BLOG - POST

WHAT IS A RANSOMWARE ATTACK?     

To cyber-criminals, it’s simple — spread malware to as many company systems as possible, lock down all their data, demand a ransom and wait to get paid.     

Malware has now become so sophisticated that it can evade anti-virus software and other defences created by the IT security industry. In a scenario where malware has already bypassed your existing security solutions, it is now effectively “whitelisted” to attack your business, causing as much disruption as possible by encrypting as many files in the shortest possible time. The process doesn’t alter the file names so it is hard to see which files are corrupted, meaning it can take hours or days before an organisation realises it has been victim to an attack. 

WHAT ARE THE CONSEQUENCES OF A RANSOMWARE ATTACK?     

By the time organisations realise they have suffered a ransomware attack it is often too late – much of the network is compromised, and entire systems may be locked down for days or in extreme cases over a month. From operational downtime affecting the productivity of your staff to huge revenue loss and reputational damage, the problems are vast. They can have repercussions for months if not years following the attack.     

As well as locking down your data, attackers would be able to access any personally identifiable information you hold on customers and staff; which is a significant bargaining chip for negotiators. As a result of stricter data protection laws, cyber-criminals are aware that being investigated by an ICO regulator can result in enormous GDPR fines up to 4% of an organisations revenue.  

SECTORS MOST AT RISK OF RANSOMWARE ATTACKS?     

Ransomware attacks are costing UK companies £346 million per year. But what are some of the worst affected sectors?     

Government – Currently, 17% of ransomware attacks are targeted at the government. This sector has enough funds (or insurance) to handle paying ransoms and is often understaffed in terms of IT support, making their systems vulnerable. Due to the nature of these businesses, any downtime could be detrimental to operations as well as being costly.      

Energy Sector – This sector is an attractive target to Ransomware attackers with a political motive. If control of critical company networks is lost, the company is at the mercy of ransom-seeking hackers leaving them powerless.     

Education – Unfortunately, the education sector (in particular higher education) is one of the most prevalent victims of ransomware attacks. One study on UK universities found that 63% had been hit with Ransomware at some point. Educational facilities may be more vulnerable due to the fact they have less control over devices that connect to their network, e.g. students bringing in malware-infected laptops.     

Healthcare Sector – One huge global trend in ransomware incidents was a series of attacks on health care organisations such as the NHS in 2017 and more recently, Rouen University Hospital-Charles Nicolle in France. This may be because cybe-rcriminals recognise that this sector can’t afford extended operational downtime as it could impact lives, making them very likely to pay the ransom. Although the healthcare sector is not always the wealthiest target, it is likely they will have cyber insurance due to the enormous amount of Personally Identifiable data they handle.

HIGH PROFILE CASES OF RANSOMWARE ATTACKS     

Ransomware attacks are wreaking havoc for businesses causing extensive downtime and economic harm. Here are some of the most high-profile ransomware attacks:     

NHS – In 2017, the NHS was attacked on a government scale with over 40 UK NHS hospitals and over 200,000 devices infected. It resulted in thousands of appointments and operations being cancelled. Staff had to go back to old fashioned pen and paper as all critical systems, including telephones, were down. Despite happening over three years ago, the NHS is still feeling the strain.        

Eurofins – The UK’s biggest forensic services provider faced an attack in 2019. The highly sophisticated malware caused disruption to their IT systems resulting in a backlog of over 20,000 DNA samples. Eurofins was reported to have paid the ransom to restore access to its network.     

Travelex – One of the most recent ransomware attacks happened towards the end of 2019. The attack cost over $200 million and shut down the entire network. It took over 30 days before they could get back into their systems. The knock-on effects of the attack meant they lost $85 million in revenue and suffered severe reputational damage.     

Police Federation of England and Wales – Representing over 119,000 police officers, the Surrey-based headquarters suffered a data breach due to malware. Local servers and networks were infected, and backup servers were deleted. The breach also led to a GDPR investigation from the ICO.

QUESTIONS YOUR BUSINESS SHOULD BE ASKING?     

• How do you see which files are encrypted and where they reside?
• How do you identify which user and which device initiated the attack?
• How do you stop the ongoing encryption immediately before significant damage occurs?
• How long will it take you to restore hundreds of thousands of files, and what is the total cost of downtime?
• What amount of time is needed to accurately report GDPR if thousands of files with personal information has been lost to illegitimate encryption?

 

WHAT SHOULD YOU DO IF YOUR BUSINESS SUFFERS A RANSOMWARE ATTACK?     

First and foremost, authorities advise never to pay the ransom. It is a short-term solution that only encourages more problems in the future. In fact over half of ransomware victims who pay do not successfully recover their files, either because the blackmailers have no intention of giving over the promised keys or have implemented encryption algorithms so badly that the keys don’t work.      

The most legitimate remediation strategy for retrieving your files is based on IT best practice. All organisations should have a robust backup strategy in place so that uninfected data can be restored if an attack should happen. But beware, criminals are innovating malware, so not only are they harder to detect but in some cases, backup severs have also been targeted.   

DOES MY CYBER INSURANCE COVER RANSOMWARE?     

As Ransomware attacks become more frequent cyber insurance rates are beginning to go through the roof. The central issue is the cost of fulfilling claims. Once an organisation suffers an attack and the policyholder is locked out of their network, there are only two options; pay the ransom or retrieve data from backups. If the client doesn’t have an adequate backup, then they are forced to pay. If payment is made and hackers fail to unlock compromised systems, then the insurance policy not only needs to cover the ransom amount, but also the cost of recovering systems essential to the organisation.      

Organisations must ensure they are doing everything possible to mitigate the risk of ransomware attacks so that they don’t get stung by insurance loopholes or extortionate pricing. Having a backup strategy is no longer enough. Organisations must be more proactive in their approach. That means having a solution that will identify any threat and shut it down before it has had a chance to encrypt multiple files. A containment-model is the best form of action. 

WHAT IS A RANSOMWARE CONTAINMENT SOLUTION?      

Organisations must not rely solely on a reactive response to modern malware threats. Your future defence strategy needs to include business continuity and disaster recovery with a Last Line of Defence solution, which enables automatic alerting, shutdown response and quick recovery without the enormous costs often associated with ransomware attacks.     

Containment Solutions are designed to put you on the front foot by reacting instantly as soon as a ransomware attack is activated. It supplements your firewall, network and endpoint security by quickly identifying and containing ransomware outbreaks that have passed all other security tools undetected, stopping it from spreading and highlighting affected files for easy recovery. Using built-in scripts, they shut down compromised devices and disable the user in the Active directory to contain any intrusion, locking down any devices that have been infected. 

HOW CAN DIGICORP HELP YOUR BUSINESS STOP RANSOMWARE?     

Ransomware is a threat you can’t ignore! Through our partnership with Bullwall, we bring you RansomCare a unique military-grade security solution that stops Ransomware in its tracks, minimising the damage done to your systems.     

• RC is a new and innovative technology from a central server installation (Agentless), detects ransomware attacks by looking into the heuristics of your actual data files from Word, Excel, PDF. etc., stored on your entire storage platform and in the cloud.
• RC will always detect when files are being encrypted, and once an attack starts, RC prevents the majority of files from being encrypted.
• RC is entirely agentless, continually looking for signals / unusual behaviours which are common in connection with Ransomware attacks (encryption, speed of file changes etc. on the files where none of your current protection operates).
• RC empowers IT teams to respond to attacks, shut them down instantly, recover quickly, and report the information back to the Data Protection Officer while minimising disruption and cost.

Learn more about RansomCare in this short video.

Get in touch with us to talk about building a reliable and proactive cybersecurity strategy for your Business. Email [email protected] or call us on 020 3929 3003.