
The ransomware attack dissected

Most IT professionals will know about ransomware. In fact, most will know of companies that have been hit by an attack, potentially more than once. In this blog, I’m going to explore the issue in detail and examine whether companies are doing enough to stay safe. 

There are many different kinds of ransomware attacks, but the basics are simple:  

  1. Infect a company network with the ransomware 

  2. Let it work its way through files, or even complete systems, encrypting as much as possible 

  3. Wait until the victim notices they can no longer access their files 

  4. Make sure the ransomware help desk is open for business. Yes, the criminals really do run support desks that help victims with payment and decryption.  

The whole business of ransomware (which, given the size of the payments, is big business) depends on trust. This may sound odd when you’re paying a criminal group but, unless you are confident that paying will lead to decrypted files, there’s no point in paying. Infections take place in a few different ways… 

  1. Email   Attachments from a spoofed sender, usually made to look quite trustworthy, contain a compressed (ZIP/RAR) archive. The user opens the attachment and apparently nothing happens, so they may well just close the email and get on with their day. That is the moment the malware gets to work. It’s at this point that I’ve had customers call me, having disconnected their workstation as soon as they realised something weird was happening… clever! 

  2. Malicious web code   While browsing the internet, it’s not only your personal and tracking data that’s being targeted. Malicious code is also hidden in websites and ad banners that have themselves been compromised. This method is used to install the malware on your computer. From there, it will start encrypting network shares, or spread to other machines on the network, depending on the type of attack. 

  3. Social engineering and spear phishing   The third and final method is more cunning. Instead of trying to infect as many people as possible, it focuses on individual companies and people. 

Attackers will research an individual to work out how best to target them, with the aim of delivering targeted, personal emails that trick the user into installing ransomware. One of our customers ran an awareness campaign on this type of attack, and about half of their staff entered credentials into an external copy of an internal site after receiving an email that looked like it came from IT. The more the attacker knows about an organisation, the more convincing the lure and the harder it is to spot. 


The painful facts

Attacks happen. A lot. It’s hard to find actual numbers and statistics on attacks, as companies aren’t particularly proud when this happens, but what I did find tells a consistent story… 

 

  • 51% of businesses had to deal with some sort of infection in 2020 

  • Around 25% of those paid the ransom demanded by the criminals 

  • The average ransom is around $180,000 for larger companies and $6,000 for smaller ones 

  • Email is the most common infection vector 

  • Business is interrupted for days or weeks as a result 

There’s some further information on this, with numbers, over on the Veeam site.  

 

So we can see that this is a big problem. You’d expect every company to be very worried and actively working to eliminate this problem, right? 

Ladies and Gentlemen, We Have a Hostage Situation

So let’s imagine you work in IT (this won’t be hard for most of you!) and you’re woken up by an endless stream of text messages. 

 

There’s something wrong with your company’s systems. This happens sometimes so, at first, you’ll have to figure out what’s going on, and how bad the problem is. It only takes you a few moments after receiving the first screenshots to figure out that, well, you are no longer in charge of IT… someone has taken your systems and data hostage. Now what? 

 

Obviously, the first thing you need to do is stop the encryption spreading. I’ve seen a few ways of containing it: shutting down the infected machine(s), disabling network connectivity, or simply shutting everything down. Cutting the network is usually the better first move, because a machine that is still running keeps evidence in memory (and sometimes the key material) that a hard power-off destroys. 

 

After this, a large investigation begins. What is encrypted? Can we restore it? What services are affected? Now the real problem begins. Even if you have backups, restoring both systems and servers within a limited timeframe can be a problem. 

When you check the backup logs, you notice that, for the past two weeks, the backups have been capturing files already encrypted by the malware and, unfortunately, the unencrypted versions are already ageing out of retention. It could be this bad. 

 

It’s not surprising that around 25% of infected companies end up paying the ransom instead of just restoring the data. Imagine having 500 TB of data and a 10 Gbit line: even at full capacity that moves 36 Tbit (4.5 TB) per hour, or 864 Tbit (108 TB) over a whole day, so a complete restore takes the better part of a week.  

 

It would be a challenge to find a system that can pull data from across several backups at this kind of speed to begin with, and that assumes the backup data itself is still unencrypted. 

 

This is a grim view, I know, but remember my opening question… are we doing enough? 

Things we Should (and shouldn’t) Do

In general, the advice to prevent a ransomware attacker getting hold of your data is simple…  

 

  • Educate users: don’t open attachments from unknown sources, don’t browse certain websites, don’t share information with anyone, and don’t let someone posing as the helpdesk install something on your PC. 

  • Have backups. Back up those backups. The well-known 3-2-1 rule (three copies, on two different media, one of them off-site) is mentioned by Microsoft, for example. 

  • Keep everything up-to-date so it’s less likely to be vulnerable in the first place.  

  • Have a security model where access to folders, files and systems is limited. If all or most users have elevated privileges, it’s easy for ransomware to spread. 

  • Look at solutions from specialist providers, or within your existing backup suite or infrastructure tooling. Many providers have solutions that can reduce the risk of being infected or that can reduce the damage upon infection. 

Are we doing enough?

Finally, the burning question… Are we doing enough? Well, obviously not. The number of companies affected is growing, which is only motivating attackers to continue with this practice. Since the methods are getting more sophisticated, the least we can do is understand these infections and work around them. 

There are a few things I’ve picked up or figured out myself, and I’d like to hear your opinions and ideas too. Ultimately, as is always the case with data protection and security, the basics should not be neglected. 

7 Ways to Stay Safe

  1. First aid is best taught through accidents, rather than in a classroom   As I mentioned above, someone at a company I used to work for called me after opening an attachment he didn’t trust. It was too late; the PC was infected.  

In an attempt to teach staff something about IT security, I told them to disconnect their PC and give me or our IT company a call. Everyone now knows what to do when it happens again. The user in question did have his machine infected, but only some of his personal, local files were encrypted. 

  2. Build monitoring systems to check for changing behaviour   It should be possible to detect the effects of a ransomware attack: lots of (old) files changing, load on CPUs, I/O, etc. I’ve read that some providers are experimenting with this; Veeam, for example, has detection options in ONE to provide an early warning.   

  3. Look for changes in backup behaviour   This is something we can offer our customers: a warning when backups suddenly change. If you run incrementals, you’ll see a lot of new backup data while a ransomware infection is encrypting and changing your files.   

  4. Stop using file shares and place everything in web-based environments   Not suitable for a lot of companies, and probably not something that will happen anytime soon, but worth mentioning.

  5. Switch to a Zero Trust model for user and application rights   Instead of giving an application or person access to everything because it’s convenient, they get only the exact rights needed for a specific task.   

  6. Offer a rapid response team as part of a ransomware help service   Fending off ransomware and dealing with the repairs and restores is specialist work. 

  7. Use one of our awesome infrastructure services and go back a few snapshots, restore some data and live happily ever after. Or, at least, have a contingency plan for when you quickly need to restore data and systems. With a lot of data and systems, this isn’t easy.  
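The second and third items above (monitoring for changing behaviour, and watching for changes in backup behaviour) are the same idea applied to two data sources. What follows is an added example written for this page; it is not code from the original post, nor from Veeam ONE or any Ekco product. It shows both checks in Python: a per-principal triage over file-change events that combines a content-entropy test with a write-rate burst detector, and a check of each day’s incremental backup size against a robust median/MAD baseline of the preceding two weeks. The thresholds, principal names, file paths and the incremental-size series are constructed for illustration and should be re-baselined against a real estate.

```python
import hashlib
import math
from collections import Counter, deque
from statistics import median
from typing import Dict, List, Set, Tuple

# Illustrative thresholds (assumptions, not values from the post): tune them to your estate.
ENTROPY_THRESHOLD = 7.0   # bits/byte: text ~4-5, compressed or encrypted ~8
BURST_WINDOW_S = 60       # sliding window for the write-rate check
BURST_THRESHOLD = 50      # writes by one principal inside that window
BASELINE_DAYS = 14        # incrementals used as the backup-size baseline
SIZE_FACTOR = 3.0         # alert when an incremental exceeds 3x the baseline median
MIN_INCREMENT_GB = 20.0   # ignore tiny jobs where 3x is still noise

# Signal 1 (second item): file content and write rate
def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(before: bytes, after: bytes) -> bool:
    """A rewrite that turns readable content into near-uniform bytes is the per-file
    signature of encryption. Already-compressed files (ZIP, JPEG, ...) score high both
    before and after, so they are deliberately not flagged here; the write-rate
    check below is what catches those."""
    return shannon_entropy(before) < ENTROPY_THRESHOLD <= shannon_entropy(after)

def detect_bursts(events: List[Tuple[int, str, str]], window: int = BURST_WINDOW_S,
                  threshold: int = BURST_THRESHOLD) -> Set[str]:
    """Principals that made `threshold` writes within any `window` seconds.
    events: (unix_ts, principal, path), in any order."""
    recent: Dict[str, deque] = {}
    flagged: Set[str] = set()
    for ts, principal, _path in sorted(events):
        q = recent.setdefault(principal, deque())
        q.append(ts)
        while ts - q[0] > window:          # drop writes that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(principal)
    return flagged

def triage_changes(changes, min_encrypted_files: int = 5) -> Set[str]:
    """changes: (unix_ts, principal, path, bytes_before, bytes_after). Flag on either
    signal: several rewrites to ciphertext-like content, or a burst of writes regardless
    of content."""
    encrypted_by = Counter(p for _, p, _, b, a in changes if looks_encrypted(b, a))
    by_content = {p for p, n in encrypted_by.items() if n >= min_encrypted_files}
    return by_content | detect_bursts([(ts, p, path) for ts, p, path, _, _ in changes])

# Signal 2 (third item): incremental backup size against a robust baseline
def robust_baseline(history: List[float]) -> Tuple[float, float]:
    """Median and median absolute deviation (MAD) of earlier incrementals. Unlike
    mean/stddev, one legitimately big day (patch rollout, migration) does not drag
    the baseline up and mask the next anomaly."""
    med = median(history)
    return med, median(abs(x - med) for x in history)

def incremental_is_anomalous(history: List[float], today_gb: float, factor: float = SIZE_FACTOR,
                             min_gb: float = MIN_INCREMENT_GB) -> bool:
    if len(history) < 5:
        return False                       # too little baseline to judge a new job
    med, mad = robust_baseline(history)
    scale = max(1.4826 * mad, 0.05 * med, 1e-9)   # floor: a steady job has MAD 0, avoid z = inf
    return today_gb >= min_gb and today_gb > factor * med and (today_gb - med) / scale > 6

def evaluate_jobs(sizes_gb: List[float], window: int = BASELINE_DAYS) -> List[int]:
    """Judge each day's incremental against the `window` days before it; returns the
    indices of the jobs to alert on."""
    return [i for i, size in enumerate(sizes_gb)
            if incremental_is_anomalous(sizes_gb[max(0, i - window):i], size)]

# Constructed sample data (not real customer data)
def pseudo_ciphertext(n: int, seed: bytes) -> bytes:
    """Deterministic stand-in for encrypted output (hash-chained, near-uniform bytes).
    Not a cipher; only the entropy profile matters here."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:n])

def sample_changes():
    doc = b"Quarterly report: revenue up 4%, costs flat, headcount 212.\n" * 64
    changes = [(1000 + 600 * i, "alice", f"/finance/q{i}.txt", doc, doc.replace(b"212", b"215"))
               for i in range(3)]                          # alice: three ordinary edits
    changes.append((3000, "bob", "/shared/photos.zip",     # bob re-saves a compressed archive
                    pseudo_ciphertext(2048, b"zip"), pseudo_ciphertext(2048, b"zip2")))
    changes += [(5000 + i // 2, "svc_share", f"/shared/doc{i}.docx", doc,
                 pseudo_ciphertext(1024, str(i).encode()))  # 60 files encrypted in 30 s
                for i in range(60)]
    return changes

SAMPLE_INCREMENTALS_GB = [48, 51, 47, 53, 50, 12, 11,     # week 1, Mon-Sun: quiet weekend
                         49, 52, 120, 50, 48, 13, 12,     # week 2: Wednesday patch rollout (legitimate)
                         51, 47, 50, 480, 455]            # week 3: encryption starts Thursday
```

Running `triage_changes(sample_changes())` returns `{'svc_share'}`: alice’s edits and bob’s re-saved archive pass, while the account rewriting 60 documents as high-entropy data inside 30 seconds is caught by both signals. `evaluate_jobs(SAMPLE_INCREMENTALS_GB)` returns `[17, 18]`: the 120 GB patch day stays under the 3x threshold, and because the baseline is a median the first encrypted day does not hide the second one. Two caveats: compressed and media files already have near-maximal entropy, so the content test alone misses them, and an attacker who encrypts slowly can stay under a simple rate threshold, which is exactly why the backup-volume signal is worth having as a second opinion.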

 

At Ekco, we specialise in protecting customer data, building trustworthy systems and managing the day-to-day risks involved in running them. You can learn more about our leading backup and DR services here – thanks for reading! 
