
Ransomware: Don’t Get Locked Out

Kurt Pritchard

March 14, 2022

Over the past few years, ransomware has become increasingly sophisticated and remains distressingly common. As such, all organizations need to be taking steps to shore up their cybersecurity defenses in the wake of this common and devastating threat. To help you get the information you need, we sat down with VirtualArmour SOC engineer Kurt Pritchard to discuss what ransomware is, a brief history of recent notable ransomware attacks, and what steps your organization can take to improve your cybersecurity posture.

If you have recently experienced, or are currently experiencing, a ransomware attack, please contact our team straight away and consider reviewing our educational article: Hacked? Here’s What to Know (and What to Do Next).


What is Ransomware?

The National Cyber Security Centre in the United Kingdom defines ransomware as a type of malware that prevents legitimate end-users (such as you or your employees) from accessing a computer, tablet, or smartphone on your network or the data that is stored on the infected device. 

A ransomware attack can also spread quickly, locking users out of multiple infected machines and cutting you and your employees off from all the data stored on your local network. Once the device has been seized, and the files have been encrypted, the attacker typically demands payment (the ransom), frequently in cryptocurrencies, before promising to unlock the impacted devices and restore usability. 

However, even if the ransom is paid, the attacker may not follow through on their end, leaving many organizations with locked devices and encrypted files even once the ransom has been paid.

Even if You’re Locked Out, The Attacker Isn’t

Users also need to be aware that while the attack prevents them from accessing the impacted device, it remains fully accessible to the attacker. As such, the data stored on it may be stolen, deleted, or encrypted during the attack. Depending on the nature of the data impacted, this can lead to serious legal and regulatory issues, as well as serious reputational damage.  

Ransomware & Phishing Attacks Go Hand-in-Hand

Ransomware typically targets users using social engineering, specifically phishing attacks. During a phishing attack, the cybercriminal poses as someone the user trusts (such as their boss or the company’s bank) and then tricks them into handing over sensitive information such as usernames and passwords or granting the attacker administrative privileges. 

Doxware: A Subset of Ransomware

Doxware (also called extortionware) is a type of ransomware. However, unlike traditional ransomware, doxware typically involves seizing sensitive files and threatening to release confidential information on the open internet. Such information could include private financial records, sensitive proprietary information, or other data that organizations do not want shared freely. Another major difference is that doxware typically targets individual sensitive files (such as financial reports), while ransomware typically targets the device’s entire hard drive.


Ransomware May Have Peaked in 2017, but Remains a Serious Threat

Though information from Google Trends strongly suggests that ransomware peaked in 2017 with the devastating WannaCry attack, more recent attacks such as those conducted by the cybercriminal group REvil and the supply chain attack that targeted Kaseya software users remind us that ransomware remains a serious threat. 

WannaCry: The 2017 Attack That Crippled the NHS

WannaCry targeted a number of organizations, including the National Health Service (NHS) in the United Kingdom, impacting both hospitals and doctor’s surgeries, compromising medical care for patients, and putting lives at risk. 

The WannaCry ransomware attack on the NHS ran from May 12th, 2017, to May 19th the same year and left doctors, nurses, and other healthcare professionals scrambling to care for patients while the IT system remained completely inaccessible. As a result of the attack, healthcare professionals were unable to access vital information, such as patients’ electronic documents, and critical life-saving devices such as MRI and CT scanning facilities were knocked offline. 

In total, around 230,000 computers in approximately 150 countries were impacted.

The attackers demanded $300 in Bitcoin per machine in exchange for unencrypting the impacted files. However, the attackers also introduced a time limit: If the payment wasn’t submitted within three days, it would double to $600 in Bitcoin. Unfortunately, some researchers who did pay the ransom were still unable to decrypt their files, and priceless research data was lost forever. 

WannaCry has been hailed as one of the most widespread and damaging cyberattacks to date. 

The Kaseya Attack Highlighted a New Trend in Ransomware: Supply Chain Attacks

Though WannaCry may be behind us, ransomware attacks continue to grow in both number and sophistication, with an increasing number of devices being impacted. 

One way ransomware is evolving is the recent trend of delivering it indirectly through the software supply chain, as in the case of the Kaseya attack of 2021. The group behind the attack, the Russian cybercrime group REvil, launched a ransomware attack targeting Kaseya (a cybersecurity company well known for its remote monitoring and management software) on July 2nd, 2021. However, unlike most ransomware attacks, the cybercriminals didn’t attack their victims directly but instead used Kaseya as an unknowing intermediary to target organizations that relied on Kaseya’s monitoring software.

Unfortunately for the 200 businesses affected by the attack, Kaseya was the perfect target. According to John Hammond, a senior security researcher at Huntress, the Kaseya attack was “a colossal and devastating supply chain attack”, noting that because Kaseya is plugged into everything from large enterprises to small companies, “it has the potential to spread to any size or scale businesses.” This is because Kaseya’s VSA (virtual system/server administrator) is integrated into desktops, network devices, printers, and servers – leading to a potentially limitless impact. Ransoms varied from user to user, with demands ranging from a few thousand dollars to $5 million or more per organization.

Fortunately, REvil group members were arrested in Russia last January, with the FSB (Russia’s intelligence bureau) stating that the group has now “ceased to exist”.

Beyond Desktops & Laptops: Ransomware Attacks Now Targeting Android Smartphones

With users relying on their phones now more than ever, ransomware attackers are taking notice. Charger, a new ransomware program specifically designed to target Android smartphones, targeted unwitting users who downloaded the EnergyRescue app (purportedly designed to enhance the battery life of phones and tablets). Impacted users were subject to a ransomware attack that began by stealing contact data and text messages from the infected device. 

Next, the ransomware program asked users to grant it administrative permissions. Once the ransomware had admin access, the ransomware would begin to run, locking users out of their devices and demanding payment. The message warned that users who failed to pay up would remain locked out (ransomware) and have portions of the private information they had stored on their phone sold on the internet “black market” every 30 minutes (doxware).

Though it is still unclear who was behind the Charger ransomware, researchers noticed that one of the first things Charger did when installed was check the device’s location settings. If the device was located in Ukraine, Russia, or Belarus, the malicious code remained dormant, suggesting the cybercriminals behind the attack may be based in Eastern Europe. 

Android’s security team has since removed the EnergyRescue app from the Play Store, and though the malware is thought to have infected only a handful of devices, it remains an important example of how ransomware is evolving and may now include both ransomware and doxware strategies in a single attack. This incident also illustrates why it is important to only download applications and other forms of software from companies and developers that you know and trust and that if something appears too good to be true, it likely is.


Safeguarding Your Business and Its Digital Assets

Ransomware remains a serious threat to organizations of all sizes and in all industries and verticals. However, there are steps you can take to improve your cybersecurity posture and better secure your organization’s data and devices. 

Trust is Key: Opt for Reputable (& Verified) App & Software Developers

Make sure you, your employees, and anyone else whose devices have access to your network are only using apps and software from trusted companies such as Microsoft or Adobe rather than unknown, potentially malicious companies. 

It also doesn’t hurt to independently verify that the “new Microsoft app” was actually developed by Microsoft and not by a suspicious actor looking to catch distracted users unawares.

Everything Has a Price: Don’t Let it Be Your Privacy or Security

Everything has a price, whether the cost is laid out upfront or not. An app that promises to give you access to normally expensive software (such as the Adobe suite or a program that promises the same functionality) for free or at a fraction of the cost should give you pause. If you aren’t paying for it, it usually means you’re the product, not the customer. 

It’s always better to opt for a paid program or app from a reputable source than to download the “free version” from an unknown or suspicious entity in the name of saving a bit of money. If the app or program is full of ransomware or other forms of malware, you could end up paying much more than you bargained for.

Read Your Emails Carefully

Before you open that file or download that form, make sure to do your due diligence and check who it is from. If the sender appears to be your boss, your bank, or another trusted entity but they are asking you to do something irregular (such as purchase a large number of gift cards, hand over your login credentials, or provide your banking details), make sure you reach out independently (such as by phone) to verify the request.

You should also look for things like typos or look-alike characters in the domain name (such as an email from a domain that looks like Your Trusted Bank’s but differs by a letter) or variations on the sender’s name. For example, if your boss is Jane Smith, and her work email is janesmith@[yourcompany].com, but this email came from janesmith@[yourcompany].org, janesmith@hotmail.com, or jansmith instead of janesmith, you should proceed with extreme caution and reach out to the purported sender independently for verification before you click on any links, download any files, or complete any other actions the sender has asked you to.

If you don’t recognize the sender, it’s always safer to leave the attachment unopened or the link unclicked and to consider forwarding the email to your security team. Passing the email along will not only help you determine whether the request is legitimate, but can also help your security team track phishing attacks targeting your organization and its employees and improve security for everyone.
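The sender checks described above (wrong top-level domain, free-mail domain, a look-alike mailbox such as jansmith for janesmith, or a familiar display name on an unfamiliar address) can be automated on the From: header. The script below is an added example, not code from the original post or from VirtualArmour; the trusted-sender directory, the example.com domain, and the 0.8 similarity threshold are constructed assumptions for illustration. It goes slightly beyond the text by also catching look-alike domains (for instance a digit swapped for a letter), since those are checked the same way.

```python
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed directory of people whose mail is routinely acted on:
# display name -> the one address they are expected to write from.
# example.com stands in for your organization's real domain (assumption).
TRUSTED_SENDERS = {
    "Jane Smith": "janesmith@example.com",
}

# Consumer mail domains a colleague or bank would not normally use for business requests.
FREEMAIL_DOMAINS = {"hotmail.com", "gmail.com", "yahoo.com", "outlook.com"}


def similar(a, b, threshold=0.8):
    """True when two strings differ but are close enough to be a typo or look-alike."""
    return a != b and SequenceMatcher(None, a, b).ratio() >= threshold


def check_sender(from_header, trusted=TRUSTED_SENDERS):
    """Inspect a From: header value against the trusted directory.

    Returns a list of human-readable warnings; an empty list means the address
    either matches a trusted contact exactly or resembles none of them.
    """
    name, addr = parseaddr(from_header)
    name = name.strip().lower()
    addr = addr.lower()
    if "@" not in addr:
        return ["sender address could not be parsed"]
    local, domain = addr.rsplit("@", 1)

    warnings = []
    for trusted_name, trusted_addr in trusted.items():
        t_local, t_domain = trusted_addr.lower().rsplit("@", 1)
        if addr == trusted_addr.lower():
            continue  # exact match with this contact: nothing to flag

        # Does the message resemble this contact at all? If not, it is simply
        # an unrelated sender and we do not report it as a spoof of them.
        claims_name = name == trusted_name.lower()
        claims_local = local == t_local or similar(local, t_local)
        claims_domain = domain == t_domain or similar(domain, t_domain)
        if not (claims_name
                or (claims_local and claims_domain)
                or (claims_local and domain in FREEMAIL_DOMAINS)):
            continue

        # Domain checks: free-mail, look-alike (typo), or simply not the expected one.
        if domain in FREEMAIL_DOMAINS and domain != t_domain:
            warnings.append(f"{trusted_name}: free-mail domain {domain}, expected {t_domain}")
        elif similar(domain, t_domain):
            warnings.append(f"{trusted_name}: look-alike domain {domain}, expected {t_domain}")
        elif domain != t_domain:
            warnings.append(f"{trusted_name}: unexpected domain {domain}, expected {t_domain}")

        # Mailbox check: jansmith instead of janesmith.
        if similar(local, t_local):
            warnings.append(f"{trusted_name}: look-alike mailbox {local}, expected {t_local}")
    return warnings


if __name__ == "__main__":
    # Constructed sample headers, one per case discussed in the article.
    samples = [
        '"Jane Smith" <janesmith@example.com>',   # genuine
        '"Jane Smith" <janesmith@example.org>',   # wrong top-level domain
        'Jane Smith <janesmith@hotmail.com>',     # free-mail domain
        '<jansmith@example.com>',                 # look-alike mailbox
        'Jane Smith <janesmith@examp1e.com>',     # look-alike domain
        'Bob Jones <bob@vendor.net>',             # unrelated sender
    ]
    for header in samples:
        print(header, "->", check_sender(header) or "ok")
```

A real deployment would feed this from the mail gateway or a phishing-report mailbox and pair it with the header-level checks (SPF, DKIM, DMARC) that this script deliberately leaves out, so that a warning goes to the security team rather than relying on each recipient to notice the difference.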

Backup Everything Regularly

Ransomware attacks prey on our fear of losing critical data. By regularly backing up all data stored on your network, you may be able to recover most, if not all, of the data that you can’t currently access without having to pay the ransom. Depending on the nature of your business, and the nature of the data being stored, you may want to consider opting for a cloud system such as iCloud, Google Drive, Microsoft OneDrive, or Dropbox or consider backing up your files locally using an external hard drive. 

However, before you make your final decision, you should ensure your preferred choice complies with all relevant security, privacy, and data protection standards, such as GDPR, HIPAA, or PCI DSS.
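A backup only helps against ransomware if the copy you restore from is intact, so each snapshot should carry a checksum manifest that can be re-verified before you rely on it. The script below is an added example, not code from the original post or from VirtualArmour: it copies a directory into a timestamped snapshot, records a SHA-256 manifest beside it, and later re-checks the snapshot, reporting files that were modified, removed, or added after the backup was taken. The directory names and sample files in `demo()` are constructed for illustration.

```python
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path, chunk_size=1 << 16):
    """Hash one file in chunks so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def create_snapshot(source_dir, backup_root):
    """Copy source_dir into backup_root/<timestamp>/data and write manifest.json next to it.

    Each run makes a new directory rather than overwriting the previous one, so an
    older, clean copy survives even if the latest source contents are already encrypted.
    """
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%S%fZ")
    dest = Path(backup_root) / stamp
    shutil.copytree(source_dir, dest / "data")
    manifest = build_manifest(dest / "data")
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return dest


def verify_snapshot(snapshot_dir):
    """Re-hash a snapshot and compare with its manifest.

    Returns a sorted list of (relative path, problem) where problem is
    'modified', 'missing' or 'unexpected'; an empty list means the copy is intact.
    """
    snapshot_dir = Path(snapshot_dir)
    manifest = json.loads((snapshot_dir / "manifest.json").read_text())
    current = build_manifest(snapshot_dir / "data")
    problems = []
    for rel, digest in manifest.items():
        if rel not in current:
            problems.append((rel, "missing"))
        elif current[rel] != digest:
            problems.append((rel, "modified"))
    for rel in current:
        if rel not in manifest:
            problems.append((rel, "unexpected"))
    return sorted(problems)


def demo():
    """Constructed end-to-end run in a temporary directory; returns verify_snapshot's findings."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "shared"
        (src / "reports").mkdir(parents=True)
        (src / "reports" / "q1.txt").write_text("quarterly figures (constructed sample)\n")
        (src / "notes.txt").write_text("meeting notes (constructed sample)\n")

        snap = create_snapshot(src, Path(tmp) / "backups")
        if verify_snapshot(snap) != []:
            raise RuntimeError("fresh snapshot should match its own manifest")

        # Simulate a backup copy that an attacker reached after it was taken:
        # one file overwritten with garbage, one extra file dropped in.
        (snap / "data" / "reports" / "q1.txt").write_bytes(b"\x00garbled")
        (snap / "data" / "README.txt").write_text("unexpected file (constructed)\n")
        return verify_snapshot(snap)


if __name__ == "__main__":
    for rel, problem in demo():
        print(f"{problem:10s} {rel}")
```

Keep the manifest (or better, a signed copy of it) somewhere the backup target cannot write to, and run the verification from a host that is not the one being backed up; a backup drive that stays permanently connected, or a cloud folder that syncs continuously, can be encrypted along with everything else, which is why versioned snapshots and periodic integrity checks matter more than the choice between cloud and external disk.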

An Up-to-Date Operating System Is a More Secure Operating System

One of the simplest things you can do to help keep your security posture strong is to keep your operating system and other software up to date. When developers discover vulnerabilities, bugs, or other security issues with their products, they develop and release patches to fix them. However, you can only take advantage of a new security patch if you actually download it, making out-of-date software a security liability. 

Because security patches are publicly announced, everyone, including cybercriminals, now knows about the vulnerability the patch is designed to fix. As such, attackers frequently target organizations that have not yet applied a recent patch, in the hope that not every company is as diligent as yours about keeping its software up to date. It’s always better to invest the 20 minutes it takes to update your software than to risk compromising your operational security.

Anti-Virus Software Still Plays a Critical Role

While many people may think antivirus software is outdated, it still plays an important role in your cybersecurity defenses. It is just one of many tools that, when combined appropriately with other security measures, help keep your organization safe.

It Always Pays to Have a Plan & Invest in Cybersecurity Training

Should your organization fall victim to ransomware or another type of cyberattack, it is critical you have an incident response program in place to help you and your team respond swiftly and effectively. All new employees should undergo cybersecurity training as part of your onboarding process, and all employees, from the CEO downwards, should also undergo regular cybersecurity training to keep their skills and knowledge top of mind and up to date.


Worried About Ransomware? VirtualArmour is Here to Help!

While the internet may feel like it is becoming more like the Wild West every day, there is hope. By partnering with organizations like VirtualArmour, you can take proactive steps to shore up your defenses and keep your data safe and secure. Our team of cybersecurity experts has your back every step of the way: whether you are looking to develop or update your incident response plan, bolster your internal IT or cybersecurity team, or respond to an ongoing cybersecurity incident, we’re always here for you, 24/7/365. For more information, please contact our team today.

Suggested Reading

Cybersecurity is a complex and continually evolving field, so it is vital that you stay up to date and in the loop if you want to safeguard your organization and its data effectively.

To help you stay on top of the latest cybersecurity news and trends, please consider visiting our Articles and Resources page and reviewing these educational articles.

Common Threats (and How to Avoid Them)

Cybersecurity Basics For All Organizations

Cybersecurity Basics By Industry

Minimizing Your Risks

About the Author

Kurt Pritchard is a SOC Engineer at VirtualArmour. You can learn more about him on his LinkedIn.
