What is a ransomware attack?
- 20 Feb 2020
- Business Security, Data Breaches
Ransomware is a type of malware (malicious software) that can lock down a computer system and encrypt all the files on it, rendering it useless. The attackers then demand a ransom to unlock the files that have been encrypted.
These attacks are more common now because payment in Bitcoin is easy to collect and difficult to trace.
How do ransomware attacks occur?
Generally staff will open email attachments sent by the attackers. These are known as phishing emails and are usually disguised as coming from a legitimate source. Sometimes social engineering is used to find out more detailed information about a specific person in an organisation, who can then be targeted with a spear phishing email that will seem very legitimate to them. Once the attachment has been downloaded and opened it can take over the system and spread like a worm through the organisation.
Other means of entry include systems exposed to the internet, such as open ports on a server or router. If these have known vulnerabilities, an attacker can find them, access the system and run the ransomware.
Who are the attackers and what do they want?
They want money. They are hackers, or criminals who have employed hackers, trying to scam people. It mostly isn’t targeted and is just a case of sending out enough emails or scanning enough open ports on the internet to get lucky.
How do I prevent my business being victim to a ransomware attack?
Some of these basic steps can help you protect your company from a malware attack.
Train your staff
Train your staff about the kinds of scams they are likely to see, like ransomware attacks. Teach them to check that emails are legitimate before following links to other websites or downloading content.
Don’t give staff admin privileges
When setting up computers for staff set their privileges so they can’t install software from unknown sources.
Use antivirus and anti malware software
This can detect malicious software like ransomware as it arrives, and it can also whitelist software to prevent unauthorised programs from running in the first place.
Patch and update your software
Software is always being updated to fix security holes. Applying patches and running these updates regularly will help protect your systems.
Backup your data
Having a robust data backup process in place is essential. This should also include an offsite option and, if possible, an air gapped option. An air gap is a backup that isn’t connected to the system or the internet. It’s not just important to have this, but essential that you test that it works and that you can restore these files should anything happen. This isn’t just good protection against malware but against fires too.
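The backup step above says a backup only counts once you have proved you can restore from it. The following script is an added example, not code from the original post: it records a SHA-256 manifest of a source directory, copies it to a backup location, simulates the damage ransomware does by overwriting the live files, detects the damage against the manifest, and then restores and verifies every file byte-for-byte. The directory names and file contents are constructed for the example; in practice the backup location would be the offsite or air gapped copy.

```python
"""Verify a backup with a SHA-256 manifest and prove that it restores.

Added example (not part of the original post). Directory names and sample
file contents below are constructed; the "backup" directory stands in for
an offsite or air gapped copy.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large files are not loaded into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each relative file path under root to its SHA-256 digest."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_against_manifest(root: Path, manifest: dict) -> list:
    """Return relative paths that are missing or whose content has changed."""
    current = build_manifest(root)
    return sorted(rel for rel, digest in manifest.items() if current.get(rel) != digest)


def backup(source: Path, dest: Path) -> dict:
    """Copy source to dest and return the manifest taken before copying."""
    manifest = build_manifest(source)
    shutil.copytree(source, dest, dirs_exist_ok=True)
    return manifest


def restore(backup_dir: Path, target: Path, manifest: dict) -> list:
    """Replace target with the backup copy and report any mismatch against the manifest."""
    if target.exists():
        shutil.rmtree(target)
    shutil.copytree(backup_dir, target)
    return verify_against_manifest(target, manifest)


def restore_drill() -> dict:
    """Back up, simulate ransomware damage, detect it, restore, and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        bkp = Path(tmp) / "backup"
        (live / "accounts").mkdir(parents=True)
        # Constructed sample data standing in for business files.
        (live / "accounts" / "ledger.csv").write_text("id,amount\n1,100\n")
        (live / "readme.txt").write_text("quarterly figures\n")

        manifest = backup(live, bkp)

        # Simulate what ransomware leaves behind: every file overwritten with unreadable bytes.
        for rel in manifest:
            (live / rel).write_bytes(os.urandom(32))

        damaged = verify_against_manifest(live, manifest)
        after_restore = restore(bkp, live, manifest)
        return {
            "files": len(manifest),
            "damaged": damaged,          # expect both files flagged
            "after_restore": after_restore,  # expect an empty list
        }


if __name__ == "__main__":
    print(restore_drill())
```

Keeping the manifest with the backup (or better, in a separate location) lets a restore drill prove that the copy is complete and untouched; a backup that is mounted on the live system can itself be encrypted, which is why the post recommends an offsite and air gapped copy.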
Get a vulnerability assessment and a penetration test
Vulnerability assessments scan your network, find all the devices on it and check them for known vulnerabilities. These can then be patched so you are more secure.
A penetration test is carried out by an ethical hacker. This is a test to help identify weak spots in a company's network so they can be fixed before a real hacker finds them.
How much should it cost?
In the WannaCry ransomware attack on the NHS in 2017 the attackers demanded around £230 per computer; across more than 200,000 computers that adds up, and the demand was set to double each week it went unpaid. The eventual cost was around £19m in lost output, £500k in IT support costs during the attack and £72m in the months following the attack.
The average cost to a business can vary a lot depending on how robust the backup process is and how many IT assets (computers, printers, servers) they have.
Ransomware is a growing threat: research has revealed that 40 per cent of UK companies reported falling victim to an average of five attacks last year, costing them £329,976 each year.
Should I pay the ransom?
The general advice is no, but it all depends. You can put this down to a risk/cost analysis. Some attackers take the money and never unlock the files.
Can it be fixed?
It is possible to get back into a computer and remove the ransomware. It is incredibly difficult, if not impossible, to decrypt the files that have been encrypted.