
Anatomy Of A Ransomware Attack

Goran Lepan
November 30, 2021

Ransomware is the most concerning and dangerous type of malware, capable of causing severe financial and reputational damage. What separates it from other malware is the word "ransom", a form of extortion. Cybercriminals are successfully using it to disrupt services and steal from Australian businesses and individuals. In fact, over the past 12 months, Australia has faced a 15 per cent increase in ransomware cyberattacks.

With estimates showing that there is a ransomware attack on a business every 11 seconds, no business can afford to ignore ransomware. It is vital for every business to understand how these attacks occur and to put measures in place to protect against them. So let's look into ransomware a little more closely to understand it.

WHAT IS RANSOMWARE?

Ransomware is a type of malicious software (malware) that encrypts victims' data and then holds it for ransom. Once this type of malware has infiltrated your device or system, it blocks access to your files by encrypting them, rendering them unusable. Cybercriminals are then in a position of power and may demand payment in return for the decryption key. This can have huge implications for your business, such as legal fines, reputational damage and serious financial costs. Costs can vary from thousands to even millions of dollars, which explains how the global cost of ransomware in 2020 reached a staggering $20 billion.

Some of the most recent, high-profile examples of ransomware and its aftermath include:

  • Colonial Pipeline - a ransomware attack in May 2021 against Colonial Pipeline's billing system and internal business network saw the American oil pipeline system shut down. Fuel distribution was disrupted for over a week, with shortages leading to chaos and panic. To avoid further disruption, the company eventually gave in to demands, paying $4.4 million in bitcoin.
  • JBS Foods - computer networks at JBS, one of the biggest meat processing companies in the world, were hacked in June 2021. There weren't any major food shortages, although the public was told not to panic buy meat in response. Eventually, as the disruption threatened food supplies and risked higher prices for consumers, the company paid $11 million in ransom, one of the largest ransomware payments of all time.
  • Kaseya - a fake software update was sent through the American software company's virtual system administrator (VSA) product in July 2021, reaching its clients and their customers. One million systems were encrypted and held for ransom, with around a thousand businesses impacted. No ransom was paid, and the company managed to restore its IT infrastructure, but many companies were impacted for over a week.

HOW RANSOMWARE ATTACKS WORK

There are several paths ransomware can take to reach a computer or system. The most common is phishing, where attachments or URL links within an email are disguised as trustworthy. Malware can also be planted on malicious websites, in links sent by SMS, in social media posts and in downloadable applications, which means that any device connected to the internet is at risk.

Once malware has been inadvertently downloaded onto a computer or device, there are several things it can do. The most common action is to encrypt some or all of the files and display a message telling the user that they must make a payment (usually in Bitcoin) to regain access. However, newer ransomware variants also enable cybercriminals to steal data before encrypting it. Once they have access, they search for sensitive files and then threaten to publish the data if the ransom demands aren't met (so-called double extortion).

PROTECTING AGAINST RANSOMWARE

Once ransomware encryption has taken place, it's often too late. That's why preparation and prevention are at the forefront of managing the risk of ransomware attacks. Endpoint security is especially important, as each employee has multiple devices connecting to an organisation's network.

Infotrust partner CrowdStrike offers the Falcon Platform, the leading endpoint protection solution that brings together intelligence, technology and expertise to stop ransomware in its tracks. The platform uses a colossal data set of five trillion events per week alongside threat actor intelligence to fuel its AI-powered machine learning algorithms. To proactively see and stop the stealthiest of attacks, the platform incorporates:

  • Endpoint Detection and Response - a solution that acts like a surveillance camera across all your endpoints, using machine learning to automatically detect malicious activity so your business can respond quickly to threats.
  • Threat Hunting - a dedicated team of expert threat hunters who proactively hunt across all your endpoints, constantly analysing and looking for anything that has been missed by your other protection measures.
  • Threat Intelligence - provides context and helps you to understand your adversaries, know what to look for, anticipate the next serious threat and proactively deploy countermeasures before the worst happens.
  • Incident Response Planning - seasoned security experts will help you create an incident response plan so you can limit damage, recover data successfully and get your business back up and running quickly in the event of an attack.
  • Adversary Simulations - a covert exercise designed to mimic a real-world ransomware attack to help you assess how your defences stand up.

HOW TO ACHIEVE ENDPOINT MATURITY

Defending against ransomware requires not only secure backups and a detailed incident response plan, but also a solid endpoint protection solution to defend each attack vector and endpoint. With this solution in place, your organisation can mitigate the risk of a ransomware attack and, more importantly, mature its endpoint security.

To find out more about how you can bolster your defences to combat ransomware attacks, contact Infotrust today for a consultation on endpoint maturity.