With 2017 only a few days over, we have to determine this has been the most terrible year in regards to ransomware ever, with severe attacks all over the world. There has never been a year in which attacks caused so many problems worldwide for so many private individuals, companies and federal organizations before. Malwarebytes Labs, a data security firm, states in his latest report that ransomware attacks have risen in comparison from 2015 to 2017 by 2000% (!) with last year´s attacks being the worst ever.
The two worst ransomware variants that attacked companies and organizations in 2017 around the globe were NotPetya and WannaCry:
The WannaCry attack caused serious damage around the world in May 2017, when it infested presumably 300.000 computers in 150 countries. It targeted Windows operating systems which were not properly patched or were too old to be patched. The ransomware encrypted the data and demanded bitcoins to be paid. A further spread could have only be stopped by a new Microsoft patch and the detection of an implemented kill switch to prevent further spreading. Why the kill switch was available is still unknown. WannaCry relied heavily on an exploit that was released by the Shadow Brokers (who previously hacked the NSA and made their 0-day-exploits public). One victim was the German railroad, which then had problems with their information terminals, not showing arrivals or departures, but only the WannaCry screen demanding the ransomware money in bitcoins.
NotPetya started off as an Ukranian Tax Software update just one month later in June and infected hundreds of thousands of computers in more than 100 countries all over the world in just a few days. The financial impact was enormous, for example the global pharmaceutical company Merck suffered loss of more than 300 Million $ just in the third quarter of that year alone by this attack.
How come ransomware is having such a huge “success”?
Carbon Black, an anti-malware software solutions provider, released a study in last October identifying an increase of 2.500 % in ransomware software sales in the major dark net market places between 2016 and 2017. According to them more than 6300 sites are currently offering ransomware solutions to carry out your own attack.
With so many tools available in the dark net, it is no wonder that Sophos Labs, a data security software provider based in the UK, projects in his annual security forecast for 2018 an increase of ransomware attacks in 2018. They state that “it is a fair bet that Android and Windows will continue to be heavily targeted with ransomware and other malware, given the success attackers have had thus far”.
And according to the data security analyst and software provider Kapersky Lab even more ransomware attacks will be aimed at companies. From those attacks that they were able to fight off 26.2 % were targeted against firms. This is an increase of 3.6 % compared to 2016. The experts from Kapersky also stated that 65% of the companies that were hit either suffered a severe data loss or were not able to access their files anymore. While Kaspersky doesn’t explicitly predict more ransomware attacks for this year, they warn about more advanced attacks to come for mobile devices and a rise in so called destructive attacks.
What are destructive attacks?
A new breed of ransomware arrived on the scene last year: Ransomware that is actually not a real ransomware, but more of a destruction tool. The ExPetr/NonPetya ransomware late last year appeared as a ransomware, but actually aimed at wiping the data of the victim completely. Kaspersky believes that more of these attacks will happen during this year. And since obviously the attackers are not specifically targeting the victims, everybody is in danger being hit by such a “wiper ransomware”. (Read more on this subject in another article which follows in a few weeks here.)
How to protect effectively against ransomware, malware and other viruses?
While there are many things to consider fighting ransomware. As there are – as laid out before – many different types of these viruses around these days, keep in mind the following three main tips and execute accordingly:
- Email security is king! According to Sophos and other experts “Email will remain the primary attack vector threatening corporate cyber security, especially in the case of targeted attacks”. Therefore securing this main factor of vulnerability is essential to everybody, who runs a network or is connected with the internet.
Remember: Most ransomware attacks are triggered by a normal email with an infected attachment such a document, photo, animation, video or any other file. There is not much knowledge needed to insert a piece of malware into a file. In many cases there are many how-to-articles inside or videos on Youtube on how to hide code, so even a school kid can do that nowadays.
With this in mind, opening an email attachment from an unknown sender is AN ABSOLUTE NO-NO! If you are sure that this email is not addressed at you, delete it immediately!!! And also inform your company data security advisor immediately.
If you are unsure, do not open it until you have made a phone call or reached the sender in another way, to check for his identity. Remember even if you are wrong, keeping your companies IT secure and intact is always the right decision.
- Make your network and IT environment secure! That one single computer is encrypted by a ransomware is definitely a bad incident, but when a ransomware spreads all over the network it can become not only a nightmare for the IT department, but endanger the whole business!
Companies who did not already have done so, should consider implementing a data security software solution which is especially designed to check all incoming emails before they are delivered from their exchange server to the intended recipient. With such a solution, the risk that a virus spreads over inside a company network is reduced dramatically. Additionally the IT administrators and management should consider implementing another network security software, which automatically monitors the network and its files. Such a solution would send an alarm if a ransomware would try to encrypt files in huge amounts over the network. These solutions also check frequently outgoing traffic, so when the ransomware tries to connect to their external server to start the encryption process, this could be terminated in a pretty early state.
And last but definitely not least: Always update your software and operating systems with the latest patches as they are available. As pointed out so often, hackers only get successful, when the victim offers gaps in his security!
- Make your employees smart! We have written about ransomware and malware in our blog before, but what we see, is that in the case of an encryption attack even the most experienced computer users get in panic. Therefore EVERY employee in a company should exactly know what to do, when he gets attacked.
A ransomware attack should not only be part of a business continuity plan for the higher management or the IT experts, but precise tips on what to do, when hit, should be hanging on a piece of paper on the wall in every office. Simple tips – like for example…
- disconnect from the internet and internal network
- try to properly shut down the device or
- immediately call IT security/IT administration
… will be then available in a couple of seconds just by looking at the wall. And can be seen and noticed every single day.
Especially IT security and administration staff alike should always be informed best about the latest developments in cyber security and hacking. Reading the latest blog news, keeping up to date about new developments in this scene and loop holes in network or software solutions should therefore be a necessity for these employees. (Keeping the company secure is what they are paid for, you know, so no excuses here, please…)
What if your data was hit by a ransomware?
If for one or another reason, a ransomware got thru your defense line and data was encrypted, you should do the following:
- Never pay the ransom! We do not say that because the law enforcement organization told us to, but because of the simple fact, that you do not have a guarantee that you will get a decryption key by the criminals at all. In many cases – and most definitely if it is a ranscam or wiper you got hit by – you will not get your data back, but only lose an additional sum of money.
- Do not try to decrypt your data by yourself if you are not familiar with it. For some older versions there are decryption tools already available on the internet. While for some computer specialists it is possible to recover their data, you have to have some expertise. And it is risky – if something goes wrong, you could destroy your data forever.
Better contact a data recovery specialist like Ontrack, they have all the necessary tools available to rescue your data when possible. And when it is an easy case, it does not take that long and is therefore much cheaper, than to lose data a second time.
How can data recovery experts help in a ransomware case?
Out of the perspective of a data recovery specialist every ransomware case is different. There is not only a big difference in how the ransomware variants – that are currently available – encrypt the data and spread through the network and technological basis, but also in their targets e.g. your computer or network environment. For the attacker it is irrelevant what kind of system the ransomware encrypts if it is successful and the victim pays the ransom. For the data recovery expert however it is not. Some systems and data structures are more challenging and need more time to recover than others. And time means money especially in data recovery. So watch out for ransomware attacks in 2018, otherwise you pay the price either way.
With all these attacks in 2017 ransomware will most likely be a serious threat to both private individuals and companies like in 2018 again! Regardless if the attacker aims for getting money out of this “business” or wants to destroy infrastructures or businesses, they will find gaps in your network, operating system or your data security processes. So the best defense is to have a proper backup procedure in place to make your infrastructure run again as fast as possible.
Therefore it is absolutely necessary to store backups of your business critical data on external storage devices which are not connected to your network and are functional at any given time.
In case your backup is not working or it is infested by a ransomware virus, it is best to contact a professional data recovery service provider who is able to recover both ransomware encrypted or broken backups like Ontrack.
For over 30 years Ontrack specializes in recovering data from all major backup solutions as well as from ransomware infected storages. Over the last years the specialists have gathered the knowhow and developed new tools to currently decrypt 225 different types of ransomware and recover the data. Additionally we are constantly developing new tools and methods for newly created and more advanced types of ransomware.
So if you are hit by a ransomware attack, the best thing to do is to shut down the system and to contact Ontrack immediately. The experts will give you the best advice on how to recover your precious data in your unique ransomware case.
For more information see: https://www.krollontrack.com/services/data-recovery/ransomware/
Picture Copyright: Antje Delater / pixelio.de