
Ransomware: Detecting and responding to attacks

4 October 2023
ST DIGITAL, Fabrice ADZRAKOU

Ransomware is malicious software that blocks access to a computer or the data it contains until the victim pays a sum set by the attacker. In 2022, 493.33 million ransomware attacks were recorded worldwide, making it one of the most serious cyber threats facing businesses today. This guide describes the most common ransomware attacks and explains how to protect against them.

If you are concerned about ransomware, secure your data today with Veeam's anti-ransomware protection.


Ransomware: a growing threat to modern businesses

Ransomware attacks are now commonplace. While most people have a general idea of what they involve, few truly understand how they work and why they are so severe. According to the British Economic and Social Costs of Crime report, the overall cost of cybercrime in the United Kingdom runs into "the billions". On a global scale, the cost of ransomware attacks is expected to reach $265 billion by 2031.

While some victims are fortunate enough to decrypt their data, decryption tools exist for very few ransomware variants. In such cases, the victim has only one option: restore from backups. If no backups exist, or if they have also been compromised, the cost in terms of data loss and downtime can be significant. Our 2023 Ransomware Trends Report demonstrates just how severe a ransomware attack can be for certain organisations.


Understanding anti-ransomware protection

Anti-ransomware protection requires a combination of strategies. In addition to basic cybersecurity best practices, it involves the use of more targeted strategies and technologies to detect and respond to ransomware attacks, including those already in progress.

While conventional firewalls and antivirus solutions can prevent certain attacks, it is also essential to train all teams to detect phishing emails, malicious websites and potentially dangerous executable files. Modern anti-ransomware tools go further by monitoring network and file system activity to identify signs of an attack, such as unusual communication patterns or file access/encryption activities.

Network administrators can use a number of IT and security tools to protect against ransomware. Endpoint protection and intrusion detection and prevention systems can be combined with behaviour-based analysis techniques to rapidly detect attacks and limit damage.

While it is unlikely that any of these strategies alone will be sufficient to protect a company's IT systems against ransomware, combining different protection techniques, passive analysis and proactive measures helps reduce the attack surface and increase the chances of successful remediation when needed.


Key components of anti-ransomware protection

Effective protection against ransomware requires a multidimensional approach.

Network security and monitoring

Firewalls and intrusion detection systems constitute the first line of defence against various attacks, not just ransomware. A firewall analyses incoming and outgoing network activity and blocks connections it considers unauthorised.

Unauthorised activity can take the form of port scanning, in which an attacker probes ports at random in an attempt to discover the services running on a server. Alternatively, an attacker may attempt to log in to a server by brute force, or simply carry out a denial-of-service attack by sending a large number of requests in quick succession.

Intrusion detection systems detect malicious activity, and are in this respect similar to firewalls. These tools operate according to a set of predefined rules. They can, for example, trigger the execution of other tools or alert the system administrator to analyse the problem and intervene manually.

Anti-ransomware protection is a genuine arms race in which it is impossible to rely solely on static rules and malware definitions. Even heuristic virus analysis does not guarantee the identification of all malicious code. It is therefore important to prioritise real-time monitoring and behavioural analysis to track evolving activity on systems and increase the likelihood of detecting suspicious activity.

For example, real-time monitoring can detect the access to or modification of a large number of files within a short period of time. It can also detect the sudden opening of files that have not been used for a long time. Even if ransomware is not involved, such activity may reveal an entirely different security issue, such as an insider threat.
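As an added illustration (not code from the original post or from Veeam), the two behavioural checks just described, a burst of file modifications by one user within a short window and the sudden opening of a long-dormant file, implemented in Python over a constructed sample of file-access events; the log format, the thresholds and the file paths are assumptions.

```python
"""Two behavioural checks for ransomware-like file activity (constructed example)."""
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample events, not real logs: time,user,op,path,days_idle
# days_idle = days since the file was last touched before this event.
SAMPLE_LOG = """\
2023-10-04T09:00:00,bob,READ,/share/hr/handbook.pdf,3
2023-10-04T09:00:01,alice,MODIFY,/share/finance/q1.xlsx,2
2023-10-04T09:00:01,alice,MODIFY,/share/finance/q2.xlsx,5
2023-10-04T09:00:02,alice,MODIFY,/share/finance/q3.xlsx,1
2023-10-04T09:00:02,alice,MODIFY,/share/finance/q4.xlsx,4
2023-10-04T09:00:03,alice,MODIFY,/share/finance/budget.docx,2
2023-10-04T09:00:03,alice,MODIFY,/share/finance/payroll.csv,7
2023-10-04T09:05:00,carol,READ,/share/archive/2015-contracts.zip,400
2023-10-04T09:30:00,bob,MODIFY,/share/hr/handbook.pdf,0
"""

def parse(log):
    """Turn the CSV-style text into (timestamp, user, op, path, days_idle) tuples."""
    events = []
    for line in log.strip().splitlines():
        ts, user, op, path, idle = line.split(",")
        events.append((datetime.fromisoformat(ts), user, op, path, int(idle)))
    return events

def burst_alerts(events, window_s=10, threshold=5):
    """Alert once per user who modifies >= `threshold` distinct files within `window_s` seconds."""
    recent = defaultdict(deque)   # user -> sliding window of (time, path) MODIFY events
    alerted, alerts = set(), []
    for ts, user, op, path, _ in events:
        if op != "MODIFY":
            continue
        q = recent[user]
        q.append((ts, path))
        while (ts - q[0][0]).total_seconds() > window_s:   # drop events outside the window
            q.popleft()
        touched = {p for _, p in q}
        if len(touched) >= threshold and user not in alerted:
            alerted.add(user)
            alerts.append((ts, user, len(touched)))
    return alerts

def dormant_access_alerts(events, min_idle_days=180):
    """Alert when a file untouched for `min_idle_days` or more is suddenly opened."""
    return [(ts, user, path, idle) for ts, user, op, path, idle in events
            if op in ("READ", "MODIFY") and idle >= min_idle_days]

if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("burst alerts:", burst_alerts(evs))
    print("dormant-file alerts:", dormant_access_alerts(evs))
```

In production the thresholds would be tuned per share and the events would come from the file server's audit log or an EDR agent rather than a string.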


Incident response and restoration

Security tools represent only part of the equation. Even when sophisticated tools are deployed, the risk of a security breach remains. It is therefore vital to establish an effective incident response plan to minimize damage in the event of an attack.

A ransomware incident response plan unfolds in several stages:

  • Identify the affected systems.
  • Disconnect peripheral devices from the network where possible.
  • Power down affected equipment if necessary.
  • Review system logs to determine how the attack occurred.
  • Identify the ransomware and determine whether other malicious software is present on the system.


Depending on the nature of the attack, the steps to follow may vary. Administrators must assess whether it is financially more advantageous to leave infected devices powered on (and therefore allow the attack to continue) or to shut down the system (and therefore lose any evidence stored in volatile memory).

When recent backups are available and protected/isolated from ransomware, it may be worthwhile to leave infected systems powered on, disconnecting them from Wi-Fi or the LAN in order to analyze them.

Data restoration represents only part of the equation. Ideally, the attack is stopped quickly to prevent it from spreading. In many cases, ransomware gains access to a network via a targeted phishing attack on an employee's computer. The malware then spreads to network drives and other systems, searching for a target to infect.

When the attack is identified quickly, the malware has less time to spread and infect drives. Depending on the system initially infected and the configuration of file access privileges on the network, the damage can be limited to the user's computer and a few non-critical network shares.

Adopting a systematic approach to control and restoration


System administrators must always bear in mind that ransomware can act in different ways. Some variants simply encrypt files; other malicious scripts delete the victim's data if payment of the ransom is refused. There are also particularly dangerous ransomware variants that scan files for potentially valuable data and send them to the attacker, who then threatens to publish the data if the victim refuses to pay the ransom.

Such data breaches can cause serious harm to a business. It is therefore important to take all necessary precautions against a ransomware attack. Rather than rushing the data restoration step, it is better to take the time to thoroughly clean all infected systems. Depending on the severity of the attack, it may be more effective to simply wipe these systems or reinstall their system image.

To reduce the risk of a further attack, change all your system passwords and review the rules of all your firewalls, check block lists and malware detection systems to ensure they are up to date and functioning correctly. Train your teams on phishing and social engineering attacks.

When you are certain that the malware has been completely removed from your network, you can begin the process of restoring critical data from your backups. Make sure to thoroughly scan the backups before restoring them: they could be infected. This is an unlikely eventuality if the attack was thwarted quickly. Nevertheless, if you perform frequent backups, the most recent one may be infected and you may need to restore a "cold" or "off-site" backup instead.

Avoid paying the ransom


Although some high-profile attacks have targeted large enterprises by demanding enormous sums of money, most ransomware attacks are opportunistic. Their perpetrators typically demand small amounts, between $700 and $1,500, on the assumption that if they request a low ransom, the victim will be more inclined to pay it in order to recover their files as quickly as possible.

Ransom payment methods most commonly rely on cryptocurrencies (Bitcoin, Litecoin, or even Dogecoin). Widely available on exchange markets, they are therefore easy for victims to acquire. Attackers often use cryptocurrency "mixers" in order to reduce the traceability of the funds they receive, and thus to convert them more easily into real currency.

For a business executive pressed for time and faced with a locked screen, paying the ransom may be tempting. However, before choosing between restoring data or paying, it is important to consider the impact of each decision. The ransomware developer's promise is the only guarantee you have of recovering your data by paying the ransom, and their ethical standards remain unproven. Furthermore, even if you do recover your data, there is no guarantee that the malware will not infect your other systems in the future if they are not cleaned.

Another consideration is the ethical issues surrounding the payment of the ransom. Cryptocurrencies are often used to fund drug trafficking, money laundering, human trafficking, and terrorist activities. By purchasing them, you are indirectly supporting such activities, and by paying the ransom you are rewarding cybercrime.

In certain parts of the world, paying a ransom is even illegal, as it amounts to transferring funds to an entity subject to financial sanctions. This is not the case in every country, but it is a fact to consider. If you are the victim of a ransomware attack and are considering paying the ransom, seek legal advice before making your decision.

Continuous improvement and training


You may quickly feel distressed if your organization falls victim to ransomware: you wonder how it could have happened and whether you could have prevented the attack. Always keep in mind that even the largest companies with dedicated IT teams and substantial budgets fall victim to cybercrime. Try to draw lessons from the incident and design new strategies to counter ransomware.

If you can do so without violating confidentiality agreements or sharing corporate data, communicate publicly about the attack to help others learn from it. Explain what happened and discuss ways to improve your protection.

Another option is to simulate ransomware in order to test your preparedness and identify areas where your teams may need additional training or where your intrusion detection systems or other defenses have gaps.


Other aspects related to ransomware


We focus exclusively here on anti-ransomware protection, although other related points could also be addressed:

  • Early prevention of attacks;
  • Response to identified attacks;
  • Data restoration following an attack.


By combining all these elements, it is possible to design an effective anti-ransomware strategy. That said, they overlap significantly: an effective ransomware protection strategy will use the same tools as ransomware prevention and will include a rapid response plan. Nevertheless, it may be worthwhile to develop each strategy individually to ensure robust security and backup systems.


Strengthening your company's anti-ransomware protection


If the potential impact of ransomware on your business concerns you, seize this opportunity to review your protection strategy.

Designing a comprehensive strategy


Review your existing cybersecurity measures and conduct a comprehensive security audit. Consider running incident simulations to identify potential gaps.

Following this review, develop a plan that integrates prevention, protection, and response to cover all eventualities. Do not simply copy another company's plan; make sure you tailor your own strategy to the specific needs of your organization.

Leveraging technology and collaboration

Ransomware is so widespread today that there are numerous monitoring and intrusion detection tools available, and threats are very well documented. Do not try to build your own tools. Take advantage of the rich expertise available and collaborate with your peers. Together, we can combat ransomware.


Ransomware does not discriminate


Ransomware represents a pervasive and opportunistic threat. It can affect both an individual user's computer and the IT systems of a multinational corporation. This is why it is so important for those concerned about protecting their data to deploy a proactive defence strategy.

By designing a multi-component anti-ransomware protection strategy combining prevention, protection, response and recovery, it is possible to deploy a resilient cybersecurity infrastructure capable of effectively combating constantly evolving ransomware.


Source: VEEAM partner blog

