Ransomware: New Variants Exacerbate The Situation

Ransomware is one of the most widespread forms of cybercrime today. The BKA even describes ransomware attacks as the greatest cybercrime threat for companies and public institutions in its management report. In its current management report, the BSI writes that the damage caused by ransomware is a threat to the very existence of the organizations concerned. What many do not know: companies can easily protect themselves.

A spectacular example of a ransomware attack was the attack on the pipeline operator “Colonial Pipeline” in May of this year – with immense effects on the fuel supply situation in the USA. The attack on the Düsseldorf University Hospital occurred in September of last year, with severe consequences: the hospital had to deregister from emergency care for 13 days. A person is said to have died as a result because they could not be treated in time.

The consequences of ransomware are not always a threat to life and limb. In its current situation report, the BSI also emphasizes the enormous danger this type of attack poses to organizations. The BSI observed new developments that make ransomware even more dangerous. In autumn and winter 2020, further waves of attacks with the Emotet malware were observed. An Emotet infection enables attackers to reload ransomware on selected victims.

Extortion Of Protection And Hush Money

In a ransomware attack, cybercriminals demand a ransom to release previously stolen or encrypted data. Such blackmail attacks have long been part of a lucrative, criminal business model. No industry, region, or company size is immune to this today, and with every further development of the attacks, the ransom demands increase. It is not uncommon for them to amount to 1 million euros and more. Therefore, the Federal Criminal Police Office (BKA) describes ransomware attacks as the greatest cybercrime threat for German companies and public institutions.

The BSI observed protection money and hush money extortion as new developments. A global campaign by cyber extortionists could already be identified in autumn 2020, extorting protection money from wealthy victims under the threat of distributed denial-of-service attacks (DDoS attacks). In the case of DDoS attacks, websites are attacked so heavily with requests that they can no longer be reached. The extortion of hush money is increasing because data is no longer encrypted in an attack but also stolen. The attackers then threaten to publish the information if payment is not made.

The president of the digital association BITKOM, Achim Berg, warns: “The force with which ransomware attacks are shaking our economy is worrying and affects companies of all industries and sizes.” In a recent study, the digital association BITKOM has shown that ransomware has been the primary driver of the massive cyberattacks over the past year. The damage caused this way would have more than quadrupled compared to the previous years 2018/2019 (+358 percent). One in ten companies (nine percent) currently see their business existence threatened by cyber attacks.

How Does Ransomware Get Into The Network?

Ransomware attacks are often spread via file-sharing networks and phishing emails – hidden in images or as executable files attached to emails. One of the more popular ransomware attacks, WannaCry, exploited a vulnerability in a Microsoft protocol that made any unpatched computer connected to the Internet vulnerable to infection. Other attacks use unsecured remote desktop services. In times of remote work and home office, there are therefore a considerable number of weak points.

In its current management report, the BSI describes a three-stage attack strategy often used to spread ransomware: First, the Emotet Trojan is introduced. It serves as a door opener. The Trickbot malware is then reloaded to spy on the network, spy out passwords, and view accounts. Only then were the Ryuk ransomware installed and ransom extorted for particularly worthwhile targets. Such a very targeted attack on financially strong victims is also known as “big game hunting.” The Emotet virus has now been shut down. However, it is only a matter of time before new – possibly even more intelligent – variants of such door openers appear.

Who Is Particularly Affected?

Blackmail attacks are about money – so financially strong companies, in particular, are targeted by the attackers. Companies that store sensitive customer data are also more likely to fall victim to attacks that demand hush money. Companies that count among the critical infrastructures are also increasingly affected. These include energy suppliers, financial institutions, food, and transport companies.

The blackmailers also rate the success as high since a failure or severe impairment of such KRITIS companies leads to disruptions in public safety or supply bottlenecks. The examples in the BSI management report show what effects such attacks can have on a hospital or an oil pipeline. According to a study by the analyst Tec consult , the most common attacks on CRITIS companies are phishing attacks – a vital door-opener for ransomware. Every third company stated that clicking on such an email had already led to a security incident.

How Should Companies Respond To A Ransomware attack?

If an attack threatens the business capability, many companies feel compelled to pay – assuming they can quickly regain access to business-critical data and information. But there is no guarantee that the data will be activated again after payment. In its current status report, the BSI writes: In addition, individual attacker groups expanded their strategy to the effect that it was initially illegally stored before data was encrypted.

This means that in the event of a ransomware attack, it must now be assumed that the data has been permanently compromised, even if a ransom or hush money has been paid. With this variant, the attackers do not threaten to destroy the data but to publish it.

THEREFORE, the BKA advises that companies that are affected by an extortion attack should by no means comply with the ransom demands. Every successful blackmail animates the attacker to continue. Ransoms also finance the further development of malware and promote its spread.

Inform The Police

In a ransomware attack, companies should instead take a picture of the blackmail message on the screen and report it to the police. All infected computers should then be disconnected from each other, from shared storage, and the network as soon as possible. To regain the data, it can help set up the computer again and upload data backups.

To avoid legal consequences, companies should also check whether they

• Have to report the attack to the BSI (Federal Office for Information Security). Providers of digital services such as online marketplaces, search engines, and cloud computing services are obliged to meet a “state-of-the-art” IT security level. Incidents must be reported by Section 8c of the BSI Act.
• Have to report the attack to the supervisory authority. The attack can threaten the protection of personal data if it is not backed up. That would be a violation of the EU GDPR. Blackmailers can also sell spied and criminally encrypted data to third parties or threaten to do so, which means that the confidentiality of personal data is no longer guaranteed. This is also a violation of the EU GDPR and is punishable by heavy fines.

How Can Companies Protect Themselves From Ransomware Attacks?

The good news is: companies and authorities can protect themselves against ransomware or minimize the risk of an attack. With the following measures:

• Closing security gaps: Software manufacturers regularly publish so-called patches. With these program corrections, known errors in programs can be repaired or security gaps closed. Patches should be applied periodically and promptly to all devices in a company’s IT network. This is the best protection against any hacking attempt, including ransomware. Regular software updates are another important protection mechanism against cyber attacks and ransomware.
• No outdated systems: The age of the devices plays a vital role in network security. Outdated systems with no longer supported operating systems – such as Windows XP – should never run in a network connected to the Internet.
• Use trustworthy links: Attachments or links that are not beyond doubt of a safe origin should not be opened under any circumstances. The employees must be trained accordingly.
• Verified download sources: Employees should never download programs from the Internet that are not offered by confirmed bodies.
• Secure data with backups: Regular backups on external data carriers secure access to company-critical data.

In addition, several very effective IT security technologies can be used to ward off ransomware attacks.

• The most important protection is to secure internet access. Because the Internet is the number one gateway for attackers, this is possible with a virtual browser. This allows surfing the Internet without hackers gaining access to the company networks.
• Secure remote work & home office: If remote workers use the Internet via private or public Wi-Fi networks or other unsecured networks, their end devices can be infected or compromised. When they later access corporate or government networks with the same device, the infection spreads. This can be prevented with a highly secure VPN connection.
• Protecting web applications: The online infrastructure in companies is growing steadily, and web-based applications have long been part of everyday life. But they increase the number of possible security holes. With a firewall, such web applications can be monitored and patched in good time—additional information.

Also Read: How Cybercriminals Use AI To Manipulate Human Behavior