The threat posed by ransomware is high, and the methods used by fraudsters are becoming increasingly perfidious. At the same time, despite increasing digitalization, IT security is still falling by the wayside in many companies: “Hackers still have it just as easy as they did a few years ago, and there is currently no end in sight to this trend,” says Aaron Hartel of Trufflepig Forensics, summarizing the situation. Find out here how ransomware works, what impact it can have on companies, and what steps you can take to protect yourself against it effectively.
Ransomware is malicious software (malware) that aims to prevent victims from accessing their own systems or data, or to encrypt them. The attackers then demand a ransom from the victims to release the data or system access again. Victims can be both private individuals and companies. The consequences range from the loss of confidential data, production stoppages, company IT failures and financial losses to a significant loss of reputation and even a threat to the company's survival. Victims are often willing to pay large sums of money to end the attack, and their suffering, as quickly as possible. While this may seem like the faster and more convenient option, paying the demanded ransom does not necessarily mean that the attack will end.
Carrying out a ransomware attack is easier than ever. This also means that both small and medium-sized companies can be affected. The report published by Sophos on the State of Ransomware 2022 shows that last year, two-thirds of medium-sized companies in Germany were affected by ransomware attacks. Almost half of those surveyed stated that they had paid the demanded ransom, and in just four percent of cases was it possible to fully decrypt all the data afterwards. The University Hospital Düsseldorf was also affected by a ransomware attack in September 2020. The result: a widespread failure of the IT infrastructure. The hospital was forced to postpone operations and to deregister from emergency care. Normal operations were only restored two weeks later. The attackers had managed to penetrate the system via a vulnerability in a VPN product. In February 2023, a Europe-wide coordinated ransomware campaign compromised more than 2100 Internet access points. Hundreds of companies were also affected in Germany. The attackers managed to gain access with little effort via the Internet to virtual machines set up with software from VMware. The data stored there was then encrypted using ransomware. Mimecast and Statista (https://www.silicon.de/41708380/m365-sicherheit-deutschlands-mittelstand-im-visier-der-cyberkriminellen) surveyed 2000 companies about their IT security regarding MS Office applications. The results show that 80% of the associated ransomware attacks took place in companies with fewer than 500 employees. Among companies with 1000 to 4999 employees, two-thirds were victims of a ransomware attack at least once.
Infection: To carry out a ransomware attack, attackers look for vulnerabilities in the system that they can use to penetrate it. These can be fundamental deficiencies in IT security, infected downloads, seemingly harmless spam or phishing e-mails, or exploit kits that enter the system via drive-by infections, for example through compromised websites or malicious advertisements (malvertising). According to the BKA (https://www.tagesschau.de/inland/cyberangriffe-deutschland-bka-100.html), phishing is the main gateway for such malware in Germany. Thanks to generative AI tools, phishing messages can now be produced in any language with a deceptively high degree of realism.

Propagation: Once inside the system, attackers try to spread. Weak passwords help them, but exposed Remote Desktop Protocol (RDP) access and generally poor security practices also favor their rapid proliferation. The more systems are compromised, the higher the potential damage for the affected company in the end.

Encryption: After gaining access, the ransomware begins encrypting files and systems. This denies users access to their own systems and leaves them at the mercy of the attacker. Without the appropriate decryption key, the data remains unreadable and unusable. Attackers often demand a ransom to hand over the key, threatening to permanently delete the data or to publish confidential information.

Payment: In many cases, the attackers demand that the ransom be paid in Bitcoin or other cryptocurrencies. This is advantageous for them because it eliminates the need for a middleman and thus a potential weak point in their strategy. However, even if the blackmailers' demands are met, it is by no means certain that they will actually release the systems and that all data can be restored. Rather, paying can be an incentive to attack again at a later date.
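The encryption stage described above leaves a telemetry trail that defenders can watch for: one process renaming many files to an unknown extension and writing near-random content in a short burst. The following script is an added example, not code from the original article or from Trufflepig Forensics. It assumes a hypothetical sensor log format (pipe-separated fields: timestamp, host, process, action, path, then either the new path or a hex sample of the written bytes); the host name, process names, file paths, thresholds and the sample log lines are all constructed for illustration.

```python
"""Flag ransomware-like mass encryption from constructed file-activity telemetry."""
import math
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Illustrative thresholds (assumptions, tune against your own baseline).
ENTROPY_THRESHOLD = 7.0        # bits/byte; office documents sit well below this
MIN_SUSPICIOUS_EVENTS = 5      # suspicious events by one process inside one window
WINDOW = timedelta(seconds=60)
KNOWN_EXTENSIONS = {"docx", "xlsx", "pptx", "pdf", "txt", "jpg", "png"}


@dataclass
class FileEvent:
    ts: datetime
    host: str
    process: str
    action: str     # "rename" or "write"
    path: str
    extra: str      # new path for a rename, hex content sample for a write


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; ciphertext approaches 8.0, plain text stays around 4-5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_line(line: str) -> FileEvent:
    """Parse one line of the hypothetical sensor format (six pipe-separated fields)."""
    ts, host, proc, action, path, extra = line.rstrip("\n").split("|", 5)
    return FileEvent(datetime.fromisoformat(ts), host, proc, action, path, extra)


def is_suspicious(ev: FileEvent) -> bool:
    """A rename to an unknown extension, or a write of near-random bytes."""
    if ev.action == "rename":
        return ev.extra.rsplit(".", 1)[-1].lower() not in KNOWN_EXTENSIONS
    if ev.action == "write":
        return shannon_entropy(bytes.fromhex(ev.extra)) > ENTROPY_THRESHOLD
    return False


def detect(lines):
    """Return {(host, process): peak suspicious events in any WINDOW} for actors over threshold."""
    per_actor = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if is_suspicious(ev):
            per_actor[(ev.host, ev.process)].append(ev.ts)
    alerts = {}
    for actor, times in per_actor.items():
        times.sort()
        peak, start = 0, 0
        for end, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[start] > WINDOW:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= MIN_SUSPICIOUS_EVENTS:
            alerts[actor] = peak
    return alerts


# Constructed telemetry: a benign editor saving one document, then a process
# renaming six spreadsheets to ".locked" and overwriting them with random-looking bytes.
LOW = b"Quarterly report: revenue grew 4%, costs flat. " * 4   # ordinary text
HIGH = bytes(range(256))   # every byte value once: exactly 8.0 bits/byte, stands in for ciphertext
T0 = datetime(2024, 3, 1, 8, 0, 0)


def _ts(seconds: int) -> str:
    return (T0 + timedelta(seconds=seconds)).isoformat()


SAMPLE_LOG = [
    f"{_ts(0)}|ws-17|winword.exe|write|C:\\Users\\a\\Documents\\report.docx|{LOW.hex()}",
    f"{_ts(5)}|ws-17|winword.exe|rename|C:\\Users\\a\\Documents\\~tmp.docx|C:\\Users\\a\\Documents\\report.docx",
]
for i in range(6):
    SAMPLE_LOG.append(f"{_ts(20 + i)}|ws-17|update.exe|rename|C:\\Users\\a\\Documents\\file{i}.xlsx"
                      f"|C:\\Users\\a\\Documents\\file{i}.xlsx.locked")
    SAMPLE_LOG.append(f"{_ts(20 + i)}|ws-17|update.exe|write|C:\\Users\\a\\Documents\\file{i}.xlsx.locked|{HIGH.hex()}")

if __name__ == "__main__":
    for (host, proc), count in detect(SAMPLE_LOG).items():
        print(f"ALERT host={host} process={proc} suspicious_file_events={count} within {WINDOW.seconds}s")
```

The benign editor produces no alert: its write is low-entropy text and its rename lands on a known extension. The encrypting process trips both heuristics twelve times inside one window. In practice the same logic is expressed as an EDR or SIEM correlation rule, and the extension allow-list and entropy cut-off are calibrated against the organisation's own file population; legitimate compression and backup tools also write high-entropy data, so the rename pattern is what keeps false positives down.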
If a ransomware attack is not investigated by IT professionals afterwards, there is also a high risk that the attackers will remain hidden in the IT system unnoticed in order to strike again at a later date.
There are two basic types of ransomware:

Locker ransomware prevents the use of basic PC functions. Among other things, the attack blocks access to the desktop, displaying only the lock screen. Only the keyboard and mouse remain partially usable, so that the victim can communicate with the blackmailers and transfer the demanded ransom. Apart from that, the device is unusable for the duration of the attack. Locker ransomware is usually not aimed at encrypting or destroying data, but simply at locking you out. A timer is used to increase the pressure on victims and force them to transfer money quickly.

Crypto ransomware, also known as a crypto trojan, aims to encrypt files and data, but usually does not restrict PC functions. Victims can still see their sensitive files, but can no longer access them. If the ransom is not paid within a certain period of time, the attackers threaten to permanently delete the encrypted data. Attacks like these show how important it is to back up and secure your data regularly.

For a long time, these were the two main forms of ransomware. However, the scams used by fraudsters are constantly evolving, resulting in new and increasingly devious threats.

Scareware uses alarming messages to frighten users into installing malware. These messages often appear official and legitimate, but deliberately urge the user to act quickly so as not to give them time to think or doubt. The dangerous thing is that victims are made to believe that their device is already infected, when in fact it is only by clicking on the supposed antivirus software, for example, that the malware is installed on the PC by their own hands. Intrusive pop-up windows and fake buttons are typical of scareware.

Leakware threatens to publish the stolen data, but does not aim to destroy it. Common victims are banks, government institutions or companies that hold confidential data.

With ransomware-as-a-service (RaaS) at the latest, ransomware has become a business model. Providers sell ready-made ransomware, enabling even fraudsters with limited IT knowledge to carry out attacks. In a sense, ransomware is being made accessible to the masses, resulting in a massive increase in ransomware attacks.
Ransomware attacks are a regular reminder of the IT security lapses that can occur. A well-thought-out, comprehensive IT security strategy is needed to prevent attacks. Here are some steps you can take to protect your business. Trufflepig Forensics is at your side on your journey to greater IT security. Together, we can build on your existing strengths and minimize your vulnerabilities.