysed: about 150 employees could not work for some time and were forced to stay at home. The company had a backup, yet it still had to replace all its IT devices, which cost €300 000 and took six weeks.

Three Cactus stores (Windhof, Bonnevoie and Merl) were forced to close for several days because of a ransomware attack.

Because of the Covid-19 lockdown measures, many more people are working from home, which creates a much more vulnerable environment and makes it easier to become the victim of a cyberattack.

‘… there has been a significant increase in cyberattacks in the wake of Covid-19, as hackers seek to exploit coronavirus-related panic, along with vulnerabilities created by an increase in remote working.’

As the NTT report (NTT Luxembourg PSF) put it:

‘Hospitals, in particular, have experienced a wave of threats, at the exact time that their resources are focused on saving lives and handling an overflow of patients. Ransomware, encrypting applications and files until a ransom is paid, has been the main threat, along with attempts to steal financial information and patient medical records.’

Conclusion

Since its first appearance in 1989, ransomware has grown into one of the most serious security risks to businesses and users alike.

Stay vigilant, keep up with the latest news and best practices by checking the CASES and CIRCL websites, follow the advice described above, and report incidents to CIRCL.