The success of a modern business is heavily reliant on the network on which its computers and employees operate. With many risks looming online, a secured operating system and network are critical for most businesses to perform to their full ability.
One of the most prolific threats to modern business is ransomware. With global ransomware damage costs predicted to reach $20 billion by 2021, organizations need to ensure their security posture is sufficiently mature to protect against this pervasive malware.
In this article, we’ll dive into the history of ransomware, and then provide solutions on how to prevent, remove, and respond to ransomware attacks.
IBM defines ransomware as a “form of malware that threatens to destroy or withhold the victim’s data or files unless a ransom is paid.” This is not too unlike ransom cases that we see in war and crime, where criminals hold people as hostages in return for large sums of money. But instead of people, cyber-criminals withhold valuable data and files in hopes of a big cash return.
Ransomware, just like other forms of malware, is software that is specifically designed to disrupt, damage, or gain unauthorized access to a computer system. There are two primary types of ransomware: locker and crypto.
Research from the Beazley Breach Response (BBR) Services found that ransomware attacks increased by 131% between 2018 and 2019 alone. Cybersecurity Ventures predicts businesses will experience a ransomware incident every 11 seconds in 2021, up considerably from every 40 seconds in 2016.
“The ransomware landscape has been rapidly evolving. Back then, instances of ransomware typically involved the target’s data being encrypted, but not accessed or exfiltrated. Today, however, not only has the frequency of ransomware attacks increased substantially, but the added threat of a data breach makes them potentially much more damaging.”
2020 Breach Briefing, Beazley Breach Response (BBR) Services
Locker ransomware blocks basic computer functions. For example, a user of an infected computer may not be able to access the desktop files or properly use the mouse and keyboard. By locking users out of their computers and preventing them from using certain programs, cyber-criminals aim to have victims pay a ransom to regain control of their machines.
Crypto ransomware is malware that has been designed to encrypt the important data that is stored on a computer hard drive or network. Common targets include secured documents, files, photos, and other forms of personal information. Hackers will demand a ransom from their victims, promising to release the stolen data upon payment using a decryption key.
There are two major forces driving the adoption of ransomware: Ransomware-as-a-Service businesses lowering the barrier to entry, and the sheer profitability for threat actors.
Ransomware-as-a-Service allows malware developers to rent out their malicious software in exchange for a cryptocurrency (such as Bitcoin or Monero) or a share of what the victims pay. This allows threat actors without programming skills to spread ransomware without spending their time on development.
Why is ransomware so profitable? Simply put, victims are willing to pay, even against FBI recommendations. Cybercriminals prioritize their targets based on the perceived odds of receiving a ransom payment from their victim. Researchers from IBM Security’s X-Force surveyed executives at 600 businesses and found that 70% of those that were hit with ransomware have paid the ransom.
Ransomware can be deployed in several ways, but it is most commonly spread through phishing emails, malicious websites, torrents, and shared networks.
Often disguised as a promotional offer or free product, fraudulent emails containing malware are sent to users to retrieve personal information from infected devices.
Some websites attempt to install malware onto the computer of unsuspecting visitors, usually through popups or malicious web links.
Online file sharing and downloading is a particularly dangerous realm of the internet as ransomware can be downloaded through a file without the user knowing.
Computers connected through a shared network are at a high risk of being attacked if there has been a security breach and the system has been infected. Malware is capable of spreading from one computer to another on a shared network, making the need to prevent ransomware even more of a priority for organizations that rely on a broad network of shared devices with many users.
It is reported that the first-ever successfully deployed ransomware virus was created in 1989 by a Harvard student. 20,000 infected floppy disks were distributed to attendees of the World Health Organization’s AIDS conference. Disguised as technology that could analyze a person’s risk of getting AIDS, the floppy disks were used to infect the computers, hiding directories and encrypting the names of all files on the C drive. Victims were greeted with a cryptic message asking for a payment to recover their files.
Despite the elementary technique of the 1989 ransomware attack, the software used and the relative success paved the way for a long road of cyber-crime.
Throughout the ’90s and into the 2000s, ransomware technology developed alongside the increasingly powerful computers that became more and more mainstream in society. As businesses and civilians began purchasing computers and using them regularly, the ideation of widespread ransomware infections began to circulate throughout the criminal underworld.
In 2006, Archiveus Trojan and GPcode ransomware were developed by cyber-criminals to deploy wide-scale attacks. The ransomware was mainly distributed to victims through email and would aim to withhold information such as social security numbers and bank account information from the attacked computers.
With the technology capable of attacking a mass volume of computers, ransomware was becoming a highly lucrative business.
By the mid-2010s, ransomware had become a multi-billion dollar industry for cyber-criminals. Connecting through online forums and chat groups, hackers developed and shared open-source software code for malware that made it simpler to create successful ransomware attacks. And since 2016, over 4,000 ransomware attacks occur daily within the US.
Cybersecurity threats have become widespread in our personal lives and within the business world. Every day people are falling victim to ransomware and large corporations are investing millions to increase the efficiency of their digital security systems.
And these threats aren’t superficial in any regard. ThreatPost.com reports that the volume of ransomware incidents around the world increased 151% for the first six months of 2021 as compared with the first half of 2020. Europe, specifically, saw the highest jump in volume, spiking +234%.
The biggest reason for the continued increase in ransomware incidents is, quite simply, the profit. Steve Morgan, a cyber-security expert, believes that the rise in ransomware incidents is largely due to companies that opt to pay a ransom. “It’s the proverbial get rich scheme,” says Morgan. Paying the ransom provides hackers with more incentive to continue creating the malware and tools necessary to generate even more money from their cyber-criminal schemes.
With only 25% of business executives willing to pay between $20,000 and $50,000 to regain access to encrypted data, generating the profit from their schemes is a numbers game for hackers. Given the variance and low likelihood of a payout, hackers will continue to increase the frequency of their attacks to maximize their profit.
As the internet continues to make it easier for users to learn new skills and connect with like-minded people, the prevalence of ransomware will become more and more substantial in society and business. Crime, greed, and technology can be a dangerous combination.
The overall costs of ransomware can be tough to calculate as the effects of an attack are complicated. And unfortunately, paying the ransom does not always guarantee that the hackers will be cooperative in the recovery process.
According to Sophos’ The State of Ransomware 2021 report, the average cost of a ransomware attack was $1.85 million in 2021. This estimate takes into consideration a large number of factors, including hours of labor, reputational damage, and the ransoms paid.
When an attack occurs, companies will need to allocate resources, such as an IT team, to help restore backups and operating systems in an attempt to recover stolen and encrypted data. For most small to medium-sized businesses, outsourcing a team of cyber-security IT experts will often be necessary.
Other areas of business, such as marketing and human resources, can also be affected. A marketing team may have to focus energy towards maintaining positive public sentiment, while an HR team may be bombarded with questions and concerns from their staff.
The protection of customer and patient information is paramount for businesses in today’s world. However, as most ransomware is designed to retrieve personal information such as a home address and medical records, a company affected by ransomware will incur major reputational damage. Current and potential customers and patients will be skeptical of doing business with a company that has been hit with a network breach, fearing poor security systems and negligent staff members.
Despite the FBI’s recommendation to not pay hackers their ransom, many businesses do end up paying the high costs as a means of recovering their stolen data and minimizing the impact of the incident. In 2021, the average ransomware payment is $570,000, an amount that would financially cripple most companies.
Hackers do not discriminate much when it comes to the targeting of their attacks, though certain industries are particularly appetizing for cybercriminals. These industries include the education sector, information technology, health care, and retail. With a desire for hackers to steal personal information from customers and patients, these industries are at a particularly high risk of ransomware attacks.
The information of thousands of students, including their gender and race, was the target of a March 12th ransomware attack on the Buffalo Public Schools. Upon detection, the schools involved were forced to shut down as the school board hired a security team and requested support from the FBI to investigate and respond to the incident. Although the school board refused to pay the ransom, the response to and relief of the incident has cost nearly $10 million.
In May of 2021, a group of hackers deployed the DarkSide ransomware strain that was responsible for the disruption of the Colonial Pipeline, America’s largest pipeline of refined products. The impact of the ransomware attack was felt immediately as gas prices soared above $3 for the first time in seven years. The pipeline operator immediately paid the hackers their $5 million ransom to minimize the impact and resume their operations.
DarkSide is a new ransomware variant, associated with the DarkSide hacker group, that operates as ransomware-as-a-service (RaaS).
The Health Service Executive, which is the publicly funded healthcare system in Ireland, was attacked in May by a variant of Conti ransomware. The incident forced the HSE to shut down all of its IT systems, causing a great disturbance for the country and those relying on the HSE for health services.
The attackers have demanded a whopping $20 million in Bitcoin as ransom, a sum that the HSE and Ireland have thus far refused to pay.
A Pan-Asian retail giant, Dairy Farm, was the victim of a sophisticated ransomware attack carried out by the cyber-criminal group REvil. Dairy Farm, which operates a wide range of retail outlets including grocery and convenience stores, had its network and encrypted devices compromised in the attack that occurred in January of 2021.
The REvil group has demanded $30 million as a ransom for decrypting the stolen data and not leaking business information on the dark web.
There are many challenges and variables involved in the recovery process of each ransomware situation, making each case uniquely difficult to manage. Fortunately for companies, there are proven systems and solutions to help stop ransomware from happening in the first place.
Any worker who uses a computer and the internet is susceptible to the threat of ransomware and could put their company at risk. And as we know, ransomware may come in many different forms, so training employees on what to look out for when on their computers will be an important first step to prevention.
Considering that phishing is one of the most commonly used methods to deliver malware, employees should be able to identify potentially harmful emails. Understanding what a phishing scam email looks like will be important for employees to help prevent the success of cyberattacks.
Need to restrict internet access in your network? In this tutorial you will learn how to block websites using a free trial of BrowseControl, CurrentWare’s web content filtering software.
With BrowseControl you can…
Block websites based on URL, category, domain, or IP address
Schedule unique internet restrictions throughout the day
Assign custom policies for each group of computers or users
Enforce internet usage policies, even when devices leave the network
There are 3 ways to block employee internet access with BrowseControl
1) Block access to specific websites with the Block List
2) Restrict internet access to only certain sites with the Allow List
3) Using the Category Filtering feature you can block access to content categories such as Porn, Virus Infected, or Social Media
For complete control over internet and application use in your network, you can combine BrowseControl with BrowseReporter, CurrentWare’s internet monitoring software.
All right, let’s get started.
To begin, sign up for a free trial of BrowseControl at CurrentWare.com/Download. After filling out the form you will be provided with the files you need to get started with BrowseControl.
To install BrowseControl, run CurrentWare.exe on the administrator’s computer and follow the installation instructions; this will install the CurrentWare Console and Server.
After that, deploy the CurrentWare Client Setup file (cwClientSetup.exe) on all of the computers you would like to control.
From there you can import your Active Directory organizational units or manually create your desired policy groups.
For full installation instructions, please visit our knowledge base at CurrentWare.com/Support.
Now that you have BrowseControl installed, I’ll show you how to block specific websites based on their URL, domain, or IP address with the URL Filter.
This feature can be used to block your employees from accessing distracting websites like Facebook, TikTok, or Instagram.
First, decide whether you want to control internet access based on users or computers and select the desired mode.
Next, click on the URL Filter, then select “Blocked List”.
From the drop-down menu, select the group of computers or users that you want to restrict.
Enter the URL, domain, or IP address of the websites you want to block to the master URL list, then press the Enter key or click “Add”.
BrowseControl will apply a wildcard to the URL, ensuring that any paths within the domain will be blocked as well.
In the master URL list, select the websites you want to block for the chosen group, then click “Add to Blocked List”.
If you would like to add the selected websites to the block list of multiple groups, you can press the drop-down arrow and select “Add to Multiple Groups”, select the desired groups, then click “Add to Blocked List”.
If you have a large number of websites you would like to block, you can also use the import feature to import an existing list.
Finally, click “Apply to Clients”.
That’s it! You have now blocked your employees, students, or patrons from accessing those specific websites.
Next, I’ll show you how to restrict internet access to only certain sites.
This feature is ideal if you want to prevent your employees, students, or patrons from accessing websites that are not explicitly allowed by your organization.
The process is identical to how you would block a website, except this time you will set the internet to “off” and add the websites you would like to allow to the Allow List.
With this method, your users will only be able to access the exact websites that have been approved by your company.
Here are the full instructions.
First, decide whether you want to control internet access based on users or computers and select the desired mode.
Next, click on the URL Filter, then ensure that “Allowed List” is selected.
From the drop-down menu, select the group of computers or users that you want to restrict.
Next, set the internet to “Off”. This will ensure that only the websites that are added to the allowed list can be accessed.
Enter the URL, domain, or IP address of the website you want to allow to the master URL list, then press the Enter key or click “Add”. BrowseControl will apply a wildcard to the URL, ensuring that any paths within the domain will be allowed as well.
In the master URL list, select the websites you want to allow for the chosen group, then click “Add to Allowed List”.
If you would like to add the selected websites to the Allowed List of multiple groups, you can press the drop-down arrow and select “Add to Multiple Groups”, select the desired groups, then click “Add to Allowed List”.
If you have a large number of websites you would like to allow, you can also use the import feature to import an existing list.
Finally, click “Apply to Clients”.
Next, I’ll show you how to block websites based on content categories such as Porn, Virus Infected, and Social Media.
With BrowseControl’s category filtering feature you can block billions of websites across over 100 URL categories. More than 10,000 new domains are added each day, making it simple to restrict internet access even as new sites emerge.
Here’s how:
First, decide whether you want to control internet access based on users or computers, then select the desired mode.
Next, click on “Category Filtering”.
From the drop-down menu, select the group of computers or users that you want to restrict.
Select the web content categories you would like to block, then click “Add to Blocked List”.
Finally, click “Apply to Clients”.
That’s it!
The Allow List can also be used in tandem with the Category Filtering feature to allow websites that would otherwise be blocked based on their content category.
For example, you could use the Category Filtering feature to block Social Media while still allowing access to LinkedIn.
Now that you’ve seen the 3 key ways you can block a website with BrowseControl, I’d like to show you how to restrict internet access at certain times.
With BrowseControl’s Internet Scheduler you can schedule custom block or allow lists throughout the day.
This feature will bring some flexibility to your internet restriction policies; in this example, we will allow our employees to browse the internet during lunchtime.
Here’s how to use the Internet Scheduler.
First, decide whether you want to control internet access based on users or computers and select the desired mode.
Next, click on “Internet Scheduler”.
From the drop-down menu, select the group of computers or users that you want to restrict.
Next, click “New Schedule”.
Set the start and end time of the schedule. Then, select the schedule type.
Internet On will allow internet access to all websites that are not on the URL Block List.
Custom allowed list will only allow access to specific websites.
Custom blocked list will block access to a specific list of websites and allow access to the rest of the internet.
Custom Category blocked list will block specific categories and allow access to the rest of the internet.
Next, set your desired schedule frequency.
Daily will enable the schedule every day during the specified time period.
Weekly will enable the schedule only on specific days of the week.
Monthly will enable the schedule only on specific months.
Next, click “Add Schedule”.
If you selected one of the custom block or allow list options, you can click the link provided under the “schedule type” column to set the websites or categories that you would like on the list.
And finally, click “Enable Scheduler” if it is not already enabled.
That’s it for today. If you’re ready to start blocking websites you can get a free trial of BrowseControl at CurrentWare.com/Download.
If you have any questions during your evaluation our support team is available to help you over a phone call, live chat, or email.
See you next time!
90% of IT departments surveyed by Spiceworks restrict web access to protect against malware/ransomware infections
Preventing employees from accessing any of the millions upon millions of malicious websites that are infected with malware is a critical component of protection from ransomware.
Web filtering helps fight against ransomware attacks by proactively blocking websites that are used to execute ‘drive-by downloads’ that infect a user’s machine with the ransomware software without their knowledge.
Web filtering software allows employers to create dynamic lists of specific websites and website categories to be allowed or blocked for employee access. To apply tighter restrictions, a company can create a list of the websites that workers are allowed to access while blocking all other websites. A well-curated blocked website list will prevent access to websites that contain ransomware.
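To make the policy logic concrete, here is an added example (not BrowseControl’s own code, and not from CurrentWare) that models the decisions the tutorial above walks through: a Block List, an Allow List with the internet set to “Off”, Category Filtering with the Allow List overriding a blocked category (LinkedIn while Social Media is blocked), and an “Internet On” scheduler window. The `GroupPolicy` class, the `decide` function, the implicit-subdomain `matches` rule and the tiny `CATEGORY_DB` are all assumptions made for this illustration; a real product maintains a category database of millions of domains.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from datetime import time
from typing import Optional
from urllib.parse import urlsplit


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, bare domain, or IP address."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def matches(entry: str, host: str) -> bool:
    """A list entry matches its own host and, for domains, every subdomain
    (and therefore every path) beneath it: the implicit wildcard the tutorial describes."""
    entry = host_of(entry)
    if _is_ip(entry):
        return host == entry
    return host == entry or host.endswith("." + entry)


@dataclass
class GroupPolicy:
    """Per-group settings for one group of computers or users (assumed model)."""
    internet_on: bool = True
    blocked: list[str] = field(default_factory=list)
    allowed: list[str] = field(default_factory=list)
    blocked_categories: set[str] = field(default_factory=set)
    # Optional "Internet On" schedule window (start, end), e.g. a lunch break.
    internet_on_window: Optional[tuple[time, time]] = None


# Constructed toy category database for the example only.
CATEGORY_DB = {
    "facebook.com": "Social Media",
    "tiktok.com": "Social Media",
    "linkedin.com": "Social Media",
    "malware-sample.invalid": "Virus Infected",
}


def category_of(host: str) -> Optional[str]:
    for domain, category in CATEGORY_DB.items():
        if matches(domain, host):
            return category
    return None


def decide(policy: GroupPolicy, url: str, now: Optional[time] = None) -> tuple[str, str]:
    """Return ("allow" | "deny", reason) for one request under one group's policy."""
    host = host_of(url)

    def in_list(entries: list[str]) -> bool:
        return any(matches(e, host) for e in entries)

    # Scheduler: inside an "Internet On" window only the URL Block List applies.
    if policy.internet_on_window and now is not None:
        start, end = policy.internet_on_window
        if start <= now < end:
            return ("deny", "block list") if in_list(policy.blocked) else ("allow", "schedule: internet on")

    # The Allow List wins over category filtering (LinkedIn while Social Media is blocked).
    if in_list(policy.allowed):
        return ("allow", "allow list")
    if in_list(policy.blocked):
        return ("deny", "block list")
    category = category_of(host)
    if category in policy.blocked_categories:
        return ("deny", f"category: {category}")
    # With the internet set to "Off", the Allow List is the only way through.
    if not policy.internet_on:
        return ("deny", "internet off")
    return ("allow", "default")


if __name__ == "__main__":
    lunch = GroupPolicy(internet_on=False, blocked=["tiktok.com"],
                        internet_on_window=(time(12, 0), time(13, 0)))
    for url, when in [("https://example.org", time(9, 0)), ("https://example.org", time(12, 30)),
                      ("https://www.tiktok.com/@x", time(12, 30))]:
        print(url, when, decide(lunch, url, now=when))
```

The evaluation order is the security-relevant part: an explicit allow entry is checked first so that a category block can be carved out, and “internet off” is the final fallback, which is what makes the Allow List mode a default-deny policy.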
Many different vendors offer software designed to prevent and remove ransomware. Depending on the scale and threat of the organization, customized anti-virus software solutions are available to help protect the business from an attacker.
To minimize the impact of a successful security breach and ransomware infection, companies should prioritize maintaining secured backups of company data. Companies that maintain backups will not have to worry about paying the ransom to recover their data and can instead focus on identifying and improving the internal security flaws that failed the system.
A proper backup recovery from a ransomware attack can be as simple as reverting to a restore point, discovering the inciting incident, and remediating the vulnerabilities that made it possible.
Maintaining backups is easier said than done; if the only available backups are connected to the network they can become encrypted as well.
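A backup is only useful if it can be shown to be intact before it is needed. The following added example (written for this article, not CurrentWare’s or any backup vendor’s code) builds a SHA-256 manifest of a backup set and later verifies it, reporting missing, added and modified files and flagging rewritten files whose content has the near-maximal byte entropy typical of encrypted data. The `build_manifest`, `verify_manifest` and `shannon_entropy` helpers, the 7.5 bits-per-byte threshold and the temporary sample files in `demo()` are all assumptions of this illustration; the manifest is meant to be stored off the backup media so that an attacker who reaches the backups cannot also rewrite it.

```python
import hashlib
import json
import math
import os
import tempfile
from collections import Counter
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def write_manifest(manifest: dict, path: Path) -> None:
    # Keep this file on separate, offline media from the backup it describes.
    path.write_text(json.dumps(manifest, indent=1, sort_keys=True))


def read_manifest(path: Path) -> dict:
    return json.loads(path.read_text())


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; text sits around 4-5, encrypted or compressed data near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def verify_manifest(root: Path, manifest: dict, entropy_threshold: float = 7.5) -> dict:
    """Compare the current tree against the stored manifest."""
    current = build_manifest(root)
    report = {
        "missing": sorted(set(manifest) - set(current)),
        "added": sorted(set(current) - set(manifest)),
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "high_entropy": [],
    }
    # Only changed or new files are sampled; a rewritten high-entropy file is a
    # strong sign that the backup copy itself has been encrypted.
    for rel in report["modified"] + report["added"]:
        sample = (root / rel).read_bytes()[:65536]
        if shannon_entropy(sample) >= entropy_threshold:
            report["high_entropy"].append(rel)
    report["ok"] = not (report["missing"] or report["modified"] or report["high_entropy"])
    return report


def demo() -> tuple:
    """Constructed sample backup: a clean verification, then a tampered one."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "docs" / "invoice.txt").write_text("Invoice 1234: 10 widgets at 2.50 each\n" * 50)
        (root / "notes.txt").write_text("Meeting notes, Q1 planning.\n" * 20)
        manifest_path = Path(tmp) / "manifest.json"
        write_manifest(build_manifest(root), manifest_path)
        manifest = read_manifest(manifest_path)
        manifest.pop("manifest.json", None)  # the manifest is not part of the backup set
        clean = verify_manifest(root, manifest)
        # Simulate a backup copy that was overwritten with encrypted (random-looking) content
        # and another file that was deleted; os.urandom stands in for ciphertext here.
        (root / "docs" / "invoice.txt").write_bytes(os.urandom(4096))
        (root / "notes.txt").unlink()
        tampered = verify_manifest(root, manifest)
        tampered["added"] = [a for a in tampered["added"] if a != "manifest.json"]
        return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("clean backup ok:", before["ok"])
    print("tampered backup:", after)
```

In practice the manifest would be produced at backup time and verified on a schedule from a host that has read-only access to the backup store; a verification that reports modified or high-entropy files is the signal to treat that backup generation as untrusted and fall back to an older one.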
How an organization responds to a ransomware infection will determine the impact of an incident and how long it will take to recover.
While regaining access to encrypted files is seldom possible without the decryption key, there are important steps to take in response to a ransomware attack to help limit its effects and reduce the spread of the malware.
The FBI and other law enforcement or government bodies will recommend never to pay the ransom. Doing so often further encourages the attackers, supporting their operation with more money to fund more attacks.
Although the attackers may be motivated to maintain a reputation that they will honor their end of the deal, there is no guarantee that data can be recovered after payment. HelpNetSecurity.com writes that, in 2020, 56% of companies impacted by ransomware paid the attacker, but only 66% of those were able to recover their files.
In addition, organizations that pay ransomware demands prove that they are willing to pay, increasing risks for future attacks on their systems.
To minimize the spread of malware infection throughout the network, isolating and disconnecting the machines that have been infected is very important. This should be the top priority to prevent ransomware from having a devastating effect.
Knowing which piece of the network was the source of the ransomware infection is important in understanding how attackers gained access to the system. Doing so will not only help to resolve the situation, but it will also help organizations to address vulnerabilities and reduce future risks.
No matter its scale, any victim of a ransomware incident should consider reporting their incident to authorities. The FBI asks all victims of ransomware to report their experience to their local FBI field office, stressing that it is important for law enforcement and local authorities to be aware of cyber-criminal activity. Affected businesses can contact the FBI’s Internet Crime Complaint Center (IC3).
In Canada, the National Cybercrime Coordination Unit (NC3) and the Canadian Anti-Fraud Centre are working on implementing a new cybercrime and fraud reporting system for Canadians and businesses.
Hacking will continue to be a real-world problem for businesses in 2022 and beyond. As hackers and cyber-criminal organizations profit more and more from their sophisticated schemes, the frequency at which they choose to attack will continue to rise.
For businesses, knowing how to prevent, remove, and respond to ransomware will be important for remaining consistent in this ever-evolving world of technology and the threats it brings with it.