Learn about the growing cyber threat that attackers use to make money… by taking yours.

Once an attacker has their target and has gained access, or “gotten in,” there are multiple ways they can “profit” from the cyberattack:

• Siphoning or exfiltrating valuable data from the victim

Organizations all hold valuable data, even small businesses that may think they have nothing an attacker would want to steal. Financial information, customer data, health records, and even proprietary business records are of value to an attacker for either furthering the impact of an attack or for sale on the dark web. There is not a single industry or type of organization that is considered “safe” from cyber risk—all organizations of every size hold some level of valuable resources that attackers are always after.

• Transferring actual funds

If an attacker can easily get access to financial records, accounts, or otherwise obtain actual funds to reach their goal, your organization’s money will be at risk.

• Demanding a ransom

This method is back on the rise after doubling in frequency in 2019. Attackers can use system or network access to deploy a malicious program that locks down an organization’s files to hold them for ransom. Attackers appear to favor this method because it’s a fairly simple attack tactic that allows them to get paid quickly, and directly from their victim.

How does ransomware work?

The concept of ransomware, as one traditional AV provider put it, is actually one of the more simple cyber attack concepts in today’s threat landscape:

“Lock and encrypt a victim’s computer data, then demand a ransom to restore access.”

 

It should be no surprise that a cyberattack with such a simple explanation is also fairly simple for attackers to carry out.

As explained in the Cyberattack Series, after an attacker has chosen their target and gathered information about that target, they have a variety of options and possible next-steps to compromise their victim. In terms of ransomware attacks, because the payload comes in the form of a simple piece of malicious software, cyber attackers can choose almost any method to carry out the attack:

• Malicious attachment in a phishing email
• Drive-by-downloaders on compromised websites
• Placing the file directly on the user’s system (possible only if the attacker has gained access to the system using other methods, like exploiting an unpatched vulnerability)

No matter how the attacker chooses to deliver the payload, the following progression is always quick and easy.

First, if the ransomware file is allowed to execute (i.e. it gets onto the user’s system and is not blocked), it will immediately begin encrypting the files on the system.

Next, it will display a message to the user informing them that their files have been encrypted, usually paired with a message demanding a hefty ransom payment in return for their files to be unlocked. Different attackers will use different styles of ransom message screens and phrasing, but whether it’s a fake government-themed page or a big red screen, it is meant to get the user’s attention and inspire urgent action.

Attackers will use ransomware to obtain payment in the form of a cryptocurrency, like Bitcoin, because the currency provides a level of anonymity that makes the exchange virtually untraceable back to the attacker. That’s great news for bad guys and not-so-great news for their victims: if the attacker can’t be traced, they can’t be caught.

The final step and end-goal for ransomware attacks, therefore, is to receive the ransom payment (usually via cryptocurrency) and move on to their next target.

Ransomware in action

In the short video below, watch as Security Engineer Will explains how easily a ransomware attack can be executed, and walks through a few methods to prevent and detect this type of attack in your organization.

Cybersecurity Game Plan

Offense

When an organization is hit with a ransomware attack, the first question is whether or not to pay the ransom to the attacker. What do you do?

It’s important to note that while an organization with a robust backup system in place is able to bypass the ransom and simply restore the computer or system that was compromised, the ransomware issue is still far from resolved.  A case of ransomware can range from a “one-and-done” malware drop to a

• How long did the attacker have access?
• How did the attacker deploy the attack?
• Did they bring other malware into the environment along with the ransomware?

These are the vital questions to ask after a ransomware attack—not just, “How can we get our data back?” Whether a ransom is paid, or a system is restored from a backup, those steps don’t provide any insight into whether the attack is actually over.

This is why detection, investigation, and incident response are vital offensive measures after being hit by an attack.

An Endpoint Detection & Response (EDR) solution is key in these stages, as it allows security experts to review the activity taken on an endpoint, like the laptop or desktop that gets hit by ransomware, and trace the full path of the attack. Expert security investigation is faster, easier, and cheaper when endpoint data is actively collected and correlated as the attack takes place.

Whether EDR is present on the system or not, post-breach investigation is always necessary to ensure that the attacker behind the ransomware is locked out, security is restored, and a plan is created to prevent the attack from happening again.

Defense

Why wait until you’ve been hit with ransomware to start taking action? Defending your organization’s security is possible—prevention is possible—with the combination of malware prevention an advanced endpoint antivirus and security experts to back it up.

Traditional anti-virus (AV) solutions are struggling to keep up with new and advanced malware-based attacks. Relying on a database of malware and malware identifiers is what sets traditional AV behind—the programs simply can’t stop an attack that is new or unique, because they have no reference to identify an unknown piece of malware. A database for malware is a good first step, but the bad guys caught on to that a long time ago…

Today, they just make new variations of malware—called Zero-Day Malware—and easily bypass traditional AV solutions to hit their targets.

Next-generation Malware Prevention uses advanced techniques to analyze and identify malware of all kinds, so it doesn’t rely on a “repeat offenders” list of known malware to operate. This type of malware prevention is 99% effective, versus the 40-70% efficacy of traditional solutions. When paired with a 24x7 Security Operations Center (SOC) that actively monitors endpoint activity and AV alarms, it’s guaranteed that your organization will not suffer the consequences of a ransomware attack.

But what if you could stop the ransomware attack before the malicious file even makes it onto the computer?

In the case of email-delivered ransomware attacks, this is entirely possible with the combination of a robust email security solution and security-aware users.

Your email client, like Office 365 or Google’s GSuite, may have some basic security features built-in to monitor for spam emails or warn you about suspicious email content, but carefully-crafted phishing emails can, and do, make it through to unsuspecting inboxes every day. Organizations can reduce the number of phishing emails they receive by adding a layer of security to their email platform that scans for malicious email content, confirms it through the use of sandboxing, and retains malicious emails in a quarantine environment—keeping attacks out of users’ inboxes.

And if email security doesn’t do the trick? Training users to identify and avoid phishing emails, or other signs of an attack, is another key security layer that helps keep malware from getting onto your organization’s computers.