
Ransomware: Don’t Get Locked Out

Over the past few years, ransomware has become increasingly sophisticated and remains distressingly common. As such, all organizations need to be taking steps to shore up their cybersecurity defenses in the wake of this common and devastating threat. To help you get the information you need, we sat down with VirtualArmour SOC engineer Kurt Pritchard to discuss what ransomware is, a brief history of recent notable ransomware attacks, and what steps your organization can take to improve your cybersecurity posture.

If you have recently experienced, or are currently experiencing, a ransomware attack, please contact our team straight away and consider reviewing our educational article: Hacked? Here’s What to Know (and What to Do Next).


What is Ransomware?

The National Cyber Security Centre in the United Kingdom defines ransomware as a type of malware that prevents legitimate end-users (such as you or your employees) from accessing a computer, tablet, or smartphone on your network or the data that is stored on the infected device. 

A ransomware attack can also spread quickly, locking users out of multiple infected machines and cutting you and your employees off from all the data stored on your local network. Once the device has been seized, and the files have been encrypted, the attacker typically demands payment (the ransom), frequently in cryptocurrencies, before promising to unlock the impacted devices and restore usability. 

However, even if the ransom is paid, the attacker may not follow through on their end, leaving many organizations with locked devices and encrypted files even once the ransom has been paid.

Even if You’re Locked Out, The Attacker Isn’t

Users also need to be aware that while the attack prevents them from accessing the impacted device, it remains fully accessible to the attacker. As such, the data stored on it may be stolen, deleted, or encrypted during the attack. Depending on the nature of the data impacted, this can lead to serious legal and regulatory issues, as well as serious reputational damage.  

Ransomware & Phishing Attacks Go Hand-in-Hand

Ransomware typically targets users using social engineering, specifically phishing attacks. During a phishing attack, the cybercriminal poses as someone the user trusts (such as their boss or the company’s bank) and then tricks them into handing over sensitive information such as usernames and passwords or granting the attacker administrative privileges. 

Doxware: A Subset of Ransomware

Doxware (also called extortionware) is a type of ransomware. However, unlike traditional ransomware, doxware typically involves seizing sensitive files and threatening to release confidential information on the open internet. Such information could include private financial records, sensitive proprietary information, or other data that organizations do not want shared freely. Another major difference is that doxware typically targets individual sensitive files (such as financial reports), while ransomware typically targets the device’s entire hard drive.


Ransomware May Have Peaked in 2017, but Remains a Serious Threat

Though information from Google Trends strongly suggests that ransomware peaked in 2017 with the devastating WannaCry attack, more recent attacks such as those conducted by the cybercriminal group REvil and the supply chain attack that targeted Kaseya software users remind us that ransomware remains a serious threat. 

WannaCry: The 2017 Attack That Crippled the NHS

WannaCry targeted a number of organizations, including the National Health Service (NHS) in the United Kingdom, impacting both hospitals and doctors’ surgeries, compromising medical care for patients, and putting lives at risk.

The WannaCry ransomware attack on the NHS ran from May 12th, 2017, to May 19th the same year and left doctors, nurses, and other healthcare professionals scrambling to care for patients while the IT system remained completely inaccessible. As a result of the attack, healthcare professionals were unable to access vital information, such as patients’ electronic documents, and critical life-saving devices such as MRI and CT scanning facilities were knocked offline. 

In total, around 230,000 computers in approximately 150 countries were impacted.

The attackers demanded $300 in Bitcoin per machine in exchange for decrypting the impacted files. However, the attackers also introduced a time limit: If the payment wasn’t submitted within three days, it would double to $600 in Bitcoin. Unfortunately, some researchers who did pay the ransom were still unable to decrypt their files, and priceless research data was lost forever.

WannaCry has been hailed as one of the most widespread and damaging cyberattacks to date. 

The Kaseya Attack Highlighted a New Trend in Ransomware: Supply Chain Attacks

Though WannaCry may be behind us, ransomware attacks continue to grow in both number and sophistication, with an increasing number of devices being impacted. 

One way ransomware is evolving is the recent trend of delivering it through a supply chain rather than attacking victims directly, as in the case of the Kaseya attack of 2021. The group behind the attack, the Russian cybercrime group REvil, launched a ransomware attack targeting Kaseya (a cybersecurity company well known for their remote monitoring and management software) on July 2nd, 2021. However, unlike most ransomware attacks, the cybercriminals didn’t attack their victims directly but instead used Kaseya as an unknowing intermediary to target organizations that relied on Kaseya’s monitoring software.

Unfortunately for the 200 businesses affected by the attack, Kaseya was the perfect target. According to John Hammond, a senior security researcher at Huntress, the Kaseya attack was “a colossal and devastating supply chain attack”, noting that because Kaseya is plugged into everything from large enterprises to small companies, “it has the potential to spread to any size or scale businesses.” This is because Kaseya’s VSA (virtual system/server administrator) is integrated into desktops, network devices, printers, and servers – leading to a potentially limitless impact. Ransoms varied from user to user, with demands ranging from a few thousand dollars to $5 million or more per organization.

Fortunately, REvil group members were arrested in Russia last January, with the FSB (Russia’s intelligence bureau) stating that the group has now “ceased to exist”.

Beyond Desktops & Laptops: Ransomware Attacks Now Targeting Android Smartphones

With users relying on their phones now more than ever, ransomware attackers are taking notice. Charger, a new ransomware program specifically designed to target Android smartphones, targeted unwitting users who downloaded the EnergyRescue app (purportedly designed to enhance the battery life of phones and tablets). Impacted users were subject to a ransomware attack that began by stealing contact data and text messages from the infected device. 

Next, the ransomware program asked users to grant it administrative permissions. Once the ransomware had admin access, the ransomware would begin to run, locking users out of their devices and demanding payment. The message warned that users who failed to pay up would remain locked out (ransomware) and have portions of the private information they had stored on their phone sold on the internet “black market” every 30 minutes (doxware).

Though it is still unclear who was behind the Charger ransomware, researchers noticed that one of the first things Charger did when installed was check the device’s location settings. If the device was located in Ukraine, Russia, or Belarus, the malicious code remained dormant, suggesting the cybercriminals behind the attack may be based in Eastern Europe. 

Android’s security team has since removed the EnergyRescue app from the Play Store, and though the malware is thought to have infected only a handful of devices, it remains an important example of how ransomware is evolving and may now include both ransomware and doxware strategies in a single attack. This incident also illustrates why it is important to only download applications and other forms of software from companies and developers that you know and trust and that if something appears too good to be true, it likely is.


Safeguarding Your Business and Its Digital Assets

Ransomware remains a serious threat to organizations of all sizes and in all industries and verticals. However, there are steps you can take to improve your cybersecurity posture and better secure your organization’s data and devices. 

Trust is Key: Opt for Reputable (& Verified) App & Software Developers

Make sure you, your employees, and anyone else whose devices have access to your network are only using apps and software from trusted companies such as Microsoft or Adobe rather than unknown, potentially malicious companies. 

It also doesn’t hurt to independently verify that the “new Microsoft app” was actually developed by Microsoft and not by a suspicious actor looking to catch distracted users unaware.

Everything Has a Price: Don’t Let it Be Your Privacy or Security

Everything has a price, whether the cost is laid out upfront or not. An app that promises to give you access to normally expensive software (such as the Adobe suite or a program that promises the same functionality) for free or at a fraction of the cost should give you pause. If you aren’t paying for it, it usually means you’re the product, not the customer. 

It’s always better to opt for a paid program or app from a reputable source than to download the “free version” from an unknown or suspicious entity in the name of saving a bit of money. If the app or program is full of ransomware or other forms of malware, you could end up paying much more than you bargained for.

Read Your Emails Carefully

Before you open that file or download that form, make sure to do your due diligence and check who it is from. If the sender appears to be your boss, your bank, or another trusted entity but they are asking you to do something irregular (such as purchase a large number of gift cards, hand over your login credentials, or provide your banking details), make sure you reach out independently (such as by phone) to verify the request.

You should also look for things like typos in the domain name (such as a lookalike of your bank’s real domain with a letter missing or transposed) or variations on the sender’s name. For example, if your boss is Jane Smith and her work email is janesmith at your company’s .com domain, but this email came from janesmith at a .org version of that domain, from janesmith at hotmail.com, or from jansmith instead of janesmith, you should proceed with extreme caution and reach out to the purported sender independently for verification before you click on any links, download any files, or complete any other actions the sender has asked you to.

If you don’t recognize the sender, it’s always safer to leave the attachment unopened or the link unclicked and consider forwarding the email to your security team. Passing the email along will not only help you determine if the request is legitimate, but can also help your security team track phishing attacks targeting your organization and its employees and improve security for everyone.

Back Up Everything Regularly

Ransomware attacks prey on our fear of losing critical data. By regularly backing up all data stored on your network, you may be able to recover most, if not all, of the data that you can’t currently access without having to pay the ransom. Depending on the nature of your business, and the nature of the data being stored, you may want to consider opting for a cloud system such as iCloud, Google Drive, Microsoft OneDrive, or Dropbox or consider backing up your files locally using an external hard drive. 

However, before you make your final decision, you should ensure your preferred choice complies with all relevant security, privacy, and data protection standards, such as GDPR, HIPAA, or PCI DSS.

An Up-to-Date Operating System is a More Secure Operating System

One of the simplest things you can do to help keep your security posture strong is to keep your operating system and other software up to date. When developers discover vulnerabilities, bugs, or other security issues with their products, they develop and release patches to fix them. However, you can only take advantage of a new security patch if you actually download it, making out-of-date software a security liability. 

Because security patches are publicly announced, everyone, including cybercriminals, now knows about the vulnerability the patch is designed to fix. As such, attackers frequently target companies running software for which a patch was recently released, in the hope that not all organizations are as diligent as yours about keeping their software up to date. It’s always better to invest the 20 minutes it takes to update your software than to risk compromising your operational security.

Anti-Virus Software Still Plays a Critical Role

While many people may think antivirus software is outdated, it still plays an important role in your cybersecurity defenses when combined with other security measures. Antivirus software is just one of many tools that, when combined appropriately with other security measures, help keep your organization safe.

It Always Pays to Have a Plan & Invest in Cybersecurity Training

Should your organization fall victim to ransomware or another type of cyberattack, it is critical you have an incident response program in place to help you and your team respond swiftly and effectively. All new employees should undergo cybersecurity training as part of your onboarding process, and all employees, from the CEO downwards, should also undergo regular cybersecurity training to keep their skills and knowledge top of mind and up to date.


Worried About Ransomware? VirtualArmour is Here to Help!

While the internet may feel like it is becoming more like the Wild West every day, there is hope. By partnering with organizations like VirtualArmour, you can take proactive steps to shore up your defenses and keep your data safe and secure. Our team of cybersecurity experts has your back every step of the way: Whether you are looking to develop or update your incident response plan, bolster your internal IT or cybersecurity team, or respond to an ongoing cybersecurity incident, we’re always here for you: 24/7/365. For more information, please contact our team today.

Suggested Reading

Cybersecurity is a complex and continually evolving field, so it is vital that you stay up to date and in the loop if you want to safeguard your organization and its data effectively.

To help you stay on top of the latest cybersecurity news and trends, please consider visiting our Articles and Resources page and reviewing these educational articles.

Common Threats (and How to Avoid Them)

Cybersecurity Basics For All Organizations

Cybersecurity Basics By Industry

Minimizing Your Risks

About the Author

Kurt Pritchard is a SOC Engineer at VirtualArmour; you can learn more about him on his LinkedIn.

Phishing Attacks are Evolving: What You Need to Know to Keep Your Company Safe

Phishing scams tend to peak during and around the winter holiday season, catching individuals and businesses alike unprepared. To help ensure you and your team have the information you need to identify and avoid these scams, we sat down with one of our VirtualArmour cybersecurity engineers to learn more about this common cybersecurity threat.

If you are currently experiencing, or have recently experienced, a cybersecurity incident, please contact our team for immediate assistance and consider reviewing our educational article: Hacked? Here’s What to Know (and What to Do Next). Our team can help you fend off the attack, identify the root cause of the issue, and create an actionable, comprehensive plan to help mitigate or even avoid further damage.


What is Phishing?

Phishing is a type of social engineering typically used to steal user data such as login credentials, personally identifiable information (PII), or payment card information. This type of cyber attack involves a threat actor masquerading as a trusted party (such as your bank) in order to trick you into opening an email, text message, instant message, or other electronic message and inadvertently handing over sensitive information such as personally identifiable information (such as your full name, birth date, or social insurance number) or payment information (such as your credit card number). 

Phishing attacks pose a serious threat at both the personal and corporate levels. Though most email spam filters are able to stop the most egregious attempts at phishing, even the best filters and firewalls aren’t able to catch everything. Phishing scams continue to evolve, and the sheer number of phishing emails alone is staggering. Research into the volume of email, spam, and malicious attachments and URLs directed at companies found that a company with 5000 employees will still have an average of 14,400 phishing emails arrive in employee inboxes each year, and those are just the emails that were savvy enough to get past the spam filter. 

With so many emails alone slipping past our defenses, employee training on how to spot and report potential phishing scams is key. However, many threat actors are changing tactics and moving away from email and towards other forms of electronic communication.

Phishing Tactics Have Evolved

When many of us think of phishing emails, we likely still picture some scammer pretending to be a fabulously wealthy prince from some faraway land promising riches in return for helping them covertly move money out of their home country (a common ruse referred to as an advance-fee scam).

The advance-fee scam is a classic ruse in which the threat actor asks you to help them by receiving a transfer of money (purportedly for “safekeeping” or to evade authorities) while also asking you to pay a fee to help move the money, with the promise that they will both reimburse your advance payment and reward you handsomely for your cooperation.

Though this elaborate ruse has become a cliché even outside of cybersecurity circles, unfortunately, many individuals and companies still fall for this and similar advance-fee scams. A recent CNBC article found that these advance-fee scams still net cybercriminals well over $700,000 USD per year.

Why Do Phishing Scams Peak Around the Holiday Season?

Phishing campaigns typically soar in popularity over the holiday season in an attempt to prey on festive (and often frazzled) shoppers using increasingly sophisticated phishing scams. 

However, it isn’t just holiday shoppers that fall for these campaigns; many businesses and other organizations of all sizes continue to fall victim to these types of attacks.

One common example of a popular business-targeted phishing scam involves sending the target an email with a domain that appears to link to the company website and contains innocuous information (such as a festive meal menu with a .doc file extension, paired with an email asking the employee to please indicate their meal preference and dietary restrictions for the company party). However, though the email appears legitimate at first glance, a red flag such as a misspelled domain (for example, ‘virtaularmour.com’ rather than ‘virtualarmour.com’; note the transposed ‘u’ and ‘a’) indicates that this email is likely malicious and should be both flagged as spam and reported to your company’s IT or cybersecurity team.
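As an added example (not VirtualArmour’s code, and not part of either original article), the following Python script applies the sender checks described in the “Read Your Emails Carefully” section of the ransomware article and in the misspelled-domain example above: a transposed-letter lookalike of the company domain, a wrong top-level domain, a free-mail address in place of the company domain, and a near-miss sender name such as jansmith for janesmith. The trusted domain, the sender roster, and the sample addresses are constructed for the illustration.

```python
"""Flag sender addresses that imitate a trusted domain or a known colleague.

Constructed example: the trusted domain, known senders and sample addresses
below are illustrative values, not a real roster.
"""

# Constructed trusted roster: the real company domain and known local parts.
TRUSTED_DOMAINS = {"virtualarmour.com"}
KNOWN_SENDERS = {"janesmith"}
FREE_MAIL = {"hotmail.com", "gmail.com", "yahoo.com", "outlook.com"}


def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein distance: insert, delete, substitute or swap adjacent
    characters each cost 1, so a transposed pair ('ua' vs 'au') counts as one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def split_domain(domain: str) -> tuple[str, str]:
    """Return (label, tld) for a simple two-label domain such as example.com."""
    label, _, tld = domain.rpartition(".")
    return label, tld


def assess_sender(address: str) -> list[str]:
    """Return the red flags for one sender address; an empty list means none."""
    flags = []
    local, _, domain = address.lower().strip().rpartition("@")
    if not local or not domain:
        return ["malformed address"]
    if domain in TRUSTED_DOMAINS:
        pass  # exact match on the real company domain
    elif domain in FREE_MAIL:
        flags.append("free-mail provider instead of company domain")
    else:
        label, tld = split_domain(domain)
        for trusted in TRUSTED_DOMAINS:
            t_label, t_tld = split_domain(trusted)
            if label == t_label and tld != t_tld:
                flags.append(f"wrong TLD .{tld} for {trusted}")
            elif 0 < edit_distance(label, t_label) <= 2:
                flags.append(f"lookalike domain {domain} for {trusted}")
    if local not in KNOWN_SENDERS:
        # A name one or two edits away from a known colleague is suspicious.
        for known in KNOWN_SENDERS:
            if 0 < edit_distance(local, known) <= 2:
                flags.append(f"near-miss name {local} for {known}")
    return flags


# Constructed sample senders mirroring the examples in the articles.
SAMPLE_SENDERS = [
    "janesmith@virtualarmour.com",
    "janesmith@virtualarmour.org",
    "janesmith@hotmail.com",
    "jansmith@virtualarmour.com",
    "events@virtaularmour.com",
]


def triage(addresses: list[str]) -> dict[str, list[str]]:
    """Map each address to its flags so flagged mail can go to the security team."""
    return {addr: assess_sender(addr) for addr in addresses}


if __name__ == "__main__":
    for addr, flags in triage(SAMPLE_SENDERS).items():
        print(addr, "->", flags or "ok")
```

A flagged address is a reason to verify the request through an independent channel and forward the message to your security team, not proof of fraud on its own.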

“Smishing” (SMS Phishing) Scams Are On the Rise

Though these types of scams tend to peak around the holiday season, they are still common year-round. The fake delivery text is a new form of this age-old scam that has been making the rounds and is rapidly becoming one of the most common formats for smishing scams. 

One theory behind the rise in this particular style of phishing scam is the increase in lockdowns worldwide, prompting a rise in online shopping, particularly during the holiday period. Before clicking on any links in a suspicious text message, it is critical to verify whether the text message is legitimate (such as by calling your local post office or delivery depot to verify if there really is a parcel waiting for you).

How to Recognize (& Avoid Falling Prey To) a Smishing Attack

If you receive a suspicious text that may be part of a smishing scam, there are a few steps you can take to help avoid falling prey: 

  1. Never respond to a potentially suspicious text message. If a response appears to be necessary, respond via a verified official channel (such as calling your delivery company or local post office directly).
  2. Never click on any links or phone numbers sent from a user you don’t recognize.
  3. Never share any payment information or personally identifiable information, such as your social security number, birth date, or full name. 
  4. Report any messages that appear suspicious to the relevant authority.
    1. In the United Kingdom, reports can be filed with the National Cyber Security Centre here.
    2. In the United States, reports can be filed with the FCC here and FTC here.

A common example of a scam asking for payment information is a scammer posing as your bank and asking you to update your account information (usually under threat of being locked out of your accounts or some other undesirable outcome). In this case, you should contact your bank immediately via an official channel (most banks print a toll-free number on the back of their credit or debit cards or somewhere on your bank statement) and independently verify that your information requires updating. This not only helps you avoid falling victim to a potential phishing scam but also alerts your bank so they can warn other customers about the scam so they can avoid falling prey as well.


Awareness is Critical

Education and awareness are a cornerstone of any solid cybersecurity strategy. By educating yourself and others about common scams and the red flags to look for, you can help reduce the chance that someone falls victim. Individual scams are often short-lived, so you need to act quickly; Verizon reports that 50% of scam targets open emails and click on phishing links within an hour of receiving a suspicious email.

Investing in employee cybersecurity training is vital. When it comes to scams, your employees are one of your first lines of defense, which is why all employees, from the summer intern up to the CEO, should undergo regular cybersecurity training. To help set everyone up for success, you should also include cybersecurity training as part of your company’s onboarding process. 

Vulnerability Scanning Offers Total Visibility Into Your Infrastructure

You can’t defend yourself against cybersecurity threats if you don’t know they exist. Vulnerability scanning helps ensure that no threat makes its way past your defenses by providing detailed information on threat intelligence, device health, threat mapping, and support ticketing. Being able to view all traffic on your network at all times is critical for spotting suspicious activities, so you can respond swiftly and effectively to safeguard both your data and your organization should a threat actor sneak past your defenses. 

Social Engineering Takes Many Forms

Many of these attacks depend on social engineering. Social engineering involves manipulating potential victims into revealing personally identifiable information and can be used to access either personal or organizational accounts. Social engineering attacks typically rely on consistent communication between the attacker and the target and frequently take the form of text messages, instant messages, or emails. 

As COVID-19 continues to force workers to trade their desks at work for their kitchen tables, spare rooms, and home offices, attacks of this nature are becoming more frequent and more effective. This, combined with more mundane but still frustrating events such as a purportedly missed delivery (which you can conveniently reschedule by clicking on this completely legitimate link), has created an ideal environment for threats like phishing scams to flourish. 

Worried About Phishing Scams? VirtualArmour is Here to Help

Not everyone is a cybersecurity expert, and that’s okay. VirtualArmour is full of experts like the cybersecurity engineer who helped us write this educational article. Whether you need help drafting a cybersecurity strategy, are looking for someone to monitor your network 24/7/365 for suspicious activities, or are looking to bolster your internal IT or cybersecurity team, our team is here to help. For more information, or to start improving your organization’s cybersecurity posture, please contact our team today.

Suggested Reading 

Cybersecurity is a complex and continually evolving field, so keeping up to date is critical for safeguarding both your website and your broader organization. 

To help you stay up to date on the latest in cybersecurity news and trends, please consider visiting our Articles and Resources page and reviewing these educational articles.

Cybersecurity Basics For All Organizations

Common Threats (and How to Avoid Them)

Cybersecurity Basics By Industry

Minimizing Your Risks

About the Author

Kurt Pritchard is a SOC Engineer at VirtualArmour; you can learn more about him on his LinkedIn.