Criminal gangs have been using ransomware to attack businesses for over three decades. The first recorded attack was against a hospital and was executed by distributing infected floppy disks. Today, email is the main attack vector, with ransomware families such as Doppelpaymer, REvil, Clop, DarkSide, Netwalker, Ragnar Locker and Conti able to encrypt data and, in some cases, exfiltrate that data first.
The goal here is always the same. The criminals executing these attacks are motivated by money. They want you to either pay for decryption keys to retrieve your data – two-thirds of the companies hit with ransomware in India paid the ransom last year according to the recent Sophos State of Ransomware report – or pay to prevent stolen data being made public.
The problem is not going away. Data from India’s National Crime Records Bureau reveals that the number of attacks doubled between 2018 and 2019 with no sign of relenting. According to Sophos’ data, 82% of businesses were hit with ransomware attacks in 2020. It doesn’t matter whether the business is large or small – everyone is a potential target.
Aaron Bugal, the Global Solutions Engineer at Sophos, says, “Ransomware doesn’t discriminate – every organisation is a target, regardless of size, sector, or geography. And the ransom amounts are not fixed. Attackers vary them based on what they believe the victim can pay.” The group behind the WastedLocker ransomware, for example, analysed its targets and set ransoms according to the size and scale of the organisation. While some received demands for US$500,000, others faced a whopping US$10M to regain access to their data.
“The take-away here is that the ransom demands businesses are receiving are most likely attributed to information the attacker has been able to steal, analyse and use to evaluate your target worth,” says Mr Bugal.
But not all attackers are looking for huge paydays using sophisticated tools.
“At the other end of the scale is your more fast-food variety of ransomware such as Dharma, which forms the basis of ransomware-as-a-service operations,” says Mr Bugal. “Less sophisticated cybercriminal outfits can purchase malware on the dark web and go after small- to medium-sized businesses. Ransom demands using Dharma average around US$8,000, which is still considerable for many smaller organisations.”
The most common attack vector used by ransomware gangs is email. In order to craft an email with the greatest chance of tricking someone into opening a malicious attachment, clicking a link to a malware-laden website or providing log-in credentials, the criminals use public sources of information such as search engines, social media, open-source intelligence tools and previously exposed data dumps to determine an easy method to break into an environment.
“Once they’re inside, the attackers use native tools like PowerShell, Windows Management Instrumentation Command-line (WMIC), Certutil and others to maintain persistence, elevate privileges and laterally move onto other internal systems. Once they’ve got the lay of the land, they get a little more brazen and start stealing corporate information and turning to the use of more aggressive and destructive tools.”
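As an added illustration (not from the article or from Sophos), a small triage pass over constructed process-creation events that flags the native tools named above when a mail or Office client launches them, and an account running them on several hosts, a coarse signal for the lateral movement described. The event field names, the parent-process list and the host threshold are assumptions.

```python
import json
from collections import defaultdict

# Native Windows tools the article names as used after initial access
LOLBINS = {"powershell.exe", "wmic.exe", "certutil.exe"}
# Parents that should rarely launch those tools directly (assumed list):
# mail client and Office apps, matching the article's e-mail attachment vector
SUSPICIOUS_PARENTS = {"outlook.exe", "winword.exe", "excel.exe"}
# Account seen running LOLBINs on more than this many hosts gets flagged
HOST_THRESHOLD = 2

# Constructed sample telemetry (JSON lines), not real data
SAMPLE_LOG = """\
{"host": "ws-01", "user": "alice", "parent": "explorer.exe", "image": "powershell.exe"}
{"host": "ws-02", "user": "bob", "parent": "winword.exe", "image": "powershell.exe"}
{"host": "ws-02", "user": "bob", "parent": "powershell.exe", "image": "certutil.exe"}
{"host": "ws-03", "user": "bob", "parent": "services.exe", "image": "wmic.exe"}
{"host": "srv-01", "user": "bob", "parent": "wmiprvse.exe", "image": "powershell.exe"}
{"host": "ws-04", "user": "carol", "parent": "explorer.exe", "image": "notepad.exe"}
"""


def load_events(text):
    """Parse JSON-lines process-creation records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def triage(events):
    """Return (office_spawn_alerts, lateral_alerts).

    office_spawn_alerts: events where a mail/Office parent launched a LOLBIN.
    lateral_alerts: {user: sorted hosts} for accounts that ran a LOLBIN on
    more than HOST_THRESHOLD distinct hosts.
    """
    office_spawn = [e for e in events
                    if e["parent"].lower() in SUSPICIOUS_PARENTS
                    and e["image"].lower() in LOLBINS]
    hosts_by_user = defaultdict(set)
    for e in events:
        if e["image"].lower() in LOLBINS:
            hosts_by_user[e["user"]].add(e["host"])
    lateral = {u: sorted(h) for u, h in hosts_by_user.items()
               if len(h) > HOST_THRESHOLD}
    return office_spawn, lateral


if __name__ == "__main__":
    spawn, lateral = triage(load_events(SAMPLE_LOG))
    for e in spawn:
        print(f"ALERT office-spawned tool: {e['host']} {e['user']} "
              f"{e['parent']} -> {e['image']}")
    for user, hosts in lateral.items():
        print(f"ALERT possible lateral movement: {user} on {', '.join(hosts)}")
```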
Minimising the risk of an attack requires both a proactive and reactive strategy.
“Employing proactive security with 24/7 monitoring with automated software and threat hunting experts is key to quickly and effectively identifying, investigating, and mitigating anomalous behavior,” says Mr Bugal. “Services such as Sophos Managed Threat Response combine the best tools with the most experienced threat hunters to help identify and neutralise active threats, limit recurrence, and minimise the chance of ransomware taking hold of your business assets.”
This needs to be supported by staff education so your people can identify suspicious email and applications and report them quickly and easily.
If an attacker manages to bypass the proactive controls you have in place, then you need to contain and neutralise the attack. Once you have stopped the spread, assess the damage.
“Assess what data has been lost, which endpoints, servers and operating systems were affected and whether your backups are still intact or if the attacker has deleted them. If they are intact, make an offline copy immediately. And look for machines that were protected as they’ll be critical in getting you back on your feet,” says Mr Bugal.
You may also need to engage a third party, such as Sophos Rapid Response, for specialist incident response to neutralise an active attack and conduct post-incident analysis to assess what happened and help you mitigate future attacks.
Ransomware costs Indian businesses millions of dollars and causes massive business disruption. By taking proactive and reactive steps, it’s possible to break the criminals’ business cycle. By making it harder for them to receive the financial rewards they crave, you can protect your business and remove the incentive for them to attack.