Ransomware Attacks: Part 1 – Understanding and Prevention

In 1989, ransomware was first introduced to the world during the AIDS Trojan, the first-ever ransomware attack to be documented. At that time, individuals were unsuspecting of the threat, the internet was non-existent, and using 5 ¼” floppy disks and snail mail to try to exploit individuals proved relatively ineffective. Since then, along with the advancement of technology, ransomware has evolved at an alarming pace.

Cybercriminals are now using ransomware as an illegal business model to make money, hoard and destroy sensitive information, disrupt international politics, and wreak general havoc. As we saw with the WannaCry attack in 2017, ransomware has the potential to cause whole industries to effectively shut down by denying organizations access to critical, sensitive data, like Personal Identifiable Information (PII) or Protected Health Information (PHI).

With ransomware-as-a-service (RaaS) being offered in underground forums, along with bitcoin as a secure method to collect ransom, cybercriminals are being all the more drawn to the business model, according to Trend Micro. As a result, RaaS has become a billion-dollar enterprise!

What Exactly is Ransomware?

We see ransomware as another business risk like commodity price fluctuation, political unrest in foreign countries, supply chain vendor continuity, and the list can go on further. This, however, falls within technology and is similar to other computer and network viruses. A system can be infected by ransomware when a user visits a malicious website, downloads a malicious file, or, most commonly, clicks on a link inside of an email. What makes ransomware unique is the manner in which it affects the network. Through ransomware, an attacker encrypts files that are only able to be recovered through the use of an encryption key to decrypt the files. The files are essentially held hostage, whereby the infected party is required to pay a ransom in order to receive the encryption key. Unfortunately, if the attacker is intent on creating disruption and devastation, there may be no chance of getting your information back.

WannaCry Attack (2017)

The WannaCry attack was a single, rapidly spreading ransomware attack in May of 2017. It affected over 200,000 computers in 150 countries and severely impacted the healthcare industry in the United Kingdom. By exploiting a flaw within the Microsoft Operating System (which could have been prevented by proper patch management), the ransomware attack caused hospitals to literally stop providing life-saving services because they were unable to access patient health records in order to avoid providing care that could potentially harm a patient. In total, the WannaCry attack is estimated to have created between hundreds of millions to billions of dollars in damage.

The Real Danger of Ransomware

Like a virus to the human body, ransomware quickly spreads itself to anything that it is connected to that isn’t protected. So if a network is susceptible to the ransomware, once it is introduced into the network, it will spread throughout it, infecting all those devices that it connected to as it moves along, including end-user machines and servers. According to the U.S. Department of Justice, it is estimated that ransomware infects over 100,000 computers a day around the world — and that annual ransomware payments are close to $1 billion dollars. In fact, in 2017 Merck & Co, Inc., one of the largest pharmaceutical companies in the world, lost an estimated $915 million as a result of a single ransomware attack named NotPeyta.

If you’re targeted by a ransomware attack, you’re never guaranteed to receive the encryption code after the ransom is paid. Many times the intent of a ransomware attack isn’t just about restricting access to information but the actual possession of the data itself. Many hackers hoard data to use as leverage for personal or political gains, or to later destroy themselves, once they have exploited what they want from it.

In a November 2017 security survey sponsored by Barkly and conducted by the Ponemon Institute, 54% of companies surveyed experienced a ransomware attack — and 43% of those companies had experienced the attack in the last 12 months.

Generally speaking, both organizations and users become susceptible to ransomware attacks because they don’t employ a proper patch management system. Even those that do install patches usually don’t do it frequently enough to capture all of the critical and necessary updates to the different software that they use. Additionally, many individuals and organizations do not test the patches to ensure that each is actually fixing the potential security vulnerabilities they’re intended to address.

An Ounce of Prevention is Worth a Pound of Cure

The best way to combat ransomware attacks is to expect and prepare for them. There are two main aspects to preparing for ransomware attacks: the technical side and the human side.

Technical Prevention:

A dedicated cybersecurity partner should work with your internal IT team to employ gateway and endpoint protection measures to prevent ransomware attacks from having a chance to reach end-users. Common technical prevention methods include:

• Firewalls with Routine Patching
• Routinely patching critical infrastructure (e.g. firewalls, operating systems, applications)
• Antivirus Protections
• Web Filtering
• Spam Filtering
• Intrusion Prevention & Detection Systems

Human Prevention:

This is maintained through continued security awareness training for users, taking a “trust but verify” approach. It is especially important to put an emphasis on how to avoid phishing attacks. Phishing attackers can easily trick users by crafting special, targeted emails designed to increase the likelihood of the user clicking on the malware. Some examples of human prevention include:

ABOUT WITHUMSMITH+BROWN, PC (WITHUM)

Withum provides clients in the hospitality, vacation ownership and other industries with assurance, accounting, tax compliance, and advisory services. For further information about Withum and the services they provide to the industry, contact Lena Combs (LCombs@withum.com) or Erik Halluska (EHalluska@withum.com) at (407) 849-1569 or visit www.withum.com.