Understanding the tactics and techniques attackers use — and how to defend against them
As part of Cyber Security Awareness Month, Field Effect is publishing a series of blogs to help you stay informed and aware of the threats facing small and mid-size businesses and what you can do to defend against them.
You’ve probably seen something about ransomware in a news report or an article online. Maybe you’ve heard the horror stories of business operations grinding to a halt following an attack, or companies forced to close up shop due to the costs of an attack.
Unfortunately, they’re not just stories; these attacks can and do occur, and when they hit, many companies are stuck between a rock and a hard place.
The reality is that ransomware is a serious concern for all businesses, no matter their size or the sector they work in, although small and mid-size businesses (SMBs) continue to be major targets.
Every vertical market is a ransomware target
The days when cyber attacks were exclusively a problem for large enterprises are long gone.
Cyber security is critical to businesses of all sizes, and as more workforces operate remotely and leverage internet-connected technologies to maintain operations, companies are facing a growing number of risks.
Unfortunately, ransomware threats have grown in lockstep with this transition.
The Canadian Internet Registration Authority’s (CIRA) 2020 Cybersecurity Report found that malicious software (malware) such as ransomware remains the top-of-mind concern for IT professionals, with 57% of CIRA’s respondents saying malware could have the greatest impact on their organization.
And according to Verizon’s 2020 Data Breach Incident Report (DBIR), ransomware is a growing threat and may be far more common than the data suggests, accounting for well over a quarter of all detected malware attacks. What’s more, nearly a third of all victims are SMBs.
That shouldn’t come as a surprise; after all, the data you rely on to operate your business is highly valuable to attackers looking to steal it, sell it, ransom it, or leak it. Adding fuel to the fire, small businesses often lack the resources necessary to put strong cyber security measures into place.
That’s why it’s more important than ever for SMBs to stay informed of the threats they face and secure their operations against an attack.
What is ransomware and how does it work?
Starting with the basics, ransomware is a form of malware intentionally designed to block access to your computer, demanding a ransom payment (hence the name) to restore access. Ransomware attacks may lock data on your computers, smartphones, networks, or other internet-connected devices.
But for that to happen, attackers first need access.
This access is most often obtained through phishing or similar social engineering tactics, where an attacker sends an email or text (or another digital message, possibly through a social networking site) that contains a link or attachment. These messages and links are designed to look as authentic as possible in an attempt to get users to click.
Clicking one of these malicious links or downloading a malicious attachment triggers the installation of ransomware, which (in most cases) will then encrypt the data on the device, making it inaccessible. The victim receives a message demanding payment if they want their data back.
Still, awareness of phishing and social engineering tactics may not be enough; some attacks target known security vulnerabilities, exploiting unpatched hardware or software to gain access.
What’s more, paying a ransom is no guarantee you’ll get access to your data again — in fact, paying up might even be illegal, depending on where you do business.
Even after major disruptions to your operations and the resulting financial loss, attackers might just take the money and run, making recovery even harder. Now you’re stuck reporting on a data breach and dealing with fallout as you explain the situation to customers, in turn creating lasting damage to your reputation.
What are the most common types of ransomware?
Ransomware’s widespread use over the last decade has resulted in a number of varieties:
- Crypto ransomware: When most people think of ransomware locking up their files, chances are they’re thinking of crypto ransomware. This type encrypts the data on a device or network before demanding ransom, promising a decryption key if the victim pays up. Crypto ransomware is by far the most common variety, with attacks frequently making headlines, including a recent attack on Canadian law firms. “At this point, we do not know when or if they will ever regain complete access to their kidnapped data,” commented the Law Society of Manitoba. Major strains include WannaCry, b0r0nt0k, and Ryuk.
- Locker ransomware: Locker ransomware, despite its name, does not encrypt data to extort payment from victims. Instead, this type of ransomware blocks access to files by locking users out, and in some cases will display a message claiming to be a law enforcement agency to extort a “fine” payment from users. Reveton, one major strain, used a falsified message claiming to be from the FBI to scare users into paying.
- Doxware: Doxware (also known as extortionware) threatens to exfiltrate data from an infected device or network if a victim does not pay up, taking its name from the practice of “doxing,” or leaking highly sensitive personal data. These attacks are highly targeted at organizations or users with sensitive data. Some attackers have used the Maze ransomware strain to seize data before leaking it publicly, and a recent attack on a UK-based university resulted in ransomed data being exposed online.
There is often significant overlap between variants, with individual ransomware types building off variants that have succeeded in the past. Ransomware is always evolving as attackers modify the techniques and tactics they use to extort a payment.
How to defend against a ransomware attack (and spot them before they happen)
Defending against ransomware attacks may seem intimidating at first glance, but the truth is that even a few simple, easy-to-implement best practices can help protect your business from an attack.
- Back up your data. Regular backups of sensitive and important information can help ensure business continuity in the event of a ransomware attack. If an attack does lock up your IT systems, a recent backup can be restored on a clean, secure device or network to get your business up and running.
- Update and patch systems and software. Regular patching, updating, and maintenance help protect against or eliminate known cyber security vulnerabilities in your IT systems and network and prevent attackers from accessing your systems via the internet.
- Protect systems that connect to the internet. Using a DNS firewall will allow you to limit access to known malicious websites, helping defend against potential social engineering attacks while blocking malicious code and securing access to cloud apps and corporate websites. Leveraging a virtual private network (VPN) can also help, giving workers a secure means of accessing corporate data or otherwise connecting to your network from remote locations.
- Develop a culture of cyber security. Train employees to watch for and understand the tricks attackers use, to spot and avoid potential phishing links, and to flag requests for personal information or credentials. Password policies, password managers, and multifactor authentication (MFA) can also provide ways for employees to take responsibility for keeping their devices and company data secure.
- Monitor your network for threats. Staying ahead of ransomware demands a view into what’s happening across your IT environment. Tools that allow you to monitor your network, end-user devices, and cloud services for suspicious activity or traffic can help you identify potential threats early. Look for a proactive monitoring solution that also prioritizes threats and provides guidance about the actions you can take to prevent ransomware infections.
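To make "suspicious activity" concrete for crypto ransomware, here is an added example (not Field Effect's code or any product's logic) of one common monitoring heuristic: flag a process that rewrites several files with near-random content in a short window. The thresholds, event format, and process and file names are assumptions, and the sample events are constructed.

```python
import hashlib
import math
from collections import Counter, defaultdict

ENTROPY_THRESHOLD = 7.0  # bits/byte; assumed cut-off, encrypted data sits near 8
BURST_COUNT = 3          # assumed: this many high-entropy writes by one process...
BURST_WINDOW = 60        # ...within this many seconds raises an alert

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: roughly 4-5 for text, close to 8 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def find_encryption_bursts(events):
    """events: (timestamp_s, process, path, bytes_written) tuples.
    Returns {process: timestamp of the write that completed a burst}."""
    recent = defaultdict(list)  # process -> times of recent high-entropy writes
    alerts = {}
    for ts, proc, _path, data in sorted(events, key=lambda e: e[0]):
        if shannon_entropy(data) < ENTROPY_THRESHOLD:
            continue  # ordinary documents and text stay below the cut-off
        recent[proc] = [t for t in recent[proc] if ts - t <= BURST_WINDOW] + [ts]
        if len(recent[proc]) >= BURST_COUNT:
            alerts.setdefault(proc, ts)
    return alerts

def _ciphertext_like(seed: str, size: int = 4096) -> bytes:
    """Constructed stand-in for encrypted or compressed content."""
    return b"".join(hashlib.sha256(f"{seed}{i}".encode()).digest()
                    for i in range(size // 32))

TEXT = b"Invoice 1042: 3 units at 19.99, due in 30 days.\n" * 80

# Constructed sample events; process and file names are invented.
SAMPLE_EVENTS = [
    (0,   "notepad.exe",   "notes.txt",    TEXT),
    (5,   "backup.exe",    "nightly.zip",  _ciphertext_like("zip")),
    (10,  "photosync.exe", "img1.jpg",     _ciphertext_like("p1")),
    (400, "photosync.exe", "img2.jpg",     _ciphertext_like("p2")),
    (800, "photosync.exe", "img3.jpg",     _ciphertext_like("p3")),
    (900, "unknown.exe",   "budget.xlsx",  _ciphertext_like("a")),
    (910, "unknown.exe",   "clients.docx", _ciphertext_like("b")),
    (925, "unknown.exe",   "payroll.csv",  _ciphertext_like("c")),
]

if __name__ == "__main__":
    print(find_encryption_bursts(SAMPLE_EVENTS))
```

Compressed archives and images are also high-entropy, which is why the check keys on a burst from a single process rather than on any one file; the backup and photo-sync events above do not alert.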
Just because cyber attacks on SMBs are becoming more common doesn’t mean you’re powerless. Knowing what to look for, how to respond, and how to protect your business can prevent costly downtime, data loss, reputational damage, and legal risks.