Ransomware gangs target smaller businesses

2023-09-03 - Author: Jan Tissler

Today, criminals hardly need any expertise for ransomware. Like other software, the "blackmail Trojans" are offered as a bookable service. As a result, smaller organizations are now also increasingly at risk.

Ransomware is malware with a business model: first it encrypts a company's data, rendering it unusable. Then it demands a ransom to reverse the process.
In the meantime, a second means of exerting pressure is often added: the criminals threaten to publish sensitive information such as a customer database or to sell it to the highest bidder. In some cases, the extortionists even go so far as to demand a ransom from the company's customers.

Targeting small and medium-sized enterprises

At the same time, while attackers previously targeted large organizations, they are now also targeting small and medium-sized enterprises. Specialized knowledge is no longer necessary: Ransomware-as-a-Service makes it possible. Just as it is now possible to find the right software for any business purpose with just a few clicks, the same applies to malware such as "blackmail Trojans".

Meanwhile, the ransomware gangs have become more professional. Some even offer a reward if someone finds a security hole in their malware. Such "bug bounty" programs are otherwise only known from large providers.

The criminals have enough resources, because the past few years have been enormously profitable for them. Officials such as the National Cyber Security Center (NCSC) warn against paying the ransom. After all, they say, it shows the criminals that their schemes are worthwhile. But enough organizations still saw it as the best way out of their situation.

"NCSC advises against paying a ransom. There is no guarantee that the criminals will not release the data after paying the ransom or make other profit from it. Moreover, any successful extortion motivates the attackers to continue, funds further development of the attacks, and encourages their proliferation." - NCSC

In 2021 alone, ransomware attacks claimed more than $600 million, cybersecurity specialist Sonicwall estimates in its "2022 Cyber Threat Report." Two years earlier, the figure was less than 200 million US dollars.

How does ransomware work?

In order for the ransomware to take effect, the criminals must first introduce it onto a computer within the targeted organization. This can happen, for example, in the form of a seemingly harmless email attachment. Other possibilities include security gaps in remote-access functions for PCs, a particularly important topic in the age of the home office and hybrid working models. For particularly worthwhile targets, more elaborate methods such as spear phishing are also used.

Once this hurdle has been cleared, the ransomware tries to work as inconspicuously as possible. Modern variants encrypt only parts of each file. For those affected the effect is the same, while the malware finishes faster and draws less attention in the process.

Once this work is done, the ransomware usually presents a full-screen notice about what happened and how the ransom payment works.

How to protect yourself?

Basic protection against ransomware includes the advice we already give for malware in general: train employees and raise their awareness of the issue, and keep all systems up to date at all times. Which entry points are particularly typical is covered in another article.
Another tip is to make backups that are not permanently connected to the computer in question or to an internal network. Otherwise, they would also be encrypted and thus worthless if the worst came to the worst.

What to do if it did happen?

As mentioned above, experts generally advise against paying the ransom. A first step is to find out which ransomware is the culprit on this website. The information comes from the Dutch police and Europol. With a bit of luck, the ransomware Trojan has already been cracked and the data can be recovered.

In addition, it is important to find the entry point: How did the ransomware make it into your own systems? Any security gaps need to be closed here to prevent further attacks along the same path. A more general IT security check is advisable, since criminals often try again after a successful attack.

If a backup is available, it should first be checked for possible compromise by the ransomware. This is because such malware often only becomes active with a time delay in order to embed itself as deeply as possible.
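Two points above (modern variants encrypt only parts of each file, and a backup must be checked before it is trusted) motivate checking backed-up files chunk by chunk rather than as a whole. The following Python script is an added example, not part of the article or of any NCSC tool; the sample files, the 4096-byte chunk size and the 7.5 bits/byte threshold are constructed assumptions.

```python
import math
import random
from collections import Counter

CHUNK_SIZE = 4096
HIGH_ENTROPY = 7.5   # bits per byte; encrypted or random data approaches 8.0

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def chunk_entropies(data: bytes, chunk_size: int = CHUNK_SIZE) -> list[float]:
    """Entropy of each fixed-size chunk, so encrypted stretches stand out even
    when the whole-file entropy still looks unremarkable."""
    return [shannon_entropy(data[i:i + chunk_size]) for i in range(0, len(data), chunk_size)]

def classify(data: bytes) -> str:
    """'plain', 'partially-encrypted' or 'fully-encrypted' based on chunk entropy.
    Caveat: already-compressed formats (zip, jpeg, ...) are high-entropy too,
    so treat the verdict as a triage signal, not proof of encryption."""
    ents = chunk_entropies(data)
    high = sum(1 for e in ents if e >= HIGH_ENTROPY)
    if high == 0:
        return "plain"
    if high == len(ents):
        return "fully-encrypted"
    return "partially-encrypted"

def build_samples() -> dict[str, bytes]:
    """Constructed sample files (not real backups): a text file, the same file
    with every second chunk overwritten by random bytes (mimicking partial
    encryption), and one overwritten completely."""
    rng = random.Random(2023)            # seeded so results are reproducible
    text = (b"Quarterly invoice summary for customer 4711, please remit payment.\n" * 70)[:CHUNK_SIZE]
    plain = text * 8
    partial = b"".join(text if i % 2 == 0 else rng.randbytes(CHUNK_SIZE) for i in range(8))
    full = rng.randbytes(CHUNK_SIZE * 8)
    return {"plain": plain, "partial": partial, "full": full}

if __name__ == "__main__":
    for name, data in build_samples().items():
        print(f"{name:8s} whole-file={shannon_entropy(data):.2f} verdict={classify(data)}")
```

Run against a restored backup, a "partially-encrypted" verdict on files that should be plain text or documents is a reason to distrust that backup generation and fall back to an older one.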

Ultimately, affected systems usually also have to be rebuilt from scratch.

More information can be found here at NCSC.