In this post, we answer common questions about ransomware, including new guidance from the FBI based on recent activity from their most wanted cybercriminals.
What is the latest ransomware threat?
On Friday, February 4, 2022, the Federal Bureau of Investigation published a technical alert about recent LockBit ransomware attacks. The FBI requested that LockBit victims promptly report attacks to their local FBI Cyber Squad.
LockBit ransomware has been active since September 2019, when it launched as ransomware-as-a-service (RaaS), one of the four most common types of ransomware. LockBit was upgraded when hackers rolled out LockBit 2.0 in June 2021.
Six months later, in January 2022, it appears a Linux encryptor tool was added to specifically target VMware ESXi servers. With the addition of an encryptor tool, LockBit became a hybrid, combining ransomware-as-a-service and features of crypto-ransomware. It also caught the FBI’s attention.
What are the most common types of ransomware?
It’s generally agreed that crypto-ransomware is the most common and widespread of the four main forms. It encrypts some or all files on a computer, rendering their contents inaccessible without a decryption key. A ransom is demanded in exchange for the key. Years of wide-ranging experience with crypto-ransomware show the usual pattern: once the ransom is paid, the key is delivered, the files are decrypted, and the cybercriminals move on to their next victim.
Taking the crypto concept a step further, locker ransomware completely blocks access to the entire computer system. A message on the computer screen demands a ransom in exchange for access. As with crypto-ransomware, once the ransom is paid, the files become accessible again, and the cybercriminals move on.
Are there other types of ransomware?
Yes. Double-extortion ransomware and ransomware-as-a-service have become increasingly popular in the past few years.
Double-extortion ransomware encrypts computer files and exports their data, and then extorts victims into paying ransom by threatening to publish the stolen data. The double-whammy here is that paying the ransom does not guarantee that the data is safe, since cybercriminals have the data. Conceivably, they could make another ransom demand down the road by threatening to expose or sell the data on the dark web. Typically, as data ages it becomes less valuable, so the double-extortion threat may diminish over time.
Finally, ransomware-as-a-service (RaaS) is so named because its creators host their various ransomware strains on dark websites and allow other cybercriminals to purchase them on a subscription basis. Remember software-as-a-service? Subscription fees may vary depending on the strain’s features and are paid to the creators from the proceeds of the ransom.
Hybrid strains of ransomware are also common. One such example is DarkSide, a RaaS that targeted high-profile victims in 2020 and also used double extortion and other techniques. Similarly, Egregor is a RaaS that was used in highly publicized attacks in 2020 and also employed double extortion—as well as publicly ridiculing its victims for having poor security.
Ransomware in all its forms is operated as a business for profit, and as long as victims continue to pay ransoms, cybercriminals will continue to profit from their various ransomware attacks.
What does ransomware cost?
In 2020, the overall cost of ransomware attacks was $20.8 billion, according to Comparitech, a team of security researchers, writers, editors, and developers who study cybercrime and data security. This figure includes not only ransom payments but also regulatory fines and penalties and a wide variety of remediation costs for all victims.
In 2021, the average cost for one organization to recover from a ransomware attack was $1.85 million, according to Sophos. In addition to the ransom payment, this cost included downtime, lost business, manhours, device, and network costs.
Who are the most frequent ransomware targets?
While record-breaking, enterprise-level ransom demands make for shocking headlines, the fact is that 70% of all ransomware victims are small and medium-sized businesses, according to an article on Backblaze.
For any such business, spending $1.85 million to pay the ransom and recover from the attack poses a significant burden. In addition, the prospect of dealing with the fallout and all its moving parts is more than challenging for a small or medium-sized business.
Is it illegal to pay ransom to cybercriminals?
Most companies choose to pay the extortion fee, or ransom, to recover their data when it’s been captured by ransomware criminals.
Depending on the size of the initial demand, it is not uncommon for victims to negotiate the ransom down to a lesser payment.
It is not illegal to pay the ransom demand. However, various law enforcement authorities, including the FBI, strongly advise against doing so. That’s because rewarding data thieves by paying the ransom perpetuates the use of this extortion tactic.
Is there an alternative to paying ransom?
Yes. Some companies elect not to pay the ransom demand. Instead, they retrieve and restore their latest data backup and resume normal business operations. They are adhering to best security practices, which call for complete daily data backups. However, even if they are able to resume business operations quickly, the threat still lingers that, if their data was actually stolen, the stolen copy could be placed for sale on the dark web.
Is cyber insurance a viable option?
Cyber insurance has become more commonplace as ransomware and other attacks have skyrocketed. Cyber insurance covers an organization’s liability in the event of a data breach in which sensitive customer information is potentially compromised.
In cases where insurance policies are current and applicable, cyber insurers have reimbursed victimized companies for all or a portion of their claims. As with most insurance, rising threats and claims tend to increase the premiums, which happened in the summer of 2021. According to a July 2021 article on ZDNet, the relentless rise in costly ransomware attacks drove up cyber insurance premiums by 40%.
How do ransomware attacks occur?
Ransomware relies on a variety of delivery systems. Exploiting the human factor, cybercriminals frequently conduct phishing and spear-phishing schemes. These and similar social engineering techniques are used to manipulate employees into revealing information that allows access. Ransomware is sometimes delivered in email attachments or links.
Cybercriminals also exploit security vulnerabilities in networks, email systems, software, and websites in order to gain access to data. Upon accessing the data, they can install ransomware and begin the ransom process.
What can we do to avoid a LockBit ransomware attack?
To address human vulnerabilities, frequent employee training and security awareness programs are recommended. These help to sensitize employees to the threat of ransomware and educate them in actions to take if an email or phone call seems suspicious.
To address technology and infrastructure vulnerabilities, implementing security best practices is a great place to start. And complying with applicable regulatory requirements for network and data security is fundamental (and mandatory).
The FBI recommends the following actions be taken promptly to safeguard networks against the LockBit ransomware as well as other types of ransomware.
- Require all accounts with password logins, including admin accounts, to have strong and unique passwords.
- Require multi-factor authentication for all services wherever possible.
- Keep all operating systems and software updated.
- Remove unnecessary access to administrative files and systems.
- Use a host-based firewall to restrict connections to administrative shares via server message block (SMB) from a limited set of administrator machines.
- Enable the protected files feature in Windows OS to prevent unauthorized changes.
- Segment networks to prevent the spread of ransomware and malware.
- Use a network monitoring tool to identify, detect, and investigate abnormal activity.
- Implement time-based access for accounts set at the admin level and higher.
- Disable command-line and scripting activities and permissions.
- Maintain offline backups of data, and regularly test backup and restoration.
- Ensure all backup data is encrypted, unchangeable, and completely covers the data infrastructure.
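As an added example that is not part of the FBI alert or of this post, the following PowerShell script implements two of the items above on a Windows server: it scopes inbound SMB (TCP 445) to a defined set of administrator workstations using the built-in Windows Defender Firewall, and it turns on Controlled Folder Access (the Microsoft Defender "protected folders" feature). The administrator addresses and the protected share path are constructed placeholders; run it in an elevated session on the host being hardened.

```powershell
# Added example (not from the FBI alert or the post): restrict inbound SMB (TCP 445)
# to a defined set of administrator workstations, then enable Controlled Folder Access.
# Assumption: the addresses below are constructed placeholders for your admin workstations.
$AdminHosts = @('10.0.50.10', '10.0.50.11', '10.0.50.0/28')

# 1. Ensure the default inbound action is Block on every profile, so only explicit
#    Allow rules admit traffic. Windows evaluates explicit Block rules ahead of Allow
#    rules, so we scope the Allow rule instead of adding a Block-all rule for 445.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# 2. Disable the built-in SMB-In allow rules, which admit port 445 from any address.
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound |
    Where-Object { $_.DisplayName -like '*SMB-In*' } |
    Disable-NetFirewallRule

# 3. Replace them with a single Allow rule scoped to the admin hosts only.
$RuleName = 'Admin shares - SMB from admin workstations only'
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort 445 -RemoteAddress $AdminHosts -Action Allow -Profile Domain,Private
}

# 4. Verify: list every enabled inbound Allow rule that still covers TCP 445 and show
#    its remote scope. Anything with RemoteAddress 'Any' undoes the restriction.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    if ($port.Protocol -eq 'TCP' -and ($port.LocalPort -contains '445' -or $port.LocalPort -eq 'Any')) {
        [pscustomobject]@{
            Rule          = $_.DisplayName
            RemoteAddress = (($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ',')
        }
    }
}

# 5. Controlled Folder Access: block untrusted processes from modifying files in the
#    protected locations (a constructed share path is added to the protected set).
Set-MpPreference -EnableControlledFolderAccess Enabled
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Shares\Finance'
Get-MpPreference | Select-Object EnableControlledFolderAccess, ControlledFolderAccessProtectedFolders
```

Step 4 is the check to keep in a scheduled audit: any Allow rule that lists port 445 (or 'Any') with a remote scope of 'Any' reopens the administrative shares to the whole network.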
Summary
The evolution of LockBit ransomware caused the FBI to issue an alert on February 4, 2022. The FBI alert provides specific guidance for strengthening network security and encourages organizations to act promptly to harden their systems. Because many ransomware attacks rely on social engineering techniques, employee training specific to ransomware and social engineering is also advised.
While exorbitant enterprise-level ransom demands dominate headlines, almost three-quarters of all ransomware attacks target small and medium-sized businesses. Implementing recommended security actions is as important for these businesses as it is for enterprises, if not more so.
The cost of failing to take the recommended security actions can be high. In 2021, the average cost for an organization to recover from a ransomware attack was $1.85 million, which included not only the ransom payment but also downtime, lost business, manhours, device, and network costs. And ransomware costs are only expected to rise.