Global ransomware attacks have dropped over the last few months, but a cyber security expert fears that things could be about to change without international cooperation.
What is ransomware?
Ransomware is a type of malicious software that’s used to block you from accessing your own data. Cyber criminals use this software to encrypt the files on your system by adding extensions to the attacked data. They’ll then hold this data hostage until you pay the ransom to have it released.
Once the hackers have your data, there is no guarantee that your data will be given back or decrypted, even if you meet their demands. There is also no guarantee that you will not be a target a second time around. Often, once an attack is made, the hacker will sell the details on to their associates to go after the victim again.
What is the new ransomware threat?
National Security Agency cybersecurity director Rob Joyce revealed that global ransomware attacks have decreased in recent months, as a potential result of sanctions against Russia. According to Databarracks, attacks are likely to rise again soon due to the breakdown in international cooperation caused by the Russia-Ukraine conflict.
Barnaby Mote, Managing Director at Databarracks, said: “International cooperation is a necessity for policing ransomware. One of the causes of ransomware’s growth is that some states turned a blind eye to ransomware gangs, as long as they did not target local victims.
“The Ransomware Task Force outlined clearly what needs to be done to address the issue: ‘…exert pressure on nations which are complicit, or refuse to take action against domestic ransomware groups’.
“We saw the benefits of this approach with REvil earlier in the year. The group was broken up and several members were arrested in Russia following pressure from the US to take action.
“As relations with Russia are at rock bottom, there are already signs REvil is active again, with some speculating that Russian authorities released those arrested at the start of the year.”
According to Mote, the uncertain outlook means businesses should be prepared for a new surge in ransomware attacks.
He added: “You can’t rely on international diplomacy to keep a lid on ransomware in the best of times, so it’s even less sensible to do so now. If you want to be able to reject a ransomware demand, you need to be prepared to recover your data yourself.
“Protection from ransomware covers all aspects of cyber security from user awareness training and patching through to incident response and recovery.
“The NCSC has issued guidance on ‘Actions to take when the cyber threat is heightened’. We would also recommend the NIST’s Cybersecurity Framework. Preventing an attack altogether is obviously preferable but it is not guaranteed. Rapid detection and response can significantly limit the damage and minimise the scale of the recovery effort.
“The last line of defence is always to recover from backups. Advanced ransomware attacks now will either target backups directly or will delay detonation to outlast shorter backup retention policies. Protect your backups using immutable storage and physical or logical air-gaps to prevent them from being changed or encrypted.”
How to protect against ransomware attack?
Prevention is the best cure for cyber attacks, so always use virus scanners and content filters on your mail servers. This will help cut out any spam with malicious attachments or infected links before it hits your mailbox.
It’s not 100% safe though, so always be vigilant when opening emails and clicking on links, especially from addresses you don’t recognise. But be aware that people in your address book could be hacked to send the malicious file, so treat all attachments with caution, even if you recognise the senders.
What to do if your hit by a ransomware attack
Timing is crucial when it comes to ransomware attacks. If your business is hit, follow these four steps:
- Contain the breach by isolating all affected devices from other computers and storage devices. You should also disconnect these devices from the internet, turn off the WiFi and disable core network connections.
- Identify the breach so you know how to fix it. This should become apparent from the ransom note, but you may have to investigate further. To find out where the attack originated, you could try to geo-locate the logins from the network.
- Remove the malware and any back doors, close ports and reset passwords.
- Restore your network using any backups you have.
Once this has been done (or while it’s ongoing), you should notify any affected parties. If third party data has been compromised, you’ll need to inform everyone this affects. You may also need to tell your bank, and you should definitely report the incident to the police and your insurer.
Image by Pete Linforth from Pixabay