Imagine if you owned a physical office, which contained not only your computer and other essential equipment, but also boxes packed with every scrap of information you need to do your job — from customer details to a detailed schedule of everything you’ve got coming up in the next several months.
One day, you turn up for work, only to find that the front door has been padlocked, and there are a couple of tough-looking people standing outside. The only way they’ll let you in, they say, is if you go to the nearest ATM and withdraw $10,000 to give to them. If you don’t, they’ll keep the door locked, and you’ll never again have access to anything in the building.
As extortion tactics go, this one sounds more than a little ridiculous. But, while such a thing might not be common practice in the real world, it is increasingly commonplace in the digital domain.
This is the world of ransomware, a nasty form of cyberattack in which users are blackmailed into handing over cash in order to (hopefully) regain access to the files and computer systems that are rightly theirs. Ransomware can be devastating to those without the necessary file security in place.
Brief history of ransomware
A typical ransomware attack works by using malware to encrypt a victim’s files. This malware could find its way into their system in multiple ways, with one of the most common delivery methods involving phishing spam messages. These messages trick users into inadvertently downloading a file to their computer, which then sets about encrypting files.
The victim subsequently receives a message telling them how they can regain access to the encrypted files, which typically involves paying a fee to obtain a decryption key. This fee is usually demanded in cryptocurrency, such as bitcoin, since this makes it harder to trace the identity and whereabouts of the extortionist. To add urgency, the ransom demanded may increase over time, and the victim may be told that if it is not paid within a specified period, the files will be permanently lost.
The first ransomware attack was reported in 1989, distributed to 20,000 people on floppy disks. However, the connected world of the internet has made it significantly easier — and cheaper — for would-be attackers to spread ransomware. Anyone can be a target of ransomware attacks, although businesses and large organizations are often the main targets since they are more likely to pay large sums of money to quickly regain access to files so as to not lose valuable time.
Because the monetary amounts demanded are so high, an attacker only needs a very small number of victims to pay the ransom for it to be worth their while staging such attacks. As the coronavirus pandemic has made people even more reliant on connected infrastructure, the number of ransomware attacks has only increased.
The evolution of ransomware
Ransomware continues to evolve. Attackers continually change their behavior to evade detection and to maximize intimidation. They no longer limit their attacks to depriving victims of access to their files. Increasingly, they use what is referred to as “leakware”: they steal data and then threaten to publish it if a ransom is not paid. This adds an extra incentive for organizations to pay up, since an attack no longer just means losing access to the files in question; it could also mean losing the competitive edge that those files give them. Leaked information could include anything from future plans to email chains to customer information.
Ransomware attackers count on the fact that, for some organizations, paying a ransom will prove less financially costly than losing access to their files. But paying up doesn’t solve the problem.
For starters, there’s no guarantee that doing so will result in a decryption key being handed over, or in copies of stolen files being deleted by the attackers as promised. Just as a burglary can make it more likely that the thieves will return, being successfully targeted once could increase the chances that you will be targeted again in the future.
Assuming that stolen, valuable data will be deleted by thieves because they’re behaving honorably as part of a legitimate transaction ignores how they have behaved leading up to that point. It puts a lot of faith in criminals who are extremely unlikely to do the right thing.
Prevention of attacks is the best course of action
In the days when encryption was the main challenge with ransomware, people could defend themselves by making regular backups of their work and critical files. This is still good practice, but it’s also clearly not enough in an age of leakware. Prevention of attacks is the only real, guaranteed option.
Fortunately, the tools exist to help users protect themselves. For example, File Integrity Monitoring (FIM) tools can be used to monitor operating system, database, and application software files for unexpected changes. Following a security incident, they also support forensic examination of those files to establish whether suspicious activity took place and to report on it. To help block attacks, smart firewalls can be deployed to stop malware from getting into systems and spreading. Meanwhile, data masking and encryption allow users to obfuscate data they consider sensitive so that, even if it were somehow extracted by an attacker, it would be useless to them.
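To make the FIM idea concrete, here is an added example (not code from the original article or from any FIM product) of the core loop such a tool runs: hash every monitored file to build a known-good baseline, rescan, and flag the pattern ransomware leaves behind, namely a large share of files changed or gone in one interval, plus new files with extensions typical of encrypted output. The function names, the 50% threshold and the `.locked`/`.enc` extensions are assumptions chosen for illustration, and the sample files and the change applied to them are constructed test data.

```python
import hashlib
import tempfile
from pathlib import Path

# Hypothetical helper names; this illustrates the FIM approach, not a particular product.
def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large files are handled."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def baseline(root: Path) -> dict:
    """Record a hash for every file under root: the known-good state."""
    return {str(p.relative_to(root)): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare(root: Path, known: dict) -> dict:
    """Classify paths as modified, missing or new relative to the baseline."""
    current = baseline(root)
    return {
        "modified": sorted(p for p in known if p in current and current[p] != known[p]),
        "missing": sorted(p for p in known if p not in current),
        "new": sorted(p for p in current if p not in known),
    }

def looks_like_mass_encryption(report: dict, total_files: int, ratio: float = 0.5,
                               suspicious_exts=(".locked", ".enc")) -> bool:
    """Heuristic (assumed thresholds): many baseline files changed or vanished in one
    scan interval, or new files carry extensions typical of encrypted output."""
    touched = len(report["modified"]) + len(report["missing"])
    burst = total_files > 0 and touched / total_files >= ratio
    ext_hit = any(Path(p).suffix in suspicious_exts for p in report["new"])
    return burst or ext_hit

def demo():
    # Constructed sample: three documents in a temp directory. After a clean rescan,
    # two are overwritten with placeholder bytes and renamed, mimicking what a FIM
    # scan would observe after an incident (no real encryption is performed).
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for name in ("invoice.docx", "customers.csv", "schedule.xlsx"):
            (root / name).write_bytes(f"contents of {name}".encode())
        known = baseline(root)
        clean = compare(root, known)
        for name in ("invoice.docx", "customers.csv"):
            p = root / name
            p.write_bytes(b"\x00" * 32)
            p.rename(p.parent / (p.name + ".locked"))
        after = compare(root, known)
        return clean, looks_like_mass_encryption(clean, len(known)), \
            after, looks_like_mass_encryption(after, len(known))
```

A real deployment would persist the baseline somewhere the monitored host cannot overwrite it and run the comparison on a schedule, alerting on the first scan that trips the heuristic.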
These are just a handful of examples of ways in which modern cybersecurity is able to help protect against ransomware. Engaging with these tools — and using them proactively — is one of the best business decisions you can make.