Cybercriminals never rest and are always looking for new ways to make money.
They no longer act alone and often work in groups, which makes them more dangerous. On this occasion we are going to talk about ransomware attacks and whether we should recover our data by paying the cybercriminals. We will look at all the dangers, and at how we can avoid paying a ransom for our data.
What is ransomware and what consequences does it have
When we suffer a ransomware attack, the malware encrypts all the data on the PC where it was executed, and it may also encrypt all the data shared on the local network. Therefore we must protect not only our own computer but every computer in the company, and check carefully what write permissions each of them has.
If we want to return to normality, we must wipe the servers and PCs and restore them from our backup copies, provided we have applied a good backup policy. The other option is to use a decryption key to unlock the files and data. The downside is that, in the vast majority of cases, obtaining that decryption key means paying a ransom to the cybercriminals.
Ransomware has a huge negative impact: it disrupts business operations and can also lead to permanent data loss. The consequences for the company are downtime and loss of productivity, revenue and reputation. And that's not all: confidential business information can also be destroyed or publicly disclosed.
Evolution of ransomware attacks
Ransomware attacks in the first 6 months of 2020 have increased at a dizzying rate. According to the Bitdefender 2020 Mid-Year Report, the number of global ransomware reports increased by 715% year-on-year. Ranked by the number of attacks received, the United States comes first, followed by the United Kingdom.
Another thing to keep in mind is that a ransomware attack is rarely targeted: 99% of them do not stalk their victims or examine them in depth. Their tactic is to send e-mails indiscriminately and then wait to see who they have hit.
Pay the ransom or restore data from backups
As we have mentioned before, cybercriminals seek to collect a ransom, and if we pay it they will supposedly give us the key. This ransom is normally paid in cryptocurrencies such as Bitcoin, although the attackers may demand a different one. Even though working with Bitcoin is relatively simple, it can take days to get everything ready. In addition, during this period you will not be able to operate normally on the infected system, or at best you will do so in a very limited way.
Even if you pay the ransom, there is no guarantee of data recovery. Sometimes the ransomware decryption does not work, or you lose some of your data. And even if your files are decrypted correctly, you are still likely to be left with malware, Trojans and keyloggers. Therefore our system will not be clean, and it cannot be trusted, after the decryption process is finished.
To summarize, we are going to give you a series of negative points for which paying the ransomware ransom is not a good idea:
- You are helping cybercriminals with their extortion business.
- Nobody guarantees that the decryption key works, first you pay, and then they may not send you anything or it may not work.
- Cybercriminals may have planted additional malware to infect you again after a while, so that you have to pay again (since you have already shown that you will pay once).
- It will always be cheaper to have a good backup policy, and not have to pay cybercriminals.
Restoring from backups, even if it takes longer, may be the solution. However, it is only possible if:
- We have a robust backup procedure, ideally following the 3-2-1 backup scheme.
- The established procedure has actually been followed.
- The backups have been tested in drills and simulated incidents.
However, the cybercriminals behind ransomware also have ways of making sure that our backups are infected too. For this reason, companies need to plan and safeguard their backups in a way that guarantees their integrity when we have to use them.
Prevention and staff awareness
Prevention against ransomware attacks starts with having an incident response plan. It is like home or any other insurance: we hope never to have to use it, but if misfortune strikes we are covered. Another important element is the awareness of a company's workers, since most infections of this type are due to an employee falling for a phishing attack.
Employees must therefore be prepared by taking security awareness courses. In addition, hiring an outside company to test workers with a surprise phishing campaign adds an extra layer of security: it poses no risk, and it lets us check whether they have learned to act correctly.
How to improve security in our company
An important element is the application of the principle of least privilege. We must ensure that employees have only the minimum access rights needed to perform the functions defined by their role. They should not be able to access functions that do not correspond to them; that way, if their account is compromised, the damage is limited because their permissions are. In the same sense, the number of people who have access to an administrator account must be kept as small as possible.
A well-configured spam filter also helps: by reducing the volume of spam, it gives us more time to look for anomalies in the emails we do receive.
We must also have good antivirus and anti-malware software that is updated every day. In addition, the operating system and the programs we use must be up to date with the latest security patches. Our network equipment must likewise be running the latest available firmware to avoid security holes.
Regarding network topology, it is best to work with segments separated into VLANs, with access controls between them. If one segment is infected, it is easier to fix and to mitigate the impact than on a flat network where all the equipment is connected together.
Good backup policy
In a ransomware attack, one of the things that will allow us to emerge triumphant from the attack is to have a good backup policy. This should be based on:
- We should have three copies of our data: the live system, plus two backups.
- Those two backups must be on different media.
- One of those backups must be done off-site.
How often we make these backups determines how much information we can lose; therefore daily backups are highly recommended, and for critical systems hourly backups are essential.
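The 3-2-1 rule above, the backup interval, and the drill testing mentioned earlier can all be checked mechanically before a restore is relied on. The following Python script is an added example, not code from the original article or from RedesZone: it models a small backup inventory with constructed sample data and checks it for the three 3-2-1 properties, for freshness against the agreed interval, and against a SHA-256 manifest recorded when each copy was written, so that a copy which has been encrypted in place is detected rather than trusted. The class and function names, the `immutable` flag and the sample copies are all assumptions of this example.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class BackupCopy:
    """One backup copy. 'payload' stands in for the backup file's bytes."""
    name: str
    media: str           # "disk", "tape", "object-storage", ...
    offsite: bool
    immutable: bool      # write-once storage (object lock, WORM tape)
    taken_at: datetime
    payload: bytes


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_321(backups: list[BackupCopy]) -> list[str]:
    """Return policy violations for the backup copies that sit beside the
    live system: two copies, on two media types, one of them off-site.
    An immutable copy is not part of 3-2-1 itself but is reported too."""
    problems = []
    if len(backups) < 2:
        problems.append(f"only {len(backups)} backup copy; 3-2-1 needs two")
    if len({b.media for b in backups}) < 2:
        problems.append("all backups share one media type")
    if not any(b.offsite for b in backups):
        problems.append("no off-site copy")
    if not any(b.immutable for b in backups):
        problems.append("no immutable copy: a delayed payload could overwrite every backup")
    return problems


def check_freshness(backup: BackupCopy, max_age: timedelta, now: datetime) -> bool:
    """A copy older than the agreed interval means more data lost on restore."""
    return now - backup.taken_at <= max_age


def verify_integrity(backup: BackupCopy, manifest: dict[str, str]) -> bool:
    """Compare the copy against the SHA-256 recorded when it was written.
    A copy that ransomware encrypted in place no longer matches."""
    expected = manifest.get(backup.name)
    return expected is not None and sha256_hex(backup.payload) == expected


def audit(backups: list[BackupCopy], manifest: dict[str, str],
          max_age: timedelta, now: datetime) -> dict:
    """Run all three checks; the result is what a drill report is built from."""
    return {
        "policy": check_321(backups),
        "stale": [b.name for b in backups if not check_freshness(b, max_age, now)],
        "corrupt": [b.name for b in backups if not verify_integrity(b, manifest)],
    }


# --- constructed sample data (not from any real system) -------------------
DAILY = timedelta(days=1)
HOURLY = timedelta(hours=1)
NOW = datetime(2020, 11, 16, 9, 0, tzinfo=timezone.utc)
ORIGINAL = b"customer-db dump 2020-11-15"   # what both copies should contain
MANIFEST = {"nas-disk": sha256_hex(ORIGINAL), "cloud-objectlock": sha256_hex(ORIGINAL)}

SAMPLE_BACKUPS = [
    # on-site copy on a NAS share; overwritten with ciphertext by the payload
    BackupCopy("nas-disk", "disk", offsite=False, immutable=False,
               taken_at=NOW - timedelta(hours=20),
               payload=b"\x9f\x11\xe3 constructed ciphertext stand-in"),
    # off-site copy in object storage with an object lock; untouched
    BackupCopy("cloud-objectlock", "object-storage", offsite=True, immutable=True,
               taken_at=NOW - timedelta(hours=20), payload=ORIGINAL),
]


def run_sample_audit() -> dict:
    """Audit the constructed inventory with a daily backup interval."""
    return audit(SAMPLE_BACKUPS, MANIFEST, DAILY, NOW)


if __name__ == "__main__":
    print(run_sample_audit())
```

In the sample the inventory satisfies 3-2-1 and both copies are fresh, but the on-site copy fails the manifest check, which is exactly the case where a restore drill that only looks at file names and dates would have declared the backups healthy. Running the same audit with `HOURLY` instead of `DAILY` flags both copies as stale, illustrating the tighter interval the text asks for on critical systems.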
In addition, a very important detail is that the backup copies must be encrypted. However, none of this will help if the cybercriminals manage to infect your backups: the ransomware is set to wait a while before it activates, so your copies may already be infected. To combat this we can use immutable backups, which cannot be written to once made, so they cannot be infected by ransomware or any other type of malware. The problem is that they are expensive, but they could save your business.
Date updated on 2020-11-16. Date published on 2020-11-16. Category: Computer class. Author: Oscar olg. Source: redeszone