Ransomware is a malicious software variant that encrypts data, effectively holding files or even entire devices hostage until a ransom is paid in return for a decryption key. This key is essential for regaining access to the encrypted files or systems.
Ransomware spreads through several vectors. The most common are downloading infected files (which launch a program that then infects everything it can reach) and visiting malicious websites. Some ransomware strains instead exploit vulnerabilities in your operating system or installed applications.
The first ransomware episode
The first known ransomware attack, the AIDS Trojan (also known as PC Cyborg), occurred in 1989.
Joseph L. Popp, an evolutionary biologist, distributed 20,000 infected diskettes labelled 'AIDS Information – Introductory Diskettes' to attendees of the World Health Organisation's international AIDS conference. This ransomware hid directories and encrypted file names on the victim's computer. To regain access, victims had to send $189 to PC Cyborg Corp. in Panama. Dr. Popp was eventually caught and indicted for blackmail as this was the most relevant charge at the time.
Fortunately, the AIDS Trojan was relatively simplistic and contained several flaws, allowing users to recover their data without paying the ransom. However, this incident marked just the beginning of ransomware attacks. Over time, ransomware evolved, and cybercriminals refined their techniques, leading to the sophisticated and damaging ransomware attacks we see today.
Evolution of ransomware
The evolution of ransomware has shifted from mere disruptions for fun to a profit-driven enterprise. It’s crucial to recognise that cybercriminals learn from past mistakes, continually improving their tools to exploit users effectively.
Initial ransomware attacks relied on blackmail tactics rather than encryption. The encryption aspect became prominent when cybercriminals found secure and untraceable methods to extract money from their victims.
The threat landscape is constantly evolving, and new ransomware variants have emerged over time:
- Cryptolocker: one of the early ransomware variants that gained notoriety for encrypting victims' files and demanding a ransom for decryption.
- WannaCry: widespread ransomware attack in 2017 that exploited a Windows vulnerability. It caused significant disruption to organisations worldwide.
- NotPetya: destructive ransomware strain that targeted businesses and organisations, encrypting their data and rendering systems unusable.
- Locky: ransomware strain known for its widespread distribution through malicious email attachments.
- Ryuk: ransomware variant often associated with financially motivated cybercriminals. It targets organisations and demands large ransoms.
- Sodinokibi/REvil: ransomware-as-a-service (RaaS) variant that allows other cybercriminals to use its infrastructure for attacks. It has been linked to high-profile attacks.
- Maze: gained notoriety for not only encrypting files but also stealing data from victims. The attackers threatened to release the stolen data if the ransom wasn't paid.
- DoppelPaymer: variant that combines ransomware with data theft, like Maze.
- Conti: known for its double extortion tactics; it encrypts data and threatens to release it if the ransom isn't paid.
How to prevent a ransomware attack
Ransomware attacks can be devastating, but with the right precautions, you can significantly reduce the risk. Here is a comprehensive 12-step approach to preventing ransomware:
- Keep software and systems updated: regularly update your operating system, software, and applications to patch vulnerabilities. Many ransomware attacks target known weaknesses.
- User education and training: train employees to recognise phishing attempts and suspicious system activities. Encourage them not to click on suspicious links or download attachments from unknown sources.
- Use effective antivirus software: deploy reputable antivirus and anti-malware solutions such as CrowdStrike. Keep them up to date to detect and block ransomware threats.
- Promptly update third-party applications: vulnerabilities in third-party software can be exploited. Ensure that all applications are updated promptly to address security flaws.
- Restrict administrative privileges: limit administrative rights to essential personnel. This reduces the risk of unauthorised downloads and installations.
- Implement file integrity monitoring (FIM): FIM tools help detect and alert on unauthorised changes to critical system files, enhancing early threat detection.
- Regular backup practices: maintain secure and regular backups of critical data. Ensure backups cannot be overwritten by users and periodically test their restore functionality.
- Set important file-shares to read-only: configure critical file-shares as read-only to prevent ransomware from altering or encrypting essential files.
- Invest in off-site backups: storing backups off-site ensures data recovery even if on-site systems are compromised. This is essential for business continuity.
- Network segmentation: segment your network to isolate critical systems and data from potential ransomware attacks. This limits lateral movement for attackers.
- Incident response plan: develop a detailed incident response plan that includes steps to identify, isolate, and mitigate ransomware attacks swiftly.
- Regular security audits: conduct security audits and assessments to identify vulnerabilities and address them proactively.
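The file integrity monitoring point above is easier to grasp with a concrete mechanism. The following is an added example, not code from the original article or from any FIM product it mentions: it baselines a directory by SHA-256 digest, rescans it, and reports modified, added and removed files. As an extra indicator it flags changed files whose content now has near-random byte entropy, which is what encrypted output looks like; the 7.0 bits-per-byte threshold, the 64-byte minimum and the constructed sample files in `demo()` are assumptions for illustration. The same digest comparison can be reused to confirm that a restored backup matches what was backed up.

```python
"""Minimal file integrity monitor (FIM): baseline a directory, then detect changes.
Added example; thresholds and sample files are constructed for illustration."""
import hashlib
import math
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encrypted or compressed content sits near 8.0, plain text well below."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def build_baseline(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest and size."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = str(p.relative_to(root))
            baseline[rel] = {"sha256": sha256_of(p), "size": p.stat().st_size}
    return baseline


def compare_to_baseline(root: Path, baseline: dict) -> dict:
    """Rescan root and report what changed since the baseline was taken.

    'high_entropy' lists modified/added files whose bytes now look random,
    an assumed heuristic (threshold 7.0 bits/byte) for encrypted content."""
    current = build_baseline(root)
    modified = sorted(k for k in baseline
                      if k in current and current[k]["sha256"] != baseline[k]["sha256"])
    added = sorted(k for k in current if k not in baseline)
    removed = sorted(k for k in baseline if k not in current)
    high_entropy = []
    for rel in modified + added:
        data = (root / rel).read_bytes()
        if len(data) >= 64 and shannon_entropy(data) > 7.0:
            high_entropy.append(rel)
    return {"modified": modified, "added": added,
            "removed": removed, "high_entropy": sorted(high_entropy)}


def demo() -> dict:
    """Constructed scenario: baseline three files, then simulate unauthorised changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "config.ini").write_text("[db]\nhost=localhost\n")
        (root / "report.txt").write_text("quarterly figures\n" * 20)
        (root / "notes.txt").write_text("meeting notes\n")
        baseline = build_baseline(root)
        # Simulated tampering: one file overwritten with random (encrypted-looking)
        # bytes, one deleted, one unexpected file created. config.ini is untouched.
        (root / "report.txt").write_bytes(os.urandom(4096))
        (root / "notes.txt").unlink()
        (root / "new_file.txt").write_text("unexpected content\n")
        return compare_to_baseline(root, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In a real deployment the baseline would be stored off-host (a compromised machine can rewrite a local baseline), the scan would run on a schedule, and any non-empty `modified`, `removed` or `high_entropy` list for protected paths would raise an alert rather than just print.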
Remember that prevention is key, but no security measure is foolproof. A multi-layered approach combining prevention, detection, and response strategies is essential for effective ransomware protection.
Our cyber security experts are ready to help you build a robust defence against ransomware. Contact us for personalised guidance to secure your business.