What is a ransomware attack and how to recover from one?

You’ve heard of ransomware in the media and of big businesses around New Zealand falling victim to it, but what actually is ransomware, and can you, as a residential Internet user, be hit by it too? The short answer is yes. Today we’ll explore what it actually is and the types of attacks, so you can be prepared, and how to identify and protect yourself from a ransomware attack.

What is Ransomware?

Ransomware is a type of malicious software, or malware, that encrypts user files and data, making them inaccessible. The attackers then demand a ransom, usually in the form of cryptocurrency like Bitcoin, to provide the decryption key and restore access to the affected files. Ransomware attacks can target individuals, businesses, and even government organisations, causing significant disruption and financial losses.

Get your security in check by contacting Kapiti.IT for a security awareness audit.

Types of Ransomware Attacks

There are two main types of ransomware attacks: crypto-ransomware and locker-ransomware. Crypto-ransomware encrypts valuable files and documents on the victim’s computer or network, while locker-ransomware locks the victim out of their device, rendering it unusable. Both types of attacks have the same goal: to extort money from the victim in exchange for restoring access to the encrypted or locked files and systems.

Some well-known ransomware families include WannaCry, Petya, NotPetya, Locky, and Ryuk. These strains of ransomware have caused widespread damage and disruption to individuals and organisations across various industries.

Impact of Ransomware Attacks

The consequences of a ransomware attack can be severe, both in terms of financial losses and reputational damage. Direct costs may include the ransom payment, IT support costs for system recovery, and lost revenue due to downtime. Indirect costs can manifest as reputational harm, loss of customer trust, and potential legal liabilities arising from compromised data.

In addition to monetary impact, ransomware attacks often lead to operational disruptions as affected organisations struggle to recover their critical data and resume normal operations. In some cases, the encryption may be irreversible, resulting in permanent data loss.

Identifying Major Ransomware Variants

CryptoLocker: One of the earliest and most notorious ransomware families, CryptoLocker surfaced in 2013. It targeted Windows systems by encrypting files using RSA public-key cryptography and demanded ransom payments in Bitcoin or pre-paid cash vouchers. CryptoLocker was eventually neutralised through a coordinated takedown, but its success paved the way for other ransomware families.

WannaCry: In May 2017, WannaCry wreaked havoc across the globe, affecting hundreds of thousands of computers in over 150 countries. It exploited a vulnerability in Windows’ Server Message Block (SMB) protocol and encrypted user data. Its worm-like propagation allowed it to spread rapidly, but the damage was limited when a security researcher accidentally discovered a kill switch.

NotPetya: Appearing in June 2017, NotPetya was initially believed to be a variant of the Petya ransomware. However, further analysis revealed that this malware was designed more for destructive purposes than financial gain. It used a combination of the EternalBlue exploit (leveraged by WannaCry) and Mimikatz, a credential-stealing tool, to spread laterally within networks. NotPetya encrypted entire hard drives, rendering systems inoperable and causing considerable disruption worldwide.

Understanding Encryption Techniques and Delivery Methods

Symmetric Encryption: Many ransomware variants use symmetric encryption algorithms such as AES or DES to lock victims’ data. The same key is used for both encrypting and decrypting the data, making the recovery process contingent upon obtaining the correct key from the attackers. This typically requires payment of a ransom, often in cryptocurrencies like Bitcoin.

Asymmetric Encryption: Some ransomware strains employ asymmetric encryption algorithms like RSA or ECC, using a pair of keys – a public key for encryption and a private key for decryption. This method allows attackers to securely distribute the public key while maintaining sole access to the private key necessary for decryption. Victims are forced to pay the ransom to retrieve their crucial private key.

Delivery Mechanisms: Ransomware is often distributed through phishing emails, malvertising, drive-by downloads on compromised websites, or third-party software installations. Attackers may also exploit vulnerabilities in systems or software to gain unauthorised access and deploy ransomware directly.

Notable Features of Ransomware Families

Ryuk: A targeted ransomware, Ryuk primarily focuses on large enterprises and high-value targets. With a combination of manual hacking and automated attack tools, the threat actors behind Ryuk have gained access to victims’ networks and encrypted valuable data. They are known for demanding significantly higher ransom amounts than other ransomware operators.

GandCrab: Active between January 2018 and June 2019, GandCrab was a prolific ransomware-as-a-service (RaaS) operation. It employed an affiliate distribution model, where other criminals were recruited to spread the malware in exchange for a share of the profits. GandCrab utilised innovative tactics such as exploiting vulnerabilities in remote desktop protocols and adopting new evasion techniques to avoid detection.

Conti: First emerging in late 2019, Conti ransomware is suspected of having links to the Ryuk ransomware family. Known for its high-speed encryption capabilities, Conti can encrypt up to 32 files simultaneously, causing rapid damage to targeted organisations. In addition, Conti has been observed exfiltrating data as part of a double extortion strategy, threatening to release stolen data if the ransom is not paid.

Preventive Measures to Protect Against Ransomware Attacks

Implementing a Robust Security System

One of the primary steps in preventing ransomware attacks is to have a strong security system in place. Organisations should deploy firewalls, anti-virus software, and intrusion detection systems to monitor and protect the network from malware and other threats. Regular updates and patches must be applied to all software, operating systems, and applications to eliminate vulnerabilities that attackers may exploit.

Developing a Culture of Cybersecurity Awareness

Employees play a crucial role in protecting the organisation from ransomware attacks. Providing regular training and awareness programs on cybersecurity best practices, spear-phishing prevention, and risk identification can empower employees to recognise and report potential threats. Encourage a culture in which employees feel responsible for the security of their digital environment, and promote safe online behaviour such as using strong, unique passwords and avoiding suspicious emails or links.

Some organisations use software tools to run a simulated phishing campaign, to see which employees click on bogus links and enter their credentials into a fictitious website. Those employees are then contacted immediately and told they have been compromised, which hopefully gives them a lesson for next time to ignore such scam emails.

Maintaining Regular Data Backups

Regular data backups are essential in recovering from a ransomware attack without paying the demanded ransom. Back up critical files and systems on a frequent basis and store these backups on offline or cloud-based storage to prevent unauthorised access. Conduct periodic tests to ensure the integrity of the backups and their ease of restoration. Implementing a reliable backup strategy not only protects against ransomware attacks but also ensures business continuity in case of hardware failure or natural disasters.

Controlling Access Privileges

Limit the damage of a ransomware attack by implementing the principle of least privilege within your organisation. Provide users with the minimum level of access required to complete their job functions, especially when it comes to sensitive information and systems. Regularly review and update user privileges and promptly terminate access rights for employees who leave the company or change roles.

Collaborating with Law Enforcement and Industry Partners

Working in partnership with law enforcement agencies and sharing threat intelligence with industry partners can help organisations stay ahead of the latest ransomware threats. Join cybersecurity groups, subscribe to threat feeds, and participate in information-sharing forums to gain insights into emerging trends, vulnerabilities, and potential countermeasures. By collaborating with others, organisations can better protect themselves from ransomware attacks while also contributing to the overall cybersecurity ecosystem.

Steps to Follow for Recovery from a Ransomware Attack

Identify and Contain the Threat

The first step in recovering from a ransomware attack is to identify the infected systems and devices as quickly as possible. Isolate them from your network to prevent the spread of the ransomware to other systems or enterprise equipment, i.e. turn off their Internet access as well as LAN access to other devices such as NAS file storage. Disconnect any external storage devices and turn off Wi-Fi and Bluetooth on affected devices to limit potential damage. Notify all employees/associates immediately, so they can take appropriate precautions with their devices as well.

Should I pay the ransom?

This is entirely up to you, but most businesses have a stance that they will not pay a ransom. Ultimately you could pay, get your data back and then find it’s still up for sale on the dark web; equally, you may never get anything in return. A lot of the time ransomware locks your files, but the unlock key provided after paying does not work, and further ransom demands keep coming. A $10,000 request could end up being 5 x $10,000 payments, costing you $50k instead of $10k. Once the threat actors know you’ll pay, they could keep asking for more.

Some major companies get a huge ransom request, i.e. $10 million, and sometimes, if a deal can be brokered between the threat actors and the company, the ransom is paid and the keys are supplied to unlock the data again. This has happened many times over the years, often in countries outside the Five Eyes, as the stance in countries such as Australia and NZ is not to pay a ransom. Sometimes it’s unavoidable, especially if you’ve not got a data backup! If this is you, please back up your data in multiple locations, asap!

Ultimately you decide whether to pay the ransom, if you can: most demands require cryptocurrency, which is confusing and often seen as a scam in itself by most people. Payments are often untraceable; you could pay and never see your unlock keys, or you could pay and get your files back, only for them to be leaked anyway.

Eradicate Ransomware and Restore from Backups

Once the threat has been identified and contained, the next step is to eradicate the ransomware from the infected systems. You may use reliable antivirus or anti-malware software to scan and clean the infected devices. After completely removing the ransomware, it is time to restore the encrypted files from a safe and recent backup. Regularly backing up your data is crucial to ensuring a smooth recovery process. Make sure you have a backup and recovery plan in place and tested to minimise downtime and data loss.

Some ransomware is completely unremovable and will require the device to be factory reset, wiped or otherwise disposed of, i.e. replacing the hard drive. This often requires reinstalling your operating system. Having a backup of your important data is critical, so hopefully you’ve got one. If you haven’t, as many small businesses have found over the years, you can lose years of work, or your life’s work. So if you’re planning a safeguard for your business, now is the time to back up your data: locally on a NAS, but also in 3 locations for data redundancy, i.e. local device (USB), NAS (server) and cloud (Google Drive, OneDrive, Wasabi, AWS or something similar).
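As an added example (not part of the original article or Kapiti.IT’s own tooling), here is a Python script that performs the periodic backup integrity test recommended under Maintaining Regular Data Backups and checks each of the three backup locations described above against the source. The folder names ‘usb’, ‘nas’ and ‘cloud’ and the sample files are constructed for the demonstration; in practice you would point it at your real source and backup paths.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def verify_backup(source_manifest, backup_root):
    """Compare one backup copy against the source manifest and report the files
    that are missing from it and the files whose contents differ (for example a
    copy that was encrypted or truncated after it was taken)."""
    backup_manifest = build_manifest(backup_root)
    missing = sorted(p for p in source_manifest if p not in backup_manifest)
    changed = sorted(p for p, digest in source_manifest.items()
                     if p in backup_manifest and backup_manifest[p] != digest)
    return {"missing": missing, "changed": changed}


def demo():
    """Constructed sample: a source folder copied to three hypothetical locations
    ('usb', 'nas', 'cloud'), with a deliberate fault introduced in two of them."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        source = base / "source"
        (source / "docs").mkdir(parents=True)
        (source / "docs" / "invoice.txt").write_text("Invoice 001: $120.00\n")
        (source / "notes.txt").write_text("Meeting notes\n")
        manifest = build_manifest(source)
        for location in ("usb", "nas", "cloud"):
            shutil.copytree(source, base / location)
        # A backup job that silently skipped a file...
        (base / "nas" / "notes.txt").unlink()
        # ...and a copy whose contents were overwritten after it was taken.
        (base / "cloud" / "docs" / "invoice.txt").write_bytes(b"\x00corrupted")
        for location in ("usb", "nas", "cloud"):
            results[location] = verify_backup(manifest, base / location)
    return results


if __name__ == "__main__":
    for location, report in demo().items():
        ok = not (report["missing"] or report["changed"])
        print(f"{location}: {'OK' if ok else 'FAIL'} {report}")
```

Run it on a schedule against each backup location; a non-empty missing or changed list means that copy cannot be trusted for a restore.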

Strengthen Security Measures

After recovering from the attack, it’s important to take the necessary steps to prevent future incidents. Strengthening your security measures should include updating your software and operating systems, using robust antivirus and firewall protection, implementing strict access controls, and educating your employees on how to spot phishing emails and other common social engineering tactics. A multi-layered security approach will help reduce the likelihood of another ransomware attack and make your organisation more resilient against cyber threats.

If staff are opening email attachments on a consistent basis, consider setting up a virtual machine to validate and open attachments, rather than using a local machine on your network. A Windows virtual server for around $30 a month can provide peace of mind for staff. Services such as Any.Run can also be used to check files before opening them locally on the network.

Ensure all staff have standard user accounts, not local admin, and ensure that any software that needs to be installed or run with administrator rights is done only via an administrator account through a UAC prompt. Keep local admin access limited to a few people in your organisation; this effectively blocks ransomware that requires admin rights to spread through the local network. It may not stop the device that was infected, or NAS devices such as file stores, but it will limit exposure to any other devices on your network.

Professional Assistance and Resources for Ransomware Recovery

Seeking Expert Support for Ransomware Recovery

You will likely need to notify the Privacy Commissioner as well as your customers if you have been breached, so it’s important to quickly identify whether customer data has been accessed and/or stolen during the attack. For larger attacks you’ll also need to notify the police (if you’re a business). It’s a difficult situation for all involved, but silence will only annoy your customers, suppliers, vendors and other business contacts even more. Latitude Financial took 3-6 months to notify customers that their data was stolen when they knew within days; that is simply unacceptable, hence the public backlash and class action lawsuits they are now facing.

When faced with a ransomware attack, it is essential to engage the services of professional cybersecurity experts who can provide guidance and assistance in ransomware recovery efforts. These professionals have extensive experience in handling ransomware incidents and can help you navigate the complex process of regaining control over your compromised systems and data.

Some specialised companies offer ransomware recovery services and can work with you to develop a step-by-step plan tailored to your specific situation. They may be able to help identify the type of ransomware involved, assess the extent of damage, and advise on whether paying the ransom would be a viable option for your organisation.

Homeowners and small businesses may not have the financial support to pay for such services as they often cost $500+ per hour up to $1,000 per hour for specific cyber security assistance. Kapiti.IT can assist with such security assistance at a fraction of the price.

Utilising Online Resources for Ransomware Remediation

There are numerous online resources available to help you combat and recover from ransomware attacks. These resources include security blogs, forums, and websites that provide information on the latest threats, as well as tools and strategies for ransomware removal and prevention.

For instance, No More Ransom (nomoreransom.org) is a joint initiative by various law enforcement agencies and cybersecurity companies that offers free decryption tools for some types of ransomware. This can be a valuable resource for those affected by ransomware attacks, as it may enable them to recover their files without paying the ransom.

Additionally, many antivirus software providers also offer free ransomware decryption tools on their websites. Some of them maintain up-to-date information about new ransomware strains and how to mitigate them, which can be particularly helpful in recovery efforts. Be careful though: some mainstream companies use ransomware as a hidden upsell, charging hundreds of dollars for effectively nothing extra, just a marketing gimmick.

Collaborating With Law Enforcement Agencies

Contacting law enforcement agencies is an important step in addressing a ransomware attack. Not only do they possess valuable expertise and resources to potentially assist in restoring your data, but reporting the incident also contributes to a more comprehensive understanding of the threat landscape and helps in identifying and apprehending cybercriminals.

Depending on your jurisdiction, you may report ransomware attacks to your local police department or a specialised cybercrime unit. Some countries have dedicated cybercrime reporting portals, while others encourage organisations to contact their national Computer Emergency Response Teams (CERTs) for assistance.

By seeking professional assistance and leveraging available resources, organisations can significantly improve their chances of recovering from a ransomware attack and strengthen their defences against future threats.