WHITEPAPER RANSOMWARE ENEMY AT THE GATE ------------------------------------------------- ------------------------------------------------- ® 2 TABLE OF CONTENTS 3 INTRODUCTION ............................................................................................................................................................................................. 4 THE COST OF RANSOMWARE ...................................................................................................................................................... 5 RANSOMWARE: IN THE BEGINNING ..................................................................................................................................... 6 NOT YOUR ORDINARY MALWARE .......................................................................................................................................... 7 THE TYPICAL RANSOMWARE ATTACK ............................................................................................................................ 8 NEW ATTACK PATTERNS ................................................................................................................................................................. 9 RANSOMWARE TRENDS .................................................................................................................................................................... 10 KNOW YOUR RANSOMWARE ....................................................................................................................................................... 13 RANSOMWARE EXAMPLES ............................................................................................................................................................ 14 TO PAY OR NOT TO PAY ...................................................................................................................................................................16 TOP RANSOMWARE TARGETS .................................................................................................................................................. 17 ATTACK PREVENTION BEST PRACTICES ...................................................................................................................... 18 RANSOMWARE ATTACK SURVIVAL .................................................................................................................................... 21 THE CHALLENGE CONTINUES ................................................................................................................................................... 22 LEARN MORE ................................................................................................................................................................................................. 23 4 INTRODUCTION They are out there waiting... “They” are the notorious, largely unknown cybercriminals, ready to wreak havoc by taking advantage of information technology vulnerabilities. Their weapons of choice are an ever-growing array of sophisticated viruses, phishing scams, and a tool that’s proven to have devastating repercussions — ransomware. Ransomware is a type of malware that secretly enters a user’s system, usually because a computer user opened an email and clicked on a malicious link or attachment. Once in, the ransomware silently encrypts the user’s data. A ransom message is then displayed, demanding a payment for a key that can decrypt the data. Of the many types of cybercrime, ransomware is the fastest growing. By the end of 2021, it’s likely that a business will be targeted by a ransomware attack every 11 seconds. A ransomware attack could be happening right now, as unaware or negligent employees at any number of companies around the world click links in spam emails or activate macros in malicious documents. Their companies’ data will quickly be encrypted, and a ransom of hundreds, thousands or even millions of dollars will be demanded for the data to be unlocked. There is no single, guaranteed strategy for preventing a ransomware attack, or for recovering quickly if one does occur. However, there are protocols, practices, and processes to help mitigate attacks and minimize their damage. This whitepaper looks at some of them, and provides an overview of ransomware, how it works, and how to deal with an attack should one occur. 5 THE COST OF RANSOMWARE For cybercriminals, ransomware is a highly profitable endeavor. For the victims of ransomware, it’s a costly one. Industry analysts predict global ransomware damage costs to reach $20 billion in 2021 – 57 times more than the costs in 2015. Ransom money is only one half of the cost involved. There’s also the costs associated with downtime, which can bring business operations and revenue generation to a halt. With downtime due to ransomware attacks increasing, the related costs are likely to do the same. In the third quarter of 2020, downtime was 19 days compared to 12.1 day in the third quarter of 2019. Additional costs can be attributed to all the working hours required to restore systems, clean up the damage caused by the attack, and strengthen cybersecurity. On average, the cost to recover from ransomware attacks – without paying the ransom – totaled more than $732,520 in the US. When the organizations paid, the recovery costs nearly doubled to $1.4 million. 6RANSOMWARE: IN THE BEGINNING To combat ransomware and its ill effects, it’s that cybercriminals started employing difficult- leveraged a vulnerability in the Microsoft Windows important to understand how it originated and to-crack encryption algorithms such as RSA — a operating system. In just a few hours it infected why it’s become so pervasive. While its origins are public-key cryptosystem used for secure data more than 300,000 machines in over 150 open to debate, many cite the AIDS trojan as the transmission. In 2011, combatting cybercrime countries, encrypting data and demanding ransom first documented case of ransomware. became more difficult. Ransomware appeared payments in bitcoins. The list of victims read like a that looked like a Windows Product Activation list of ‘who’s who,” with names like FedEx, Hitachi, Also known as the PC Cyborg virus, the AIDS notice, making it difficult for users to distinguish Honda, the Ministry of Internal Affairs of the trojan was released via floppy disk in 1989 by between real notifications and malware. Russian Federation, Nissan Motor Manufacturing an eccentric biologist named Joseph Popp. UK, Portugal Telecom, Shandong University, and He distributed 20,000 disks labeled “AIDS Then in 2012, the ransomware game became the State Governments of India. Information - Introductory Diskettes” to attendees even more deceptive with the introduction of the of the World Health Organization’s AIDS Reveton worm. Also known as the “Police Trojan,” While ransomware attacks continue to impact conference. it would display a warning supposedly from a law businesses of all sizes, they’re increasingly enforcement agency claiming that the computer affecting everyday life. Case in point: In 2020 a While the disks included a program that measured has been used for illegal purposes. It would then ransomware attack blocked access to healthcare a person’s risk of contracting AIDS based on restrict access to the computer and files. Users and contributed to the first reported death. responses to an interactive survey, they also were literally locked out of their computers unless The attack locked a German hospital out of its contained a virus that encrypted victims’ files after they paid a “fine” through a service such as Ukash. systems, leaving it and unable to treat patients. A they had rebooted their computer 90 times. To woman requiring urgent care was rerouted to a regain access, users were ordered to send $189 to Cybercriminals upped their game again in 2013 neighboring hospital but didn’t survive. a designated PO box. with the release of CryptoLocker. The ransomware encrypted files and then demanded a ransom in Another example occurred in May 2021 when a Fortunately, an easily reversible form of return for a key to decrypt them. It infected more ransomware attack forced Colonial Pipeline, which cryptography had been used to hijack victims’ than 250,000 systems between September and provides roughly 45% of the East Coast’s fuel, hard drives. Decryption tools were quickly December 2013, earning its creators earned more to shut down operations and freeze IT systems. released, limiting the damage and costs. than $3 million before the botnet used to carry out Concerns about potential gas shortages led many Nonetheless, the AIDS trojan demonstrated how the attacks was taken out. It became the template people to panic buy, creating fuel shortages and easy it was to gain access to users’ systems and for most of the ransomware attacks since. long lines at the gas pumps. coerce those users into paying up. On May 12, 2017 the largest cyberattack, as of Various forms of ransomware appeared in the that date, ravaged businesses around the world. following years, but it wasn’t until the mid-2000s A ransomware worm dubbed “WannaCry” 7 NOT YOUR ORDINARY MALWARE Ransomware has distinctive features that distinguish it from other infrastructure and launch more attacks. What makes ransomware types of malicious software — and that make it far more sinister. For exceptionally difficult to stop is the fact that it uses a complex set of example, it can encrypt all kinds of files, including documents, pictures, evasion techniques to go