After the tumultuous year of 2017, which was marked by devastating ransomware attacks, a calmer period followed as attackers turned their attention to crypto mining. At the end of 2017 the price of Bitcoin was close to 20000 USD, and most of the other popular coins peaked as well. This created a very lucrative opportunity for criminals, who quickly distributed stealthy miners that used victims' CPUs to mine various coins, most notably Monero.
However, in the first part of 2018, Bitcoin, Ethereum, Monero and the other coins lost more than half of their peak values, and the trend continued into 2019. Profits from crypto mining plummeted accordingly, and we are now seeing the bad guys returning to older means of extortion, including ransomware.
Looking back over the last year or so, after the Bad Rabbit wave of late 2017 we saw a few targeted ransomware outbreaks (SamSam), and others soon followed (LockerGoga, Dharma, Ryuk, and so on). The number of incidents has risen recently, and unlike in the past we are now facing more sophisticated attacks that usually target businesses rather than random home users. Either way, ransomware is again the number one security threat, as a recent report from Europol shows (https://www.europol.europa.eu/newsroom/news/cybercrime-becoming-bolder-data-centre-of-crime-scene).
What about protection?
Since ransomware became widespread, some anti-virus companies have updated their products to fight these attacks better. However, there are still ransomware variants that easily bypass AV products, so an adequate protection strategy has to consider several things:
- Back up data regularly to safe (and preferably "cold", meaning offline or otherwise unreachable from the production network) storage, and double-check that the backups are valid and can be restored quickly. Ransomware routinely encrypts or deletes any backup it can reach, including network shares and mapped drives, and there have been many cases of companies that backed up their data and then found they could not restore it.
- Virtualize the infrastructure and back up all systems. For companies, besides losing valuable data, another significant loss is the downtime incurred by a ransomware attack. Getting systems back online can sometimes take days, even weeks, and the disruption can cost businesses millions of dollars. With a virtual infrastructure supported by a sound backup system, restoring virtual machines takes minutes and the whole infrastructure can be back online in a matter of hours instead of days, provided the hypervisor and backup servers are not reachable with the same credentials the attackers have already stolen.
- Patch systems frequently. Although ransomware is usually spread by email and compromised web sites, from time to time we also see variants that exploit vulnerabilities in certain programs or system components; WannaCry, for example, spread on its own through the SMB flaw fixed by MS17-010. The best way to mitigate such risks is to patch systems and applications frequently.
- Use dedicated anti-ransomware tools. Many people assume ransomware programs are like regular viruses and that AV products must therefore be able to catch them. This is a false assumption: ransomware is different in many ways, the most notable being that it is usually simpler and performs ordinary operations, exactly as users do (it opens, reads, overwrites and renames files). That is why security products must use specific methods to catch ransomware, typically behavioural ones (watching for mass file modifications, decoy files being touched, or files turning into random-looking data), which differ from the signature-based methods used against typical viruses.
- Train users to be more security-aware. Ransomware is usually delivered by email, embedded in malicious documents (often via macros) or behind links. Many attacks can be prevented if users do not open suspicious attachments, so learning how to identify dangerous emails and how to handle their content is a potent means of preventing infection.
For more information about ransomware and how to protect against it, check out this article: https://temasoft.com/information/ransomware-protection-prevention.
Last but not least, ransomware looks like it is here to stay; hopefully, companies and individual users will become better informed about it and use more effective means to protect themselves.