Ransomware gangs target SMEs01-11-2022 Author: Jan Tissler
Today, criminals hardly need any expertise for ransomware. Like other software, "blackmail Trojans" are offered as a bookable service. Smaller organisations are therefore now also increasingly at risk.
Ransomware is malware with a business model: first it encrypts a company's data, rendering it unusable. Then it demands a ransom to reverse the process.
A second means of coercion is now frequently added: the criminals threaten to publish sensitive information such as a customer database or sell it to the highest bidder. In some cases, the blackmailers even go so far as to demand a ransom from the company's customers.
Targeting small and medium-sized enterprises
Small and medium-sized enterprises are now also being targeted by attackers, who up until this point had primarily targeted major organisations. Specialised knowledge is no longer required thanks to "Ransomware-as-a-Service". Just as you can find the right software for any business purpose with a few simple clicks, so too can you get your hands on malware such as "blackmail Trojans".
Meanwhile, the ransomware gangs are getting more and more professional. Some even offer a reward if someone finds a security hole in their malware. Until now, only large providers have been known to offer such "bug bounty" programmes.
The criminals have enough resources, because the past few years have been enormously profitable for them. Officials such as the National Cyber Security Centre (NCSC) warn against paying the ransom. After all, it only shows the criminals that their machinations are worthwhile. But enough organisations still saw it as the best way out of their predicament.
"NCSC advises against paying a ransom. There is no guarantee that the criminals will not release the data after paying the ransom or make other profit from it. Moreover, any successful extortion motivates the attackers to continue, funds further development of the attacks and encourages their spread." – NCSC
In 2021 alone, ransomware attacks claimed more than 600 million US dollars, estimates cybersecurity specialist Sonicwall in its "2022 Cyber Threat Report". Two years earlier, the figure was less than 200 million US dollars.
How does ransomware work?
In order for the ransomware to take effect, the criminals must first infiltrate it onto a computer within the targeted organisation. This can happen, for example, in the form of a seemingly harmless email attachment. Other possibilities include security gaps, for example in functions for remote access to PCs – an important topic especially in the era of the home office and hybrid models. For particularly worthwhile targets, more elaborate methods such as spear phishing are also used.
Once this hurdle has been overcome, the ransomware tries to operate as inconspicuously as possible. Modern variants only partially encrypt the files. While the malware's activities are thus accelerated and at the same time less treacherous, the effect is the same for those impacted.
Once the work is done, the ransomware usually presents a full-screen notice about what has happened and how the ransom payment works.
How can you protect yourself?
Basic protection against ransomware includes the standard tips we already give in relation to malware in general. This includes training employees accordingly and sensitising them to the topic. All systems should also always be kept up to date. Read another article to find out which are the most typical gateways.
Another tip is to make backups that are not permanently connected to the computer in question or to an internal network. Otherwise, they would similarly be encrypted and thus worthless if worst came to worst.
What to do if it does happen?
As mentioned above, experts generally advise against paying the ransom. A first step is to identify the ransomware responsible on this website. The information comes from the Dutch police and Europol. With a little luck, the ransomware Trojan has already been cracked and the data can be restored.
Furthermore, it is important to find the gateway: How did the ransomware get into your own systems? Any security gaps must be closed in order to prevent further attacks along the same path. A more general IT security check is advisable, as criminals often try again after a successful attack.
If a backup is available, it should first be checked for possible compression by the ransomware. This is because in order to embed itself as deeply as possible, such malware often only becomes active after a time delay.
In the end, the affected systems will usually need to be reinstalled.
Further information on this can be found here at the NCSC.